d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f

Resubmissions

06/07/2024, 12:48

240706-p11bqaycpq 7

06/07/2024, 12:44

240706-pyjaes1cpg 7

Analysis

max time kernel
99s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.8.exe
Size

24.1MB
MD5

ff77de2eb5a4366f68735e22ce263d3c
SHA1

8758fe1d1ab6359e3011a41e35529185f75a0b99
SHA256

d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f
SHA512

30ef806a6dd951ae33e05e40f99577675bc4dfab0a8fe6d239ebbb46e026899484e140af36e41959ea29886e54d49022cbe5c7e4dcdaffcdab67ae85f7976e60
SSDEEP

786432:WKqHyU7V5bJmM9irrKJBH5lFRqH0fYk/pUJ8a:WKay+sMQPKJBZlCUfYSpUJ8

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2344	irsetup.exe
2804	BrowserInstaller.exe
1964	irsetup.exe
836	TLauncher.exe
4632	TLauncher.exe

Loads dropped DLL 21 IoCs

pid	Process
2416	TLauncher-Installer-1.4.8.exe
2416	TLauncher-Installer-1.4.8.exe
2416	TLauncher-Installer-1.4.8.exe
2416	TLauncher-Installer-1.4.8.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2804	BrowserInstaller.exe
2804	BrowserInstaller.exe
2804	BrowserInstaller.exe
2804	BrowserInstaller.exe
1964	irsetup.exe
1964	irsetup.exe
1964	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0038000000014335-3.dat	upx
behavioral1/memory/2416-14-0x0000000003560000-0x0000000003949000-memory.dmp	upx
behavioral1/memory/2344-19-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-692-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-731-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/files/0x000400000001deae-770.dat	upx
behavioral1/memory/1964-798-0x0000000000950000-0x0000000000D39000-memory.dmp	upx
behavioral1/memory/2344-807-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-1542-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/1964-1544-0x0000000000950000-0x0000000000D39000-memory.dmp	upx
behavioral1/memory/1964-1545-0x0000000000950000-0x0000000000D39000-memory.dmp	upx
behavioral1/memory/2344-1550-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-1552-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-1554-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2344-2230-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3283001-3B95-11EF-805B-F637117826CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB3035A1-3B95-11EF-805B-F637117826CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1964	irsetup.exe
1964	irsetup.exe
4852	chrome.exe
4852	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4372	iexplore.exe
4660	iexplore.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
2344	irsetup.exe
1964	irsetup.exe
1964	irsetup.exe
4372	iexplore.exe
4372	iexplore.exe
4432	IEXPLORE.EXE
4432	IEXPLORE.EXE
4660	iexplore.exe
4660	iexplore.exe
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2416 wrote to memory of 2344	2416	TLauncher-Installer-1.4.8.exe	28
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2344 wrote to memory of 2804	2344	irsetup.exe	30
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2804 wrote to memory of 1964	2804	BrowserInstaller.exe	31
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 2344 wrote to memory of 836	2344	irsetup.exe	37
PID 836 wrote to memory of 4372	836	TLauncher.exe	38
PID 836 wrote to memory of 4372	836	TLauncher.exe	38
PID 836 wrote to memory of 4372	836	TLauncher.exe	38
PID 836 wrote to memory of 4372	836	TLauncher.exe	38
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4372 wrote to memory of 4432	4372	iexplore.exe	39
PID 4632 wrote to memory of 4660	4632	TLauncher.exe	42
PID 4632 wrote to memory of 4660	4632	TLauncher.exe	42
PID 4632 wrote to memory of 4660	4632	TLauncher.exe	42
PID 4632 wrote to memory of 4660	4632	TLauncher.exe	42
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4660 wrote to memory of 4712	4660	iexplore.exe	43
PID 4852 wrote to memory of 4864	4852	chrome.exe	46
PID 4852 wrote to memory of 4864	4852	chrome.exe	46
PID 4852 wrote to memory of 4864	4852	chrome.exe	46
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48
PID 4852 wrote to memory of 5076	4852	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe" "__IRCT:3" "__IRTSS:25232442" "__IRSID:S-1-5-21-2737914667-933161113-3798636211-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-2737914667-933161113-3798636211-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1964
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4372 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4432

