c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cloudflare.msi
Size

13.8MB
MD5

5d2922491b47e1c355103194e069e5ac
SHA1

eb918f926c9cc2f9239f1dfe0380727c8170982c
SHA256

c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0
SHA512

522be674a5fb20af9a4fa42315ae8e780df3310f5b0ea8feccca1cf788cd6af542226aed65e9c6f7353d2daf954522f4067880626a2ccf4b7793178b57eb0bd9
SSDEEP

393216:GDFCbAjiImi73v4JPUQ6Rm1feeuQx1qbvto:GRCbAjCK6PEm12ZQx1qbFo

Score

7^/10

collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AudioReaderXL.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AudioReaderXL.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AudioReaderXL.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AudioReaderXL.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AudioReaderXL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced Chart Manager = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Audio Reader XL Premium\\AudioReaderXL.exe"	AudioReaderXL.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f136.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f136.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{67D76A46-417D-40B2-AC02-DA0F92C8DB7A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF29D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f138.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4620	AudioReaderXL.exe

Loads dropped DLL 7 IoCs

pid	Process
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1320	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioReaderXL.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	AudioReaderXL.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AudioReaderXL.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	AudioReaderXL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AudioReaderXL.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	AudioReaderXL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	AudioReaderXL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	AudioReaderXL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AudioReaderXL.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3148	msiexec.exe
3148	msiexec.exe
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	3148	msiexec.exe
Token: SeCreateTokenPrivilege	1320	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1320	msiexec.exe
Token: SeLockMemoryPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeMachineAccountPrivilege	1320	msiexec.exe
Token: SeTcbPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeLoadDriverPrivilege	1320	msiexec.exe
Token: SeSystemProfilePrivilege	1320	msiexec.exe
Token: SeSystemtimePrivilege	1320	msiexec.exe
Token: SeProfSingleProcessPrivilege	1320	msiexec.exe
Token: SeIncBasePriorityPrivilege	1320	msiexec.exe
Token: SeCreatePagefilePrivilege	1320	msiexec.exe
Token: SeCreatePermanentPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeDebugPrivilege	1320	msiexec.exe
Token: SeAuditPrivilege	1320	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1320	msiexec.exe
Token: SeChangeNotifyPrivilege	1320	msiexec.exe
Token: SeRemoteShutdownPrivilege	1320	msiexec.exe
Token: SeUndockPrivilege	1320	msiexec.exe
Token: SeSyncAgentPrivilege	1320	msiexec.exe
Token: SeEnableDelegationPrivilege	1320	msiexec.exe
Token: SeManageVolumePrivilege	1320	msiexec.exe
Token: SeImpersonatePrivilege	1320	msiexec.exe
Token: SeCreateGlobalPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	3520	vssvc.exe
Token: SeRestorePrivilege	3520	vssvc.exe
Token: SeAuditPrivilege	3520	vssvc.exe
Token: SeBackupPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1320	msiexec.exe
1320	msiexec.exe
4620	AudioReaderXL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4620	AudioReaderXL.exe
4620	AudioReaderXL.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 680	3148	msiexec.exe	95
PID 3148 wrote to memory of 680	3148	msiexec.exe	95
PID 3148 wrote to memory of 4620	3148	msiexec.exe	98
PID 3148 wrote to memory of 4620	3148	msiexec.exe	98
PID 3148 wrote to memory of 4620	3148	msiexec.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AudioReaderXL.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AudioReaderXL.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cloudflare.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:680
- C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe
  "C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f137.rbs

Filesize
12KB

MD5
4d854165bad0c1111ee57756627d77c0

SHA1
fc466288de2739edf207ef9d8195ac8795f98f57

SHA256
d47e9af45a37f24338d33296317842ba8471644543b75c896465ad29e32102a3

SHA512
6778755209e8a74e8886611a5692863888da86a6a22d0d7d9deaa3aaa6d4d83eaa734463bd008e557bd69069e9cf03bd67443ab4cabba985850581c07b0bca98

