qulab | 1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6

Analysis

max time kernel
161s
max time network
171s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
Size

1.6MB
MD5

355237317f0c1f050f370497829ef4de
SHA1

982f9a8357afba7a19e652314835c71c8db31122
SHA256

1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6
SHA512

c8db2d4f9fa04e7f3d17c79aeef3ce1a37ecb1ffe6991bf48af6d03db4b6442233cb3b77950d4dcc0088bd9b98792b94003601b524d40e534f0e9eb25f2e8286

Score

10^/10

qulab discovery evasion ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 13.06.2022, 06:33:43 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: WYZSGDWS - Processor: Intel Core Processor (Broadwell) - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 368 - csrss.exe / PID: 380 - winlogon.exe / PID: 416 - services.exe / PID: 460 - lsass.exe / PID: 476 - lsm.exe / PID: 484 - svchost.exe / PID: 588 - svchost.exe / PID: 664 - svchost.exe / PID: 744 - svchost.exe / PID: 792 - svchost.exe / PID: 824 - svchost.exe / PID: 864 - svchost.exe / PID: 108 - spoolsv.exe / PID: 988 - svchost.exe / PID: 1036 - taskhost.exe / PID: 1176 - dwm.exe / PID: 1264 - explorer.exe / PID: 1312 - svchost.exe / PID: 528 - sppsvc.exe / PID: 1840 - WMIADAP.exe / PID: 1980 - WmiPrvSE.exe / PID: 1968 - 1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe / PID: 1300 - RTWorkQ.exe / PID: 1244

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll	acprotect
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll	acprotect

Executes dropped EXE 7 IoCs

Processes:

XXMBK.exeSSJK.exeRTWorkQ.exeCDGH.exeRTWorkQ.module.exeRTWorkQ.exeRTWorkQ.exe

pid process

848 XXMBK.exe
2044 SSJK.exe
1244 RTWorkQ.exe
1536 CDGH.exe
1412 RTWorkQ.module.exe
1768 RTWorkQ.exe
660 RTWorkQ.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1820 attrib.exe

pid	process
848	XXMBK.exe
2044	SSJK.exe
1244	RTWorkQ.exe
1536	CDGH.exe
1412	RTWorkQ.module.exe
1768	RTWorkQ.exe
660	RTWorkQ.exe

pid	process
1820	attrib.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe	upx
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe	upx
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe	upx
behavioral1/memory/1412-86-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exeXXMBK.exeRTWorkQ.exe

pid	process
1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
848	XXMBK.exe
848	XXMBK.exe
848	XXMBK.exe
848	XXMBK.exe
1244	RTWorkQ.exe
1244	RTWorkQ.exe
1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
1244	RTWorkQ.exe
1244	RTWorkQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipapi.co
13 ipapi.co

flow	ioc
5	ipapi.co
13	ipapi.co

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\SSJK.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

RTWorkQ.exeRTWorkQ.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	RTWorkQ.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	RTWorkQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\CDGH.exe	nsis_installer_2

NTFS ADS 2 IoCs

Processes:

SSJK.exeRTWorkQ.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\winmgmts:\localhost\	SSJK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_dual\winmgmts:\localhost\	RTWorkQ.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RTWorkQ.exe

pid process

1244 RTWorkQ.exe

pid	process
1244	RTWorkQ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RTWorkQ.module.exe

description	pid	process
Token: SeRestorePrivilege	1412	RTWorkQ.module.exe
Token: 35	1412	RTWorkQ.module.exe
Token: SeSecurityPrivilege	1412	RTWorkQ.module.exe
Token: SeSecurityPrivilege	1412	RTWorkQ.module.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exeXXMBK.exeSSJK.exeRTWorkQ.exetaskeng.exe

description	pid	process	target process
PID 1300 wrote to memory of 848	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	XXMBK.exe
PID 1300 wrote to memory of 848	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	XXMBK.exe
PID 1300 wrote to memory of 848	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	XXMBK.exe
PID 1300 wrote to memory of 848	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	XXMBK.exe
PID 848 wrote to memory of 2044	848	XXMBK.exe	SSJK.exe
PID 848 wrote to memory of 2044	848	XXMBK.exe	SSJK.exe
PID 848 wrote to memory of 2044	848	XXMBK.exe	SSJK.exe
PID 848 wrote to memory of 2044	848	XXMBK.exe	SSJK.exe
PID 2044 wrote to memory of 1244	2044	SSJK.exe	RTWorkQ.exe
PID 2044 wrote to memory of 1244	2044	SSJK.exe	RTWorkQ.exe
PID 2044 wrote to memory of 1244	2044	SSJK.exe	RTWorkQ.exe
PID 2044 wrote to memory of 1244	2044	SSJK.exe	RTWorkQ.exe
PID 1300 wrote to memory of 1536	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	CDGH.exe
PID 1300 wrote to memory of 1536	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	CDGH.exe
PID 1300 wrote to memory of 1536	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	CDGH.exe
PID 1300 wrote to memory of 1536	1300	1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe	CDGH.exe
PID 1244 wrote to memory of 1412	1244	RTWorkQ.exe	RTWorkQ.module.exe
PID 1244 wrote to memory of 1412	1244	RTWorkQ.exe	RTWorkQ.module.exe
PID 1244 wrote to memory of 1412	1244	RTWorkQ.exe	RTWorkQ.module.exe
PID 1244 wrote to memory of 1412	1244	RTWorkQ.exe	RTWorkQ.module.exe
PID 1244 wrote to memory of 1820	1244	RTWorkQ.exe	attrib.exe
PID 1244 wrote to memory of 1820	1244	RTWorkQ.exe	attrib.exe
PID 1244 wrote to memory of 1820	1244	RTWorkQ.exe	attrib.exe
PID 1244 wrote to memory of 1820	1244	RTWorkQ.exe	attrib.exe
PID 1776 wrote to memory of 1768	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 1768	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 1768	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 1768	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 660	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 660	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 660	1776	taskeng.exe	RTWorkQ.exe
PID 1776 wrote to memory of 660	1776	taskeng.exe	RTWorkQ.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1820 attrib.exe

pid	process
1820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe
"C:\Users\Admin\AppData\Local\Temp\1df742d27fe872427bc8e913ab19ae7d721a7d22d9707176aec8d61b3a2156e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
  "C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Roaming\SSJK.exe
    "C:\Users\Admin\AppData\Roaming\SSJK.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe
        
