b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6

Analysis

max time kernel
176s
max time network
221s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
Size

2.3MB
MD5

87456bf60dac3e8cfdaa3426801e18f8
SHA1

35e4812bac1f4d4f108af6e42ab76562cb23766f
SHA256

b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6
SHA512

2446c1dada684598ada56903b112ea7d20bc36af8d6cdcb035932cdcc1fc55c2bbaeedd35c5dfe06244c3062a70da572f13be2dd83b1900bbef763e5f21cb6c4
SSDEEP

49152:OgCh1LGumhuW+Pb2axbX8npxk+McGmA8IRIsWYsTMQmimQb50/QPS:jCP0aVMnpxHymNI+sWYmMmKT

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1184	irsetup.exe
1492	psvc.exe
1336	triarch.exe
1948	FreeDesk.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012308-55.dat	upx
behavioral1/files/0x000a000000012308-56.dat	upx
behavioral1/files/0x000a000000012308-57.dat	upx
behavioral1/files/0x000a000000012308-58.dat	upx
behavioral1/files/0x000a000000012308-60.dat	upx
behavioral1/memory/1184-63-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/files/0x000a000000012308-64.dat	upx
behavioral1/memory/1184-65-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/files/0x000a000000012326-67.dat	upx
behavioral1/memory/1184-93-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
1184	irsetup.exe
1184	irsetup.exe
1184	irsetup.exe
1184	irsetup.exe
1948	FreeDesk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\arch = "C:\\ProgramData\\triarch\\triarch.exe"	triarch.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\doload.text	psvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Videos	psvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Videos\desktop.ini	psvc.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\uninstall.exe	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\FreeDesk.exe	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\ie1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\ku61.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\popcap1.bmp	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\tuan1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\youku1.bmp	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\version.ini	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\baidu1.bmp	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\QQ1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\uni5207.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\baidu1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\taobao1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\tuan1.bmp	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\skins\AquaOS.ssk	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Uninstall\uni5207.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\cfg.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\AutoInstall\AutoInstall.exe	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\IRIMG3.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\version.ini	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\popcap1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\AutoInstall\AutoInstall.exe	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\ku61.bmp	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\taobao1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\bmp\QQ1.bmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\skins\AquaOS.ssk	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\cfg.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\FreeDesk\FreeDesk.exe	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\ie1.bmp	irsetup.exe
File created	C:\Program Files (x86)\FreeDesk\bmp\youku1.bmp	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1184	irsetup.exe
1184	irsetup.exe
1336	triarch.exe
1336	triarch.exe
1948	FreeDesk.exe
1336	triarch.exe
1336	triarch.exe
1948	FreeDesk.exe
1948	FreeDesk.exe
1948	FreeDesk.exe
1948	FreeDesk.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 620 wrote to memory of 1184	620	b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe	28
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1336	1184	irsetup.exe	30
PID 1184 wrote to memory of 1948	1184	irsetup.exe	31
PID 1184 wrote to memory of 1948	1184	irsetup.exe	31
PID 1184 wrote to memory of 1948	1184	irsetup.exe	31
PID 1184 wrote to memory of 1948	1184	irsetup.exe	31

C:\Users\Admin\AppData\Local\Temp\b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe
"C:\Users\Admin\AppData\Local\Temp\b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\b37cbd3de11353bd475fc3992108842f7562c87f18efb0ef725d0b018c30c5c6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3385717845-2518323428-350143044-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\ProgramData\triarch\triarch.exe
    C:\ProgramData\triarch\triarch.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Program Files (x86)\FreeDesk\FreeDesk.exe
    "C:\Program Files (x86)\FreeDesk\FreeDesk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1948

C:\ProgramData\lvc\psvc.exe
C:\ProgramData\lvc\psvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FreeDesk\FreeDesk.exe

Filesize
839KB

MD5
ec6c5975a42f0af8f6dfcc951469804b

SHA1
cd9366fd121e48a67e454405dfe3359500a97945

SHA256
a519f7e5e6b92ca97bed29d1c14f3667ef5057614574040715436dc1389eb41e

SHA512
2cbc5aeedb7ce761bd95bdd74b9f50509278ccdbab8c4492f3507aaecf1e3cae85747b864224acb1d72ec8c1bb61b089d1c238bf6c1b5b548627689e6566c899

Download Submit
C:\Program Files (x86)\FreeDesk\FreeDesk.exe

Filesize
839KB

MD5
ec6c5975a42f0af8f6dfcc951469804b

SHA1
cd9366fd121e48a67e454405dfe3359500a97945

SHA256
a519f7e5e6b92ca97bed29d1c14f3667ef5057614574040715436dc1389eb41e

SHA512
2cbc5aeedb7ce761bd95bdd74b9f50509278ccdbab8c4492f3507aaecf1e3cae85747b864224acb1d72ec8c1bb61b089d1c238bf6c1b5b548627689e6566c899

