plugx | 28a920e33768735e25af7b1c751f58ebda4ccc5adee11687a67746c74ae34d6c

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2022 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GaBiEducation9.2.1.68_desktop.exe
Size

193.7MB
MD5

e0b8ed89f55f785e7e45f9c57b4aa14b
SHA1

ffc0f6e2deaa984a803cb3f23a4c735e3bc652db
SHA256

28a920e33768735e25af7b1c751f58ebda4ccc5adee11687a67746c74ae34d6c
SHA512

13f939758d6f9ca41b52f0b55c5f2df1a7b0c937f6445c4b98a885b60a5d783dcf58a14ff69f8fa683ff6af69c7393a0b306bafc9e5857946a41365c5e57cece
SSDEEP

6291456:vuFFBo/i0YGa6ZLezuZ5IOfmWdJXWxgzb:QFS60hsuaWd0G

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\thinkstep\GaBi Education\GaBiMain260.bpl	family_plugx
C:\Program Files\thinkstep\GaBi Education\GaBiMain260.bpl	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 6 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.tmp_setup64.tmpGaBi.exeGaBi.exeGaBi.exeLicProtector500.exe

pid process

1308 GaBiEducation9.2.1.68_desktop.tmp
4460 _setup64.tmp
2308 GaBi.exe
2392 GaBi.exe
204 GaBi.exe
3100 LicProtector500.exe

Loads dropped DLL 64 IoCs

Processes:

GaBi.exe

pid	process
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.tmp

description	ioc	process
File opened for modification	C:\Program Files\thinkstep\GaBi Education\gbexchange.dll	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-S2BNU.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-JCS3R.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-QDIJK.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-KNSAG.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-P51M5.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-23STQ.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-KBFCU.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\Portal\assets\is-ERL35.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\Portal\is-PI217.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\Portal\assets\fonts\is-C7S8E.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-SCLPK.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-1HEFL.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-RUKPQ.tmp	GaBiEducation9.2.1.68_desktop.tmp
File opened for modification	C:\Program Files\thinkstep\GaBi Education\GaBiFileImporter.exe	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-2SCN3.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-FJMN8.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-1UJLM.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-R53JT.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-HPQ8L.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-865H2.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-7SQ6G.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-K1UTL.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-VEBPK.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\Portal\assets\is-KK8DM.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-FSKRR.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-PRLMM.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-KNVQB.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-2DCRO.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-V0R3Q.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-H848O.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-91QSN.tmp	GaBiEducation9.2.1.68_desktop.tmp
File opened for modification	C:\Program Files\thinkstep\GaBi Education\wPDF400W64.dll	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-FE2UN.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\UI\is-J0DQQ.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-6BLFP.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-PVOGD.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-ICV57.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-OJAJH.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-7UAFE.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-5FDKJ.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-OFL4R.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\SysData\is-PU3U6.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-RK7B7.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-FGMGB.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-VJQJ6.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-7RP3Q.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-HRJ23.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-DS617.tmp	GaBiEducation9.2.1.68_desktop.tmp
File opened for modification	C:\Program Files\thinkstep\GaBi Education\GaBiLicConvert.exe	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-GKFG8.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-93F67.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-H3GNV.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-2IJLU.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-L88H3.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-7UL97.tmp	GaBiEducation9.2.1.68_desktop.tmp
File opened for modification	C:\Program Files\thinkstep\GaBi Education\LicProtector314.dll	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-Q1KK2.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-T61S1.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-3JLV8.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-3852C.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-P3BG1.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-2BMR4.tmp	GaBiEducation9.2.1.68_desktop.tmp
File created	C:\Program Files\thinkstep\GaBi Education\is-9BU17.tmp	GaBiEducation9.2.1.68_desktop.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

GaBi.exeGaBi.exeGaBi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\	GaBi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GaBi.exe = "11000"	GaBi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\	GaBi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GaBi.exe = "11000"	GaBi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\	GaBi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GaBi.exe = "11000"	GaBi.exe

Modifies registry class 64 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.tmpregsvr32.exeLicProtector500.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gup\ = "tsGaBiOtherFile"	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEEFFA1A-D2C9-4875-9B7B-2FE406E7A19C}\3.1\0\win32\ = "C:\\Program Files\\thinkstep\\GaBi Education\\LicProtector314.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\ProxyStubClsid32	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gsp\ = "tsGaBiOtherFile"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiDBFile\DefaultIcon\ = "C:\\Program Files\\thinkstep\\GaBi Education\\Resdll.dll,2"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\LocalServer32	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\ = "LicProtector Library"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\TypeLib	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\TypeLib\Version = "5.0"	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiReportFile\ = "thinkstep GaBi Report File"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEEFFA1A-D2C9-4875-9B7B-2FE406E7A19C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}\ = "ILicProtectorDLL314"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorDLL314\ = "LicProtector Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\TypeLib\ = "{BEEFFA1A-D2C9-4875-9B7B-2FE406E7A19C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\Version\ = "5.0"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\0\win32	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\HELPDIR	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\ProgID\ = "LicProtector.LicProtectorEXE500"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiReportFile\DefaultIcon	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbmx	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}\TypeLib\Version = "3.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\ProgID\ = "LicProtector.LicProtectorDLL314"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\FLAGS\ = "0"	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiExchangeFile\ = "thinkstep Data Exchange File"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mydb	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEEFFA1A-D2C9-4875-9B7B-2FE406E7A19C}\3.1\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\TypeLib\ = "{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\0\win32\ = "C:\\Program Files\\thinkstep\\GaBi Education\\LicProtector500.exe"	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\ = "LicProtector Object"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiOtherFile	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEEFFA1A-D2C9-4875-9B7B-2FE406E7A19C}\3.1\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}\ = "ILicProtectorDLL314"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\ProxyStubClsid32	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gup	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8B5A61-027F-43C6-A6FD-B8B6B24F2AD8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiDBFile\ = "thinkstep GaBi Database File"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiDBBackupFile\DefaultIcon	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\TypeLib\ = "{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}"	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiDBBackupFile\DefaultIcon\ = "C:\\Program Files\\thinkstep\\GaBi Education\\Resdll.dll,5"	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorDLL314\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}\5.0\0	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA53C73A-6402-4498-82BF-5E4E106DA678}\ProgID	LicProtector500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiOtherFile\ = "thinkstep GaBi File"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gsp	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiDBFile\shell\open\command	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tsx	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tsx\ = "tsGaBiExchangeFile"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiExchangeFile\DefaultIcon	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbx\ = "tsGaBiExchangeFile"	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E43AD8CB-CB84-4C02-8E90-A38DB2950B71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\ = "ILicProtectorEXE500"	LicProtector500.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tsGaBiOtherFile\DefaultIcon	GaBiEducation9.2.1.68_desktop.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbm	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbmx\ = "tsGaBiReportFile"	GaBiEducation9.2.1.68_desktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2123DE67-ECAE-4EA3-B5BD-F33460D45596}\TypeLib\ = "{3B02C119-BB53-44CB-91C0-7E6AE3EB2A62}"	LicProtector500.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.tmpGaBi.exeGaBi.exeGaBi.exe

