bazarbackdoor | 318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96

Analysis

max time kernel
146s
max time network
133s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.6-global.exe
Size

23.6MB
MD5

7a4472a78d0651e11d20aa08e43cc045
SHA1

aab1d5f80d7399ae2c1982201733be7681d100b1
SHA256

318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96
SHA512

c152c9d21b0615548173dcc61accb1a1afd5b6f98e6ec21f6a7119536397f07a54ad4087669716c3344dd338ce4f24cecf9989d472f65eaa18c87d496f23c681
SSDEEP

393216:gXQLpnUN/n8IPfs/dQETVlOBbpFEj9GZ1GphRqV56Hpk7IXOzDnKI17fyVS:ggLFUp8aHExiTI3qqHp6zvKcfyVS

Score

10^/10

bazarbackdoor backdoor discovery upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000600000001da99-104.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001da99-106.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001daa5-107.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001daa5-109.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001daa5-115.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001daa5-117.dat	BazarBackdoorVar3
behavioral1/files/0x000200000000f6fd-119.dat	BazarBackdoorVar3
behavioral1/files/0x000500000001dbb0-135.dat	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

flow	pid	Process
48	3024	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1040	irsetup.exe
2372	AdditionalExecuteTL.exe
2436	irsetup.exe
2692	jre-windows.exe
2720	jre-windows.exe
2264	installer.exe
984	bspatch.exe

Loads dropped DLL 29 IoCs

pid	Process
1504	TLauncher-2.871-Installer-1.0.6-global.exe
1504	TLauncher-2.871-Installer-1.0.6-global.exe
1504	TLauncher-2.871-Installer-1.0.6-global.exe
1504	TLauncher-2.871-Installer-1.0.6-global.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
2372	AdditionalExecuteTL.exe
2372	AdditionalExecuteTL.exe
2372	AdditionalExecuteTL.exe
2372	AdditionalExecuteTL.exe
2436	irsetup.exe
2436	irsetup.exe
2436	irsetup.exe
1040	irsetup.exe
2692	jre-windows.exe
1224	Process not Found
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
3024	msiexec.exe
984	bspatch.exe
984	bspatch.exe
984	bspatch.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122f2-55.dat	upx
behavioral1/files/0x000a0000000122f2-56.dat	upx
behavioral1/files/0x000a0000000122f2-57.dat	upx
behavioral1/files/0x000a0000000122f2-58.dat	upx
behavioral1/files/0x000a0000000122f2-60.dat	upx
behavioral1/memory/1040-64-0x00000000003B0000-0x0000000000798000-memory.dmp	upx
behavioral1/files/0x000a0000000122f2-67.dat	upx
behavioral1/memory/1040-72-0x00000000003B0000-0x0000000000798000-memory.dmp	upx
behavioral1/files/0x000a0000000122f2-74.dat	upx
behavioral1/files/0x000900000001c91f-87.dat	upx
behavioral1/files/0x000900000001c91f-86.dat	upx
behavioral1/files/0x000900000001c91f-85.dat	upx
behavioral1/files/0x000900000001c91f-84.dat	upx
behavioral1/files/0x000900000001c91f-89.dat	upx
behavioral1/files/0x000900000001c91f-93.dat	upx
behavioral1/memory/2436-101-0x0000000000DA0000-0x0000000001188000-memory.dmp	upx
behavioral1/memory/2436-102-0x0000000000DA0000-0x0000000001188000-memory.dmp	upx
behavioral1/memory/984-137-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/984-142-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\installer.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6dcb21.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE614.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEF1.tmp	msiexec.exe
File created	C:\Windows\Installer\6dcb1f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE355.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE644.tmp	msiexec.exe
File created	C:\Windows\Installer\6dcb1d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6dcb1d.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238"	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1672	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2720	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2720	jre-windows.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeSecurityPrivilege	3024	msiexec.exe
Token: SeCreateTokenPrivilege	2720	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2720	jre-windows.exe
Token: SeLockMemoryPrivilege	2720	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2720	jre-windows.exe
Token: SeMachineAccountPrivilege	2720	jre-windows.exe
Token: SeTcbPrivilege	2720	jre-windows.exe
Token: SeSecurityPrivilege	2720	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2720	jre-windows.exe
Token: SeLoadDriverPrivilege	2720	jre-windows.exe
Token: SeSystemProfilePrivilege	2720	jre-windows.exe
Token: SeSystemtimePrivilege	2720	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2720	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2720	jre-windows.exe
Token: SeCreatePagefilePrivilege	2720	jre-windows.exe
Token: SeCreatePermanentPrivilege	2720	jre-windows.exe
Token: SeBackupPrivilege	2720	jre-windows.exe
Token: SeRestorePrivilege	2720	jre-windows.exe
Token: SeShutdownPrivilege	2720	jre-windows.exe
Token: SeDebugPrivilege	2720	jre-windows.exe
Token: SeAuditPrivilege	2720	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2720	jre-windows.exe
Token: SeChangeNotifyPrivilege	2720	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2720	jre-windows.exe
Token: SeUndockPrivilege	2720	jre-windows.exe
Token: SeSyncAgentPrivilege	2720	jre-windows.exe
Token: SeEnableDelegationPrivilege	2720	jre-windows.exe
Token: SeManageVolumePrivilege	2720	jre-windows.exe
Token: SeImpersonatePrivilege	2720	jre-windows.exe
Token: SeCreateGlobalPrivilege	2720	jre-windows.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1040	irsetup.exe
1040	irsetup.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
1040	irsetup.exe
2436	irsetup.exe
2436	irsetup.exe
2720	jre-windows.exe
2720	jre-windows.exe
2720	jre-windows.exe
2720	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1504 wrote to memory of 1040	1504	TLauncher-2.871-Installer-1.0.6-global.exe	28
PID 1336 wrote to memory of 1496	1336	chrome.exe	32
PID 1336 wrote to memory of 1496	1336	chrome.exe	32
PID 1336 wrote to memory of 1496	1336	chrome.exe	32
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1684	1336	chrome.exe	33
PID 1336 wrote to memory of 1672	1336	chrome.exe	34
PID 1336 wrote to memory of 1672	1336	chrome.exe	34
PID 1336 wrote to memory of 1672	1336	chrome.exe	34
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35
PID 1336 wrote to memory of 1664	1336	chrome.exe	35

