rhadamanthys | f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4.msi
Size

32.8MB
MD5

86a6e8316dda14183644539895fbe10d
SHA1

061e8bb0bf7b9a6b3efc919d48187cbf6e6d39ed
SHA256

f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4
SHA512

74fe5fa99cd652ca75b7afc077a54216df7b594d3c3e20e323b76cc7d361df121af2f69915cf680e1e19c117545bf038d6a7855961574707fbf30395a066bb8c
SSDEEP

786432:inLwZc62Yf1cfloFG/AavUcpjuwi0biBG:iLwaroFWAavUcRN

Score

10^/10

rhadamanthys collection credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6896 created 2620	6896	StampLayer.exe	44

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
116	powershell.exe
4808	powershell.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	StampLayer.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	StampLayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	StampLayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	StampLayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	StampLayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced QM Video Editor = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Navicat Data Modeler 3 Converter\\StampLayer.exe"	StampLayer.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	3788	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	StampLayer.exe
File opened (read-only)	\??\K:	StampLayer.exe
File opened (read-only)	\??\H:	StampLayer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	StampLayer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	StampLayer.exe
File opened (read-only)	\??\L:	StampLayer.exe
File opened (read-only)	\??\R:	StampLayer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	StampLayer.exe
File opened (read-only)	\??\W:	StampLayer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	StampLayer.exe
File opened (read-only)	\??\O:	StampLayer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	StampLayer.exe
File opened (read-only)	\??\J:	StampLayer.exe
File opened (read-only)	\??\P:	StampLayer.exe
File opened (read-only)	\??\Z:	StampLayer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	StampLayer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	StampLayer.exe
File opened (read-only)	\??\Q:	StampLayer.exe
File opened (read-only)	\??\S:	StampLayer.exe
File opened (read-only)	\??\Y:	StampLayer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	StampLayer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	StampLayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	StampLayer.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9E82.tmp	msiexec.exe
File created	C:\Windows\Installer\e579c42.msi	msiexec.exe
File created	C:\Windows\Installer\e579c40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579c40.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{882EEE79-A660-42E3-8710-CDA877DD61A5}	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
4260	filmora-idco_setup_full1901.exe
4872	StampLayer.exe
6112	NFWCHK.exe
6896	StampLayer.exe

Loads dropped DLL 8 IoCs

pid	Process
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
6896	StampLayer.exe
6896	StampLayer.exe
6896	StampLayer.exe
6896	StampLayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3788	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5668	6896	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StampLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filmora-idco_setup_full1901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StampLayer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	StampLayer.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	StampLayer.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	StampLayer.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	StampLayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	StampLayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	StampLayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	StampLayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	StampLayer.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\MuiCached	filmora-idco_setup_full1901.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19E24B471D7A437AFFED5DC5C32F4F40FE56D908	StampLayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19E24B471D7A437AFFED5DC5C32F4F40FE56D908\Blob = 03000000010000001400000019e24b471d7a437affed5dc5c32f4f40fe56d9082000000001000000900200003082028c308201f5a00302010202083b095a8f17a2650f300d06092a864886f70d01010b0500307e313d303b06035504030c344d6963726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417569686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3232303832343032353535375a170d3236303832333032353535375a307e313d303b06035504030c344d6963726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417569686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100ca4095e76f9ffc41be17dfd86426998905a290d63854c8c7d1dca90195c4f4a6c92ba375f2f6757f65234cdbd85ad89bc063961bc3abc622969368d1e1cf88dd73c1b52f5918dd82cea7c532fac46418ead83130b41aa62df15720af9ca6d1b5e176d17aa5bf7d215806cdadf5cdc4c1e0550d2b0f666d00b2b01a3c1e1fe9e70203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003818100894c3189fdac91a4f721cad8374dd6906b1dbad490aabd72d66670cf0fd61a842b8dc3d6de4e906438e695dbc9e60c667af0130f544e1637b3271eb3ec4a1900c1a2bea3fd32ecb8cb4eb37fb1452109fad5835373d87fe4f9bb8672ca53c431683feef8437e174a923aeb75fbaa833a803cee39217df501f9a62060cac9185c	StampLayer.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2112	msiexec.exe
2112	msiexec.exe
6896	StampLayer.exe
6896	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
5560	openwith.exe
5560	openwith.exe
5560	openwith.exe
5560	openwith.exe
116	powershell.exe
116	powershell.exe
4872	StampLayer.exe
4872	StampLayer.exe
4808	powershell.exe
4808	powershell.exe
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe
4872	StampLayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3788	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeCreateTokenPrivilege	3788	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3788	msiexec.exe
Token: SeLockMemoryPrivilege	3788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3788	msiexec.exe
Token: SeMachineAccountPrivilege	3788	msiexec.exe
Token: SeTcbPrivilege	3788	msiexec.exe
Token: SeSecurityPrivilege	3788	msiexec.exe
Token: SeTakeOwnershipPrivilege	3788	msiexec.exe
Token: SeLoadDriverPrivilege	3788	msiexec.exe
Token: SeSystemProfilePrivilege	3788	msiexec.exe
Token: SeSystemtimePrivilege	3788	msiexec.exe
Token: SeProfSingleProcessPrivilege	3788	msiexec.exe
Token: SeIncBasePriorityPrivilege	3788	msiexec.exe
Token: SeCreatePagefilePrivilege	3788	msiexec.exe
Token: SeCreatePermanentPrivilege	3788	msiexec.exe
Token: SeBackupPrivilege	3788	msiexec.exe
Token: SeRestorePrivilege	3788	msiexec.exe
Token: SeShutdownPrivilege	3788	msiexec.exe
Token: SeDebugPrivilege	3788	msiexec.exe
Token: SeAuditPrivilege	3788	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3788	msiexec.exe
Token: SeChangeNotifyPrivilege	3788	msiexec.exe
Token: SeRemoteShutdownPrivilege	3788	msiexec.exe
Token: SeUndockPrivilege	3788	msiexec.exe
Token: SeSyncAgentPrivilege	3788	msiexec.exe
Token: SeEnableDelegationPrivilege	3788	msiexec.exe
Token: SeManageVolumePrivilege	3788	msiexec.exe
Token: SeImpersonatePrivilege	3788	msiexec.exe
Token: SeCreateGlobalPrivilege	3788	msiexec.exe
Token: SeBackupPrivilege	1884	vssvc.exe
Token: SeRestorePrivilege	1884	vssvc.exe
Token: SeAuditPrivilege	1884	vssvc.exe
Token: SeBackupPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3788	msiexec.exe
3788	msiexec.exe
4872	StampLayer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4260	filmora-idco_setup_full1901.exe
4260	filmora-idco_setup_full1901.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4736	2112	msiexec.exe	99
PID 2112 wrote to memory of 4736	2112	msiexec.exe	99
PID 2112 wrote to memory of 4260	2112	msiexec.exe	101
PID 2112 wrote to memory of 4260	2112	msiexec.exe	101
PID 2112 wrote to memory of 4260	2112	msiexec.exe	101
PID 2112 wrote to memory of 4872	2112	msiexec.exe	102
PID 2112 wrote to memory of 4872	2112	msiexec.exe	102
PID 2112 wrote to memory of 4872	2112	msiexec.exe	102
PID 4260 wrote to memory of 6112	4260	filmora-idco_setup_full1901.exe	103
PID 4260 wrote to memory of 6112	4260	filmora-idco_setup_full1901.exe	103
PID 4872 wrote to memory of 6896	4872	StampLayer.exe	115
PID 4872 wrote to memory of 6896	4872	StampLayer.exe	115
PID 4872 wrote to memory of 6896	4872	StampLayer.exe	115
PID 6896 wrote to memory of 5560	6896	StampLayer.exe	116
PID 6896 wrote to memory of 5560	6896	StampLayer.exe	116
PID 6896 wrote to memory of 5560	6896	StampLayer.exe	116
PID 6896 wrote to memory of 5560	6896	StampLayer.exe	116
PID 6896 wrote to memory of 5560	6896	StampLayer.exe	116
PID 4872 wrote to memory of 372	4872	StampLayer.exe	121
PID 4872 wrote to memory of 372	4872	StampLayer.exe	121
PID 4872 wrote to memory of 372	4872	StampLayer.exe	121
PID 372 wrote to memory of 116	372	cmd.exe	123
PID 372 wrote to memory of 116	372	cmd.exe	123
PID 372 wrote to memory of 116	372	cmd.exe	123
PID 4872 wrote to memory of 4808	4872	StampLayer.exe	124
PID 4872 wrote to memory of 4808	4872	StampLayer.exe	124
PID 4872 wrote to memory of 4808	4872	StampLayer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	StampLayer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	StampLayer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2620
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5560

