dc066e7868eeceb3941d836e88da4ef81120006603ec5ed81ea82a53a81685d4

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SEPAgent.exe
Size

40.1MB
MD5

af6f73b416a773fa91f61297290e2075
SHA1

4f09ce94716d7d202d1796f81b4946743a433290
SHA256

dc066e7868eeceb3941d836e88da4ef81120006603ec5ed81ea82a53a81685d4
SHA512

df7f989059afe2509edcd34bf896928f16560f872e24adf4e3d53731257abfb9408bcaefa7fc13002b4aebb64d5cae1a2d5de5d80552872d7b40e54e5ec81ba2

Score

10^/10

bootkit evasion link pdf persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 5 IoCs

Processes:

SEPBootstrap.exeSEPBootstrap64.exeSEPBootstrap64.exeSEPAux64.exeSEPMain64.exe

pid process

912 SEPBootstrap.exe
4592 SEPBootstrap64.exe
2552 SEPBootstrap64.exe
3384 SEPAux64.exe
2296 SEPMain64.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SEPAgent.exeSEPBootstrap.exeSEPBootstrap64.exeSEPBootstrap64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SEPAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SEPBootstrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SEPBootstrap64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SEPBootstrap64.exe

Loads dropped DLL 6 IoCs

Processes:

SEPBootstrap64.exeSEPMain64.exe

pid process

4592 SEPBootstrap64.exe
4592 SEPBootstrap64.exe
2296 SEPMain64.exe
2296 SEPMain64.exe
2296 SEPMain64.exe
2296 SEPMain64.exe

pid	process
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SEPBootstrap.exeSEPBootstrap64.exeSEPBootstrap64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SEPBootstrap.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SEPBootstrap64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SEPBootstrap64.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SEPMain64.exe

description	ioc	process
File opened (read-only)	\??\N:	SEPMain64.exe
File opened (read-only)	\??\P:	SEPMain64.exe
File opened (read-only)	\??\W:	SEPMain64.exe
File opened (read-only)	\??\Z:	SEPMain64.exe
File opened (read-only)	\??\I:	SEPMain64.exe
File opened (read-only)	\??\Q:	SEPMain64.exe
File opened (read-only)	\??\U:	SEPMain64.exe
File opened (read-only)	\??\B:	SEPMain64.exe
File opened (read-only)	\??\E:	SEPMain64.exe
File opened (read-only)	\??\F:	SEPMain64.exe
File opened (read-only)	\??\G:	SEPMain64.exe
File opened (read-only)	\??\Y:	SEPMain64.exe
File opened (read-only)	\??\H:	SEPMain64.exe
File opened (read-only)	\??\J:	SEPMain64.exe
File opened (read-only)	\??\M:	SEPMain64.exe
File opened (read-only)	\??\X:	SEPMain64.exe
File opened (read-only)	\??\R:	SEPMain64.exe
File opened (read-only)	\??\S:	SEPMain64.exe
File opened (read-only)	\??\T:	SEPMain64.exe
File opened (read-only)	\??\V:	SEPMain64.exe
File opened (read-only)	\??\A:	SEPMain64.exe
File opened (read-only)	\??\K:	SEPMain64.exe
File opened (read-only)	\??\L:	SEPMain64.exe
File opened (read-only)	\??\O:	SEPMain64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

SEPMain64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SEPMain64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SEPMain64.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\451637.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

204 timeout.exe

pid	process
204	timeout.exe

Modifies registry class 64 IoCs

Processes:

SEPAux64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\ = "IProcessMgr"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\TypeLib	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\TypeLib\Version = "1.0"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\ = "IServiceManager"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\TypeLib	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\TypeLib\Version = "1.0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\HELPDIR\ = "C:\\programdata\\iqpad\\sep\\packages\\286562bf-e713-41c1-b192-7ca9c50a6804"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\ = "IInstallMgr"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\TypeLib\Version = "1.0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\ProxyStubClsid32	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\ProxyStubClsid32	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\ProxyStubClsid32	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\TypeLib\ = "{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\TypeLib\Version = "1.0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\TypeLib\ = "{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\TypeLib\Version = "1.0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\ = "InstallMgr Class"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\FLAGS\ = "0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\0\win64\ = "C:\\programdata\\iqpad\\sep\\packages\\286562bf-e713-41c1-b192-7ca9c50a6804\\SEPAux64.exe"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\ = "IInstallMgr"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\TypeLib	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\TypeLib\ = "{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\ProxyStubClsid32	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\LocalServer32\ServerExecutable = "C:\\programdata\\iqpad\\sep\\packages\\286562bf-e713-41c1-b192-7ca9c50a6804\\SEPAux64.exe"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\ = "SEPInstalLib"	SEPAux64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\Elevation\Enabled = "1"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\ProxyStubClsid32	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\TypeLib\ = "{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\LocalServer32	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\TypeLib	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\0	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\ProxyStubClsid32	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\ = "IProcessMgr"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\TypeLib\ = "{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\Version\ = "1.0"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\Elevation	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F04CB2-3237-42EF-95E6-2BE082F6BDE2}\TypeLib	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\ = "IFirewallMgr"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAF9E70C-CA26-4D5F-886F-70738BE0C5F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\LocalServer32\ = "\"C:\\programdata\\iqpad\\sep\\packages\\286562bf-e713-41c1-b192-7ca9c50a6804\\SEPAux64.exe\""	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\TypeLib	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\ProxyStubClsid32	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\TypeLib\Version = "1.0"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\TypeLib\Version = "1.0"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C22D300-687C-4DCF-9F20-2B15C8672CE8}\Programmable	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\ProxyStubClsid32	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6A7F2E3-80E9-47F1-8F8C-32A46DA2A1CD}\ = "IubDriver"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA8F1192-387E-441D-998A-90E0C7B14144}\ = "IServiceManager"	SEPAux64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B582DE0F-17FC-4FBF-B4D1-EF77ABD3890A}\ = "IFirewallMgr"	SEPAux64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D98CFA95-1B80-4D96-BC9D-14F4F65156A0}\1.0\HELPDIR	SEPAux64.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