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:24771453" "__IRSID:S-1-5-21-3406023954-474543476-3319432036-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-3406023954-474543476-3319432036-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c44f50,0x7fef6c44f60,0x7fef6c44f70
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1092 /prefetch:2
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1600 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3304 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1304640415804431998,11943633057973152364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:2284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3024
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 2724C09FDF1B865E542471C1918C3352
  2⤵
  - Loads dropped DLL
  PID:2308
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  PID:2264
- - C:\ProgramData\Oracle\Java\installcache_x64\7204890.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
dfe513d54b6e0521ac2adb089eceef04

SHA1
a149214a46b7909c36edb90527de69de4f70d9a8

SHA256
7cb878b60608be35a23719e78e10c1270c908f724fde44d812e3fc703037298b

SHA512
58aac2ce5ec39ef906477a79017259fe0e922c6672b64dd9df0ba977e46b98cfb4633b0886084e17e5304988f29854679b5c56a622121c473b2b6440bcabe0bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9566d0e72aa1b7612f3f4f478d93aadf

SHA1
09806871272dec354d2698d36bb5c37be3aea763

SHA256
b672dcce1cccda517b2d86ba91379cefc0540ae0de3751ddf9a9c9e2b2d12413

SHA512
96848b287b26a0977c76857a6108514cc780a00adc267ca293bfca2305db5b7844f14631b986c6428c8f265ef91b1d0ef17f3859a81b77570ba4d91a4db160a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
65974a81793dd4313a093e2f5921c383

SHA1
bd0d08cea54c42f4d1a2ef0b08c05d15016fda8e

SHA256
2934bd630e13c3b85dcce6407225163bc745e058fc5ea34067194dec35804a4f

SHA512
cf5dbc184e75fad48a5798f45bdaac572ee4fff142877f30fe60c3d2e8ee953c392e57f12471d4ad2ad770c880a70ccf5262430a0b57bb04f8deee046ad57f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9f2726ec15cac4d9a816217b7a02c88a

SHA1
a452756223765c71e03399ec1e76550eec6a9456

SHA256
4527bc73dfa1a9385dd40b271ffccb2752f470e1a55f12df0c9e022e2f240880

SHA512
1047c4f61d6718772c1cf3f3a5777f816432b94c06f7e0d161da8c688076fbf2bf5387c6f5e274cc5e0899734b058d1cae099e858d3188143f04f606f5a532df