pid	process
1308	GaBiEducation9.2.1.68_desktop.tmp
1308	GaBiEducation9.2.1.68_desktop.tmp
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2308	GaBi.exe
2392	GaBi.exe
2392	GaBi.exe
2392	GaBi.exe
2392	GaBi.exe
204	GaBi.exe
204	GaBi.exe
204	GaBi.exe
204	GaBi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

GaBi.exeGaBi.exeGaBi.exe

description pid process

Token: SeDebugPrivilege 2308 GaBi.exe
Token: SeDebugPrivilege 2392 GaBi.exe
Token: SeDebugPrivilege 204 GaBi.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.tmp

pid process

1308 GaBiEducation9.2.1.68_desktop.tmp
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

GaBi.exeGaBi.exeGaBi.exe

pid process

2308 GaBi.exe
2308 GaBi.exe
2392 GaBi.exe
2392 GaBi.exe
204 GaBi.exe
204 GaBi.exe

description	pid	process
Token: SeDebugPrivilege	2308	GaBi.exe
Token: SeDebugPrivilege	2392	GaBi.exe
Token: SeDebugPrivilege	204	GaBi.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

GaBiEducation9.2.1.68_desktop.exeGaBiEducation9.2.1.68_desktop.tmpregsvr32.exe

description	pid	process	target process
PID 3808 wrote to memory of 1308	3808	GaBiEducation9.2.1.68_desktop.exe	GaBiEducation9.2.1.68_desktop.tmp
PID 3808 wrote to memory of 1308	3808	GaBiEducation9.2.1.68_desktop.exe	GaBiEducation9.2.1.68_desktop.tmp
PID 3808 wrote to memory of 1308	3808	GaBiEducation9.2.1.68_desktop.exe	GaBiEducation9.2.1.68_desktop.tmp
PID 1308 wrote to memory of 4460	1308	GaBiEducation9.2.1.68_desktop.tmp	_setup64.tmp
PID 1308 wrote to memory of 4460	1308	GaBiEducation9.2.1.68_desktop.tmp	_setup64.tmp
PID 1308 wrote to memory of 2308	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 2308	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 2392	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 2392	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 1680	1308	GaBiEducation9.2.1.68_desktop.tmp	regsvr32.exe
PID 1308 wrote to memory of 1680	1308	GaBiEducation9.2.1.68_desktop.tmp	regsvr32.exe
PID 1680 wrote to memory of 2304	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 2304	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 2304	1680	regsvr32.exe	regsvr32.exe
PID 1308 wrote to memory of 204	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 204	1308	GaBiEducation9.2.1.68_desktop.tmp	GaBi.exe
PID 1308 wrote to memory of 3100	1308	GaBiEducation9.2.1.68_desktop.tmp	LicProtector500.exe
PID 1308 wrote to memory of 3100	1308	GaBiEducation9.2.1.68_desktop.tmp	LicProtector500.exe
PID 1308 wrote to memory of 3100	1308	GaBiEducation9.2.1.68_desktop.tmp	LicProtector500.exe

C:\Users\Admin\AppData\Local\Temp\GaBiEducation9.2.1.68_desktop.exe
"C:\Users\Admin\AppData\Local\Temp\GaBiEducation9.2.1.68_desktop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\is-0TPJS.tmp\GaBiEducation9.2.1.68_desktop.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0TPJS.tmp\GaBiEducation9.2.1.68_desktop.tmp" /SL5="$201FE,202592627,195072,C:\Users\Admin\AppData\Local\Temp\GaBiEducation9.2.1.68_desktop.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\is-AFSS2.tmp\_isetup\_setup64.tmp
helper 105 0x4A0
3⤵
- Executes dropped EXE
PID:4460

C:\Program Files\thinkstep\GaBi Education\GaBi.exe
"C:\Program Files\thinkstep\GaBi Education\GaBi.exe" "/ConnectDatabase:C:\ProgramData\thinkstep\GaBi\My Databases Education\Education database 2020.MyDB"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files\thinkstep\GaBi Education\GaBi.exe
"C:\Program Files\thinkstep\GaBi Education\GaBi.exe" "/InstallLicense:C:\ProgramData\thinkstep\GaBi\GaBiEducation.lic"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\thinkstep\GaBi Education\LicProtector314.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\thinkstep\GaBi Education\LicProtector314.dll"
4⤵
- Modifies registry class
PID:2304

C:\Program Files\thinkstep\GaBi Education\GaBi.exe
"C:\Program Files\thinkstep\GaBi Education\GaBi.exe" /PostInstall
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:204

C:\Program Files\thinkstep\GaBi Education\LicProtector500.exe
"C:\Program Files\thinkstep\GaBi Education\LicProtector500.exe" /regserver
3⤵
- Executes dropped EXE
- Modifies registry class
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\thinkstep\GaBi Education\Eldos260.bpl
Filesize
7.3MB

MD5
21865bba2ed08cb7b7980bac68d91165

SHA1
083a4e480eeff988c802fa3fd1d6df665e2bac14

SHA256
5b8df42ff33659b74d8dadff0087bb17a26fee6400adad58016d9769a630c957

SHA512
6198a421ef4e539231928f294f71e385f6c2dd5f0bbda2149b40a052d98b58d7bd94f5d1dfb87a85c6980d5b1001fbbfdda25bae95a2a995d2a501891f5308bc

Download Submit
C:\Program Files\thinkstep\GaBi Education\Eldos260.bpl
Filesize
7.3MB

MD5
21865bba2ed08cb7b7980bac68d91165

SHA1
083a4e480eeff988c802fa3fd1d6df665e2bac14

SHA256
5b8df42ff33659b74d8dadff0087bb17a26fee6400adad58016d9769a630c957

SHA512
6198a421ef4e539231928f294f71e385f6c2dd5f0bbda2149b40a052d98b58d7bd94f5d1dfb87a85c6980d5b1001fbbfdda25bae95a2a995d2a501891f5308bc