SEPBootstrap.exeSEPBootstrap64.exeSEPBootstrap64.exeSEPMain64.exe

pid	process
912	SEPBootstrap.exe
912	SEPBootstrap.exe
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
4592	SEPBootstrap64.exe
2552	SEPBootstrap64.exe
2552	SEPBootstrap64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe
2296	SEPMain64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SEPMain64.exe

pid process

2296 SEPMain64.exe
2296 SEPMain64.exe

pid	process
2296	SEPMain64.exe
2296	SEPMain64.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SEPAgent.exeSEPBootstrap.exeSEPBootstrap64.execmd.exeSEPBootstrap64.exe

description	pid	process	target process
PID 1276 wrote to memory of 912	1276	SEPAgent.exe	SEPBootstrap.exe
PID 1276 wrote to memory of 912	1276	SEPAgent.exe	SEPBootstrap.exe
PID 1276 wrote to memory of 912	1276	SEPAgent.exe	SEPBootstrap.exe
PID 912 wrote to memory of 4592	912	SEPBootstrap.exe	SEPBootstrap64.exe
PID 912 wrote to memory of 4592	912	SEPBootstrap.exe	SEPBootstrap64.exe
PID 4592 wrote to memory of 2552	4592	SEPBootstrap64.exe	SEPBootstrap64.exe
PID 4592 wrote to memory of 2552	4592	SEPBootstrap64.exe	SEPBootstrap64.exe
PID 4592 wrote to memory of 4748	4592	SEPBootstrap64.exe	cmd.exe
PID 4592 wrote to memory of 4748	4592	SEPBootstrap64.exe	cmd.exe
PID 4748 wrote to memory of 204	4748	cmd.exe	timeout.exe
PID 4748 wrote to memory of 204	4748	cmd.exe	timeout.exe
PID 2552 wrote to memory of 3384	2552	SEPBootstrap64.exe	SEPAux64.exe
PID 2552 wrote to memory of 3384	2552	SEPBootstrap64.exe	SEPAux64.exe
PID 2552 wrote to memory of 2296	2552	SEPBootstrap64.exe	SEPMain64.exe
PID 2552 wrote to memory of 2296	2552	SEPBootstrap64.exe	SEPMain64.exe

C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe
"C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1276

C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap.exe
"C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap.exe" /configpath:SEPConfig.xml /package:C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap64.exe
"C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap64.exe" "/configpath:SEPConfig.xml" "/package:C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592

C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPBootstrap64.exe
"C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPBootstrap64.exe" "/configpath:SEPConfig.xml" "/package:C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPAux64.exe
"C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPAux64.exe" /RegServer /s
5⤵
- Executes dropped EXE
- Modifies registry class
PID:3384

C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPMain64.exe
"C:\programdata\iqpad\sep\packages\286562bf-e713-41c1-b192-7ca9c50a6804\SEPMain64.exe" "/configpath:SEPConfig.xml" "/package:C:\Users\Admin\AppData\Local\Temp\SEPAgent.exe" "/mode:install"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\{1A8F5F79-B610-456F-8072-C77C81469C04}.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\timeout.exe
timeout 4 /nobreak
1⤵
- Delays execution with timeout.exe
PID:204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap.exe
Filesize
2.2MB

MD5
3bb6af7f8f36ca1837762f1f1db1443f

SHA1
d284cc0c62b7e74f5113cb09eff585725b6d8e6f

SHA256
99fc43c0b74dc7da63fc5ba7d9fc2925cb5c14b15b039f081c923a375dd74984

SHA512
fd55ce0b53cf98d0c2f40bcc205fc9f9bf593ec0a08e65c52ac37e68371409e9fe4f75ad1e09ae99eef32a8738c5a58072aad356185f5f83641353a685deb810

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap.exe
Filesize
2.2MB

MD5
3bb6af7f8f36ca1837762f1f1db1443f

SHA1
d284cc0c62b7e74f5113cb09eff585725b6d8e6f

SHA256
99fc43c0b74dc7da63fc5ba7d9fc2925cb5c14b15b039f081c923a375dd74984

SHA512
fd55ce0b53cf98d0c2f40bcc205fc9f9bf593ec0a08e65c52ac37e68371409e9fe4f75ad1e09ae99eef32a8738c5a58072aad356185f5f83641353a685deb810

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap64.exe
Filesize
3.1MB

MD5
29d4506c007f2228780fd6fc2712f188

SHA1
794cc25b4805beaea0e17739d603a0204d981991

SHA256
3546ee239dcc63a86f4a4e504ce3dd93a9c7329f8103a5d12733b32e0cda9bd9

SHA512
82c7c9dc524b63da455b845be93f056e840e03300d96abcb36de2ae14bc4087467cc4f0030d686f334766efff31fb60e6db71a6d594abb9fcfec84b15bde12e3

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPBootstrap64.exe
Filesize
3.1MB