Download Submit
C:\Program Files (x86)\FreeDesk\SkinPlusPlus.dll

Filesize
1.3MB

MD5
945c694b334f7949ccb290dc825fb994

SHA1
d62237a405745ef166371c86e9b603abd2fee1f7

SHA256
67186d0686d04b2a160041234ae6026685d53f2b3b093d070a87e9e5d1b6be69

SHA512
94b66885b0ab37c0d50de2ab63dd6f2c2af4c4a968f149da5224fb2bfc3bceef38ad8e6551f66932d635ef479df03900395871f309da7850bf7c7ea6d47e2022

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\QQ1.bmp

Filesize
3KB

MD5
81d3300fc05848c624a05eee7f52915c

SHA1
7984d8fc126bd09735907f10b6d3311d1a2b07df

SHA256
114f8bb8788ed3c743abce25af50e1b5d572c9a01c7ea5adc2428485451b63ea

SHA512
48b40d9837bb6e86775f053c893099c59db24ace346dc6c9819853be03afa931b9000c6f85bc1ff2b2e0099cb2205c29618a156039b2f29e4cadce8ec4f5ad81

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\baidu1.bmp

Filesize
3KB

MD5
b2430a507429370eb0089b284cdfee34

SHA1
e49a02b1eabf5116a12bf76772db8b08a63c4439

SHA256
c30f0c50c1dd08f0d6ae8f9dbabb63d7f09ea4bd558a2bad4c6ab527902c9226

SHA512
66189dcb41b9dc03ef57c8e18d03521d421af3612e10d366acc1d65cf0fc95cb75c5a43687ee516acb65d3acef7bc69c5c7d4806f26addaa6e1bfd1e48626166

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\ie1.bmp

Filesize
3KB

MD5
410f21b5e061960d6a558e5c517388ad

SHA1
3371be95f941b4c68b75ec043873d16dba325d2f

SHA256
4578c6b433ff544273063e27ff116de667718fa61eeb59c6a1630ff67949993d

SHA512
61a33536ec33a313f640c8aef7f9d5f8cf631b8397fece960e3c8b83d6ff842a6de7cbb3947b87f6509dbb93091c890d0dc5d7d079f4726a4a59180bbbf079ad

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\taobao1.bmp

Filesize
3KB

MD5
8c83ec499b95286b6ad86bd0c0e3c090

SHA1
131b976d48a3e7e6d4524b8f206c3b5e369be33e

SHA256
afab726e421522960e10b8b8ee2272badf416813d9dd308018294f0a990b9c13

SHA512
4bb46939c6d74b2aed5f3393853df986cb3c3e2b30d612952a5c9956ea2d1d94ef1f4e188695ebfde94b272b89b2a3c101105d992fe273c415b0f29dc0a603ad

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\tuan1.bmp

Filesize
3KB

MD5
d154e1c65f2bea3a743caca9970809ed

SHA1
aaab205161b8ae8bc9cb316d983093fa8c90f03a

SHA256
86e9eb0d8aed5fc334602f68f06a568a0a26408780ef845b2e0984be2bdea144

SHA512
018cd9c7ffc942818bb37861e67fa133d6159d18aad73d285821313f5686abac21ba5981910887e00eeaebce368bcd9d43a6c87dfdff48de904a0d3b100cbcd9

Download Submit
C:\Program Files (x86)\FreeDesk\bmp\youku1.bmp

Filesize
3KB

MD5
341b72d9a98bcb1ad279d41b30a28a54

SHA1
1819f87a0fe749a66f1f8aa01a5944cb43534ecd

SHA256
1b7bf6e1c621021bc36321b5f2f6c0e2dc5bea3a8763769b0e017195935ad6df

SHA512
968b1e14d1bace4be20842a18d62423fb3c89aa36d6fa17bb1c8feecdef928ab12e06a62a6216b361cd591989b5142f7cb5f6c07f7998328a21efac1cdaedfb5

Download Submit
C:\Program Files (x86)\FreeDesk\cfg.ini

Filesize
33B

MD5
712c2b4d9fcd780648e368a5526949f7

SHA1
a927d8784fbc46fe2b22cb4751513f8c2ea3b681

SHA256
263c3e3b765b61a626eaef7ab203b3dacb7db6bfba8792cf0e93a12ea835e03a

SHA512
4f3fb439c152cc80524a35c715de04be2b1b2233ca5a2a9168858a5d88a224783b335794eb8aa1486eac69bf48f8e92ab182f892cf9a215d21e270c5e7da9bde

Download Submit
C:\Program Files (x86)\FreeDesk\skins\AquaOS.ssk

Filesize
83KB

MD5
7a52c94ea8d174c09bfc15245aac9194

SHA1
4d0f5462a120f07d88dc0103c3d52382d098d557

SHA256
af6ee034e8143cc571cd5385eb17a58b10497175aa55cda2fd742930e5f5d4f6

SHA512
22cee813e6ec618ccaf77118c218b144de1383ff3136aaef3d83a6167a6a21aefb6dc9f30df361338398937f3ea5b3887e9ce2b6bcc61f1698a2d6263797de77