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
4f337ff2612c84ed9e7714ec4d1fd2ef

SHA1
c888595b151e81c144cee844b6decdc89178e277

SHA256
bc8bd32ba13d7b7a604bcc303a1d873519097da33bcc1dff61f7070b9f7f4dfe

SHA512
7db98092d9bbedb03006e4a83de492b921eb4f2ada5c8696b752b23aa93d4f153e138ffc28020e2660ed5235c944ec6055624c4d4cfcecff5f86df438f54e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
20KB

MD5
2e9aec0204f8b5675cf815530fc28ed5

SHA1
40e32fb111cea1b5719aa29502716e90d5f86aab

SHA256
2ad3628f5a770ce6d825e9865867c4f7904d62594d33d814a1ebdf05a7ce387f

SHA512
7d6114168730cb8c8305a8bb957864d248b0a01d257d83c00064015aa4e7d02e9dcc1efe6111fe1f88127d6c751352dff82e1188f6fd42699528e957d0c6514f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
40KB

MD5
25420f72176d0673ee36141b12321289

SHA1
a3593dde0d4d318cf83e4785dd132fba17fa2015

SHA256
925cf611fd9bc045c3c08300c14e7117d6352283bca931b9820318719a2e1d13

SHA512
e5d1c61b3df146bdd8b7821c0d01d403532c4ba31998bc60353596ed3f2cbc999ba5606c3b5fa9c38673ea8f3011e91f94f6dd16a55d2962f223cd2b7898326c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
603B

MD5
08d38d749944de70edb880f413edef0c

SHA1
051fec6abb3f7965b1245dd0818476cdb78b4212

SHA256
a85fe76fec5dec4855f85dcc0ad2638b3b0db7a43526440fb81bab3f2cd24c71

SHA512
364d8154bbaf7104ca50a9e42434f88afa99025de57ae0e2c106cb28b81ede12a3d90d384f028190431cfb28adb952b1681f775c6f1cafacbc6315a619d996fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A8NT7C5S.txt

Filesize
867B

MD5
f16bb791f4bbd03b59749789f49c0459

SHA1
b525cf87cb6a3ff2ec6fb3593dedb1d50fccdb02

SHA256
6db081b380bc5a86b58ed53dfe05966c03cdb302bea3e20e9e6e2471113fb9b5

SHA512
2a6a6194f93b0c187072328b773a4309e6eebb4510d646fc067adceeff05fd83399ffe77a24785d71bc3adb382707adcc2797544d85bc8355ea8719b3fa0013f

Download Submit
C:\Windows\Installer\6dcb21.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIDEF1.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIE355.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIE644.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7155048.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSIDEF1.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIE355.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIE644.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/984-145-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/984-144-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/984-143-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/984-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/984-140-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/984-139-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/984-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1040-70-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1040-83-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/1040-64-0x00000000003B0000-0x0000000000798000-memory.dmp

Filesize
3.9MB

Download
memory/1040-141-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1040-72-0x00000000003B0000-0x0000000000798000-memory.dmp

Filesize
3.9MB

Download
memory/1040-71-0x00000000007C0000-0x00000000007C3000-memory.dmp

Filesize
12KB

Download
memory/1504-63-0x0000000002B20000-0x0000000002F08000-memory.dmp

Filesize
3.9MB

Download
memory/1504-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1504-62-0x0000000002B20000-0x0000000002F08000-memory.dmp

Filesize
3.9MB

Download
memory/2372-99-0x0000000002D40000-0x0000000003128000-memory.dmp

Filesize
3.9MB

Download
memory/2372-97-0x0000000002D40000-0x0000000003128000-memory.dmp

Filesize
3.9MB

Download
memory/2372-98-0x0000000002D40000-0x0000000003128000-memory.dmp

Filesize
3.9MB

Download
memory/2372-100-0x0000000002D40000-0x0000000003128000-memory.dmp

Filesize
3.9MB

Download
memory/2436-102-0x0000000000DA0000-0x0000000001188000-memory.dmp

Filesize
3.9MB

Download
memory/2436-101-0x0000000000DA0000-0x0000000001188000-memory.dmp

Filesize
3.9MB

Download
memory/2720-110-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download