Download Submit
C:\Program Files\thinkstep\GaBi Education\GaBi.exe
Filesize
761KB

MD5
2bd073035312f0e4775e9c84a32b3ed3

SHA1
b0eafaf8f171930b41b47e2c53f8b51a9ab67eda

SHA256
def145d89c25fb7184b26418b10dadf97b69cac563af18eb4327eb2fcf377507

SHA512
930f9ec86b811525433026b83b02bf00ac8e70ef3c7fbd8b3a22cd5215b6909b9576cffbc5bdc9e8855ae5f431bdec8f09f4a5d23cf494165b8bcb3aac56d58b

Download Submit
C:\Program Files\thinkstep\GaBi Education\GaBiMain260.bpl
Filesize
58.6MB

MD5
cd88dec887b1d0500ce6309d8e313431

SHA1
8e27ecd3b82f7d19fe62a3fdd696404a8bc19512

SHA256
1f0f7750033dcb2f8fa95fccfcc689eb8d16200c851d36095056d03c91472845

SHA512
066ef3fd169b96cf317896ea3b4a413a6b67f0ae66c13d84f66387171d2b3c78787a1e83e1f13061dbeaf87837bee39726a64e886322ac797d685a69ef26c034

Download Submit
C:\Program Files\thinkstep\GaBi Education\GaBiMain260.bpl
Filesize
58.6MB

MD5
cd88dec887b1d0500ce6309d8e313431

SHA1
8e27ecd3b82f7d19fe62a3fdd696404a8bc19512

SHA256
1f0f7750033dcb2f8fa95fccfcc689eb8d16200c851d36095056d03c91472845

SHA512
066ef3fd169b96cf317896ea3b4a413a6b67f0ae66c13d84f66387171d2b3c78787a1e83e1f13061dbeaf87837bee39726a64e886322ac797d685a69ef26c034

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndyCore260.bpl
Filesize
573KB

MD5
72e8182fd61b2e086b82d0f4a8d7a342

SHA1
5c553e3fa47ce3e958a7d64313c6e1e0b73a7b83

SHA256
1d206700cb35f1c9e45157f451f589cc38f91e83f34252ad7d3ce76f10431f3f

SHA512
b84b7bf7fe3bf1bc022c3a74ba9870bfe989c45c516dbb32b9727d5c9a30c592bb91761ecad6dc4a81361c35d61b10909ff1e19a4cdfe573c294523ad08e3329

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndyCore260.bpl
Filesize
573KB

MD5
72e8182fd61b2e086b82d0f4a8d7a342

SHA1
5c553e3fa47ce3e958a7d64313c6e1e0b73a7b83

SHA256
1d206700cb35f1c9e45157f451f589cc38f91e83f34252ad7d3ce76f10431f3f

SHA512
b84b7bf7fe3bf1bc022c3a74ba9870bfe989c45c516dbb32b9727d5c9a30c592bb91761ecad6dc4a81361c35d61b10909ff1e19a4cdfe573c294523ad08e3329

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndyProtocols260.bpl
Filesize
3.5MB

MD5
b90489b63b49d6ea8946b0f67df2fb06

SHA1
3d8ee1f499f57f814fe1b637aa2caf6155a76157

SHA256
48b1a146449fce42bf953b6e14e8453ea6ff555c4e2d93c94ba35e2e7663e4e4

SHA512
dbc1af3cf34be7d7d8566d83dfdf5e1f6763a2c6d3c8859c0d1d84662ac86fc11cdcc28192161608154adb311066a9f04e6add34cf4707a4f4a92411a4d67871

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndyProtocols260.bpl
Filesize
3.5MB

MD5
b90489b63b49d6ea8946b0f67df2fb06

SHA1
3d8ee1f499f57f814fe1b637aa2caf6155a76157

SHA256
48b1a146449fce42bf953b6e14e8453ea6ff555c4e2d93c94ba35e2e7663e4e4

SHA512
dbc1af3cf34be7d7d8566d83dfdf5e1f6763a2c6d3c8859c0d1d84662ac86fc11cdcc28192161608154adb311066a9f04e6add34cf4707a4f4a92411a4d67871

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndySystem260.bpl
Filesize
423KB

MD5
b4ed87848d3091abad8886e81a66bfff

SHA1
cc5d21096886caa3c36f150e8812beaccf5a0d6d

SHA256
616206434bb8cbe57572ab19b48964f4e2ba182130a63f72f70df47d388e5341

SHA512
e2eb1e7349f6cf8dccdb7dabd9480bbbedb1e5748674fdcfd3ccbc671d474a94528070cf1a1de526f6074003874ac1248e703b0e343fc45e8797a4cf654ac4f6

Download Submit
C:\Program Files\thinkstep\GaBi Education\IndySystem260.bpl
Filesize
423KB

MD5
b4ed87848d3091abad8886e81a66bfff

SHA1
cc5d21096886caa3c36f150e8812beaccf5a0d6d

SHA256
616206434bb8cbe57572ab19b48964f4e2ba182130a63f72f70df47d388e5341

SHA512
e2eb1e7349f6cf8dccdb7dabd9480bbbedb1e5748674fdcfd3ccbc671d474a94528070cf1a1de526f6074003874ac1248e703b0e343fc45e8797a4cf654ac4f6

Download Submit
C:\Program Files\thinkstep\GaBi Education\RESTComponents260.bpl
Filesize
1.4MB

MD5
4c41becf27c017dbb52f43190fa1dd35

SHA1
4f5fbfeeaf5aeb0e9920686634ab7b870aedaf6a

SHA256
d50a70f99334520191ea3c0225d7af8954f2eb64da0ec8ba05b9f68b28a02bd6

SHA512
1a2353e8c5de3b723063a9a88615f941880d81b4e1e16726d90c97a296963e988158cfeb3ca15351f2f736e34db2d82094587d4ee14f94d9b43d1367d66c22a7

Download Submit
C:\Program Files\thinkstep\GaBi Education\RESTComponents260.bpl
Filesize
1.4MB

MD5
4c41becf27c017dbb52f43190fa1dd35

SHA1
4f5fbfeeaf5aeb0e9920686634ab7b870aedaf6a

SHA256
d50a70f99334520191ea3c0225d7af8954f2eb64da0ec8ba05b9f68b28a02bd6

SHA512
1a2353e8c5de3b723063a9a88615f941880d81b4e1e16726d90c97a296963e988158cfeb3ca15351f2f736e34db2d82094587d4ee14f94d9b43d1367d66c22a7

