Malware Analysis Report

2024-09-23 04:57

Sample ID 220626-3w27eafdar
Target 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
SHA256 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020
Tags
qulab discovery ransomware spyware stealer upx
score
10/10

Analysis Overview

score
10/10

SHA256

358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020

Threat Level: Known bad

The file 358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020 was found to be: Known bad.

Malicious Activity Summary

qulab discovery ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-06-26 23:52

Signatures

AutoIT Executable

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-26 23:52

Reported

2022-06-27 00:07

Platform

win7-20220414-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
PID 1192 wrote to memory of 1724 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
PID 1512 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe
PID 1192 wrote to memory of 784 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe

"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {217071D1-02C7-4FBD-8DB4-76D13AE7067B} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe a -y "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\41646D696E5456484A43574D4857494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\*"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipapi.co udp
US 172.67.69.226:443 ipapi.co tcp
DE 196.18.0.25:8000 api.telegram.org tcp
DE 196.18.0.25:8000 api.telegram.org tcp

Files

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll

\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Screen.jpg

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Information.txt

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-26 23:52

Reported

2022-06-27 00:07

Platform

win10v2004-20220414-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe
PID 2532 wrote to memory of 276 N/A C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

Processes

C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe

"C:\Users\Admin\AppData\Local\Temp\358928e393e91937f17a754c2fca43d8eedc2d797e960610d9a35c4190197020.exe"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe a -y "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\41646D696E4653484C5250544257494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\*"

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.exe

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 20.42.72.131:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
DE 196.18.0.25:8000 api.telegram.org tcp
DE 196.18.0.25:8000 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.sqlite3.module.dll

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\CortanaMapiHelper.ProxyStub.module.exe

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Screen.jpg

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-web-app-host.resources\1\Information.txt