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4736
- C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\filmora-idco_setup_full1901.exe
  "C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\filmora-idco_setup_full1901.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    3⤵
    - Executes dropped EXE
    PID:6112
- C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe
  "C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4872
- - C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe
    "C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:6896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 1424
      4⤵
      Program crash
      PID:5668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6896 -ip 6896
1⤵
PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579c41.rbs

Filesize
60KB

MD5
c492b7574b195633388ea3659f734935

SHA1
edbe6dbb95b36c8802c78a046cbbbc5de16f9c8b

SHA256
f2e6f503aefa425aad9b4cad1b188233e841e121c98374f704b081c6bf35f9cf

SHA512
72c51665909e9ce8e2ca15759b65304a8b49751f66fa4c4e657fb4fe649aa3d16081bb8c1fcb6c787e36fc9295d4ba2f5d7fa4d44e112e0339512fa961b0af65

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Command Line Start.bat

Filesize
747B

MD5
c0535a62f64514f289ad1ef154ae4baa

SHA1
8709544b80c7b0ffbb90b85c8210eecda0ed0855

SHA256
5f6b8b72c9fd6acbd4fed5ffed89ea29e133425de29f25fcd40b928501d7126e

SHA512
e26e501e91810ff48bf88a37f4ace26d35de7b13312f16e455e51c91e3ea481d3d85f8aa10dd68eaa528cc5d5191d9d1bb0c3b279c1a1231e197de701e891d6f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\DMLScripts\EnableCheckbox.dml

Filesize
200B

MD5
20fbab614eaad08add69fff5e2ad3e76

SHA1
a84577cb52cc9f1ead9228a2e895d95461ce2c60

SHA256
79d4eb833398b88de1e318714ed045f78d8c5d4ebb52ee330ed865a72ad6b291

SHA512
37a9310e78fbc01caa7bbf35b69a53ae500e15421c212c958f3ed155cb2a69ec412fe05ec23ddc9e9aad126056fad0246d59a41b861542b1bf7c2e9aee411766

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\DMLScripts\EpsProperties.dml

Filesize
1KB

MD5
0d789b98d9fab52d50162568a7a04c1b

SHA1
7df9bf796fc64f63d82527d2dfec0fd48bcfc887

SHA256
b645bae3ed5227107242e2645c32551402becfabd9ba03ca4c2d55945f32da98

SHA512
7be8fa7d080a145bb762c7773d1f9f8cfff546ae7b11aaa2b4dcab6fee6f564780973a2f3d8d1914dd48a9875bf2cc311f8ca15457995a0b8e531007fda1e354

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\DMLScripts\ExrProperties.dml

