a310logger | 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb1c29f4a8c046e798cd9781cc127a7.exe
Size

876KB
MD5

0bb1c29f4a8c046e798cd9781cc127a7
SHA1

bbad89c8d04b20f63d36014f00ded3818e595a53
SHA256

139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
SHA512

4b439bd85c725f104be24956525a6ae1a16dba28fe254695cbd667933d0cce2225e9a0f934ef17e1f5ef65ac033aa6ed72d016e3bed0bf270dd3d1eef12de63f
SSDEEP

12288:+nkguFRskuUAlWC/44toU73kJiIWK4vV9BrFZsk1q1/1Yah2UKbnltqvTmDcN:0kEkuUAlV46zbk6K6VVZsuSYgF+qvH

Score

10^/10

a310logger blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
@@@@@@

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
behavioral1/memory/2640-55-0x0000000000220000-0x00000000002D2000-memory.dmp	a310logger

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

2640 Fox.exe
Loads dropped DLL 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

2632 0bb1c29f4a8c046e798cd9781cc127a7.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2640	Fox.exe

pid	process
2632	0bb1c29f4a8c046e798cd9781cc127a7.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

description pid process target process

PID 1880 set thread context of 2632 1880 0bb1c29f4a8c046e798cd9781cc127a7.exe 0bb1c29f4a8c046e798cd9781cc127a7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2508 schtasks.exe

description	pid	process	target process
PID 1880 set thread context of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
2508	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0bb1c29f4a8c046e798cd9781cc127a7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0bb1c29f4a8c046e798cd9781cc127a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0bb1c29f4a8c046e798cd9781cc127a7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

2632 0bb1c29f4a8c046e798cd9781cc127a7.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

2632 0bb1c29f4a8c046e798cd9781cc127a7.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

2632 0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
2632	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
2632	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
2632	0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe0bb1c29f4a8c046e798cd9781cc127a7.exe

description	pid	process	target process
PID 1880 wrote to memory of 2508	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 1880 wrote to memory of 2508	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 1880 wrote to memory of 2508	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 1880 wrote to memory of 2508	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 1880 wrote to memory of 2632	1880	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 2632 wrote to memory of 2640	2632	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe
PID 2632 wrote to memory of 2640	2632	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe
PID 2632 wrote to memory of 2640	2632	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe
PID 2632 wrote to memory of 2640	2632	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe

outlook_office_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp"
2⤵
- Creates scheduled task(s)
PID:2508

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
"{path}"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab65B7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6608.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp
Filesize
1KB

MD5
507025585ff4c4532a8ad5126d67e529

SHA1
db826f82d8a0b76deba826f1d06e48bd5d4e8bd9

SHA256
427809fee70d4c78750119481481305030179ac45a020d09bb00c5b7402cfdd7

SHA512
6f710565eb1e81046f904f2d4d5c648b7e198421d1a94ff6f50003d85dda35ad9dad3ddbe4ea60f59530a1282d916203999e26f154928d07f229753a04a3fe53

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\CUE3L4~1.ZIP
Filesize
285KB

MD5
40a9752d59f2883e40d928f85a749008

SHA1
c60fb58eff64a7969b46f3934766f991352eeb47

SHA256
ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

SHA512
ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
Filesize
8.7MB

MD5
d79638c7a82b3efe9951679fc65dcc2c

SHA1
3bea7f043ec7c69121281954be4e66cb2c504f9b

SHA256
819733cca92548f167b5190ee3a8f6f9e1cdeb29e365bbfad15f8d4f4e430c3a

SHA512
a4bfc699d6e56576feb25dec2eb9213030c5aebe79790b828771b7742e0c02c214618d13fae5f7df6dec199843f285b5e831c62d48ce04da7d040361dabcb0c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\AssertSend.xlsx
Filesize
767KB

MD5
e7dfb78025c821c6959902749fed2c1e

SHA1
5f91573212a6801d24919cbbe10361575c11a77d

SHA256
74ca119efde4a8b210138dc83db9182c12d788dc4659e0cd9ec3bbcc63e67345

SHA512
da667417b5898a259a7cd9d67d1d27082062adb2db60431e6eea7180d78a75f38d2663d3cdf9cfba8a410e4721f0ca426563eb1244e5a99a4258664aef4bcd5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ConvertUndo.rtf
Filesize
481KB

MD5
384c89718564ad9f63b4605b2b590624

SHA1
7f6af83eafe3af413e170df621d09cbbc2644de3

SHA256
c5bfd4045e4c0204c49b90bfcc1683b530e40d47f3c32dd9e599bbd716c04ac1

SHA512
854d92cb525b4bad1223de3cc16ada8fc23ce44cdad8ce300aa941524f6c2a180abadc5a11303a64fb5045aa4bd69e48619d736c26f4d446e5985ac7b85510d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DisconnectLimit.docx
Filesize
1.1MB

