babadeda | 5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd

Analysis

max time kernel
92s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2022, 08:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe
Size

15.6MB
MD5

2b0b6f7adb2c4f30a25aa73f19eb69de
SHA1

6856ec4a84ba879e8118bbe8fd89237f12977a7e
SHA256

5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd
SHA512

4018b7127fe13b8f4ccfd4ad5ac842e4e56e2f4c8637cdaca34b614106724ba24c57d572e11643b89265cfbed128016edf60c0b823224d45004c82585e473b62
SSDEEP

393216:WiYKzJ17sYSuDHiW6NEhlYsZF07VmkNAPSEMSaYSwpCAIe:rVBFJD2olYsT0V3Nk/azC

Score

10^/10

babadeda collection crypter discovery loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x0001000000022e22-150.dat	family_babadeda
behavioral1/memory/4436-163-0x0000000006800000-0x0000000006840000-memory.dmp	family_babadeda

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	312	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4436	text.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe

Loads dropped DLL 12 IoCs

pid	Process
2620	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe
2620	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
4436	text.exe
312	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	text.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	text.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3772	312	WerFault.exe	83

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	text.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	text.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	text.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	text.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	text.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
312	rundll32.exe
312	rundll32.exe
312	rundll32.exe
312	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	text.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4436	2620	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe	82
PID 2620 wrote to memory of 4436	2620	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe	82
PID 2620 wrote to memory of 4436	2620	5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe	82
PID 4436 wrote to memory of 312	4436	text.exe	83
PID 4436 wrote to memory of 312	4436	text.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe
"C:\Users\Admin\AppData\Local\Temp\5d270c5f31a22248cc088654d6ea6f293d000e3780ed1d0e180ea005b6e120bd.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\Text Productivity Tools\text.exe
  "C:\Users\Admin\AppData\Roaming\Text Productivity Tools\text.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\rundll32.exe
    "C:\Users\Admin\AppData\Roaming\nsis_unse570918.dll",PrintUIEntry |5CQkOhiAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBTIhAGT|AEcAdQBtAE||AHEATABaADT6OQJlLQJZSIPsKP|oBAIAAEiDxP8ow8zMzEyJRP8kGEiJVCQQSO+JTCQIWQFIi0S|JDBIiQQkfQE4|UhrAAhIx0QkEPYtAesOfQEQSIPAdQGLARB9AUBIOZIA+3MlmwOLDCRIA3|ISIvBSItMpwH9VHcAA9FIi8qK3wmICOvBYgVlSO+LBCVg8|AzyUj|i1AYSDvRdDb|SIPCIEiLAkj|O8J0KmaDeEj|GHUaTItAUGa|QYM4a3QHDRFL+3UIDRB4EC50Bf9IiwDr1UiLSPr5AMFmAEBTVVZX|0FUQVVBVkFX|lkBZoE5TVpNi||4TIvySIvZD|uF|PPwTGNJPEH|gTwJUEUAAA|7herz8EGLhAmI|vPwhcBIjTwBD3uE1mYRg7wJjC0B9w+Ex|PwRItnIP9Ei18ci3ckRP+LTxhMA+FMA||ZSAPxM8lFhe|JD4Sk8|BNi8T|QYsQRTPSSAP|04oChMB0HUG|wcoND77A9gAB90QD0LsRdexBgf|6qvwNfHQOg||BAUmDwARBO||Jc2nrxovBD|+3DE5FiyyLTL8D63RYM+2mEHTvUUGLFL0A0zPJ|4oCTIvC6w|B7cnEEQPI4RABQYr9ANEQ7TPAM|ZB5zsMttwQogCDxgH|g|gIcu7rCkj|i8tB|9VJiQT394PF4BDEBDtv9xhyr2IBQV9BXv9BXUFcX15dW74vF0iB7GABYACL|+noZv7||0iFb8APhJlxIEyNqwF9iycQyDP|6Jt5IP+NXwRMjUVCM3|Si8v|VCRofCC|TIvgD4RscSBF3qQQM8CL040gSInXfCQgoiBwfCBIi8|wD4RMcSCiIFBI|41WCESNR0BI942MJIERSIvY6Lt8|XogjVZI2iAQ2t4hzPPw6GfrIESLTwaNVwg9IKIgWMYhr4mEJICDEt3z8Is9DtYgWImMJG0RAzD2jSDoMesgTItdOruLrCkySIucFjJM|4lkJDhEjWds70k77EiGIDBMid1cgAGEJNyDEYaO9OMh3yDwrBNIi9Po2+f8ATCKnHMySI39hHMyQYDzIUmL78xEMBigAoPpAe9184G8czIhUmV|eHVKi4Qk9B4x95Qk+PPwA8JIO||ocjVBO9R2MP9EjUlASSvUQdO4AJQAoiBAxiL4dPMXRLQwvjFIjVNsvo0gTSvE6GyAMEj7i86iIHhIhf908xRMjDAXMUiNTCT3QLoD8|D|10iBGcRwIV0kAAA=
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
    PID:312
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 312 -s 312
      4⤵
      Program crash
      PID:3772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 312 -ip 312
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pb6F465A3C\PB3Dll.dll

