qulab | e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272

Analysis

max time kernel
60s
max time network
45s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe
Size

3.5MB
MD5

40447a9f2376de63982646d8df22fb55
SHA1

958e4c23f9a4387f11165f2534347dbd43010d80
SHA256

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272
SHA512

79350e8b916a404d21911e38578275fdcccef56b363af4a10a16d81a904ee9d53146361e6337576bf68b49e9734e71312285bdf5256e3668b83da1ffa8280017
SSDEEP

49152:qh+ZkldoPK8Yahamthw94PNgX4h0mM8bVZSY886fynFkzOhFYg0NNT+lxkGvfME4:j2cPK8iEC4Pu4M8nBFkGUTJGv0E6

Score

10^/10

qulab discovery evasion spyware stealer upx

Malware Config

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1592 attrib.exe

pid	process
1592	attrib.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll	acprotect
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

KBDRU.module.exe

pid process

1864 KBDRU.module.exe
Loads dropped DLL 4 IoCs

Processes:

KBDRU.exe

pid process

2728 KBDRU.exe
2728 KBDRU.exe
2728 KBDRU.exe
2728 KBDRU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1864	KBDRU.module.exe

pid	process
2728	KBDRU.exe
2728	KBDRU.exe
2728	KBDRU.exe
2728	KBDRU.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll	upx
behavioral1/memory/2728-15-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx
behavioral1/memory/2728-12-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx
behavioral1/memory/2728-23-0x0000000061E00000-0x0000000061ED2000-memory.dmp	upx
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe	upx
behavioral1/memory/1864-129-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1864-140-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipapi.co
10 ipapi.co
Drops file in System32 directory 1 IoCs

Processes:

KBDRU.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ KBDRU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
9	ipapi.co
10	ipapi.co

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	KBDRU.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

KBDRU.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	KBDRU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	KBDRU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	KBDRU.exe

NTFS ADS 3 IoCs

Processes:

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exeKBDRU.exeKBDRU.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\	KBDRU.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\	KBDRU.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

KBDRU.exe

pid process

2728 KBDRU.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe

pid process

2916 e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe

pid	process
2728	KBDRU.exe

pid	process
2916	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

KBDRU.module.exe

description	pid	process
Token: SeRestorePrivilege	1864	KBDRU.module.exe
Token: 35	1864	KBDRU.module.exe
Token: SeSecurityPrivilege	1864	KBDRU.module.exe
Token: SeSecurityPrivilege	1864	KBDRU.module.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exewmplayer.exeKBDRU.exetaskeng.exe

description	pid	process	target process
PID 2916 wrote to memory of 2728	2916	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe	KBDRU.exe
PID 2916 wrote to memory of 2728	2916	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe	KBDRU.exe
PID 2916 wrote to memory of 2728	2916	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe	KBDRU.exe
PID 2916 wrote to memory of 2728	2916	e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe	KBDRU.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2608 wrote to memory of 2816	2608	wmplayer.exe	setup_wm.exe
PID 2728 wrote to memory of 1864	2728	KBDRU.exe	KBDRU.module.exe
PID 2728 wrote to memory of 1864	2728	KBDRU.exe	KBDRU.module.exe
PID 2728 wrote to memory of 1864	2728	KBDRU.exe	KBDRU.module.exe
PID 2728 wrote to memory of 1864	2728	KBDRU.exe	KBDRU.module.exe
PID 2728 wrote to memory of 1444	2728	KBDRU.exe	KBDRU.exe
PID 2728 wrote to memory of 1444	2728	KBDRU.exe	KBDRU.exe
PID 2728 wrote to memory of 1444	2728	KBDRU.exe	KBDRU.exe
PID 2728 wrote to memory of 1444	2728	KBDRU.exe	KBDRU.exe
PID 2728 wrote to memory of 1592	2728	KBDRU.exe	attrib.exe
PID 2728 wrote to memory of 1592	2728	KBDRU.exe	attrib.exe
PID 2728 wrote to memory of 1592	2728	KBDRU.exe	attrib.exe
PID 2728 wrote to memory of 1592	2728	KBDRU.exe	attrib.exe
PID 344 wrote to memory of 1496	344	taskeng.exe	KBDRU.exe
PID 344 wrote to memory of 1496	344	taskeng.exe	KBDRU.exe
PID 344 wrote to memory of 1496	344	taskeng.exe	KBDRU.exe
PID 344 wrote to memory of 1496	344	taskeng.exe	KBDRU.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1592 attrib.exe

pid	process
1592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe
"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
2⤵
- Loads dropped DLL
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_c\ENU_687FE97D938BC13E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_c\ABC\*"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_c"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1592

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
3⤵
- NTFS ADS
PID:1444

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
2⤵
PID:2816

C:\Windows\system32\taskeng.exe
taskeng.exe {A99A2F44-A7F3-46DC-9794-00F80EE246F9} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
2⤵
- Drops file in System32 directory
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB752.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB764.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp21207.WMC\allservices.xml
Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24873.WMC\serviceinfo.xml
Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nkjuvne.tmp
Filesize
1.6MB