MD5
29d4506c007f2228780fd6fc2712f188

SHA1
794cc25b4805beaea0e17739d603a0204d981991

SHA256
3546ee239dcc63a86f4a4e504ce3dd93a9c7329f8103a5d12733b32e0cda9bd9

SHA512
82c7c9dc524b63da455b845be93f056e840e03300d96abcb36de2ae14bc4087467cc4f0030d686f334766efff31fb60e6db71a6d594abb9fcfec84b15bde12e3

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPConfig.xml
Filesize
51KB

MD5
0808c49587ecb6dc5a36688f01ceea07

SHA1
c33874de03a82c1f73b789cf7f908b1d781b4f23

SHA256
5e55e23d221c397541fd827f3de07b6fec4b2d193c80a8d90fb5cec5488a1642

SHA512
09210f5f64191fe039e34505ac7ce14aaef70a781c54dc9b61c4a16db66d3efee224b9e8e9818920668ffe75366a6f88510c856c178d3a1d05466acf043d363d

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\SEPhosts.xml
Filesize
717B

MD5
373961bb234771cdd0af0436c234f6d7

SHA1
9228692f68b06efc81184667214ac81feff10d5d

SHA256
17fab0b99607815752076905b822626be425067fb53d5b4a8172d4f6a95f2b08

SHA512
47fbaf453563308cc5eb11746efd6a90df2d35934959a8b2e8d10e26615b0915653701722fd9d98fe876cd3742981f29b43c18c389d07feeefdc99d27ba54ab8

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x64\UbFSFTProtocol.dll
Filesize
1.5MB

MD5
7dd3fa364f063fc95bdb88ae98366038

SHA1
699c78640efb3577e955a0ce887770f14a7f2593

SHA256
5bb3744f68eae85588d28c3c10cdd27e89735d88ae52890ae34dc6930a660ae1

SHA512
ed87d039d5237b0077a3cbc418fc1f51cb10afbb007c56ea9de62ff9c34b2a35b36e7d3f4e14ad9fdffaf236be15c525c32bafd78465379f9b7d7cd34dece445

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x64\ubXFSEncryption.dll
Filesize
1.6MB

MD5
86ccae09d6cb7f34d67d210df0db3da9

SHA1
282f70d8b037f4d58cb921f238f544e23c951538

SHA256
d7d195cf139a7cdb8370e83f0bbb428c9c9cf5b501453dc2bae43b5a9288f730

SHA512
6c78f99f82dda92b3c02e570f1d8f3716d1b84396be1c23754b06bcefedde789aecfe886dcc008d8f47b1e2664aa354cd957264b1d52c205e7de93d187f0c415

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x64\ubXFSEncryption.dll
Filesize
1.6MB

MD5
86ccae09d6cb7f34d67d210df0db3da9

SHA1
282f70d8b037f4d58cb921f238f544e23c951538

SHA256
d7d195cf139a7cdb8370e83f0bbb428c9c9cf5b501453dc2bae43b5a9288f730

SHA512
6c78f99f82dda92b3c02e570f1d8f3716d1b84396be1c23754b06bcefedde789aecfe886dcc008d8f47b1e2664aa354cd957264b1d52c205e7de93d187f0c415

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x64\ubXFSSimpleCrypto64.dll
Filesize
2.0MB

MD5
9c9d5c88ed67057f89be666681a7e6b7

SHA1
edaa98f5e076c80e8b124fa0a87b9231044cfbc4

SHA256
9aecc8e00b9f03dd2a444a1a9ce52ffa440ca56f644fbc0898d4f7f287443a70

SHA512
480afc273cfcdf44f3249901f6537359cbb96702994da52d29e96479566e1c813fc0460b91627a72597ea22aa67644751bd01ddb7d0a9f4c98f9c6824021b816

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x64\ubXFSSimpleCrypto64.dll
Filesize
2.0MB

MD5
9c9d5c88ed67057f89be666681a7e6b7

SHA1
edaa98f5e076c80e8b124fa0a87b9231044cfbc4

SHA256
9aecc8e00b9f03dd2a444a1a9ce52ffa440ca56f644fbc0898d4f7f287443a70

SHA512
480afc273cfcdf44f3249901f6537359cbb96702994da52d29e96479566e1c813fc0460b91627a72597ea22aa67644751bd01ddb7d0a9f4c98f9c6824021b816

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x86\UbFSFTProtocol.dll
Filesize
1.1MB

MD5
305916f88d67dd3a0a1c15518b47b745

SHA1
2919fa3928efcfd684aaa477aaea035895a4c946

SHA256
ace4b26b33f9968e17645567bbdb99e08c7f263d6a8f51c2f94b4bfec0bf0ef2

SHA512
4d0b7a95e5f0b2c40d47aa40f2d872e76497c10aef8cb6029e8d8d00f87c08865cfab6407f79d38b98b6245de8b0fbcf60804469af36c971867c08080908febb

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x86\ubXFSEncryption.dll
Filesize
1.4MB

MD5
37ed1deed810faafcbcb1ecd90ff30a5

SHA1
c90ba3ee217000873e8450cd8fa705c5e9f13849

SHA256
7ef1bba37821e8ef50334921a60d7550af71c2d557293c2b394be62ec76a0f8c

SHA512
b1b65dc03ae2772b67552f2d9e7a07ba8c8541b2d7a192f9de11fe89b06bc3d8b2602cd8141d334ee0143ab2e53f425d3b1bd3f078a2617d6049eadf63b05b1e

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\bin\x86\ubXFSSimpleCrypto.dll
Filesize
1.3MB