Filesize
202KB

MD5
142bc2bb269b896cc0f11f9021dcbc52

SHA1
75b09b25f8f6b3b0fc94fcdcc61d932f303ac418

SHA256
5da7da9abb77790ddbb87d86b9ea4b01a4f375035827e30fa879dab8c2a737db

SHA512
150ffd4e66ee126912c6a5071bec750e4b5e603af9cc79b26c63e482f7d5d0aafcae1c995f10b60ba2da138effb19c668e1515f35db3b8b7a508ef34f59d134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb6F465A3C\PBCore.dll

Filesize
472KB

MD5
016a5d74b1e5a4625bf1ad1aac6bfb68

SHA1
1a4247c53e1472e2199c12e46389ac0df172bc19

SHA256
d43cb6a64b707d13ac99936e71c6be436c32a76506ed1fe462e2f9249722d487

SHA512
f635d56caf1d50e6ad8c5074d0840cdb127380898f5e63b53c0eda1a7230012e4ba622d3639d6ef72bde1250c500fc798b5ef90ff07b53f1eb3343034fb6f3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\HunspellX86.dll

Filesize
437KB

MD5
a8d72f9e1e75420cea790ebb071a3810

SHA1
ba6ab45d2b14cb43bfd952aca642e071ff4784e9

SHA256
c0cd8aab3a4b3f9ca22378c79ccb012875d3b717ca5646436193a632164be012

SHA512
21acad06fcf5f95472b893440d12c20a95743271f7341f431f2f0f14b92e3d12c7a91c09228f812cca3a61b7fa413766699b49ffc17197b92acc9f3f5787f7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\Hunspellx86.dll

Filesize
437KB

MD5
a8d72f9e1e75420cea790ebb071a3810

SHA1
ba6ab45d2b14cb43bfd952aca642e071ff4784e9

SHA256
c0cd8aab3a4b3f9ca22378c79ccb012875d3b717ca5646436193a632164be012

SHA512
21acad06fcf5f95472b893440d12c20a95743271f7341f431f2f0f14b92e3d12c7a91c09228f812cca3a61b7fa413766699b49ffc17197b92acc9f3f5787f7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\MSVCP140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\VCRUNTIME140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\dm

Filesize
1.4MB

MD5
86e3cdb4ce5278becd9ebea27e48d3f0

SHA1
44b63d3c58310387ca7e535671c34218ad98c7e0

SHA256
eec35cba92f56bdc5252b2edb3bd8b958ee3cc0ab245d0fe0eb7b7b49f4da46a

SHA512
7debc2c77eb749eb26b455fa6ab465f13c0060393e6eabad72e1cc2a26bf2274dcf061564004c39ed6c4fc460f0b0e10702d1182774d0f3451ca6cba3ed39018