Download Submit
C:\Program Files\thinkstep\GaBi Education\TMS260.bpl
Filesize
6.8MB

MD5
cfc23f3d364bf8b59a33dc4d4a5bcb1a

SHA1
715e2ac0f1eb508403832911173a77152d9f7769

SHA256
f56d93cae6ab0395c71ef51e9df0c5ca5af6859ae19383b3fc390a22f68db1e2

SHA512
90988f5cc1d30761e3e39aceb826b1c48be0fd8f984b893fcd7d1bd1e9a0350582d062866049d1903634c79f35cb5a0ea040a182f728c8dda1e934ebc272bcfd

Download Submit
C:\Program Files\thinkstep\GaBi Education\Unidac260.bpl
Filesize
2.8MB

MD5
231d72aeaf281a8b06b2901bf62572cb

SHA1
c13f333436f5825d37328a340af5eeb8cd36444d

SHA256
bbc2832769e85bf24ce51e5b5ac6f047e138420f9b63ac751ba8857f4f12eecb

SHA512
0c2426c023ec3b2e5f48d618c74465aa332a900d09f48c64a3d2d9a1a1933bb377ccdcab2a7756af62b0022916bc8b39475493a44e16363e67292447945014e3

Download Submit
C:\Program Files\thinkstep\GaBi Education\VclSmp260.bpl
Filesize
135KB

MD5
bb8d616b08ef9d1651407e919520036f

SHA1
31e7bfc45adf4b1ccf5f6fabe15872152e7e99bf

SHA256
db14a4f2aef83e4f1c47d3e6ebddf1bf8546f1348402835fb88e3987d3e632f9

SHA512
6be4bbf3aaf0f426c7ac865823ccbad43f68d41823ed2733ab37184b4340930437f292715403d2698ba25a01a0245d75e608b0e7fa1b3f242a8466c273d190da

Download Submit
C:\Program Files\thinkstep\GaBi Education\WPTools7260.bpl
Filesize
4.8MB

MD5
0e93a5838ad55d6fcc6f7eff0da7c6ee

SHA1
a80b3549f92715ff1c51696e0aaf8fbe6d728c33

SHA256
c345c31b0761a0677d62a862476f0b800ed54d5099f010a7f2b09ce3d6289a4b

SHA512
431cfc539ca42ebadbe8f8f4f346dac3383239c509da4fa566676158181dd901a956d3172480da2353a01634f055ed2aac6eb89173598bab4575b7bb6c0c2a39

Download Submit
C:\Program Files\thinkstep\GaBi Education\WPTools7260.bpl
Filesize
4.8MB

MD5
0e93a5838ad55d6fcc6f7eff0da7c6ee

SHA1
a80b3549f92715ff1c51696e0aaf8fbe6d728c33

SHA256
c345c31b0761a0677d62a862476f0b800ed54d5099f010a7f2b09ce3d6289a4b

SHA512
431cfc539ca42ebadbe8f8f4f346dac3383239c509da4fa566676158181dd901a956d3172480da2353a01634f055ed2aac6eb89173598bab4575b7bb6c0c2a39

Download Submit
C:\Program Files\thinkstep\GaBi Education\dbrtl260.bpl
Filesize
959KB

MD5
c3cdf57660bcf6912efa743e230f2cb5

SHA1
7d4a178fdc768616d0630179f55a109773115abd

SHA256
9403ac7330c852caf8f3fd7ba7e3ac356008d6f6a8f6ac21871442cb67952dec

SHA512
2b6ba1d373069ff21044604ba14308bfdf0241807eb1b731fa4963bcc486d5072bc24a4871ead279f838f955e6f6af28865e2a48d00c0b78938e8385f5c4bfe1

Download Submit
C:\Program Files\thinkstep\GaBi Education\dbrtl260.bpl
Filesize
959KB

MD5
c3cdf57660bcf6912efa743e230f2cb5

SHA1
7d4a178fdc768616d0630179f55a109773115abd

SHA256
9403ac7330c852caf8f3fd7ba7e3ac356008d6f6a8f6ac21871442cb67952dec

SHA512
2b6ba1d373069ff21044604ba14308bfdf0241807eb1b731fa4963bcc486d5072bc24a4871ead279f838f955e6f6af28865e2a48d00c0b78938e8385f5c4bfe1

Download Submit
C:\Program Files\thinkstep\GaBi Education\teechart260.bpl
Filesize
5.6MB

MD5
1ebfe4836ab4ad3d810bba0ff93fc35a

SHA1
50592f7a251f391c2ca9c8df8d80d77cec40fce2

SHA256
3f53cd28e4490fbc494f14d506d293ef7c7648bd0a0761bd2cd7b4b57d0ef3dc

SHA512
2ab044d9769b62453bf246333d4c8079d472bf96f8e59186ae450b4caa9533abe6290c20fbaca6d1182b7242ea80c969656ac47fc39004839bd061b16a1dd6d6

Download Submit
C:\Program Files\thinkstep\GaBi Education\teechart260.bpl
Filesize
5.6MB

MD5
1ebfe4836ab4ad3d810bba0ff93fc35a

SHA1
50592f7a251f391c2ca9c8df8d80d77cec40fce2

SHA256
3f53cd28e4490fbc494f14d506d293ef7c7648bd0a0761bd2cd7b4b57d0ef3dc

SHA512
2ab044d9769b62453bf246333d4c8079d472bf96f8e59186ae450b4caa9533abe6290c20fbaca6d1182b7242ea80c969656ac47fc39004839bd061b16a1dd6d6

Download Submit
C:\Program Files\thinkstep\GaBi Education\tms260.bpl
Filesize
6.8MB

MD5
cfc23f3d364bf8b59a33dc4d4a5bcb1a

SHA1
715e2ac0f1eb508403832911173a77152d9f7769

SHA256
f56d93cae6ab0395c71ef51e9df0c5ca5af6859ae19383b3fc390a22f68db1e2

SHA512
90988f5cc1d30761e3e39aceb826b1c48be0fd8f984b893fcd7d1bd1e9a0350582d062866049d1903634c79f35cb5a0ea040a182f728c8dda1e934ebc272bcfd

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsLearningCenter260.bpl
Filesize
2.8MB