MD5
6261bfdafbf592711d6b9fff6f9eecaf

SHA1
368e4d81af6e2336ff4468d803a5216ae794807d

SHA256
38370b5894dd7c32a7f2662c5663e91d6b405b9d2274b2b233a3bdbb8e86a378

SHA512
011d80f8771f98e89165da2d211e73ac2efff7975102ab0efe2a97493bfee685f3b7ad082537475b1bf95b3591b3794a2880483da849951cb158941fa171b2ee

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\16_843_1902.TIF
Filesize
1.1MB

MD5
d8df6c2277a34ead6f18b5f3de9a7709

SHA1
acfe0943acd87a0c3767ecd0cd5eed98964a9cb5

SHA256
671476fcc3d31c8f2ae79d618193af74ceb742d4929c28e5079729d9a2d4d665

SHA512
862fcfd832fb6e65f20143e34f1ba8a8ddd78cf87e4478756af218b2aa073bac8dbc3940af0bb00e90394abde04d9606eb174d8b66402b2b129b5b5f75d4b731

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_006_0130.dwg
Filesize
293KB

MD5
9676289b76e0fd0c14f744d548c8a9bd

SHA1
8ed60ab408c0bbcb6f781e9ad06052d5bb8059ba

SHA256
b61308243f51ffb0147a56ad875e2f05d55590adc35f2f4db8e3038512a0b4c0

SHA512
fefa70b5b76f41dcb3c33b2957eed73e73bd6905352c765b133eb5464bb9568b40688ef397e01f47f7a1035b298426b3aee5471e48f0c96737c48eff38b58aba

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_103_4340.dwg
Filesize
150KB

MD5
a1e56dd3449b770a40d3efff72055cc5

SHA1
06e700307e2a01e721cc7c7b7c7cff5938c310ff

SHA256
8579aee850a832f177f589d22308758cbaaff9a8d716cbd3dc759f355955ebe5

SHA512
7dd5ecf328c45729250bce06422fe54299c3c5cbad2d5cfad0f8c11792937d586348df6b9552d5fec8313f54c4eb1f426a5e7c20c792c4a558a388fd90379d6f

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_451_9101.dwg
Filesize
291KB

MD5
861065aac88eb5940a1e34594f97d072

SHA1
5d58afb65ae79c41db26496c6725ef2692a40401

SHA256
69fd897dbb52934812eee993a9f4a842e8a6cfa989d5dfe7bd84b0d03ef1c360

SHA512
4d958fa18800816015297e0f857c6dc8322c4e12298acb0b8eac3aceb94921169b613113fde344a1fabf722781e5373a198a01721a7a83f4d7190700528dbe48

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_800_0705.dwg
Filesize
757KB

MD5
6d71693af07d1b0a80a2b0d28b21d8f8

SHA1
d651234d4767917a1db8280a0d1e7942c1cc13b7

SHA256
e4f96a9f4caad70ea7220ef37b0f8c872a052ef133ad5225930f15207355afce

SHA512
cfb4ebfdcf8a006e6e905cb5f4c30ce4e5de25a3ad3d928300aefe0363ead2092519a98bc3101612c03953f27ba28a066335f7a7dce4dad03d6114bbadac95f2

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_802_4315.dwg
Filesize
330KB

MD5
aef1aeea90b78d4c1977d5290605334c

SHA1
706659970af0f8ae0b2c83c3a31df6917d7739f1

SHA256
b7edf207ead40c7a6ae27d8a0e4f983e43b7554c7da3670bf9161b088be7c6c5

SHA512
1135ccdc9ea769a46ace6384b722228e20baecfc7f6d97a7925c2400d74e12513964a8b0bf4144ecc690e647e7bb09b65d886170913946c0ae6b698b417313f2

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_820_9436.xlsx
Filesize
12KB

MD5
a314e09c5048aa2fd12f73ce1882a6db

SHA1
56c3e4ed1f21e9c2189f6edc3d3f07fce08a94a9

SHA256
da57f13eade0b2c122bd7cea85412f300b0292fd9022a2f6577b847d8b786d7f

SHA512
04927a19f97b6cf92cd49c26aa94076bffabc4e7863c0ee1ad67dd5abdd7592907b03ad7089bd929ebfb08b54f95327520eeefcec1b15986ae6ceffecfa49632

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0119.TIF
Filesize
532KB

MD5
340baff42258e88a575916221ef1be3d

SHA1
aea129ca0716bbe02a2e9802054647c48c4151ea

SHA256
9c7cbc5ed6da13805cabee12e8284229f612e7455bf68e7417b946cf4fac8bf1

SHA512
2b26c2933b65547ba99d6cf7875e4e5e3f35efabc445611e4d3c7692f563e0e3c19c5c886301dd3219b76dd280e05bd8207042d64ef6d7c0953d3a3aaddffd10

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0120.TIF
Filesize
400KB

MD5
8b349606a052722171ec466950846e8c

SHA1
271e1b9a466c1dd33bab52d76efa79dff88044db

SHA256
a171315942fde953c44b578b6352f985149de56be1fd58b81df4baa86ad3302a

SHA512
4581974111cbbb6c6f7f97e7ff63a0ec4d9b1da8d0cbf590babcf76c44e0d05faf7118fb6223a30a769055706d01c2e4e5d8df1d202abec3e9250ae685fc1b0a

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0121.dwg
Filesize
526KB

MD5
07afe0335e3fdfba804ee6d8f2104166

SHA1
9c590e1fdf8f91e94d9925207f0bd3823c8cab76

SHA256
dd730a5dd867829b992241dd5b19e5069042bf39c332d736f331676360db34ef

SHA512
26d6a8280c87e8a5eae89f3152202985924155d15932c4e84163e0dfcfd9341049dcec76c4680170d2effa311de167dc2d106e51a7c7ba4acd59105bdc42ca03