Filesize
1KB

MD5
5f51bf4beb52a2acf6ff6c53195e01ce

SHA1
4a968198c1ad6c633640742c51373b1a8609a572

SHA256
ae328d7e8632f2e20db6628074fcdb1a450d0fa1cad57f047b664f9085c42d76

SHA512
2fd51893a7a87f366d9f72e158e9fe7a51fdfbe295631b32c4c62fa67fd59aab7fbdcf7576b2129772af71f7c527ab4c0aa68fc2e43140a36588116ae2742c09

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\DMLScripts\PCXProperties.dml

Filesize
1KB

MD5
a14369e9e3e8aeb8211ba554a903d316

SHA1
dde455818ca3e660a29796c038670875c42b1631

SHA256
503b63d5614595431d9b78122a3924add0f0722a813a19e48c938507f765e5e7

SHA512
b2910cb43a45d77a5d2afb4d2f17b33aa70402185bd22da12320dae89356095d765e1b97facb5727ffccd9f82a28ddeee95491de30ecd72a631bbe277ce5bf6e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\DesktopDock.dll

Filesize
3.4MB

MD5
304a7b1466e527082446374bf1373cb0

SHA1
9ad60badc5feaa622a5a3d596701ca2d46f84ab2

SHA256
2c50d4ca3014eeea42be696fd756957ab605f09642f2b5f96728aa6e4c0dd112

SHA512
70895b395606ae28ac304afcca2c3cb17d836c8936d4daae16b2786766ebbb731bba5a48ec6e26c18e0bc992c77d4ae357ad510ec8b141706982718dec43e9b9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\ImageConverter Plus on the Web.htm

Filesize
129B

MD5
a542c3a8ddd11391e3306e988cb4feed

SHA1
bc564befb8a284d16b3fa0c6e6730e51f639c054

SHA256
92786b4f04aed9e47ec25b6d808fc7685277bef34f2845d222eb9949b5ec2d14

SHA512
f31cceabc1ef10879d91304236cab1251c80d5e356f7632cd0c268cfd0dc309450b6f3bd1a805855dc6aff97fb6aa8cfbc8871502240e829789019f742d42671

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\ImageShackSettingsDialog.dml

Filesize
603B

MD5
e8c770e54da2352d095825828b52142a

SHA1
522ffa84b1fb026a7584fb5fefd655d3ae90c4b3

SHA256
d9b0e3138abd721115738542f12db809760f0d9fe2b2598079e2927f509c17c4

SHA512
5510dfaf8ce9255e08d785b2a39feb5ca28842fc576de6f66a377c55ca1ec52e7e17c8160e8b346fec4c37388d82a1998118e1bef1f1058697920ba680830c18

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\crop.bmp

Filesize
1KB

MD5
b97f9153bc5fd5c9ff4ebe5b9bec786d

SHA1
0a089bddac52cc87b5ac20ac5c5831688dca9bda

SHA256
25e49b36c417fbe4de01863ec0ff67330360f3ede99015ee052f4c948e9dfd05

SHA512
c64ca308e28a795d4309a7202171175415d691e6a6bceb4da1e6c28bfc84d0624eb36c2f3b472e517f30026f6b4c5a2d26f50c7914829f0faa3e4c9dd2dbd854

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\mirror.bmp

Filesize
1KB

MD5
10a6fbcdbadd16481458ad433acbee38

SHA1
c952d16c819b5c4077b38a2a9fcca4a95638f37f

SHA256
77c886c8c4173ff04d6495cef7148105c28bc1ab39abaa273735c53cf242f9f0

SHA512
76a1272663924da4d054b06c913e50881d206869f64f825f3215b2b1d3eaa23b03d6019e8ef3b6503470c668b2611fa8c71382ab36881606b928d6c44c669c18

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\rotate.bmp

Filesize
1KB

MD5
7545333f32bdb0ea78268b8338bbd9c6

SHA1
a1c52aeffae720fd82e54fd6bf25f77b7c0bc76f

SHA256
b2d967238bf82962bf6bbd271499682f1938072d63a4f8edb80b16a86537869b

SHA512
4d555a35f8e5dba54fc4f2c7e02c0920cfb24efaf116cbd7824fa22a28a7ba4342babf87f5b1e4856fa5a0ce09b703b3cc593a500f4233bc8d2458808699cc8a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\smile01.png

Filesize
1KB

MD5
b80bd13b664188927c42ca3ef3867fda

SHA1
215fcaf3b91a86f64a5618b4143d4c2df17a19d2

SHA256
9cfff993e63fb213503dd2fdf31a5e52ca2edccf9f6219a3b4476173c0e0f6bc

SHA512
8f9486f22f542dbf069d8fe1ec8b75a2707caafc9d6c8c85f29d1d10ec2ee21548a89ea1906559796eac181867f7ee2423e8be26869f7a43baec689c828d7672

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\smile02.png

Filesize
1KB

MD5
b6a2c4253bcba6f3cfd74c31644d730b

SHA1
58562b3f6a5e17466904c794f831831eef7fc4d7

SHA256
2484ad8a48a914a90a4e5d67a76c9867a4d95f89763226e4749e497bed712461

SHA512
a706cdba9b80e020e658eb1cb468d9917900be99903db52a8e43fd6e9d6c8afce7978e7efad8bac832a1e73b8c2e1717d49532a1a5aac1e340bdce74090935ef

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\Images\zoom.bmp

Filesize
1KB

MD5
30a7b5acdfa6f7b25add7a98b5b7dffc

SHA1
6d1c646358f6005907bae6de302a2dd322d7ed02

SHA256
6c67e8e63a3f8f2ef70bdd96e64fe5cb068daaba59b662a58b6ed4bcea3e27dd

SHA512
366d35467168e6274fc52010a73aa5e17000b76e5fca8c8164e2426263f63f1e043552d52063228b43cf725b0a4c0e176061a3bf0ccf65fc93bfb3f0f8bd40db