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\extract_help.htm

Filesize
5KB

MD5
2b28b429bad9ecc1be318437a2e4f1ff

SHA1
cf52adfd6760aa6fd4e35b27ba8dc83f68472063

SHA256
fa989ac26c974984a87ed232f86f4404115df81e7816abaee52d5d5fa0ca3b1f

SHA512
606219e30267299f0aa4a6e556913528b743d82bab0d28db769db7db81b1a9a3554792955a3dc032f5cdb6dfd62ee113f33b3a18489c85d6d71c22d7fb857134

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\libminddb.dll

Filesize
13KB

MD5
7e1ad32b95b09b1b3fc5a5bec6d5099a

SHA1
35e2579111a22f861ec5448fc69cdfcbd29fa624

SHA256
1d0e7355da042f27ed046d30853a2b381f2cfe12230afe9977fb6d600577b3fb

SHA512
f5fd5692d17e9d97fa1eee1546e896015a7a6431ef61afb8d186e278789354c44bd48bcfa6d16f2337a1019799eb67361e9e9bea4d0a19cdd66f850b36926420

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\libminddb.dll

Filesize
13KB

MD5
7e1ad32b95b09b1b3fc5a5bec6d5099a

SHA1
35e2579111a22f861ec5448fc69cdfcbd29fa624

SHA256
1d0e7355da042f27ed046d30853a2b381f2cfe12230afe9977fb6d600577b3fb

SHA512
f5fd5692d17e9d97fa1eee1546e896015a7a6431ef61afb8d186e278789354c44bd48bcfa6d16f2337a1019799eb67361e9e9bea4d0a19cdd66f850b36926420

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\libmsagl.dll

Filesize
32KB

MD5
53634bc76f19ea065981ac1b02225df9

SHA1
7d1cb4ae535c30d2443c4b8f14927300c8449839

SHA256
e9053b628bf89440e0ad4874a5c234fe058539f20f9bf02d36c7492fed70857a

SHA512
3b46f34b4d370f44f219f0a404ae1f9a53897ddaabfb7665197dc16b538a13d9ee89af7053fd74998dc38321af8f076759f535d5a855f6ff5212d88704c79d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\libmsagl.dll

Filesize
32KB

MD5
53634bc76f19ea065981ac1b02225df9

SHA1
7d1cb4ae535c30d2443c4b8f14927300c8449839

SHA256
e9053b628bf89440e0ad4874a5c234fe058539f20f9bf02d36c7492fed70857a

SHA512
3b46f34b4d370f44f219f0a404ae1f9a53897ddaabfb7665197dc16b538a13d9ee89af7053fd74998dc38321af8f076759f535d5a855f6ff5212d88704c79d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\libmsagl.dll

Filesize
32KB

MD5
53634bc76f19ea065981ac1b02225df9

SHA1
7d1cb4ae535c30d2443c4b8f14927300c8449839

SHA256
e9053b628bf89440e0ad4874a5c234fe058539f20f9bf02d36c7492fed70857a

SHA512
3b46f34b4d370f44f219f0a404ae1f9a53897ddaabfb7665197dc16b538a13d9ee89af7053fd74998dc38321af8f076759f535d5a855f6ff5212d88704c79d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\license.txt

Filesize
10KB

MD5
f0656f89c18cb41595453ab550ed44fb

SHA1
430bacdbcd2077547dbde66f53624d78c71c4577

SHA256
327dce257228c2a74d8c5c7cb23d7bb338e2e270764ea35cf33c14e570cac981

SHA512
8e468a04fe178398f8e32ce2d77c8530e15310e0bc2df71cb81af175735f58811a733bf8f35d652febb090993fea571385fb193e5317841cfc1e0b6ba2046efe