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0134.tif
Filesize
316KB

MD5
d02efa17871f23ac60c7c3840cca2669

SHA1
7267a250d6e1b90aaff0d1bbba23d17d75dff539

SHA256
970a7987f16020d155bfb51f1db9df79df079f7dbf258d9c057e6d80e83265bc

SHA512
820784513eb5d51608b5dd364d971b7879e2064c5ed95f438c9993453eedaf2943746b6805aa5d4b7b4c1633fb91b5ca980c73e7d982b3a976782e20003004d3

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0136.pdf
Filesize
384KB

MD5
565ddc1964d98e265e7bf25d518f8fe9

SHA1
88d30ebbee33e85d667b23840bce8db1ff70632f

SHA256
68e2c0b86cf800cb0d89414c2507878d8f8d8486f406d28d349eeb2929e30659

SHA512
537d43b8ed12b231c7d25d4d26a9394308c851b64eb1798d8dd18fb80535726ba2a0e1b740f494ce2cc3abe02346bfc1eacf50faa6704257b9336bf33f31564b

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0137.pdf
Filesize
415KB

MD5
df1f54234a6aba665ee3c0edbe1de853

SHA1
50e6bac1f8992fa47e71b08cb765932c723da231

SHA256
b8920022d9d24a95b5fd62c78f7736b3accf9fc69ee363ade251b3e891fbe08e

SHA512
73999d41b05f887cba9a8dacb1d3395b2889cc5f8e457406f53854e9ce5d87ddac6a5d2680a16376701a71f6b1410e754dfb3d3c3c6f125e89c0e487ac8eff83

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0138.pdf
Filesize
381KB

MD5
ee90cae7683bf82e54755272d6108127

SHA1
d0ccf2b215320b708e79957afcdb821ef1592f25

SHA256
a3cf3454dfa40230f4e2b7fcfa2020436fdaf9e0a76fa440b27cbf53b69af71e

SHA512
daeb73196ea4b483659564f67883a32870c32152b68f4582efcac8a043aae6a58ac3e84cc92b9ac6b04456d35525b2ec94bbe070943a40b75d85e5b563c8bacf

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0139.pdf
Filesize
415KB

MD5
781315152fa0b688566949284daa06b3

SHA1
94aa4b3ac619989730e4362f9e98ae237c32a00a

SHA256
bc8d1a6df6941c82b14bedfee5c9eb81cab7a529960e35e1d89e4a042cb7debe

SHA512
ed242fef5c32175a5207c38af627c947d8464f75b618faab492486f13ff1b37d4ecbf77d94bfbdb9d8acd76135aaf28e5a744a792231db25cd2bc1eb4bf85f91

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0140.pdf
Filesize
385KB

MD5
3122693438b127dba6c66ebf7e166f2a

SHA1
bf7953e47e5522271b5c53437c7232b7e7c4519e

SHA256
af11e6bc47e31f5593ce0fd85bb274a64d5b5859d2cfe75a60210ce92dbdd5f3

SHA512
33bf3ecd712d41e327adf45556c0068b097f0d4d8a4c3d587c5dca53cd1f61329ccceeaed95b3fe8a7af18e7d1055b3e60c4c5bc3bb19d0b144a7f6b8ad7842c

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0141.pdf
Filesize
387KB

MD5
ecaf1a1b8790fa6d556abd574bc5ea61

SHA1
f54d39c0130e20d0a71e6d2ff023a6693e18582a

SHA256
48648eda4e439afbe577857ce2bf3694e80cded4770f08ea0d33110be87c921d

SHA512
d569d9829875477d985a689843e194c3e58402713043dfa34eec2eba91cd87587d074253f9177a4ab99cf2a19f0b844c9fc6a6ccf3f1d77c3863e8da42602793

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_0142.pdf
Filesize
715KB

MD5
af67d07d7002c7fd8cbc378c52d48dca

SHA1
88a1cea645f98235b8e46f03f93e98e2eff7cdbd

SHA256
49afc4993793e2c49dc592c71a9e1cb4b6348824389210dfb9535e5af2f3ae89

SHA512
10c19d6b189def99577e5fc3a797abbcd0428b4f31db41c97b8d5e6f7d173887d75efe6db39cd67a2f5dd37b1763447c1f8c302cc96309a0214c74ea1bcb964b

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_2009.dwg
Filesize
369KB

MD5
3eec478095b8f4f2b763f91d5ada4e98

SHA1
b426a582e58586dc66741c45071db761c914afd4

SHA256
ba19fdd53c8f005d6c47b49a9cc8a2aa8fd7997df54b1f311a3b4c5159f92a3e

SHA512
41b41523aa337cc42dcc82f72f2f9b8f466612d225ffd12b628ce2ad106f9774ee509d006ed909544959f522de063bea2ef375deb90632ed9e7aa63b284ccb53

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_2010.dwg
Filesize
480KB

MD5
530b5038627f3c5605dec3720d47cd9a

SHA1
bae8e99f82f432d6133f0b393443c366d1c9797e

SHA256
9bd119b695037c3410be7ce4016342237f523eaacd334eb0de419c4513c54193

SHA512
662c116a2bfd0e82a852a22f0008d8b68f4caf3fb2567b8c38b4d75507c2a899bcccbbe1c2e277ff3f038b704a6fb6b1b664b7729e6c19167d4853dc35b09ca8