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\PicasaUpdateDialog.dml

Filesize
535B

MD5
4c61702bed766cba2a51aba06d56bd12

SHA1
0b27c5995db0f04cf4492f9235204b03b7af8527

SHA256
1b85c012f8988a70bec078d9608b8402bb5f05e1ae71e5a606505f8ddf194e37

SHA512
846aefb2a14cf3b5137f89f2fd3f6f6f0b87ce1f5fc839900d2abf13b44e59f4c1208d56ccbf27202507e7dd07bb355004c7d457a684b391d4c75b6d5bf8cf9b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\StampLayer.exe

Filesize
7.9MB

MD5
e215f65df78d028138bc7a3b30eb27c2

SHA1
e24f9af89a6e153f85afecebe97d5a750b87338d

SHA256
ea79db2a00d59c4974f5906731b9e234d3ccbd16898c78c7e9be29038a152aca

SHA512
4662150f1e69ee491710e6c085ff8bea6b9252179f4d80fa9557f373db5340c217616807892f3a0368daa041f91147d16edf1872e7413d7e52968c87fe4c7645

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\TwitterSendDialog.dml

Filesize
1KB

MD5
b068709a5a0172aa091f2501162a068f

SHA1
6ac2affc491811446f557be82d066b5eef2ec2b1

SHA256
107c97a6d1c2d71912f158292a3a0420bbbb6892d7fd0350e79bd02012054b94

SHA512
579071a254d8a39cba05415dd3b7fedd2a74d77a2bc29139dfeaaeb0313051c9b76021fa1bc7827bd615844513e6a1824e4761588317756f4c4ecded7fbb71a1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\VerifySettingsDialog.dml

Filesize
514B

MD5
afc4652ab6f8ea2ef0e38eec17e4129a

SHA1
0372b6e54db7a4f778755e483c818d98331253d6

SHA256
5582dec4f636087ee273c7edc38c32d53493ddd1beaf1f00d8bc4981a18591b0

SHA512
43211757af5a3e9b0fd4a008d653a47650c7ddd4baf363abcaeb5660034ec7368d54fabfd9a3a68da3027d4028bfa7723d2e74fb963be60f7f8617f6cb0ccebb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\filmora-idco_setup_full1901.exe

Filesize
1.9MB

MD5
4a2cc9a194b872a64790f14f1d102301

SHA1
f780d19e26ad14cf64c4f068c3ceb4fb193e364c

SHA256
08aedd6d0cb756a6552378823e29e78c8752ac16fc7afb2a610e552ce5aa6935

SHA512
655ea9874604e77f739d577713ff5b320aeaa7094adc35a3c1cb8e0b9aadb8b2228a2be4136be09303bb203ea1448bc95e721a139cac4a116677fad1cccfd0ae

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\gray.icm

Filesize
880B

MD5
f14ce559b4af294896b0c378ca1bf15e

SHA1
5b99ca05e20e78ef4877befee1101e3093aebfe3

SHA256
22ce531ffd176fb3f17fdc590c14ee515bf9d1abf9f981917cef08ca3f12810f

SHA512
5cc5651b7a28d3502536eb8b222a153fdd92c42c4e818eb799fd84be8ec7527e3dda27468e219981d5145a3cac06d8dbbe0cf120eb05c76430b48d66a4d658bd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\config_1.xml

Filesize
1KB

MD5
2dfd942da0737ed2ee7455ccfe9ec099

SHA1
963a25d26332b6d0a34a78606b3595b801fbf15a

SHA256
cd79fc34944829fdc0fabaedff4f061505d1f1e549d942699d977a2241ef729e

SHA512
3ed4f256cb6da2686eb7e5cb13dd4fb62723d4c1ec4330d80d49f7fb7597425d2a880476a5df6f2df4db053161d3f41bb7e5f98a5bf0377e447fd1f2baaebf5f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\fonts.xml

Filesize
210B

MD5
c9d5ce5c5cc939c9baaa3e34575633de

SHA1
e4b054428c36e55329b166eb3a50bfd8a1e40faf

SHA256
946b0fe2f9fcd6a9398feeda135586322ce227d38cd6b068b90f0ef5e5286175

SHA512
4e6d4d34d623cd8f77c197fb446ac508a3dacb86ad4dc32c075ef8ae99e3e18a76b3b6f9e3306e12b0960a28609e75433fbaf8e65196c55b3ce7527c670293c4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg-lm-border.gif

Filesize
1KB

MD5
cf0f37bb14d210f8e4b40f6dfdd35791

SHA1
23aae21c6508746bcd4adcaa1ab0a3928e9f96f7

SHA256
fee53d9afa3ff19c0eacf7f17fd188a88a49407e9a41d414e93a6bae1d0aa06e

SHA512
0df01cb59f4a3d23ff816b087fbd9c65eb78ea72e73440147fe5b6e7a1b441dabe2256fe4a703e410126a9a62c916cb79b7595cdabf966c16e088093db4f4653

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg-lmenuactive.gif

Filesize
1KB

MD5
882af806175a288bed68b7f709360f3d

SHA1
0e7f6384fbdc92745f1babd001634b0a8b72633f

SHA256
9f5bed140fc2bc5537c893e1f52af1728aba6c8ccfefb4475c40ff9db8c0ae67

SHA512
c834c0f86a3da635c49d931471bd7d219da64351da78e8839bc998c3cf94d48380aed487805ff723ef9a671d75dfecb4acc434a344d4431c7207f7fdf401dadc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg-lmenuactive2.png

Filesize
575B

MD5
ce62b918084806a8d9bf50175bec66d3

SHA1
7ab48bb17cdc627a752ad816d2d28e15511aebf4

SHA256
822c7f7beed762ced44d92fe548ba53f9fc4cbe1cb3cac4f1be2583fab50034b

SHA512
6bfe29188a376c571f1f3d15d890ac539e254ca194f1565c9568e551e2a6182afed7f79b08a9ca97ecd03a72946488eb0215fb5f2678e9d855291d9659c006bc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg-rmenuactive.png