        C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_dual\ENU_687FE9737473A97E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_dual\1\*"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_dual"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1820
- C:\Users\Admin\AppData\Local\Temp\CDGH.exe
  "C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Windows\system32\taskeng.exe
taskeng.exe {137C2581-6212-465B-B8C7-3E9A215EF624} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
  C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1768
- C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
  C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CDGH.exe

Filesize
35KB

MD5
439e839b6ea367af00f7b99c0e9636a4

SHA1
72546bc18281613ce3f0a9138136ae33fe4559e8

SHA256
cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

SHA512
eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDGH.exe

Filesize
35KB

MD5
439e839b6ea367af00f7b99c0e9636a4

SHA1
72546bc18281613ce3f0a9138136ae33fe4559e8

SHA256
cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

SHA512
eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe

Filesize
1.6MB

MD5
a24d6f686b4e46d2a828036ed821f15a

SHA1
7df1294dd167c8c50b21d5ac5b731ccb140f39e1

SHA256
a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad

SHA512
338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXMBK.exe

Filesize
1.6MB

MD5
a24d6f686b4e46d2a828036ed821f15a

SHA1
7df1294dd167c8c50b21d5ac5b731ccb140f39e1

SHA256
a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad

SHA512
338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936

Download Submit
C:\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
C:\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Information.txt

Filesize
3KB

MD5
2f1a9b70a7772aa9c1acb3331dad6699

SHA1
007d5c230f45e7f07f8040367df4ce4571d59ec0

SHA256
ef1f5e43d932b5cc16fbec927395873e17af309e093563843a45fa88a4dc5c4f

SHA512
082ac4166196111810d5ae281be2133cb1310942cd3fdd752f32a8c99f09a5961f110efb7dcc9d626d9a52dfcac0930239e69bc19c7581133ccf59e362553fe9

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\1\Screen.jpg

Filesize
41KB

MD5
264844711a7bc75784dd23b7871be143

SHA1
9d9c6cbeacd2497f56a3dd16736008b42a7eaf5e

SHA256
b338acdf7da4971f1aad38805c29bf7bfd4c18bfbfa25bf9f2d8fb9f2d1ddc2e

SHA512
fce38062dba1547f7566ed0e7d24aa292c5901bb8a23c823f09e703f9144e858b5d5b183a0a4589a41f1d766091f07075f101367250c35fd5362f119e1c9afbd

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Local\Temp\CDGH.exe

Filesize
35KB

MD5
439e839b6ea367af00f7b99c0e9636a4

SHA1
72546bc18281613ce3f0a9138136ae33fe4559e8

SHA256
cfdf8ea497068d151b91d122e0daa28e08a919d39cd0a061f0a66353d4fe3637

SHA512
eaf8471418db8abb3488e3d11a097ee50c0f5cd44800d29a692fa70a6ec56865ac83ddb98373844801bc8978fa3a42373e22308a7a879c167d9c0a4596aa431b

Download Submit
\Users\Admin\AppData\Local\Temp\XXMBK.exe

Filesize
1.6MB

MD5
a24d6f686b4e46d2a828036ed821f15a

SHA1
7df1294dd167c8c50b21d5ac5b731ccb140f39e1

SHA256
a3253375704929d9843d71b2a974661ab9014ebb4a510be7576654be456de5ad

SHA512
338697d0e29ec48bcc3e8cea7828628472773e2b72a820a81d306f774d81a7e060d70b5a97f4b29c9086c0fc1f0d4a2cc675318e54c4a0f6bdd152754c853936

Download Submit
\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
\Users\Admin\AppData\Roaming\SSJK.exe

Filesize
1.8MB

MD5
f19b8319668ed8f19956434ca5800731

SHA1
f2b6a5bdd18dd933f677ee9e964564dd897b69ba

SHA256
45e91d7bcf287f0b543753a8e26907f978d6b663599aa3ac864fe44e2d514f21

SHA512
67fc0f512feaec172d0cd192520f3c55a10071ed35b4f0389768627c1951eeb93a91b9f5b1f99486c0836128b11c133aa28f57b3e8932ba9a70f207c685f1361

Download Submit
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_dual\RTWorkQ.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/660-92-0x0000000000000000-mapping.dmp

Download
memory/848-56-0x0000000000000000-mapping.dmp

Download
memory/1244-87-0x0000000002770000-0x00000000027ED000-memory.dmp

Filesize
500KB

Download
memory/1244-68-0x0000000000000000-mapping.dmp

Download
memory/1244-73-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1244-74-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1300-54-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1412-82-0x0000000000000000-mapping.dmp

Download
memory/1412-86-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1536-76-0x0000000000000000-mapping.dmp

Download
memory/1768-89-0x0000000000000000-mapping.dmp

Download
memory/1820-88-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000000000000-mapping.dmp

Download