MD5
8cd7fad9d98a3179f3991286aad65b29

SHA1
9dcb3c53c522c30cd5104dcc4b686af5e20d5193

SHA256
e66f180b0d92e996677139a59bba6b4e2eaa792e61e6d1004413e312a635853f

SHA512
f4983639bc62c0ee07733ca71cf58cdcb16a2fb8da25c8c4fd7018b9ec5d9f80b003f4f488df612787b81c72f8c7cd11c0c52ac34ee411b7409f31b65b67de91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\RepairUpdate.pdf
Filesize
804KB

MD5
88626ef70b4740946160ae6207170bb0

SHA1
b0614df776697c653d515174698b696149c523df

SHA256
928144009f5818d0c04407469d3cf5405f7b13b8b7d843abf95016187b0efd2c

SHA512
f936c31527e10fd877c24f0e4757e3c1f444ab89050cbec792a84de5b38a2a85fc22e00e46da4a427fad63acd873bed66bb4e92f07defab04dc3da1721497cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ShowDebug.docx
Filesize
1.2MB

MD5
9f23713daefce937d5c5a5778690e29d

SHA1
d49a4aa5d93217be0c47e55fa4023ea7e3079214

SHA256
9f994e0c46db6baa24ca1afbc549a2bab3ed8fb825c803856f9a1a244cb421b9

SHA512
26b75f2c54b3e6d8c90580a56af86580c5f098ee40fc0f3bef9fc604eb932fe6aead1db9d57c8bd1f7ad860096e8760571c9defe0b2d7ec71613b5c21f7ec127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SkipSubmit.doc
Filesize
694KB

MD5
f0b1e86847b0b0709546e858868a3513

SHA1
22ee1a44f23046750d20284d93a29077fbf0992b

SHA256
ec5c727ac62e6927302aa7096a8303e4f0a34a01af5f3f2a0f6930ec11e8e8ae

SHA512
5d8e49d31b5e721a95677165960911d83b88ca381d59da370cf9c0f0b82d48044877d995d14a329fc53e333a2d39b11883b739f76f8cd9b51a4cbf73012d143d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SuspendDismount.xlsm
Filesize
1.4MB

MD5
bb9d2cb8c4d25310d862bcb2a681b05d

SHA1
2dcbd1212f7c08e1d557abbd31153cf1a1a0a521

SHA256
63c6efb32f0ac64ab02208b0565f3470fb5405ac9750d5155f7c1e62d6420658

SHA512
caf6035632b110362df85c51d3bac3d084eaebf3afbb7248b03f6d3ce86add48d1096ac970c9e812abb9e192a660ff22c676e5f24cd41d7f5c978d439a820c0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\TestInitialize.docm
Filesize
1.4MB

MD5
7837f6a2d0c1dbf756295621a976a5d4

SHA1
4870062cf50a0ef8141c02a57b2e7d31e5806132

SHA256
3dc4b97c2b2face60aa12a7526e684a105c4e6ce17f637d03246b27bc45404d9

SHA512
6f46de6fe83769e30bda9d9a98169c488e5356794a3e3b7315b19d210a364f3372b1f8ba44df499893a009a142af97844b2be2331ec1149991f715212794dbfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UnprotectInitialize.rtf
Filesize
442KB

MD5
799a3e25f8471a2f1f7cf551bdb14150

SHA1
39332cec3e7fc97893db963453e43d58300b5e56

SHA256
54fb1c379000e063f37b329ff388c219def1ceba09387a9107d5a277c48b7108

SHA512
7a331abe3fbf6ca69f68360e0dbdf59580fb59603fb0e8f94d7197df7e6d727f1e35c09aae0a830dbd390aa79690f4600d0f8983c02c4332008928a6d285cc5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\UseSubmit.docx
Filesize
521KB

MD5
fe54bdfad78cbcdaabce46305c2dd964

SHA1
c24dcc944979811670002569b61e7da1c1fc1f6a

SHA256
3b72973ab47039dc72f5c23a6a2565fa68178b5ab2dd552ed997de2614ea491f

SHA512
a6caebc8456df12e096984e75160d8f70e0c36802fbf5399f78212b9c244c0396182432177ea934a76d47185dd24e1962d2121ab9785a38d5d34d592688a707b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
Filesize
689KB

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
memory/1880-7-0x0000000004F50000-0x0000000004FC2000-memory.dmp

Filesize
456KB

Download
memory/1880-21-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-6-0x00000000080C0000-0x000000000817E000-memory.dmp

Filesize
760KB

Download
memory/1880-5-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1880-4-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1880-2-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/1880-0-0x0000000000DF0000-0x0000000000ED2000-memory.dmp

Filesize
904KB

Download
memory/2632-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-111-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2632-22-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-19-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-217-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2632-219-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2640-59-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-57-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/2640-56-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-55-0x0000000000220000-0x00000000002D2000-memory.dmp

Filesize
712KB

Download