Filesize
558B

MD5
2addb1270bbda71595d9611eded89930

SHA1
71c6280572153c1e5518902eed7bf283cc12a3e0

SHA256
4e837211f65052fb1dab17bd254c1a56f5c6653010162b945f96248939758769

SHA512
348ad7e1f4df06039d317c3320c763f6027f751ae9277737b449964c85d613540f3ad4a754758a9a16d74e18f3ed7b009d9878b37ff84fe6693b2d87bb967a51

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg_footer3.jpg

Filesize
603B

MD5
d1996b88887c6802c396f6f8b332d528

SHA1
43d85cff6248c177b70f0b2e4c8d54c3ef17afa0

SHA256
afd3fb201b3f033be0aa5b4e0c0acb52ed4d138099eff120c76edbeb93be3462

SHA512
420f9a3fe6cdda5d0ba9ab811705a16b08c3596c6226a3419f51a280db13654de1d877ff517273cf827799d779b23994a34c456581c15274ca56e7183817cacf

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\bg_topline5.jpg

Filesize
1KB

MD5
bc83e40600bac0ef7ea8bd39d4f2f9c0

SHA1
03e77da372a8fdf144b24c1d09c070eb35fb8b88

SHA256
cc1a0f373a7c5e5e54302129ee47ab7a1418942219170b20fdb4332ec620b56f

SHA512
3732f86112ba7cf9b530992ff4d75fdb23941fa795b14f20b976411f3f7b07a54ea1faf150bfe730452ba9996661c25eedb8c2c445aaeeaf3751a411d1969bec

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\flag_de.gif

Filesize
76B

MD5
b84c2dbbb6ff29cac64e2c4ef070e2da

SHA1
1850e2b24aab5fa3024d4d15693a6a4f48507830

SHA256
1cfa1e0b9dca39e7f4baa3d9ee1a294c2b138803482fc28c5b76a433abc04270

SHA512
4d0e498e3be0be361073c608fb4fb1548731a8937255a136f2614f23a2e015fb22a9e3d6e177e1d408b1c618fd4129073a1e3a2171e9562c746c18ac3ed98402

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\flag_gb.gif

Filesize
559B

MD5
8ad638ca3264728486d196fa19ba08bd

SHA1
ff9b0ad5cc228e33fcd9727abb283d1fbe1455dd

SHA256
38f4abae532be689ff1f201f25962825e7a144f35396b6c9f746767c561b1cfa

SHA512
d1e39ddce9dee1e6e847796c1e1633261731650eb4fb742c9bd86766dcdb261c3f5075a2ff1c90dad5f33d5dfcef9ed7e4f1af6290a17f6d484a5c3b0fdb04db

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\flag_it.gif

Filesize
82B

MD5
d3006c123d8cf89523b926377b04fb1f

SHA1
e8c368b89d66f9858d5af4afc98cf63efb4d3d3c

SHA256
0ac2a8178828be41e8d721fcd89e6caa635d7d5d52304924ea0b111871c374fa

SHA512
20f9c84542630e79a8fcb02a86465fa0bbf8d2f4d8c2a5b0639ba07ad25cff9f3822d77bd19f10ba51490ee6330f099833ecd2c19b4655f9b0687bd9881447c5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\flag_ru.gif

Filesize
76B

MD5
66fc3e4162e439e7040f0398f689febd

SHA1
f9ead9f169bd61a22fdb0c436a8ae1fac5c1192f

SHA256
af862f05132da144287104dcd62ca4d4add2701784f66dfaf56ce29ee8c4032b

SHA512
0dae1ab2c3543eb9947565bff8f97d8677bba6056832b1587c2506a43c02586c0da234350977b589dee1d0cbd36cea87f845869266feb6be21c2e34ad56e1a49

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\flag_us.gif

Filesize
138B

MD5
ae1a7bce9cb314ac0aa139870c128980

SHA1
4f637c0b3fb2555fc0e69f99c558ca86e03039c2

SHA256
ae1f7afe6153d7cbb5932d16b393a9cd0a43f165cb48b5597f3c965dff162912

SHA512
5793bc81e46989dcb225b462e4f32dd447fd8770af19f6289448f8cdb98c7356e48f54cc34a20aacbbf647df4d3c7a3ea8c57fec3bd4cc9125a9e0029623e3fd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\li_green.gif

Filesize
170B

MD5
927bdce4b48426d2ef4ce68816aa7d50

SHA1
1e5bdf97e4414aeaa4cf089bcd6f2e08fc76c86e

SHA256
2b76ce4536e4981b14d1ddb52d6ea697f34f7d473c9b94250e7da484abacae75

SHA512
f39722e37a5051fe7313a8917d8b7464edc3f98dfeeb8a0fce8cb07e557dee14980997dec15c01807e162511a92932602c5147e58badfca4f6db201aeabd9a0c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\logo_footer2.gif

Filesize
1KB

MD5
2ae420e5c97c12d9d46d52b3f422aab3

SHA1
4c85b68347f3d007c193c5d1c00ccb17355346d7

SHA256
ad0e9cab7cd2bd5e5e5dbce2792b7516176f2b7c7d192729dc55bab1b0163077

SHA512
9aa11a140550f56c3bee8dd60a7311fd45135fb5e92ca9f545c1ee0d8605cae008691ea841d7300753527bbd8bebdf2198b11da5f1edd686e9c0f049afa42de9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\rss.gif

Filesize
141B

MD5
00d8678dcbf4b7b48ef4bc99583a500e

SHA1
e92fa62ce6d3a11b250a871e6ec64da67eff818a

SHA256
527108c9960f51c3d8b01c00d326c13ef1eba4f1135ae9f3dac40dbc60d2e1f8

SHA512
74e27d47d66386d52ee959f9083dbb4ebfb460d5fbfa5cc16583a7b63987a75f105f861590aa50dcf0ed0bdd15a4c51401d93b155d536ae69a0843bf1c46f3d6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\images\search_off.gif