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_2011.dwg
Filesize
337KB

MD5
4cb8f23f7366217619462802ae1defd6

SHA1
2127adab0acf6bb8c558637b954028aca47dda35

SHA256
67f9d45e0fe329f786e701972d16ee501856419927288b807a99f74bb2eef177

SHA512
0cc504a54ec8162c5baed81dcd04ae0ed39430cf2c550311161124bd40ef8e6145b42d588b37174cda3bded4d3c696b05a2dc50e031e600d6ac58df53ab46eac

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_840_7501_a_182760.dwg
Filesize
185KB

MD5
43da524f20b87bc41bb6e75f5706b5eb

SHA1
8d4cbd0294dc80ebc8e325f7326e1c817776b7d1

SHA256
8f6fc01f10b16fc609d5c2e1393dc4d7dc9e442ed6d47295527d1efbf565c425

SHA512
9144ea374b4bd65665f3bacd4146196cc52f6ae5244789270eb4cbebf4041c01aecd76bd71726604fe441083f278353bbb7fb7dc2adc48ab0b2846736b2f2546

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_842_0701.dwg
Filesize
619KB

MD5
6c5648d5c6848e23f8b42f9c4d98614a

SHA1
63410f6c4fe27baf3d80e554bd1626e28dfb4ed9

SHA256
7feb2aea0bbb8efe3a56c59ee956d31afa5d5a45ea45641ff13aa6b0ef464f60

SHA512
9413186b50fd5049547445657881c3dbbf2eade405c37a6e6bfb3e5ae73385360a810bf66ed506f0add89d1cfe72c45216e2d238fa00aff1ed00e73e6deaa120

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_842_8501.TIF
Filesize
92KB

MD5
17cef9fc74a56019a6a319bb7ffa54e2

SHA1
e7c22919e138257a303eae1af4523f26cd169d84

SHA256
87f65cf8c7091a7eadaf0e1521a7d976a26dec2eb80485d71b6d0c56fe306e88

SHA512
a6f0e25893de45adfa19f6cf5b5d53af2bd3116f64ee147d8e5f5d5459dee65a55b78c42f55b15565d003aeacb3ea021a209ed9606c9af11a739b182e9a69ac1

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_0304.dwg
Filesize
311KB

MD5
c2dc369761de2b0002acb69bf4b47e10

SHA1
308cfceca86d8c9f972a0b8e4ac27c9426efbf06

SHA256
0dc9c8f6ef87cb7f42572351648c1302bb3f23d22f1ce8e9c46f9bf2bdd9b8d8

SHA512
54c6d643d3c26e090deac1e4e4bc272238107d0b302fec12914501ad2a809a985bfe5863c355d0e1e1caa1b4ff15286896d64f49d9f9d2da540c5ec3fc27620e

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_1001.dwg
Filesize
303KB

MD5
f99be93d40c9b1d3d6e5201de0c65828

SHA1
e8fb00769eadfce33a3a4e9a43f0bb52526af55e

SHA256
9b112640579c2dc0f8dfc62631a833d2c0d4fec67e694947504bb7c8276eacf7

SHA512
464eb698d1728ae03d25164e9fdc782906272a517d2dc62d7a740d5f2b0d32b3f151058cf4d0725148a8a46f8583450d1c7e3b388d1ba16a1da324a2c25ff0e3

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_2507.dwg
Filesize
323KB

MD5
37f87dce03a2bbefcf3bb71686c2cc78

SHA1
8c1b9d701c7f024eba5820ea2f245766e213b40e

SHA256
eb33ecc67a231ef5ee20bd81ca606cf27dcf0d37314c4f313117961176524f4a

SHA512
a49ba06414ad8e3f4c330477efda57e2035f1c42136e2bc594ee50bd150fa8946efec7798cb2625b8fb9313daebcd9a90175ffad6943ff4c4d8cc1318d4850f8

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_2508.dwg
Filesize
312KB

MD5
d7eaa565bb7bf47fb1daf112b864c455

SHA1
51f6972917340cc408ccda9a7a28e865501393db

SHA256
c4769dd433b3d9904704dc6a012a9d1fd2dcb7e92e930eca400de71f9d8b11d6

SHA512
bca23d266ef70f90e63a1b71a98484bb0a99e81c207a7b5327dc7474c91ccca304959b3a0e5ce93b26644d019ae087b970b7cec52c0380848e7457175c70a432

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_2509.dwg
Filesize
307KB

MD5
a7231c7b01200f8ad259912c4e1942e1

SHA1
0cb40766f5799ba4d64b6498555fd62d7de29e8b

SHA256
6b739ad8464d53f72656fd579fa6d0b6b13baeaa93fbd13fa96aaecf136045ca

SHA512
aaea3969215663006ca6e05420803306a058fb5650d8494ca0abbc2aab457d17768690ab29534a1671215551722c8deb8ada8dca256d90f564ae10f5f8136031

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_4801.dwg
Filesize
298KB

MD5
8d68270c1461f3a189fa561de4267baf

SHA1
cb48a4b9903931a41e56f3b534c3f02a699a2385

SHA256
c6d43b1b78f98d4a26311b0d465ba805b262f65b77b8468f52ff653758581a2c

SHA512
1d8431c655feb87d49a26e0d00368673285038b456a91ff56bb2b85acd551616ac8f7278b97771cf1c26aa4ade10c5e9fb677a805447502e813963b9e74ee74f