MD5
bcf27cb1a6297fea993fdac09beb12d9

SHA1
bfad2e2d76530e4b789bfb1432f8bca56af5520a

SHA256
4c923a6a73e7ebf525f247561c6f742f310a7b0b55d370394bbf0f8690278deb

SHA512
c3366cc1d4f457779ff6c467e36e96c677783899661e078cbe56792fc6821311ff3a7e60c44de48664b335b5a48359f4d8e877048f6a7e6a27fe8a85b6f01f07

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsLearningCenter260.bpl
Filesize
2.8MB

MD5
bcf27cb1a6297fea993fdac09beb12d9

SHA1
bfad2e2d76530e4b789bfb1432f8bca56af5520a

SHA256
4c923a6a73e7ebf525f247561c6f742f310a7b0b55d370394bbf0f8690278deb

SHA512
c3366cc1d4f457779ff6c467e36e96c677783899661e078cbe56792fc6821311ff3a7e60c44de48664b335b5a48359f4d8e877048f6a7e6a27fe8a85b6f01f07

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsapi260.bpl
Filesize
3.8MB

MD5
5cbdbcd4f92fb21c2b0b9f1fdedacdd7

SHA1
e795ae69c83c8068e8ab65be2000d3bf18b983f6

SHA256
bb728338a926ab24fd91cd16cea65bdfb249dd65006b5c449c6c9f17e3c83c34

SHA512
57b60cd2bd4732786f7d8d62e894557b49512a63d96df5648832edddf9e236a59ed8ef1150968f3b40f5a90cd8692d424d53e11812bc44a40382569ebe5f6f47

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsapi260.bpl
Filesize
3.8MB

MD5
5cbdbcd4f92fb21c2b0b9f1fdedacdd7

SHA1
e795ae69c83c8068e8ab65be2000d3bf18b983f6

SHA256
bb728338a926ab24fd91cd16cea65bdfb249dd65006b5c449c6c9f17e3c83c34

SHA512
57b60cd2bd4732786f7d8d62e894557b49512a63d96df5648832edddf9e236a59ed8ef1150968f3b40f5a90cd8692d424d53e11812bc44a40382569ebe5f6f47

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscontainers260.bpl
Filesize
2.9MB

MD5
1ccd50a290a7950663233ad6c72b3980

SHA1
e5175056f661db7ca2a301ff66724a9c461d1364

SHA256
a91c6490e9fac99f02032a17ada1a848ebdadaf65925e7fbe1eb26e9534a8892

SHA512
64b874d4fcff38aa30f5131be3af6f270ca8a3a34c6e46232a17b98245bd8a4d89e68a69fdc8b40d42d65f350b15fae9443ff2b4353c25c72163f775ae0984e1

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscontainers260.bpl
Filesize
2.9MB

MD5
1ccd50a290a7950663233ad6c72b3980

SHA1
e5175056f661db7ca2a301ff66724a9c461d1364

SHA256
a91c6490e9fac99f02032a17ada1a848ebdadaf65925e7fbe1eb26e9534a8892

SHA512
64b874d4fcff38aa30f5131be3af6f270ca8a3a34c6e46232a17b98245bd8a4d89e68a69fdc8b40d42d65f350b15fae9443ff2b4353c25c72163f775ae0984e1

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsconverter260.bpl
Filesize
3.6MB

MD5
68593185a49d17d888943c9bbc0dc4d1

SHA1
c69c734d11454904a29a791a7475897ef3c22203

SHA256
3d685b0f7a8df2b4a39ed1a8a03ee21ca5b8589d11dbb6b5fee4cd243a2b8e0c

SHA512
4a28cab1e665f9b6c0ff4ab766ccaa5472734d0f44b33b98a2c9738ae32c6d1c5f3f5c1620133d4ebdb4bafc2530efad12e9921eb02943236ed64958848741cd

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsconverter260.bpl
Filesize
3.6MB

MD5
68593185a49d17d888943c9bbc0dc4d1

SHA1
c69c734d11454904a29a791a7475897ef3c22203

SHA256
3d685b0f7a8df2b4a39ed1a8a03ee21ca5b8589d11dbb6b5fee4cd243a2b8e0c

SHA512
4a28cab1e665f9b6c0ff4ab766ccaa5472734d0f44b33b98a2c9738ae32c6d1c5f3f5c1620133d4ebdb4bafc2530efad12e9921eb02943236ed64958848741cd

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscore260.bpl
Filesize
6.4MB

MD5
3d1e46f80466cdbc9a3fbb6597c87089

SHA1
440ed51cbfd55fb8ced89657d7e5fde4718d70ef

SHA256
839a8c0c14a469890c16981fb34603da0d0f497d8e46bade2d67354ca19fa44e

SHA512
44f8ffcf87258da2b4698b99caadd370c61c6658bda67ae5ea9b9c5ca63b8f81a02c813b70c3bdccee6b559ca999fbc4d9392c02acda7471aadc6767f259c96d

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscore260.bpl
Filesize
6.4MB

MD5
3d1e46f80466cdbc9a3fbb6597c87089

SHA1
440ed51cbfd55fb8ced89657d7e5fde4718d70ef

SHA256
839a8c0c14a469890c16981fb34603da0d0f497d8e46bade2d67354ca19fa44e

SHA512
44f8ffcf87258da2b4698b99caadd370c61c6658bda67ae5ea9b9c5ca63b8f81a02c813b70c3bdccee6b559ca999fbc4d9392c02acda7471aadc6767f259c96d

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscoreapi260.bpl
Filesize
2.0MB

MD5
8472284ea3e228e8b63f017ec8d9c89a

SHA1
7f4126aa75386022fcf25a95527cccd82130cf80

SHA256
fb37988b1eebb25d3a33de7389236ce37ee2f04c8a673f173550a3c07b8a8350

SHA512
0eee5655643f462a11d227b1e42b55c45b76bb99419d052240cf2d0bb75646034eb4b4661bc720684a905a6aff592269fe31be4316fb0b379e9366a0eb2055dd

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscoreapi260.bpl
Filesize
2.0MB

MD5
8472284ea3e228e8b63f017ec8d9c89a

SHA1
7f4126aa75386022fcf25a95527cccd82130cf80

SHA256
fb37988b1eebb25d3a33de7389236ce37ee2f04c8a673f173550a3c07b8a8350

SHA512
0eee5655643f462a11d227b1e42b55c45b76bb99419d052240cf2d0bb75646034eb4b4661bc720684a905a6aff592269fe31be4316fb0b379e9366a0eb2055dd