Filesize
331B

MD5
9bd8e30af40d6b2de64e11877b40734e

SHA1
b319818b8c6a00a641191993c17fb410f30b24f2

SHA256
286a8001941c00e52f0672f9d14d6af6c49cbf295eaae4e1bbb8c66cd3a81c15

SHA512
40fd001826150d91f5ced01c9acc61af22cd5e604baf1f9eea7a4d4751d8f1c9b0983a9d6f5ba98c40d176f3691d4becdf491d26c71894a1943b4216cc10e87c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\purchase1.html

Filesize
194B

MD5
e909fce8f5b310826692840cdb0fbbeb

SHA1
8e17f4283777ba94e9b384b37c147ddb58447659

SHA256
7f32c556a03941698ecb623ca67af96f90cc59ac5c93d6b279c2b9457c520a0c

SHA512
c0282378db0caf89e9d11ac4fa93e6129e98f2dd5fe24093d911bd29b384821ffbe0240f678774657d2794e6c947c34b1ce7e89d6fa8765591a63b2e3f3d1c35

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\purchase2.html

Filesize
194B

MD5
86dbcab6f046610cf1c9b5b5674a5376

SHA1
71ab068bad9ed95b71e73b5c449c833073ba8d93

SHA256
3bd728e367ce923f46f33d4c3e7d2b25805fc358bd72783ac8448f9ba52cea01

SHA512
c8d444551f4015ac316b4a784f6d7df9a42f06d48c34c70dc2da7bac60909118a2925a1b97814956f524b69a8e39a67f97a4bd76886d8490e515272660cfc531

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\purchase2_1.html

Filesize
196B

MD5
29d04a13c97f6bd432f9f4e83cfe951a

SHA1
41ae09722383ed3306caa50d6ff969f8da065892

SHA256
6a6a330bb4634d2022634a7fb4e26735cac7dfe0f477c37133d458a89cd6cafc

SHA512
27a7e304ca59dd68087c684a99427e3ffb2bf511b3765ddd151199a3f79712cafb687f1842c0ada1e88cded9b4f647d1d8ec6dc6896f0ef755287fb31532cfec

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\purchase2_2.html

Filesize
196B

MD5
1251478bf9af12acdf89ba544441fcb4

SHA1
0700ad71fd4ee14d09af7dd9012b11421701b6d7

SHA256
830bd4fb7907d2a074fddae4c069038792e996b80da9cd6131fd8564fc8652d3

SHA512
ac2a13ea6276a98c33f3dd6bad977106d863ac2af83b58ee4c5dddf011825cbce84ebb1919f7785e1da7caaebf4ff21ec6943e99f2ee6218e58870c434f42808

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\purchase3.html

Filesize
194B

MD5
021e022bfeb3ddfa6cf916658a79c5cf

SHA1
05940fdea80200fee787f206970e50f7a6406156

SHA256
736c4cf6c499567868fc91a5bcea45c452831c39f8fe58fba2876827f612a948

SHA512
3438569d39977e1371f97186e77766768aa29764f291b01babbb689d2693a3bb5c46e6bb57cd28a412d3fbebc710448bae698cbc5107ec9958a2e1a07250c379

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\Start\~$foboard.htm

Filesize
162B

MD5
fdc53c05649bfb418c64260c191b1fdc

SHA1
00e7c08d0424eff2e2bf70d1e4000b7b35c3f6bd

SHA256
c01084f7b2091da97c66b160c71f8ead5ffa53c902cc7fc9ab4b4a1349f17049

SHA512
57ac1b7d1c869c2283a30a5952cfb3e117fea749c46d7a768446b184f754da4076f557fa7214471e3c564088eec9558dd919f602cc751ca8c25e69021dfec2ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\bord_bot.png

Filesize
383B

MD5
3da16077145ff5c27289be198321ebae

SHA1
2ff0690b4e4b53c9f943ff628fdda04f7ce8a15e

SHA256
bcbf6cfe853b5f498c3771a306b1fd5b3a483c685568f118802818811201e237

SHA512
fc4962298ed4949f70e231322e42869fe224198e7847673b2bf933e4178fbb98a6bbaeec5f67869f15b0e1084a48777568f8cc45287a560d4af823a0b858985f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\bord_mid1.png

Filesize
405B

MD5
0cad1173c15a6397be7719bd8b785cf5

SHA1
2f87180836ebf91168e8cd578a4b346776db025f

SHA256
57d0cec27ac5cf59061be65966038259afb5f1531e312f2da9c25115e98d49a1

SHA512
6645d1ce611921485b85ee919221b8ed9f6b04374f0e7195e3f95bf457a0192808e78de4447e1f370a30f79bd22454bc035c9e94f40d9fafd1cc33307f0e8d25

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\bord_top.png

Filesize
379B

MD5
8fee886fb0371712381c7791c4901bee

SHA1
db5dc4141f233763c04e309a7345a0bf66d720b9

SHA256
97da30dd23f15de74cdcaa7d2d06f322b7feee29d3057992b0a64ab9592caa1c

SHA512
7b8924bd1b344fa24c3ac62462ec457580459e58f1a75ae6fc7aad1871f754495f0ffef6ddfbba9c8dc4c8848272ec7b2b9ebb505d649a140a510cc24a7ab3e9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\greenbord1.png

Filesize
1KB

MD5
9600f56475a633c9cd8f1aaa562a597d

SHA1
34bbc2b1b7e6632060de3a10d1317fa0ddb7b280

SHA256
7679842c3d93f01039c724892463f6d18c488023ce23d42370826ef49a535263

SHA512
d1041373745877cd88ae3e25b62a5df23a28a29cd90a7e92037be528a56aec750a538d7dad24c6125f9dcb35c67c7cabefe015a8214109e1a35d8fc34c9da321