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\md.dat

Filesize
200KB

MD5
33526dea59ea40b601a61c9ac5bfa93e

SHA1
b7a06b5de9f02f6c584fe5c7b2d7f3056c52f5aa

SHA256
7dfa9316378c0ec79ddbfbf08eaf1f01a86e7e11aa0505adac7112425351419f

SHA512
c65f8e3080c646f19b31b7e986490c76f2e9cb6e7600fa3d1d0fedcdc69e6b33618609ca2313a4c21fa2e7581f4ebdb782133966e0788e99e97c27f95fe67207

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\msvcp140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\msvcp140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\settings.ini

Filesize
102B

MD5
5b9efae16ed24a00cd143caa386017e1

SHA1
fb52e115a189fc3c16cd973473dbeccc588e7b71

SHA256
26c1579b128be6b0ae2fbeebf556ea4f0facb6ec8bf318736b06ee1e06704523

SHA512
738e2ab5f0a08095d8962490eb8535f19dc34070680eb5d975fb6926bb735543353cd7de3c901c15cf14107152e367c8c5650fb131683068d8ebbc030603cc6c

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\text.exe

Filesize
9.6MB

MD5
4e8bbd13922b08c0a0b851b1bce6b2e0

SHA1
4510265de5c1d395b451bcc2c5847ff88292dd7f

SHA256
bcc187bb85d27785ebf14930d1156096076ee89497878b252f277cef5d87915a

SHA512
4ba1810f998f132423f2172cbb154601ba3d705c8fdcabbb25eeec2042ca2e2cacf78ed6d281aad7a1f2caa5e220e9a6b03285b6e7658c078a917c39ab61d7b0

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\unins000.dat

Filesize
12KB

MD5
390f806d9f8c354e90b1c1a4f2a6407b

SHA1
bf3b7162bdf3e3dbff94fdfe5d7ef6fa793f8b26

SHA256
13c0e3080ba7b2d299399d53fe82053719bebdf0c86f14092d89037ce00591f9

SHA512
87c3d007484f18d6126ce7081eaeccebc9a265d8eaf46cdf3039c8b77c8fb921a1a1a24e5f4a1d7a510fb64e7d5ff0b6358356a885108477f772396ee01c9f29

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\unins000.msg

Filesize
22KB

MD5
524800545e00c0806daa96054758d2a1

SHA1
36dbb61f99a5064a4059079b39a26b9bd89db67c

SHA256
45f19302c2cfca8445e1d3a0b34646adae35c05efe5df79e32d451eed8326672

SHA512
92f227567a8ccd09947279fa285efa0abcfafa1fefa33912f8460bb7c17267c3b60795ce8d92c1a1c01da6960c6171a82126deb36c6c6bc4c063717db07dbcae

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\Text Productivity Tools\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse570918.dll

Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse570918.dll

Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
memory/312-171-0x00007FF472130000-0x00007FF47222A000-memory.dmp

Filesize
1000KB

Download
memory/312-170-0x000001F4E56C0000-0x000001F4E56C7000-memory.dmp

Filesize
28KB

Download
memory/312-174-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/312-175-0x00007FF472130000-0x00007FF47222A000-memory.dmp

Filesize
1000KB

Download
memory/4436-164-0x0000000006D30000-0x0000000006D63000-memory.dmp

Filesize
204KB

Download
memory/4436-165-0x000000000693C000-0x0000000006962000-memory.dmp

Filesize
152KB

Download
memory/4436-166-0x0000000005D60000-0x0000000005D7D000-memory.dmp

Filesize
116KB

Download
memory/4436-163-0x0000000006800000-0x0000000006840000-memory.dmp

Filesize
256KB

Download
memory/4436-152-0x0000000006870000-0x000000000692C000-memory.dmp

Filesize
752KB

Download
memory/4436-172-0x0000000006D30000-0x0000000006D63000-memory.dmp

Filesize
204KB

Download
memory/4436-173-0x0000000005D60000-0x0000000005D7D000-memory.dmp

Filesize
116KB

Download