Analysis Overview
SHA256
15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b
Threat Level: Known bad
The file 15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-09 05:17
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-09 05:17
Reported
2022-06-09 09:33
Platform
win7-20220414-en
Max time kernel
125s
Max time network
110s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe
"C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {8F46E304-6310-4A40-BC53-61970B8C7164} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 104.85.1.163:80 | tcp |
Files
memory/1788-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
memory/2016-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/2016-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1172-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Information.txt
| MD5 | 1cce84b26e3d0238c5768202671a0e98 |
| SHA1 | 84f47c78fbafd9f49d6caa11bd18f2c2b0864551 |
| SHA256 | 5e1131339d536ac207767c8ae7446386829d1472e4d1a951f0c8b546d03d4a72 |
| SHA512 | 8369993756f3a97c73f8b2cabdef9f3b0ebdc5404f644f9bb738ba69e23ca3c2762ca332fdc307673538f5f3b2036c6412b08366df960b21a0484c9c03e93e9a |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Screen.jpg
| MD5 | 4d791fb26e385825405e673f184ee646 |
| SHA1 | 7f69f7755783161b145d7de02ae2a7e851f3700f |
| SHA256 | f2cbff2e7e92803ad42e8d75a7b05b3de0fbcf98aae96b77428377dc72a03fe1 |
| SHA512 | 66c2eb495135dd7d08f1aa7ff728b66e7321cd9018069ceb3b7764fa44e24907e18e950d704691987ea73612d2055b545ace13e23cc32c3ebdf80dddcbaf8e75 |
memory/1172-66-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2016-67-0x0000000004350000-0x00000000043CD000-memory.dmp
memory/2016-68-0x0000000004350000-0x00000000043CD000-memory.dmp
memory/996-69-0x0000000000000000-mapping.dmp
memory/1700-70-0x0000000000000000-mapping.dmp
memory/1420-72-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-09 05:17
Reported
2022-06-09 09:33
Platform
win10v2004-20220414-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe
"C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\*"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 104.208.16.90:443 | tcp | |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 93.184.221.240:80 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/3980-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/3980-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3980-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3980-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/4404-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Information.txt
| MD5 | d07653a7ec1c8be6ab831ac4707cc988 |
| SHA1 | a94c488b9320140b0d3b07658223a7a52cc5ecbc |
| SHA256 | 5420d7b13dc8359e3d71bd293fc0305d784142a527b72a1487ba0ceec8e57930 |
| SHA512 | 4df2bd8dcb90f4dcf470b986460cba1ee642d1d84b2f00449582f09413168e422e7e4291ca59f9a02c01b92f05a263978b48787b9c3fe1289cf0987bd384e03e |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Screen.jpg
| MD5 | 00f99c236dc49cb228b3b52282cd97de |
| SHA1 | d4630cb1098bc872e895c9c7924368985b4a60e9 |
| SHA256 | 0ca0fabd290468176a242f2d1d5572fe28e5d4e379ff1636cfe2bad4876e3d64 |
| SHA512 | 9a7d14e5c07c0099c03560e9404e0c6f416b7bb7629b157f1368da72ff97d7481dfe692733632e1b1c3d1cfb85cee744aa5ba8e4b952ee5d60aa3825e6ddb376 |
memory/4404-141-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1392-142-0x0000000000000000-mapping.dmp