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\greenbord2.png

Filesize
441B

MD5
e725370387b05b2750b5eb856b5af5dc

SHA1
610bbbfa0a766f19a1c27f2e97215b3b4af6a0c0

SHA256
e78d1f94129c8b4b95b0ca4cfeb8311055e4b0ad3605abf9b421492b3e803ba9

SHA512
aa18bc2391472f1a9e9dd91f5fe21d24590498747c87c08e87d6d4307c9d95728b7c68485ee65fecfa59cddd569afacb9165a33dc926de5efe092cb3c7fce8a7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\li_leaf.png

Filesize
841B

MD5
e88b0af8cd4a28b1a0fc052b5ca2a2dc

SHA1
d8e249a30107ee0c6fddbeba27c8f6a9717a8a05

SHA256
e5cd83054c257b6439137ca883a9ea2691263441a84674938ec4bb0c87e772ae

SHA512
6c183f944334b6a4685c90bbc79ef691543c959203523e9d6e0f7a9498c582503e796ed60b92a8c6ac02894329d88670c904523f5e6160e7d809c3e04dd84739

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\shadow1.png

Filesize
970B

MD5
34415510b7a6703127f0cfa6d9284c06

SHA1
bed7e730b70b81708666b900e9f79d419a8a27ce

SHA256
80b34560437dfb0d36fdeb353284be983efc75f42bdcae3e823be20a30931055

SHA512
70d2404ee23ee130726233f4bae601626f851d6165f66111b1032b3c5f0b371bcc2f2f19a351e00c2347968868b61548cdd0aa88e8e79edb90920d466ad13823

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\shadow2.png

Filesize
416B

MD5
997761cc85d643b83adc02f0ffff0f12

SHA1
f94140bcf9f4595af3d0e0ea5433565d9bc4083b

SHA256
48ae8f3a65a50c4e87411765720ce7ed4e996249ad9efd11356c0f9c2972fee8

SHA512
2580772abcd261dfaad58b2955c6d002d2281eb606e43d99f157f75154792132c82a57ea01dfd2ec4e24a14513c7a303935126c05a0df7859f662a1a799ab71b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\help\images\shadow3.png

Filesize
1KB

MD5
ccd71226304c18a89ddca286cb76267b

SHA1
d4f6dd17a047a4a6f5a49bae46b12ebe488381ad

SHA256
d6e3a567de1472484b653c3a0d5c50b09f6577c7a85350246600d83f2457eb01

SHA512
a71a1bba99091c9e887b85a9c62bfa51b6101cc46749e399c807f9a4a046fe06c8450f6b8759c75f253c701e2dd6364178f3f665694148c6da51b0230f28ebc4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\ievision.dll

Filesize
19.9MB

MD5
7b60a6dadab3cafdfb05de99a8aa907d

SHA1
044d8dd07d5f133f970e1e6d27b894ba21e1c5c4

SHA256
4ce38c92882435f98405c56897f86489758d6ec4d74935ceb87b34b14db85366

SHA512
d686f178b34d081c93cb322f70ce600fd0a26f4a264eab45e66f898db79dee3af090041d154c88919149784b5fa95f3b900184162688e0723b98af56752578aa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\liblocal.dll

Filesize
6.9MB

MD5
947f96ab7854428ea3530b2f4264c5e2

SHA1
7beef3d246b3768c1ab57b58dbacc1ea7ecb0910

SHA256
939def225f879a132b5246afbdb53762457ca2634fbb4bd48d746ca1392187cb

SHA512
1222ef3dc78b45a8504dc93f38ce2ca0fe161756cee6337b7d435831e0b2b0f9c33576635fe915268ecbedb4e48370423b74ab2d8e4f42f03de1cfb831db1d3a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\libmkv_plugin.dll

Filesize
858KB

MD5
02097d910137c6abd388fbf37f943f57

SHA1
0cdc290b3a7498b51912a2e3d140a7554da19d2d

SHA256
44b24fa57fc51d5aaad015da3dd5614403c9b388343e6456c80d910eca5664dd

SHA512
6f631cd39d7b654e843cf695446577fe400ae603605e546dcf8956599e808bccadbcb364d6b3c763837c29107a8d85d204bef200336c8bd810530693d7c30403

Download Submit
C:\Users\Admin\AppData\Local\Programs\Navicat Data Modeler 3 Converter\podcast.wav

Filesize
5.2MB

MD5
1580496cda6aa583d7c4ead63ae2207a

SHA1
504910683bedda6527a6bbcd54e38411a9c94164

SHA256
52edbec140de808d8a67e8c9a6061ce7e1f3d869b06a4851322057dbe4a6b3d0

SHA512
f5c7dd8f1b35f805aa679beba01d9eade6c6bf702006b904f68bd326cbfc7216ee73627d0fd3a15d66dd439f08e75ce8414daa2fea19f3300270a15e773c9d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipewisdriwh

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
546B

MD5
01b41eb2d25f76cb005a7e7ccfc4d3d8

SHA1
867e80030f1c76fc8a03b136e0c05860c51a4817

SHA256
ade088c8caeff9ae390307e6dc1de1441cf500d1c59960a27ce88d0029e893c8

SHA512
e70d88275bb2588a0fc844599464de9f2942dfbea9404d8e4ee25d94929937a759bb42e8dfe905d5bc54ba15b735f75a33f3aa096032d6fb007777247c0382ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbfvhpnq.fi1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
54KB

MD5
de154c60960c0eb09b474ea3af9cfc27

SHA1
a5d1ecbde26f1d7bd9b9cb737ea3ed18ba84eee2

SHA256
f30b407e43f912e616ffd7663b7331402a33b2ee51acbf3cee5eee31514951a2

SHA512
db552a9c104b5f860c88f6f8a425849d5edc205b59551812e65c4c176e6fb5ad3e3ec9f6d51c5bd7636f34f8d30cf773eced99ccabfc57a50d187988c4e83ba0