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ABCpdf.dll

Filesize
652KB

MD5
f35e190d9847aee93157ad18bee2ff51

SHA1
011dd903705ac60f39a74191b41b82c11c53abe6

SHA256
faf2b98ef2934c7addf7056a3b6f2fa56c814db79d960f8fb2744e4e4d260500

SHA512
f4329b5bed3a840e1e630be9a5a61903d2aae31d6fac068d6f750b98a0d2b65de9b38db1ddd6298c104704d48593996bc7db8f6e6d77f1117bfc8e0431935738

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\AudioReaderXL.exe

Filesize
2.3MB

MD5
5d8a546c266cc1d2f14b3be5c662c67a

SHA1
a474fe2bf3311a452bee640dbb423b20e0a99929

SHA256
8eaeff4697ce489daee3d82e7c703409907bfb9fa890a3646b56634798e01bc4

SHA512
cdd3c8c4a73ccf10d97097826e5b4567d0a3b227a9080e3ff7ad84eec6276a11c94a47f545d2b6023ed6a3b4b377d2073e6584b2ce4492f1de7789a7fa6c2cca

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\CharcoalDarkSlate.vsf

Filesize
59KB

MD5
947023ba00312c4574a44688a11fd5eb

SHA1
164a4609c041d93ccb645ab8df70e04ffb984508

SHA256
aa45e23296396e41e3f1547ee8aa59989f2ee3e05651f27b842eca366c87f047

SHA512
a6af49ba6e12b886bd30217a7ae5856881f553a4931acda2ae26e372fb79afc09ecf0a6364011adcdf2e2f93d76899a23570f00db2dce9d5c06a1a9c24b5c66d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\Concept.dat

Filesize
5.5MB

MD5
4035390af4171153c1cb708f7151ed5f

SHA1
9ed10ad504e6b19f6fd9570ed92a793bd2d79721

SHA256
407048f9d01e5bf9051a043261a29c4654190444fe15e5f96f97c446ad7ae8d3

SHA512
56c8942340b9d83c0c396aed680000e1a2c9a0f075cb8c96150d9341aeef4a62245a373288ca0546c21605333deca86dc2fd47812de605bb3eaeb08b987e22c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\Languages\Russian.sib

Filesize
125KB

MD5
4d7d38ca87590e1c4787d834312485fb

SHA1
7114a6219f62149071e289ff171cb3a78dd43dd7

SHA256
ba8827d76c9682a3fbb548c1c392bd058c1cfda1fd8654c715abfbdad750e9a0

SHA512
28680ac747344f770d6a724c27f3b5f073c5a0d159ffa620900042ef25433e46f45d3a4c803175a92051f1f10b67f32ed2c41deb5b610f65e37bb41c701b2cd5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\License-Russian.txt

Filesize
4KB

MD5
3d44e666ce041981dbf7529916d4c92a

SHA1
0d51862ae922cebaa9638d542d6b4684e195a1a8

SHA256
62edad9e609781d9cc130b3dcb9ac27c7342f79f97be295390c517251e98877b

SHA512
665e016a6956588ce761aca0e11d9429164e05e471b8f9c7510b297ddf136b209ec112c6043af5407f3effdde3e09ac4baa47548209c5c09f156e483d447016b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\License.txt

Filesize
3KB

MD5
8c3d5df72e234543b6619a38ea4c9915

SHA1
42247b1b09814b174742d85a87e842af096426c9

SHA256
3a5ddb81221d346b0a4f9dcbdcefa7d63f38d4570d0c9b0627a7698094ba4356

SHA512
9f52d48261909bb151449dac60eb5d74128fab03e89c2e50ee9a872d263e0f4d27203fc898e4ba1e39510672de6ca0caea0329640c78b639da58defb1f18c225