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscoreui260.bpl
Filesize
5.3MB

MD5
9aa7d2637f546f080d7a97426bcf9ede

SHA1
dadb35d58ba3d1e62eba3fdb8f7824f5f31f3bd6

SHA256
354299935d7f85d998e46e53558488815745fbfb49bf2c9b1bccf92437e2f2a9

SHA512
7e69c2bdb203a1f69a26bbc4aaaec8f10b9b0ea430f20a59bedbfe85ef95c4f9aff11a045a6b0aab2058e8e0ee8e39963a4680c697ecd3254e6643f559092254

Download Submit
C:\Program Files\thinkstep\GaBi Education\tscoreui260.bpl
Filesize
5.3MB

MD5
9aa7d2637f546f080d7a97426bcf9ede

SHA1
dadb35d58ba3d1e62eba3fdb8f7824f5f31f3bd6

SHA256
354299935d7f85d998e46e53558488815745fbfb49bf2c9b1bccf92437e2f2a9

SHA512
7e69c2bdb203a1f69a26bbc4aaaec8f10b9b0ea430f20a59bedbfe85ef95c4f9aff11a045a6b0aab2058e8e0ee8e39963a4680c697ecd3254e6643f559092254

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsdb260.bpl
Filesize
4.9MB

MD5
ac40793c70f3d625758a807cccbdf873

SHA1
c57aba4262e5179c3a1f8209979462bca46b1b3b

SHA256
61838c607f3174bf1b88de2c0207e35f8a033758a17579e3fff16e8de3158488

SHA512
6cf7b670bc35b4f7b11c7689f3fe23d914f5f2e27e788ed7260fb54fd9c4539f945623cc543d523e7fd200fe70bf73b7bdbf022efae1ad83a27d21aedbbb1468

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsdb260.bpl
Filesize
4.9MB

MD5
ac40793c70f3d625758a807cccbdf873

SHA1
c57aba4262e5179c3a1f8209979462bca46b1b3b

SHA256
61838c607f3174bf1b88de2c0207e35f8a033758a17579e3fff16e8de3158488

SHA512
6cf7b670bc35b4f7b11c7689f3fe23d914f5f2e27e788ed7260fb54fd9c4539f945623cc543d523e7fd200fe70bf73b7bdbf022efae1ad83a27d21aedbbb1468

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsexception260.bpl
Filesize
3.0MB

MD5
33b29f862c7e3ff4e122dd5dbcfd369a

SHA1
57f28b50145b48a546add592c2e72a8a14bbc0b6

SHA256
f4066820472f49416e4164c4a3543d67544d0b9c1576707508209a6ff9f486d9

SHA512
7b3da9a308f9dd92aae40d26f8f636095fde0cb4e0198f41644afa9f6e22cef5ca8030c7bc47f1e7fe151eb2d03d6fc8f212abe682b282d73b919be0d90960e6

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsexception260.bpl
Filesize
3.0MB

MD5
33b29f862c7e3ff4e122dd5dbcfd369a

SHA1
57f28b50145b48a546add592c2e72a8a14bbc0b6

SHA256
f4066820472f49416e4164c4a3543d67544d0b9c1576707508209a6ff9f486d9

SHA512
7b3da9a308f9dd92aae40d26f8f636095fde0cb4e0198f41644afa9f6e22cef5ca8030c7bc47f1e7fe151eb2d03d6fc8f212abe682b282d73b919be0d90960e6

Download Submit
C:\Program Files\thinkstep\GaBi Education\tslanguage260.bpl
Filesize
3.4MB

MD5
105c17f9a71a6a0f3332eb453465a709

SHA1
6a32da9558e4f1203235133e249f3228063ab815

SHA256
effda10c044a29df49483622ba685ceb968b214ea7ffd4cb20c22dea7fec0dc8

SHA512
4a0e8f502a74d5de7aafd3b710ef43102f9c92a2428b112b770c5201867a3f5f0d2360c1c9ca96b8b6f12cf156392df7c075b7b99a92e03a8f3701d8e47e766e

Download Submit
C:\Program Files\thinkstep\GaBi Education\tslanguage260.bpl
Filesize
3.4MB

MD5
105c17f9a71a6a0f3332eb453465a709

SHA1
6a32da9558e4f1203235133e249f3228063ab815

SHA256
effda10c044a29df49483622ba685ceb968b214ea7ffd4cb20c22dea7fec0dc8

SHA512
4a0e8f502a74d5de7aafd3b710ef43102f9c92a2428b112b770c5201867a3f5f0d2360c1c9ca96b8b6f12cf156392df7c075b7b99a92e03a8f3701d8e47e766e

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsmath260.bpl
Filesize
140KB

MD5
f82c397b03159e05810c0f5e0fdd57a3

SHA1
62111ec3ba6038cb40f968a515e97554e3b2462f

SHA256
fafe86d5b99c26ff12fbd1fa12adfa847c1273485862d2dfc01ff9ac56518771

SHA512
5953a288c61e38a88b9e159849599b4157ad92d7f0fdb13e1fcc4a7f9d4ac1f8c68448bb59d3cbf72e69bb53c363c41c62a6cfe1af89a95c24c2dbdb42b4c73c

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsmodel260.bpl
Filesize
3.1MB

MD5
4e61c9d2efe3880e2e6a62b4ea2e3f26

SHA1
0c0d0b311ba5341d9d0d866d6d2412a585b9b0e4

SHA256
f40d36104d85674943f20a80501ea196a072bb0c078359995149e6cffbaec7f1

SHA512
ce8046c0c983488f039b1a2e6ff6a17f10148f9f17bf765447969d1748ed1fb71a36650da15cc76f357224f89d83de18bab97d275471d6882464d03106382831

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsmodel260.bpl
Filesize
3.1MB

MD5
4e61c9d2efe3880e2e6a62b4ea2e3f26

SHA1
0c0d0b311ba5341d9d0d866d6d2412a585b9b0e4

SHA256
f40d36104d85674943f20a80501ea196a072bb0c078359995149e6cffbaec7f1

SHA512
ce8046c0c983488f039b1a2e6ff6a17f10148f9f17bf765447969d1748ed1fb71a36650da15cc76f357224f89d83de18bab97d275471d6882464d03106382831

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsportal260.bpl
Filesize
3.1MB