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_5001.dwg
Filesize
309KB

MD5
76b8c7e062ce92332d39e4dde465e0d8

SHA1
0ad1186b55b326eb470f6c105082c8f264f923a9

SHA256
f12764efd5bfaddeb553937968eaf13588dc59ee573692bf6d861f87dd3e2cfa

SHA512
8a887a7c5f4925f6c4ec6e19aeef0eee206fa49608a859e5a640328202f0f81e6973e5a7c0c92f842126d57b7faa63ad9e78ed1e8c6894519e243c12f1106c09

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_5506.dwg
Filesize
301KB

MD5
dec9a6f2bc9abaaf90bf1309dd695c0d

SHA1
f886247675944b20243e38ea955e1c94a921cd6d

SHA256
511e740b359ac7684b6254bf13e953c17681a26d472bc6b83c97ac45432d98a7

SHA512
e80d623da19bac4c1d0c8d8f3c3fc2d882ae74bebbfd8dd9b9f8d854a6db71319bcd25aecc1440495ed65791a66b2295df8a639c8372e4def4d17fe8083d5ee8

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_5507.dwg
Filesize
301KB

MD5
e75e9d17dd4890be66f7a342101ba381

SHA1
596922f4ea9321611f1d73f2488241586df3367d

SHA256
b6e602c8369236ef85740f8d08183267f538a9083a212e06758a8eae167b7a75

SHA512
f375134c86753283cb4fc2989a571f5a738181d3c37a92b663410b326db63785645965eaffac0e16fade1f941eeb3a15ff6071bb38fa0ca0496070101abaa789

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_6901.TIF
Filesize
248KB

MD5
ce7280a2cf29c51c62d25a9ab8b6cee0

SHA1
11c7e493c28f1eda72c42f3faaf85574d44da3d7

SHA256
b6ce6f9dbfd6002045edee77f113c3e976ded424807a039c96ecffabe23c24da

SHA512
835fa5b0e30d49873d3526779713da89363f17fd35165a91b628d79f3f51b062a02e631845c9a7114d9d3ca302c30f07d5810fa581228d0084448ac5cb963d39

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_849_7601.dwg
Filesize
331KB

MD5
e9852e500aff2a5a8f89b7d416f21aea

SHA1
4c5e94585f77206a34adf5cbf5d7a1b51ab16a70

SHA256
1dfb51e5f302414241867568e700017ff3f3518ef513de0d39b89bed146ecdef

SHA512
48501a47702f10a534892e688448ccee5fae469c79a32f576a30924a44b0e5d68f60f74c07e280463f19f9532bfcfbd94fa22aecce451c3c2408cb72451d4432

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_927_1505.TIF
Filesize
306KB

MD5
3ad62f9c0648f022bf2d8aa045f56919

SHA1
acd7d483515134295aa70af0ecfa314d96a5da7c

SHA256
18fe0b4be38e21917f49f349a28282ddc0ca677e137394f03141e976395b5967

SHA512
c29399067fad81924609c893d266d556bfd333c2619ee1791b59c90dca48f0ecefe33cdce7fb45a907306e17d12de526b5a79ff95c30dd0ac0a44d7161d8e958

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\18_927_2950.dwg
Filesize
372KB

MD5
a793cac14df87d065bde5c5e2557545a

SHA1
76809a961eed271485a760f5a8d7143ff72e1ac6

SHA256
3db46566cd0e53619f323a92287d0b15a0a4be24ca0f101a1084297751f32627

SHA512
5089deab20c3d74175ffa97e2703e88265c4ef0a128f6cb02141679c9d75306347f7cce366bff3439e1aa5002040f022da95a43ac39e8efe6a7f31253d11e4d0

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\450300.pdf
Filesize
77KB

MD5
2085570b895f3643119d68d8837cf37f

SHA1
db46c182acb35709fe5204f352f538da1082bc8b

SHA256
3ebece57191c7eb9956344cfbf7e74e8a09fa2e07830e99de22b7ce34212ae2c

SHA512
df040fb53cd2dc53f6b30981783e4364f747bacbe37268d5830c7c9cc88ff9997d3455033ffae8ed933a536088920edb7a5ce65c268f352fcaab5daa337f2311

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\450369.pdf
Filesize
88KB

MD5
14e30be5072c43c1a49b4807d8c973e6

SHA1
0886c4b80e0726e959825da8e9c1b60bc06c4474

SHA256
ef84915dc23ad7dd17796c88d940dffb30032845889845de3e0f3b4e4289b7fa

SHA512
4eea725176e02d2848b54b2c87906e80c7033bb1b0794243fdd54040c048a16ffa7e6b5676308f214dbd76542389cca25c1c9315b58fb0659e8daee36a8115d1

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\451637.pdf
Filesize
254KB

MD5
359fa62e0bc0c040898a183702aa14b9

SHA1
be65dbe7ba8e9a34ab518539c539db163465dd5c

SHA256
83713d5c144c2355d0a068f96da8c59a84f71b95c1a43c85efd8e4ab77522832

SHA512
cdaa7396780040059b1fd14736828d61db6279f79ada3d4f861f080545ec6385e69c832eb8e3ed3d056031157f10c94e67bd5c716229d27dbfcb1dcaed255c03

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\660216.pdf
Filesize
456KB

MD5
858b3caf28dec3c73b4132aa44279dd3

SHA1
eae39305f11230177691cf6e4697833c105d9735

SHA256
1c204a9466e6967b98bf35d1bf7557ab925e3fc70278ce2ef0bcd4953862d288

SHA512
d12883d0b55a80ca32f46f7ed67df95f111f61d6b8f7c556d65eec0fe59d2e46928f1fedd96a272a69b0c91a627be01c696f637abb9ff3c32cf3019cac3e5487