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\PDFtext.dll

Filesize
1.2MB

MD5
f5dd27918cdc45136567ceb8b216c5b8

SHA1
d7da1e100292ab7d6908516a60a555be77b6d01e

SHA256
8a4c862ffdf0e858ae721bce97e2a5951c4d8dd665856459c41378141f5f2772

SHA512
c1d2240dc168df8cad9355f5266093babf0eaf257f40206a18f3364d0d3f2b1d03042241cef8134df06aa11cfb386f231ea48fa433801ace68282bbe32d904bf

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\RwcProxy.dll

Filesize
336KB

MD5
741fd2623ad12de3403f39ef575181e3

SHA1
54f3fa29a9565278109ba6a4049f403970110c49

SHA256
1612b2db97aa51736de92be6fc50c502394169ed4dc3e9bfde06f331dd08790a

SHA512
045171c2f8b65a0ce41ac86680dbc2683c1561ed008a4f33c34874cddefb8f5b15aa7f402dc98386e7b37428fc7ea86325c19c2e3b1b91bc401fc1659f6b8705

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\SAPIDLL.dll

Filesize
403KB

MD5
7d96ebf6ab548ac4e9f6ee761454de9f

SHA1
cc121db7480602a3e3a10cfc453f2604258805d2

SHA256
39c4355690759ade7e5a645603c46c48ff83b0d47163fbf7ffe9eaa92dfaecaf

SHA512
b2bf462d11217c764a5071b2e84b18cfdba778b48705afbde6e38f68dff80f8fe9a8f3c0f27cc731efa114e2ddd3a67219d79b289934c328d3820a2fe017a0df

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ThemedTypesIgnore.xml.bkp

Filesize
322B

MD5
df00c215260aaa2d2b571005d38dee66

SHA1
a32c80f9023a9efb2d23a0c9d2b67824f5dfe85c

SHA256
72d8c1c2d41160e27830af8c48d49c8bb36cbcb03c4dcd0ecada3e43bcea31d8

SHA512
b15911c9a908758006200d31bc359611f3e6eb197cf98b61307680fee1bcad011beb5d09b6e7fe4e14b31e00715950b1ba43e5ab26e43207f36c856e3b61cddc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\WhatsNew-Russian.txt

Filesize
753B

MD5
622f3d0b51d18328020f858c77ac4a9c

SHA1
84ec68b009c254fbcbf8d0fe38917e27eee26392

SHA256
4f39de7b48d8cd80f40267250df737619c122c260e982ca64029ce6bbc852d95

SHA512
1f9712be02005380a52806478eb316d9d9f212cedfd7458eb337b9534823ddd5ad69e4f2d968d8ce8825286372a1da90423a8ef0e0bba6068deaeeff228656fa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\WhatsNew.txt

Filesize
782B

MD5
26c76e66cf53cf7767f08c00e4659b09

SHA1
0907744fe2d42ebb9b53be23ad28dddb256acbd2

SHA256
5cbd87a6585c0bbc9904dff390d98333c36dd7728fbb67ece896bdd93abfd066

SHA512
874746b34fe44ba42e3aebb691b446ad6a8f7ceda52ca35c99b2a06ab754e4538931eb3bb3d2beb71196102bd1516a14ddfe9235f94bfd42d117c596a8129b39

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\ebooks\meal.wav

Filesize
1.8MB

MD5
1adb1764e42021f4049b1ae9f2e1d614

SHA1
813df01ff0a7562f1d0a02ab1f60f3f60435abd4

SHA256
88183affe3e1feb95c8b9f55b2d4a63bcbd1e8b40b901ec01bdcaa15a6d442a1

SHA512
e3d4f0efb59a7f77b5940a0a3c26aec5a5e879dc42f951376bb6c5e4184f137bd624d766c10b6315294860cb0b7113ff2fd6b4d09c89b4f9421b73705dd5e647

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\jdefend.dll

Filesize
8.7MB

MD5
ba095598cffb424c202781656ca2f2a7

SHA1
013486f84aba2a89955c6a62def2fd9524dba151

SHA256
f7b8d216b27fa51d835d262ee55fbd836d08b4f413e42bad38dea658f1779aed

SHA512
687223da11c8e0507a57b8480421400cbc44476ee94407e3601a8797e86449f95bf72ce47520071816523b40377509a27cfbdab29eac7c97f68c4411a852229c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Audio Reader XL Premium\links.xml