MD5
a05d20671ec971a0620d63fb913fe116

SHA1
8dda53f348e72332eeeec5aef924ca3f6440e527

SHA256
ca8ee0915a2ebb12f900bac4a41ac88816d5054f3a78d2352cf97b52b21f90de

SHA512
52f952b75aaba4455782a4c9ff3390367de2e1050009f9482d3f354089c4f73bceed72a1f908be49401f4be4d322199edf44e584a904c80711b0a4dc879f3b9f

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsportal260.bpl
Filesize
3.1MB

MD5
a05d20671ec971a0620d63fb913fe116

SHA1
8dda53f348e72332eeeec5aef924ca3f6440e527

SHA256
ca8ee0915a2ebb12f900bac4a41ac88816d5054f3a78d2352cf97b52b21f90de

SHA512
52f952b75aaba4455782a4c9ff3390367de2e1050009f9482d3f354089c4f73bceed72a1f908be49401f4be4d322199edf44e584a904c80711b0a4dc879f3b9f

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsui260.bpl
Filesize
4.5MB

MD5
a6a10a94f9be15df67e747b443b939cf

SHA1
163515045c9cdbb29297e8f613e9a97f1ff8978e

SHA256
04feeb7ac5ef9c5e186aaf9fbde04962afe7e895dc5dd577bacf4298d0116b71

SHA512
83e105dc25b1c4e1c3fad92fca4555a96d0e3be439132f2790f2462bb55401532bd79d3cc97ce915d967f96f13b0dcbec023eca8328b02b895bd3c6105aac22b

Download Submit
C:\Program Files\thinkstep\GaBi Education\tsui260.bpl
Filesize
4.5MB

MD5
a6a10a94f9be15df67e747b443b939cf

SHA1
163515045c9cdbb29297e8f613e9a97f1ff8978e

SHA256
04feeb7ac5ef9c5e186aaf9fbde04962afe7e895dc5dd577bacf4298d0116b71

SHA512
83e105dc25b1c4e1c3fad92fca4555a96d0e3be439132f2790f2462bb55401532bd79d3cc97ce915d967f96f13b0dcbec023eca8328b02b895bd3c6105aac22b

Download Submit
C:\Program Files\thinkstep\GaBi Education\unidac260.bpl
Filesize
2.8MB

MD5
231d72aeaf281a8b06b2901bf62572cb

SHA1
c13f333436f5825d37328a340af5eeb8cd36444d

SHA256
bbc2832769e85bf24ce51e5b5ac6f047e138420f9b63ac751ba8857f4f12eecb

SHA512
0c2426c023ec3b2e5f48d618c74465aa332a900d09f48c64a3d2d9a1a1933bb377ccdcab2a7756af62b0022916bc8b39475493a44e16363e67292447945014e3

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclactnband260.bpl
Filesize
641KB

MD5
9a509d8c1535e2938ac9ff10554950b4

SHA1
7d06812bc6e23cc230e8a085981f82c38591e6b2

SHA256
d5237dcfedea6d9511f336f4fec741c6dcda5a641dd8ba113d7f721dbe64f65d

SHA512
c621a16a7e335092d6d547081faf0768c02e96a8769fd773f4c0cfedee63f0ea67e12c2837b63d3ff7dc2ed6ca76ed79d9c89c63cc5520bbfb7b66972eec4ca9

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclactnband260.bpl
Filesize
641KB

MD5
9a509d8c1535e2938ac9ff10554950b4

SHA1
7d06812bc6e23cc230e8a085981f82c38591e6b2

SHA256
d5237dcfedea6d9511f336f4fec741c6dcda5a641dd8ba113d7f721dbe64f65d

SHA512
c621a16a7e335092d6d547081faf0768c02e96a8769fd773f4c0cfedee63f0ea67e12c2837b63d3ff7dc2ed6ca76ed79d9c89c63cc5520bbfb7b66972eec4ca9

Download Submit
C:\Program Files\thinkstep\GaBi Education\vcldb260.bpl
Filesize
548KB

MD5
f06b6330616b8f2df6d98449b3c7374f

SHA1
a2db47783954d312afd34b60c760e866d9c36c07

SHA256
3ce0b426e7d021ac5267e70bca79ff7ec3f11d27014baf98a735c7859bd7be5f

SHA512
b8c7b9a9160b3d488ab3882dab1ad4e600b8e03e3f791fffce5687d7133b8f147489f7bd3efc9f81219e0d7d06016e795aecbfd49eb059f3c790ec1cca06b9d5

Download Submit
C:\Program Files\thinkstep\GaBi Education\vcldb260.bpl
Filesize
548KB

MD5
f06b6330616b8f2df6d98449b3c7374f

SHA1
a2db47783954d312afd34b60c760e866d9c36c07

SHA256
3ce0b426e7d021ac5267e70bca79ff7ec3f11d27014baf98a735c7859bd7be5f

SHA512
b8c7b9a9160b3d488ab3882dab1ad4e600b8e03e3f791fffce5687d7133b8f147489f7bd3efc9f81219e0d7d06016e795aecbfd49eb059f3c790ec1cca06b9d5

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclimg260.bpl
Filesize
500KB

MD5
c0a07381b85ab8fe2fed89c0742e9480

SHA1
34edeb50e184a20a206526f5cc1aeb1befe46345

SHA256
e981680df6656bc69458cd099bff5f941cfd4fb96737a0951089141bd3e46fb9

SHA512
3ac320ae898d9390c7a7fbc42a5945582f9329c1bc9c9da80d4a2df6e29e1c7bbb5bf861f740bc54b973ec797e324e615717728b14f8b61b2a70f1c321cf9afb

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclimg260.bpl
Filesize
500KB

MD5
c0a07381b85ab8fe2fed89c0742e9480

SHA1
34edeb50e184a20a206526f5cc1aeb1befe46345

SHA256
e981680df6656bc69458cd099bff5f941cfd4fb96737a0951089141bd3e46fb9

SHA512
3ac320ae898d9390c7a7fbc42a5945582f9329c1bc9c9da80d4a2df6e29e1c7bbb5bf861f740bc54b973ec797e324e615717728b14f8b61b2a70f1c321cf9afb

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclsmp260.bpl
Filesize
135KB

MD5
bb8d616b08ef9d1651407e919520036f

SHA1
31e7bfc45adf4b1ccf5f6fabe15872152e7e99bf

SHA256
db14a4f2aef83e4f1c47d3e6ebddf1bf8546f1348402835fb88e3987d3e632f9

SHA512
6be4bbf3aaf0f426c7ac865823ccbad43f68d41823ed2733ab37184b4340930437f292715403d2698ba25a01a0245d75e608b0e7fa1b3f242a8466c273d190da