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
C:\Windows\Installer\e579c40.msi

Filesize
32.8MB

MD5
86a6e8316dda14183644539895fbe10d

SHA1
061e8bb0bf7b9a6b3efc919d48187cbf6e6d39ed

SHA256
f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4

SHA512
74fe5fa99cd652ca75b7afc077a54216df7b594d3c3e20e323b76cc7d361df121af2f69915cf680e1e19c117545bf038d6a7855961574707fbf30395a066bb8c

Download Submit
memory/116-1530-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/116-1512-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/116-1497-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/116-1498-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/116-1499-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/116-1531-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/116-1501-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/116-1533-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/116-1535-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/116-1534-0x00000000078E0000-0x00000000078FA000-memory.dmp

Filesize
104KB

Download
memory/116-1532-0x00000000077D0000-0x00000000077DE000-memory.dmp

Filesize
56KB

Download
memory/116-1529-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/116-1528-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/116-1527-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/116-1526-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/116-1525-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/116-1515-0x000000006A260000-0x000000006A2AC000-memory.dmp

Filesize
304KB

Download
memory/116-1514-0x0000000006840000-0x0000000006872000-memory.dmp

Filesize
200KB

Download
memory/116-1513-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/116-1500-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/116-1511-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4808-1591-0x0000000005480000-0x0000000005494000-memory.dmp

Filesize
80KB

Download
memory/4808-1563-0x00000000055F0000-0x0000000005944000-memory.dmp

Filesize
3.3MB

Download
memory/4808-1564-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/4808-1578-0x0000000069C90000-0x0000000069CDC000-memory.dmp

Filesize
304KB

Download
memory/4808-1588-0x0000000006D10000-0x0000000006DB3000-memory.dmp

Filesize
652KB

Download
memory/4808-1590-0x0000000005440000-0x0000000005451000-memory.dmp

Filesize
68KB

Download
memory/4872-1364-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1411-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/4872-237-0x0000000072100000-0x00000000725F6000-memory.dmp

Filesize
5.0MB

Download
memory/4872-1291-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1362-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1410-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1380-0x0000000000400000-0x0000000000BF8000-memory.dmp

Filesize
8.0MB

Download
memory/4872-1386-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1390-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1391-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1396-0x0000000002DD0000-0x0000000002F29000-memory.dmp

Filesize
1.3MB

Download
memory/4872-1394-0x00000000081F0000-0x0000000008797000-memory.dmp

Filesize
5.7MB

Download
memory/4872-1400-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1399-0x000000006E600000-0x000000006E69D000-memory.dmp

Filesize
628KB

Download
memory/4872-1401-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1398-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/4872-1409-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/4872-1479-0x00000000095B0000-0x0000000009638000-memory.dmp

Filesize
544KB

Download
memory/4872-1480-0x0000000009660000-0x0000000009676000-memory.dmp

Filesize
88KB

Download
memory/4872-1490-0x0000000072100000-0x00000000725F6000-memory.dmp

Filesize
5.0MB

Download
memory/4872-1412-0x00000000075C0000-0x0000000007B62000-memory.dmp

Filesize
5.6MB

Download
memory/5560-1457-0x0000000076510000-0x0000000076725000-memory.dmp

Filesize
2.1MB

Download
memory/5560-1455-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/5560-1452-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/5560-1454-0x0000000002100000-0x0000000002500000-memory.dmp

Filesize
4.0MB

Download
memory/6112-1310-0x000000001C0D0000-0x000000001C132000-memory.dmp

Filesize
392KB

Download
memory/6112-1308-0x000000001B850000-0x000000001BB5E000-memory.dmp

Filesize
3.1MB

Download
memory/6112-1307-0x000000001B830000-0x000000001B850000-memory.dmp

Filesize
128KB

Download
memory/6112-1368-0x000000001D050000-0x000000001D08E000-memory.dmp

Filesize
248KB

Download
memory/6112-1306-0x000000001B7F0000-0x000000001B808000-memory.dmp

Filesize
96KB

Download
memory/6112-1305-0x000000001B7A0000-0x000000001B7C4000-memory.dmp

Filesize
144KB

Download
memory/6112-1309-0x000000001C010000-0x000000001C059000-memory.dmp

Filesize
292KB

Download
memory/6112-1360-0x000000001C610000-0x000000001CADE000-memory.dmp

Filesize
4.8MB

Download
memory/6112-1361-0x000000001CB80000-0x000000001CC1C000-memory.dmp

Filesize
624KB

Download
memory/6112-1366-0x000000001BFA0000-0x000000001BFA8000-memory.dmp

Filesize
32KB

Download
memory/6896-1414-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download
memory/6896-1447-0x0000000006C20000-0x0000000007020000-memory.dmp

Filesize
4.0MB

Download
memory/6896-1413-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download
memory/6896-1448-0x0000000006C20000-0x0000000007020000-memory.dmp

Filesize
4.0MB

Download
memory/6896-1449-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/6896-1451-0x0000000076510000-0x0000000076725000-memory.dmp

Filesize
2.1MB

Download
memory/6896-1466-0x0000000000400000-0x0000000000BF8000-memory.dmp

Filesize
8.0MB

Download
memory/6896-1458-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download
memory/6896-1477-0x0000000072100000-0x00000000725F6000-memory.dmp

Filesize
5.0MB

Download
memory/6896-1397-0x0000000072100000-0x00000000725F6000-memory.dmp

Filesize
5.0MB

Download
memory/6896-1403-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download
memory/6896-1415-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download
memory/6896-1416-0x0000000002C70000-0x0000000002DC9000-memory.dmp

Filesize
1.3MB

Download