MD5
25b37a8c6bce274745637bb21baa6b19

SHA1
0271fd093538e6d0b389e4a964449e12853ddf8a

SHA256
d6025a365fcc03c6b5f1f20e08fc8ecc327e385a5821ceeddb60df8c700c0b45

SHA512
340967484a3b250b4c377caed3cf51a7d63b4e1e362c1b2732d7265974995054be921712013a5d10c3972fa4ecf448a51802f186b0d796a78f61532f90357c19

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\CompressConvertFrom.doc
Filesize
174KB

MD5
22841a4f150ce0cf52cc8fc5533bdef3

SHA1
186a350c4c02d9ec63755c5458b93587bbb33a20

SHA256
ed13b13789541e09077b86bebb4e6da5e6b10a6e5183d436d2c6659d87794208

SHA512
404b0fb201f2c2cab7a788553733bd5d9a578b54cd9f37140ca6fee2d30c27250e92204fdae5e328523642745918cba022eb3b9a7618c46aa9b32872e75e0894

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\UnprotectSplit.pdf
Filesize
163KB

MD5
e41954c60361dc946b9184651b9ab327

SHA1
98115f7bb35f3d2599a6dc80d608ea6c5b61b36f

SHA256
fd0de2c88dddb7ef730afadf704071e4c5841485cd6f4164303f0ebd6d361225

SHA512
374c015369dd364417310067051551ce1c5b60f865d13743456d37fe4cab8c6884a6ce99708b1a3ce7fa8f22df545521cfaeb4c4c90882f92025bd29a9adfd64

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Information.txt
Filesize
3KB

MD5
67a45e7be3799e3d965346bf7887517c

SHA1
4dbd387ea8aecdd14307a25086fd0cc3217b96e0

SHA256
cc056ca0811e451439edb18340abd4d6904dad5bb39db54e4d118ad01140c0de

SHA512
7560f6ef5c41e075c215792550cc34f9cd30953d99f35b9fc8f4737788dcc47929fdbd3088b99a7487b99db07f61f4a5c894eb6a9484c24d197062fdbbbf30d8

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Screen.jpg
Filesize
45KB

MD5
5f9d9f79a408922567e5b76ac4505010

SHA1
cf9528521611fde451eedb7316f4cc1949f1222d

SHA256
994b75f31e98f40c0af732d5cc153b20764ef8617ad1fdc4af637e29c79df056

SHA512
483fe1632b7b7869c319bda57eb9240a524f53acbcbc75c25bdcfacadfc799976170d33618688ae98973efa159aa041b2b2b8594a992c1cd38722fd7efe13914

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\E
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe.3
Filesize
197KB

MD5
1f8044b1008b5d23d7bc7aba14f87a7d

SHA1
455987e9bdb83d371ea21b577228ecb3c563cb38

SHA256
3b50d7eba0f50d118c95efd8de04443084a8ca3dcd5a5719df23c87640adb44a

SHA512
a89b2e082625ee3001ec2cb407aaee80effd73232d1ac9ad363f24bee0b8d0e38815e61ea589b02587980fa156216c1507cd425a745528c2ebc604c75bea0885

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll.3
Filesize
360KB

MD5
2b11bd827ac4323b96cf8adcdd8e3d54

SHA1
4a170b694a547f4267e714e0195baa9a32338ba9

SHA256
8e9b45ec752dfdf7f2c86a69ee0bb0e0ea9bc73d0c02276b19121f29974f1dbb

SHA512
15f967cad7815fd71eaf3d86e89a6de3cbc0cb36a5c2cd7793d5ccc4c794f13c45fc74a3b311f89edf86819f72b2994209ab17382ab66e62e526b9d26fb7ee80

Download Submit
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll
Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll
Filesize
185KB

MD5
4c7c71f112a1d4ef7488b71a35f8e26f

SHA1
7c33ac66d703026344ddfc46506e41d4a783f626

SHA256
396c09c6290aeebbf994785e634cf8c8917bf2e5b3da37910db13e5b0a13b40e

SHA512
851effc05279aa6d2048316fe3da1f5a9c2d58c915c74121523baf7385db8f43e1588de543e50fd46e3792fed38e17a6ec9e3ca2cdc288b8d786547396f3dd64

Download Submit
memory/1444-145-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1864-140-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1864-129-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2728-23-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2728-41-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2728-54-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2728-52-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2728-15-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2728-53-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2728-128-0x00000000070B0000-0x000000000712D000-memory.dmp

Filesize
500KB

Download
memory/2728-51-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2728-127-0x00000000070B0000-0x000000000712D000-memory.dmp

Filesize
500KB

Download
memory/2728-42-0x0000000065080000-0x0000000065237000-memory.dmp

Filesize
1.7MB

Download
memory/2728-12-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2728-146-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download