Download Submit
C:\Program Files (x86)\FreeDesk\version.ini

Filesize
52B

MD5
6a46044a10ea9af24bc08450eb0b8f56

SHA1
dc407d6d3b743fb5ce847840f52b436684480b07

SHA256
d2638b53e6a6c8a3d4cd7b169f884b34fe0b0556edf1bc4cb523501bd2c41c9b

SHA512
fe8ae816d62989c61a20953a1aeb414cdd849b5771c843938a1ed90695b0d69041e0746779a1e74ecc28c52a1341088a5d42f1aa71d4411b31076b3a9dfe6053

Download Submit
C:\ProgramData\lvc\psvc.exe

Filesize
248KB

MD5
a7687f76c4c41d57ce7d08287501d356

SHA1
f43f017b044d8110c493cfc01c0aff111c2e4cab

SHA256
6d2a52a18f2bd783fc07f546d06260aebebdf10e5a1cb09f2f6a3b3814a4cb25

SHA512
0cacc3b3471d2394716bb8b1cd8f174dd0805b2a934811817209f18d9026ca8c8464383e26c979693494e3b178da135e6029ed959b48bd32bcebe3297e304b96

Download Submit
C:\ProgramData\triarch\triarch.exe

Filesize
476KB

MD5
9019e06439a53af020380843eb15659f

SHA1
3c7d7a80b1784e919065d375abb16c06504426fb

SHA256
8b232683e577c585ea1b3da34c7c4e460ce8d9d6f192bc87b65637d78da6a10c

SHA512
e1d52e760f245ecddc5a2a2398e5a571ad8150ca3d3ab8e7370170bc8b83e4456c682bff99292ecb7f11d1defc931695372f1c0d2c3ba7bb89827b41fb0e860e

Download Submit
C:\ProgramData\triarch\triarch.exe

Filesize
476KB

MD5
9019e06439a53af020380843eb15659f

SHA1
3c7d7a80b1784e919065d375abb16c06504426fb

SHA256
8b232683e577c585ea1b3da34c7c4e460ce8d9d6f192bc87b65637d78da6a10c

SHA512
e1d52e760f245ecddc5a2a2398e5a571ad8150ca3d3ab8e7370170bc8b83e4456c682bff99292ecb7f11d1defc931695372f1c0d2c3ba7bb89827b41fb0e860e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Program Files (x86)\FreeDesk\FreeDesk.exe

Filesize
839KB

MD5
ec6c5975a42f0af8f6dfcc951469804b

SHA1
cd9366fd121e48a67e454405dfe3359500a97945

SHA256
a519f7e5e6b92ca97bed29d1c14f3667ef5057614574040715436dc1389eb41e

SHA512
2cbc5aeedb7ce761bd95bdd74b9f50509278ccdbab8c4492f3507aaecf1e3cae85747b864224acb1d72ec8c1bb61b089d1c238bf6c1b5b548627689e6566c899

Download Submit
\Program Files (x86)\FreeDesk\FreeDesk.exe

Filesize
839KB

MD5
ec6c5975a42f0af8f6dfcc951469804b

SHA1
cd9366fd121e48a67e454405dfe3359500a97945

SHA256
a519f7e5e6b92ca97bed29d1c14f3667ef5057614574040715436dc1389eb41e

SHA512
2cbc5aeedb7ce761bd95bdd74b9f50509278ccdbab8c4492f3507aaecf1e3cae85747b864224acb1d72ec8c1bb61b089d1c238bf6c1b5b548627689e6566c899

Download Submit
\Program Files (x86)\FreeDesk\SkinPlusPlus.dll

Filesize
1.3MB

MD5
945c694b334f7949ccb290dc825fb994

SHA1
d62237a405745ef166371c86e9b603abd2fee1f7

SHA256
67186d0686d04b2a160041234ae6026685d53f2b3b093d070a87e9e5d1b6be69

SHA512
94b66885b0ab37c0d50de2ab63dd6f2c2af4c4a968f149da5224fb2bfc3bceef38ad8e6551f66932d635ef479df03900395871f309da7850bf7c7ea6d47e2022

Download Submit
\Program Files (x86)\uninstall.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\ProgramData\triarch\triarch.exe

Filesize
476KB

MD5
9019e06439a53af020380843eb15659f

SHA1
3c7d7a80b1784e919065d375abb16c06504426fb

SHA256
8b232683e577c585ea1b3da34c7c4e460ce8d9d6f192bc87b65637d78da6a10c

SHA512
e1d52e760f245ecddc5a2a2398e5a571ad8150ca3d3ab8e7370170bc8b83e4456c682bff99292ecb7f11d1defc931695372f1c0d2c3ba7bb89827b41fb0e860e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
memory/620-62-0x00000000028A0000-0x0000000002A21000-memory.dmp

Filesize
1.5MB

Download
memory/620-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1184-63-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1184-86-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1184-65-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1184-68-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/1184-93-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1336-72-0x0000000000000000-mapping.dmp

Download
memory/1948-76-0x0000000000000000-mapping.dmp

Download