f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe
Size

1.6MB
MD5

8157423494ad7f97246131d29f7980c5
SHA1

f8ca3db0fada6172a97b7a17b4013d94104a27c5
SHA256

f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176
SHA512

8ed4cc1fc2d3036aceb95f0dc40d10853ad3a2a30ae91a23132f137d9b7a67045035cb163365c735f69f050c247f1102e6490da11551ec9b7ed75b872d0b2ffd
SSDEEP

24576:nXhZgPlXp/4Ec/RVV2sWhzSFiy96TxwkF4HWkDgqm1NTfzdJyHIFQOMyOvOzeAHr:XI5QEdzad62kFm1Q1ZzmLwzegnZY9qE2

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\TextCaptureLib.dll	acprotect
C:\L7\TextCaptureLib.dll	acprotect
\L7\TextCaptureLib.dll	acprotect
\L7\TextCaptureLib.dll	acprotect
\L7\TextCaptureLib.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

ik-add-ca.exeadclient.exewatchad.exe

pid process

1880 ik-add-ca.exe
1456 adclient.exe
1228 watchad.exe
Loads dropped DLL 10 IoCs

Processes:

cmd.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

2012 cmd.exe
2012 cmd.exe
776 regsvr32.exe
776 regsvr32.exe
2012 cmd.exe
2012 cmd.exe
664 regsvr32.exe
664 regsvr32.exe
952 regsvr32.exe
952 regsvr32.exe

pid	process
1880	ik-add-ca.exe
1456	adclient.exe
1228	watchad.exe

pid	process
2012	cmd.exe
2012	cmd.exe
776	regsvr32.exe
776	regsvr32.exe
2012	cmd.exe
2012	cmd.exe
664	regsvr32.exe
664	regsvr32.exe
952	regsvr32.exe
952	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\TextCaptureLib.dll	upx
C:\L7\TextCaptureLib.dll	upx
\L7\TextCaptureLib.dll	upx
\L7\TextCaptureLib.dll	upx
\L7\TextCaptureLib.dll	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\adclient.exe = "C:\\L7\\adclient.vbs"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TextCaptureLib.DLL\AppID = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ = "CInputWindow Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\InprocServer32\ = "c:\\l7\\TextCaptureLib.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\ProgID\ = "TextCaptureLib.TextCapture.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window\CLSID\ = "{F24E46BA-66FA-4954-80BA-D6601C63D9AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.TextCapture.1\CLSID\ = "{9633F541-5346-460C-8B2D-43A6765AA207}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\AppID = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\ = "TextCaptureLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.TextCapture.1\ = "CTextCapture Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90A5CBF6-CCE2-4518-A829-220430A42690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\1.0\HELPDIR	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ProgID\ = "TextCaptureLib.Window.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.TextCapture\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\ProgID\ = "TextCaptureLib.TextCapture.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\AppID = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Wow6432Node\CLSID\{37F30353-E39B-46bc-BFC4-4AEF5E094DA4}\Info	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Wow6432Node\CLSID\{37F30353-E39B-46bc-BFC4-4AEF5E094DA4}\Info\Data = 000018600de2bffad0f8f9e593bb5b67af4ab635bc7ce1f50bc5224cab649c4c7b17db4de2a7b86e4572c5adc6e084926b620425b6513540cbf18f7db2e1ca414c9dda29100bede11c9a822a427af30282e70d4e3314e675bb35c3b2a3389d31e499919f290000d1018f732facafd0e901d5004a09da539c6789f5692a8b4e97749e5e33c9935f4f61254363321e638c365d6e0315307dd0a21a3ef0f2f1b505ecf7053a11cc9f7df261fc41025797c437604fbab8128abe7f489d6f2f76539b84a2acdc22cca3942b7d0000d05f7ffe5cf6f882577344aa5aa6745d16184a9334d0e09ba1bf876245e9558755af4f3e40ec2b42dab999694c000b075f4a6136bce511c53cc60ac54247800a4b35df95c3c107b730bd9be5bacf890dc9f303e41dfe9002a0749033e16d3069f1d1ae00002810f0c64f809ec747016596f0be911ee5964a7f5222332ee6e2c40e595cc9000932d314af22245d4ae1d78b8d47c4c89ebf6b905bea6171717e0d67962db44cfeb9161095fd9fa971030172117419eadd89898efeba6f3b014b8bc7c30b566159d74438a9b6c81d0a1fd2192ebe3d178c5897392285a0ddb97659011403a6721c22bc8d8a916f6c935311511347f524c974e0d09de34d70780e65e4acc4b3f8fe1236134a787591c224d3efdc50192b6587831ebb10e1ce4b8973cca4271faf6d0536d16ff951c804342e303000920be5a2701d00000018733f99140b209ee501c9fa6efee540000000004d6123e1e405386d855778d7	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.TextCapture.1\ = "CTextCapture Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\TypeLib\ = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\TypeLib\ = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\TypeLib\ = "{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90A5CBF6-CCE2-4518-A829-220430A42690}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ProgID\ = "TextCaptureLib.Window.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90A5CBF6-CCE2-4518-A829-220430A42690}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\ProgID\ = "TextCaptureLib.TextCapture.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\InprocServer32\ = "C:\\L7\\TextCaptureLib.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\1.0\ = "TextCaptureLib 1.0 Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\VersionIndependentProgID\ = "TextCaptureLib.Window"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E1A617E2-976F-4B6E-8E74-2CDEDD14C7E9}\ = "TextCaptureLib"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Wow6432Node\CLSID\{37F30353-E39B-46bc-BFC4-4AEF5E094DA4}\Info	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Wow6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window.1\ = "CInputWindow Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46AE537A-9886-4765-98DE-38947AA7B1D9}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Wow6432Node\CLSID\{37F30353-E39B-46bc-BFC4-4AEF5E094DA4}\Info\Data = 0000d6150f96a8253ca433fa364798669bb249317e2b48a3de5eb42acc625806e764a620f653dded4bf247811239c5b8eb5da19c52f651e2289a242d844616f110982caa07a6993132d9a66ee7b0f5bd76e4be297b268fe4060a9e2718de5c4dcaee3663d10000f875f121ed5380d60c96d8939f3c8e22eaced0d69c92a65b290741d92eca1aa044b86c4d6053cd992eca5cd47cbbd9ac2e792644c9e6edc68a54fb6e224c0c3004c78803dac88ef3a336a6fc72860554da2058a21be755d6696721910c133d529d109f0000fb921fdf1f024a678a62441105c56fb5cfd4c5b39944a26ac168f36c2319463c1679d949714fbff31c18abe48b63efed3837d34b671045705d9f053eb6f4d9d02537643cbb01a1667320bc5d3bb8294fa21bc404734161064dc3fad4244484479c150600001ffbbe2ac72d77bfe3e718f373e0a7002aa4c7628ecde66baef237d2b086e927441d344030b823e9933aba75067271f6ae7e844b0b7a1dad6d96ed81f9b51f1b9e15b01acf9e442c8df3de51eeca15e6c9a3be1f190296afcea4ec4736e351a974ba4f7df020329fa8ac5d991cbb36fd8689afd5ebe7645b361667a67d661f961aa9e397b005b900503ec5c1d09eec93087041cd8c350ebf19a7c606bd181bc9fb3ff3f581179bad08485a2324ce481e82559348d5788c0e015ba6af36d5cdcc191db68da8a50b2b04342e303000c8bc3f7efa1e0000009d0e75d7d1fc01b0e501c9fa6efee5400000000064a317e1ae1df17ebef620b4	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window\CurVer\ = "TextCaptureLib.Window.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\ = "CTextCapture Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TextCaptureLib.Window\ = "CInputWindow Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\VersionIndependentProgID\ = "TextCaptureLib.TextCapture"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9633F541-5346-460C-8B2D-43A6765AA207}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46AE537A-9886-4765-98DE-38947AA7B1D9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90A5CBF6-CCE2-4518-A829-220430A42690}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F24E46BA-66FA-4954-80BA-D6601C63D9AD}\ProgID\ = "TextCaptureLib.Window.1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