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclx260.bpl
Filesize
370KB

MD5
dacdf2cfcdb3938f4c232e97dfa33028

SHA1
ac371cd53ccb659ef2551c3d6455f42221a7ebae

SHA256
3a0a577b29268a0e650148cbfff527b9ad71f206ca0b81fa23c788bb2091aa8a

SHA512
fd765123e67afd685d0f296d965886ee18ca0f73fb713d7fe6fa28240118d156a1c267adfbfc0a61d6b14c951ad0346b2d353d13122158ad1ead6efa6ccc8aa6

Download Submit
C:\Program Files\thinkstep\GaBi Education\vclx260.bpl
Filesize
370KB

MD5
dacdf2cfcdb3938f4c232e97dfa33028

SHA1
ac371cd53ccb659ef2551c3d6455f42221a7ebae

SHA256
3a0a577b29268a0e650148cbfff527b9ad71f206ca0b81fa23c788bb2091aa8a

SHA512
fd765123e67afd685d0f296d965886ee18ca0f73fb713d7fe6fa28240118d156a1c267adfbfc0a61d6b14c951ad0346b2d353d13122158ad1ead6efa6ccc8aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TPJS.tmp\GaBiEducation9.2.1.68_desktop.tmp
Filesize
1.2MB

MD5
8e00f5d2367b574168769331de87ba8c

SHA1
4c7c2e4a4f6e1777782662afe491e9e7566e0fe0

SHA256
571536b4ca6f2ec3e142e52748ce0ee163ea4d365e1e4c6facc2220878e413b8

SHA512
93d0c2f0a23a9f12716272e75d142114c2e3befaad034501a411ced16b0d95cd6e330154f671438c54f00c2cb95ec4c52bf28b59c66bd407c593726aad19596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TPJS.tmp\GaBiEducation9.2.1.68_desktop.tmp
Filesize
1.2MB

MD5
8e00f5d2367b574168769331de87ba8c

SHA1
4c7c2e4a4f6e1777782662afe491e9e7566e0fe0

SHA256
571536b4ca6f2ec3e142e52748ce0ee163ea4d365e1e4c6facc2220878e413b8

SHA512
93d0c2f0a23a9f12716272e75d142114c2e3befaad034501a411ced16b0d95cd6e330154f671438c54f00c2cb95ec4c52bf28b59c66bd407c593726aad19596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AFSS2.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
526426126ae5d326d0a24706c77d8c5c

SHA1
68baec323767c122f74a269d3aa6d49eb26903db

SHA256
b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1

SHA512
a2d824fb08bf0b2b2cc0b5e4af8b13d5bc752ea0d195c6d40fd72aec05360a3569eade1749bdac81cfb075112d0d3cd030d40f629daf7abcc243f9d8dca8bfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AFSS2.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
526426126ae5d326d0a24706c77d8c5c

SHA1
68baec323767c122f74a269d3aa6d49eb26903db

SHA256
b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1

SHA512
a2d824fb08bf0b2b2cc0b5e4af8b13d5bc752ea0d195c6d40fd72aec05360a3569eade1749bdac81cfb075112d0d3cd030d40f629daf7abcc243f9d8dca8bfbe

Download Submit
memory/204-232-0x0000000010E80000-0x0000000010FA0000-memory.dmp

Filesize
1.1MB

Download
memory/204-226-0x0000000000000000-mapping.dmp

Download
memory/1308-134-0x0000000000000000-mapping.dmp

Download
memory/1680-219-0x0000000000000000-mapping.dmp

Download
memory/2304-220-0x0000000000000000-mapping.dmp

Download
memory/2304-221-0x0000000002680000-0x0000000002D88000-memory.dmp

Filesize
7.0MB

Download
memory/2304-223-0x0000000002681000-0x0000000002A8D000-memory.dmp

Filesize
4.0MB

Download
memory/2304-224-0x0000000002681000-0x0000000002A8D000-memory.dmp

Filesize
4.0MB

Download
memory/2308-205-0x000000000B7A1000-0x000000000BB5D000-memory.dmp

Filesize
3.7MB

Download
memory/2308-206-0x000000000B7A1000-0x000000000BB5D000-memory.dmp

Filesize
3.7MB

Download
memory/2308-207-0x0000000010F60000-0x0000000011080000-memory.dmp

Filesize
1.1MB

Download
memory/2308-208-0x000000000B7A1000-0x000000000BB5D000-memory.dmp

Filesize
3.7MB

Download
memory/2308-209-0x0000000009DE1000-0x000000000A790000-memory.dmp

Filesize
9.7MB

Download
memory/2308-204-0x0000000009DE1000-0x000000000A790000-memory.dmp

Filesize
9.7MB

Download
memory/2308-203-0x0000000009DE1000-0x000000000A790000-memory.dmp

Filesize
9.7MB

Download
memory/2308-202-0x0000000009DE0000-0x000000000AE0F000-memory.dmp

Filesize
16.2MB

Download
memory/2308-141-0x0000000000000000-mapping.dmp

Download
memory/2392-211-0x000000000A0F0000-0x000000000B11F000-memory.dmp

Filesize
16.2MB

Download
memory/2392-215-0x000000000B791000-0x000000000BB4D000-memory.dmp

Filesize
3.7MB

Download
memory/2392-216-0x0000000011120000-0x0000000011240000-memory.dmp

Filesize
1.1MB

Download
memory/2392-217-0x000000000B791000-0x000000000BB4D000-memory.dmp

Filesize
3.7MB

Download
memory/2392-218-0x000000000A0F1000-0x000000000AAA0000-memory.dmp

Filesize
9.7MB

Download
memory/2392-214-0x000000000B791000-0x000000000BB4D000-memory.dmp

Filesize
3.7MB

Download
memory/2392-213-0x000000000A0F1000-0x000000000AAA0000-memory.dmp

Filesize
9.7MB

Download
memory/2392-212-0x000000000A0F1000-0x000000000AAA0000-memory.dmp

Filesize
9.7MB

Download
memory/2392-210-0x0000000000000000-mapping.dmp

Download
memory/3100-235-0x0000000000000000-mapping.dmp

Download
memory/3808-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3808-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4460-138-0x0000000000000000-mapping.dmp

Download

pid	process
1308	GaBiEducation9.2.1.68_desktop.tmp
4460	_setup64.tmp
2308	GaBi.exe
2392	GaBi.exe
204	GaBi.exe
3100	LicProtector500.exe