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4660 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65e9758,0x7fef65e9768,0x7fef65e9778
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2816 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1392 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3400 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1440 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3020 --field-trial-handle=1340,i,16072710303402217000,11860193977048515681,131072 /prefetch:1
  2⤵
  PID:2304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG

Filesize
206B

MD5
bdb247c44cbe2d5f63ac51a2378734f3

SHA1
024844330b6cc23986de94e2b80bc3c2e32c08de

SHA256
53f406badad3465d216d3f0b6f5a87adddec77b04f0bdc585d2de1e786d0aa13

SHA512
23bc82934d62081f6e662624990f2e823da11938d407ab1c0d1c00f4e0377527160ac82cce036b8804f8e76b0505ab7664bce2bfbe96e480baa466ab772820a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
92a58d4723329aef02eca2b8a6e93024

SHA1
dc8d96efd202343e40a12a1b51adcc8328b436fc

SHA256
7d75bce82c63370307200c2528783b8b6e460ad7f2386c82faf23e028896620b

SHA512
3a7824203b4a12d6257a4a54f8ffeebe11f81b964a6fbd373efa01dddb6d3b80f159dad385f454a5ebab257d0aa7621f19f367b2987407b9206859c159483104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
1468502e3f45c3c0a2ffe773591382be

SHA1
be58257e0f5142e6410a22546cc1b6ac0ef0ebc5

SHA256
4845843e4d406900aee87be95ddf84a9272d6660d294f8166b6012657b7a5849

SHA512
2e7f3b52a75d961c39fca45f0a8d2868374f3a543419a4d15fea5b874553ae15052740aa93e04e1a5966c97b4d182ff5171e4237b4e283304af819ab771408d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
10435cc0577cbd746d1855b1d0941e2e

SHA1
61c54d525919dc92540157fb856253d22514a46f

SHA256
d67c14da63fbf4e571195999898f593becb59783f7b9360417d890c2edf3cbef

SHA512
35d1aa70cdc8f791d1f327bcd2b51d3a88448f338762fc87ff97459c7c1a5860127e8bc66ad9cf5f5f4fc9a5bf752b8749c88c86eee13817d24a5a615bc26ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
151KB

MD5
c2be5f72a6cb93af45f70fcd786149a6

SHA1
91a3250d829e7019c7b96dc2886f1d961169a87f

SHA256
f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6

SHA512
522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
751B

MD5
46392d0a3811fca2802bdf2a1c5d53ee

SHA1
0a178e9eb9aea899ede25eb88e87e64143935a74

SHA256
f6c5fe6575d34c8c3b705247527c09c71558369307c75a8959b1e453a8addfab

SHA512
b7174e54084f85e00c8746abe8c2b72757a8a77d36493afdbf5309d2dbd78c9d1b7ddba56726f824f521c709aec9b49967500d71184570dc252103a696281bc7

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
75271ec49105bb1ad1f2808eff816b2f

SHA1
3f5d1487b681fca37f61c136b5a82b601a9cee24

SHA256
8ce00af9dafad204fe53683a468465b18d6659ff2f2b067b481da2f1a519ec0d

SHA512
5cbf55741a58fb476712b27a321243f1b0d4bd445386bfded6a115eacff488691d7dd482f17849942da00d19e8f2afc3c922a7606dbef7fb345ad467e58f969b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
22KB

MD5
41ab50b3934447b580a3f05a0919de5b

SHA1
a7f811516242d5ec9ec9897f2a7f1af5363705a7

SHA256
49c7cee51e5cc0dabb2cd026c4ab58ac24e8a511619379795806c9aa1f0ad21f

SHA512
63de6de7cd1f087b69e5f69d78266d0d14aee0e22d085eb460b029af053b3a76e39910b26f4486c258d498105f8213574f5a9810ae4f779d3c4310c48dee2687

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
36c744011f2c71f2caa553236b339d03

SHA1
1739c336922e03a8a138999d8247668a279c6d95

SHA256
a7eab595e57de5a17cfe132117b4fef50234dc9a15e452d900b63f9c377f6aa1

SHA512
b1b236dbaf45c78fbdfc5441ec05f95fbf4a64be45d07baf30a70a0c962921d436137e8d618ee872662476615740e88f05cc18d45f0af48511a886c2c165a3a8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
c4aba50a1fac1d4d5e13c5bcd9e852c9