Filesize
255B

MD5
a09cd34d7b0c5d9855e09181c6dd72e8

SHA1
d6b1fa061c69bc773922336824ed8b6040b9690c

SHA256
c7b45450bf29b9e7dbce2b7ebc0583875edd233180eeca698b2b681c5da9200d

SHA512
b6af8cd55d1361e248091e4de08a13f6deabaa5e129aef6a29f161916682ab8a9133955e418bcda0e79cdd053f0872c0d1b2525e5fafa275f431886d88580ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ydiuaedhs

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Windows\Installer\e57f136.msi

Filesize
13.8MB

MD5
5d2922491b47e1c355103194e069e5ac

SHA1
eb918f926c9cc2f9239f1dfe0380727c8170982c

SHA256
c348002e3d2cf40a2fc3c819a96b1735dc451bb3ec32ba9355feaccd3eee63c0

SHA512
522be674a5fb20af9a4fa42315ae8e780df3310f5b0ea8feccca1cf788cd6af542226aed65e9c6f7353d2daf954522f4067880626a2ccf4b7793178b57eb0bd9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
93204482651350b1eaf6f9756b06c58c

SHA1
bfc45b345d685ce74535324212c5ca6228e53bcb

SHA256
0e21889feba9fc2d0fbe565bc35dd7bbfd95e101f75e9a48b898e10856544d97

SHA512
64a1608438d0818a65b77bd74a110f9cf4356c5568a7a8916d83ed124fcd16e9d4714d8a1268fa319f969af93cd1fd4804778d2c9201293357e1098a5d79b127

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a95f84ca-54a7-4893-9185-9bbed9542083}_OnDiskSnapshotProp

Filesize
6KB

MD5
6e0217fad86cd1adcf34d76542b313b8

SHA1
7e47bea1649d8f783821d67c4d3590be72a886be

SHA256
f9183fe2f0130cf8481aa9671b87a514563250b42e5b826425195309af8e7b37

SHA512
ce0e14ea500cda147ca98732bb00008d8388612798098fb6d7f6646d571fd99e72903c3864f363a5b945410f6822d8cea7a2e6c3cfb683d4231c88d0a731abb2

Download Submit
memory/4620-79-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-117-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-77-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-62-0x0000000074420000-0x000000007448E000-memory.dmp

Filesize
440KB

Download
memory/4620-52-0x0000000000C30000-0x0000000000C9A000-memory.dmp

Filesize
424KB

Download
memory/4620-85-0x0000000000C30000-0x0000000000C9A000-memory.dmp

Filesize
424KB

Download
memory/4620-84-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4620-86-0x0000000000CA0000-0x0000000000DE7000-memory.dmp

Filesize
1.3MB

Download
memory/4620-88-0x0000000000C30000-0x0000000000C9A000-memory.dmp

Filesize
424KB

Download
memory/4620-87-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4620-90-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4620-98-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4620-108-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-63-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-116-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-112-0x000000000A0E0000-0x000000000A66B000-memory.dmp

Filesize
5.5MB

Download
memory/4620-113-0x0000000006200000-0x00000000062EB000-memory.dmp

Filesize
940KB

Download
memory/4620-123-0x000000006E600000-0x000000006E69D000-memory.dmp

Filesize
628KB

Download
memory/4620-122-0x0000000063280000-0x00000000634BE000-memory.dmp

Filesize
2.2MB

Download
memory/4620-124-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/4620-125-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/4620-126-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/4620-128-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/4620-127-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/4620-54-0x0000000000CA0000-0x0000000000DE7000-memory.dmp

Filesize
1.3MB

Download
memory/4620-177-0x0000000074420000-0x000000007448E000-memory.dmp

Filesize
440KB

Download