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_802_8201.pdf
Filesize
222KB

MD5
09e758a462b3af70d3331fd176939409

SHA1
61e50dde65afe55ef5de97a1903354f4f2eaaec9

SHA256
bab309cb05a3feb4f999c9ff925f28b625dcbb5aa0fa9643cedb56d42588342b

SHA512
abc0c696e1dec9e3f8d22d01f1d259d77428f500ae6a16071049326f289b65965440af1bf4cfc5ea35192f63a5383275961fbed468b8dd4b91b62981b10a164e

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_804_7107.pdf
Filesize
286KB

MD5
55b84a8a7c83bfb9c5bdb4686ee217f1

SHA1
587d307d832ac61b35b91d94449b6c0d4e806fb7

SHA256
474c86b4c21f93269ecc0c0b174744a42809178488cd50bcd0978986f3f60a25

SHA512
f6937e09bc4f15b229c0b1ad42d9bb3d475cb3894d5927b30c123a67a14813bdfd5db4f5734f3c9d6421aa937c2d53d310f27687a81b6394f5f0353a8062f6d3

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_804_7175.pdf
Filesize
63KB

MD5
280f603ac1516b528d2497de92dd1571

SHA1
5bf84d259e16994bab965afa1613355de431c134

SHA256
490722745349c69946ddb263c410c35f6009924c0b775c405e22443ef7fd7aef

SHA512
2c073b6baeea570d0c4861951f0ee7e06b8de255d02daea5b31159141ab355be21357237f1dffd76d208ca96f2dc2d5b25e31ca9933fcee68811f66a96b5a000

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_804_7177.pdf
Filesize
63KB

MD5
bebd7a2ac7085767066c5f38c93a724a

SHA1
5c621ab6526d663936c40249be808280e02552e4

SHA256
8d039be15ef026c678c9ac83b63f3906882f8bd7aae5c4012325afaff4b7ce05

SHA512
9ebd4150925f8b92e3c87b9500150617b6a1154add7cab5e1873ce79b63ced904e49975b5bf25a5c08b4d8f5b98a2975df69edf0db80bdf71a5a9cedcb563986

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_807_0159.TIF
Filesize
169KB

MD5
49d17430fed8a29d31b7e2dc4674a9b3

SHA1
b7b1505219548381385161f7c29719ea5d4f551a

SHA256
f58e66029b0c807b6f6a438377b30febdf756a2b88d784c5f097928561ae14e2

SHA512
bc5a669e19e14ea17451be3e14e0c66d590d248b2b3253bef608d8d50976047d5f3e564175909c78df6f27b7e839f9d1f45da42ffd0590034c69ec31733eb37d

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_807_0328.pdf
Filesize
1.6MB

MD5
153dd82773029cf93f5c0f41a828f5f1

SHA1
0a73cf1894609eedd793f727eb459b813fd32bb2

SHA256
e629b2fa1efa23a5541c6a2eba218d5895326b299633fffe920c6279b9550cd0

SHA512
99dbaa1690db2ee1eb018ccab4d83d698954cf58c7b00c1ec9a3d62c4e1b16e4cc917411775cdacac6ec0a6f8bccc40ad955e727df689dcbf6f7ba8bb378dcd7

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_808_5054.pdf
Filesize
203KB

MD5
e3afc7eed59231c1c3a491dd9b93bace

SHA1
eb25258be1ed48fd7d856e02dfbb3851780f542c

SHA256
cf31253edd0184bf6728ebbe72ab494d9377fff42be74f057a21d6f368513bf4

SHA512
33c6257ecc5761e150ea1f6ba6ae8005f45722833159bcbb9caad18e39c74415acfaad6b64b7f80b36c250f9c21ebb3d3ad9e811482e89ba84acc3d808dc484c

Download Submit
C:\ProgramData\Iqpad\SEP\Packages\286562bf-e713-41c1-b192-7ca9c50a6804_Temp\doc\90_811_3019.pdf
Filesize
162KB

MD5
e81e9909f693e9dbfbdcb8f411bf78fc

SHA1
c0ce708c666804ca4225622b18e89f76bed3de7e

SHA256
502abed21b8211f8334c64e3c79ccfe682561d4e94f217c6e239a8fd5a90590e

SHA512
130c7cd963f613ca3bc470a8f996c4d269ba177235b70c38414c7abedf69cd412d82511d535a8fad44cd47382a56a574f572541a93389ae60caa20f3d22fd9a8

Download Submit
C:\Users\Admin\AppData\Local\iqpad\SEP\20220503_SEPBootstrap_000000.log
Filesize
1KB

MD5
c7cbffdadcbf54f324c71c43f71da730

SHA1
36b833f8bf6f2102305af08f8c31ef7e0a49fcff

SHA256
f52e10944f178189026568f6b471fcd68f9c4d27774739995cec91d109306e70

SHA512
5444b6f3723914246d6b08ee0224887085b3821c1171b3836259b15e65917b1455f75fab9cf1ccf257d6fcc092b8bedc3ee9a0dc821ef6bb77fd87683174ca68

Download Submit
memory/204-198-0x0000000000000000-mapping.dmp

Download
memory/912-130-0x0000000000000000-mapping.dmp

Download
memory/2296-200-0x0000000000000000-mapping.dmp

Download
memory/2552-196-0x0000000000000000-mapping.dmp

Download
memory/3384-199-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/4748-197-0x0000000000000000-mapping.dmp

Download