SHA1
9c74e687194c16c8853298b75f1e859392280a1d

SHA256
09aee04971d4f9bb30f0b9fd17b0c6c17fd8a2d3d0a78d9a9b580bc73f1b7f2e

SHA512
88c1b12eb8d915386ecb1145fcd913e3648fc881adaed7264a7ed41ef4993b3d69fb09466464955a93895a65957a6e77e68cc0d808e8f1bca97e362c3b104bbf

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
6ac0e4f3277501ec673ea0c50869f7ee

SHA1
7a469e8fb0f7cbbf9a3dd605c265961e8b939676

SHA256
e1f08449a822c655b834b5cb8cea3e1e78e1aab14d5f9b20743f1fb36a0a3759

SHA512
1b03065fa39fcc84c6bef735e7ce357960f7df29a64d72350ee54af34b5b3de579d00ec9b8f2297bcf48fd9f1d27834a1cb1bc5590afb39a148980740a4df121

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG9.PNG

Filesize
438B

MD5
c62000dc4b635684ceca46116344bcd8

SHA1
9202be85e22535f2312b7db7c77707a05e803336

SHA256
dd7f7f45410e999f2bc0147dc120974c574028a1507ddb14eaeaccb49479bdf1

SHA512
dcce6fa45ac77a99e52079308972d8f44c79cb8c036efb25171ff04b09e52af8cb99830391acbe2f5ee7b5c1240215432b1f88e82f6332a297cdd953bf6a74cc

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
db6b76c1253b79f8d501b8218214cdb7

SHA1
e95adcf91f828348df8904ae6d0a78cde8e43dc3

SHA256
8c754e87ea40adc95697289f6354b53b2d8e2679207f64cb74289dc6d2680b7d

SHA512
abb624438807ed9e28cb4ba9069a10afca11c7cc81a3826fe46e86ecf7a75b206f5fb9845ba97e32f764ae30afe5d5ca3719d1528cfef7847d425c63d62c663a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
b5043eda3b89c980a4957f3667d7d53b

SHA1
2c0a4c924a255e57cd00dc65ff5fe2db45050d49

SHA256
6041dcdad508a9063d182479cf2f25d75b4bc38cb3f0c6f2067843a6b7dcfa08

SHA512
b3b85f7d023b6b59409721d5c4016d436319dee693d036d4498dc68d46a778bdefc7b35aee661a9a1e179ac2fa469dc47c4d5cc45c17df3893b5404eccafbd71

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
07552732fa64db456300880d52e81b2f

SHA1
9a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc

SHA256
94bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226

SHA512
47e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0

Download Submit
memory/836-2231-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1964-798-0x0000000000950000-0x0000000000D39000-memory.dmp

Filesize
3.9MB

Download
memory/1964-1544-0x0000000000950000-0x0000000000D39000-memory.dmp

Filesize
3.9MB

Download
memory/1964-1545-0x0000000000950000-0x0000000000D39000-memory.dmp

Filesize
3.9MB

Download
memory/2344-1543-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2344-686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2344-687-0x00000000009D0000-0x00000000009D3000-memory.dmp

Filesize
12KB

Download
memory/2344-692-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-693-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2344-2230-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-732-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2344-1554-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-19-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-1542-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-751-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/2344-807-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-731-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-1549-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/2344-1550-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-1552-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2416-710-0x0000000003560000-0x0000000003949000-memory.dmp

Filesize
3.9MB

Download
memory/2416-15-0x0000000003560000-0x0000000003949000-memory.dmp

Filesize
3.9MB

Download
memory/2416-14-0x0000000003560000-0x0000000003949000-memory.dmp

Filesize
3.9MB

Download
memory/2804-795-0x0000000003590000-0x0000000003979000-memory.dmp

Filesize
3.9MB

Download
memory/2804-794-0x0000000003590000-0x0000000003979000-memory.dmp

Filesize
3.9MB

Download
memory/2804-797-0x0000000003590000-0x0000000003979000-memory.dmp

Filesize
3.9MB

Download
memory/2804-796-0x0000000003590000-0x0000000003979000-memory.dmp

Filesize
3.9MB

Download
memory/4632-2244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download