watchad.exeadclient.exe

pid	process
1228	watchad.exe
1456	adclient.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1228	watchad.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe
1228	watchad.exe
1456	adclient.exe
1456	adclient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.execmd.exeik-add-ca.execmd.exewatchad.exeadclient.exe

description	pid	process	target process
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 1160 wrote to memory of 2012	1160	f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe	cmd.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1908	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2024	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2024	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2024	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2024	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1880	2012	cmd.exe	ik-add-ca.exe
PID 2012 wrote to memory of 1880	2012	cmd.exe	ik-add-ca.exe
PID 2012 wrote to memory of 1880	2012	cmd.exe	ik-add-ca.exe
PID 2012 wrote to memory of 1880	2012	cmd.exe	ik-add-ca.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 776	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1588	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 1588	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 1588	2012	cmd.exe	reg.exe
PID 2012 wrote to memory of 1588	2012	cmd.exe	reg.exe
PID 1880 wrote to memory of 1612	1880	ik-add-ca.exe	cmd.exe
PID 1880 wrote to memory of 1612	1880	ik-add-ca.exe	cmd.exe
PID 1880 wrote to memory of 1612	1880	ik-add-ca.exe	cmd.exe
PID 1880 wrote to memory of 1612	1880	ik-add-ca.exe	cmd.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	adclient.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	adclient.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	adclient.exe
PID 2012 wrote to memory of 1456	2012	cmd.exe	adclient.exe
PID 2012 wrote to memory of 1228	2012	cmd.exe	watchad.exe
PID 2012 wrote to memory of 1228	2012	cmd.exe	watchad.exe
PID 2012 wrote to memory of 1228	2012	cmd.exe	watchad.exe
PID 2012 wrote to memory of 1228	2012	cmd.exe	watchad.exe
PID 1612 wrote to memory of 1476	1612	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1476	1612	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1476	1612	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1476	1612	cmd.exe	cmd.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1228 wrote to memory of 664	1228	watchad.exe	regsvr32.exe
PID 1612 wrote to memory of 592	1612	cmd.exe	certutil.exe
PID 1612 wrote to memory of 592	1612	cmd.exe	certutil.exe
PID 1612 wrote to memory of 592	1612	cmd.exe	certutil.exe
PID 1612 wrote to memory of 592	1612	cmd.exe	certutil.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe
PID 1456 wrote to memory of 952	1456	adclient.exe	regsvr32.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1908 attrib.exe
2024 attrib.exe

pid	process
1908	attrib.exe
2024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe
"C:\Users\Admin\AppData\Local\Temp\f186d6f1a9393e4becb4bbd04ca6c8f17b1b1f5c46c4de0ae50932fa6165e176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ad_install\install.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib -h -s C:\L7
3⤵
- Views/modifies file attributes
PID:1908

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\L7
3⤵
- Views/modifies file attributes
PID:2024

C:\L7\ik-add-ca.exe
C:\L7\ik-add-ca.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DA8.tmp\add-ca.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:1476

C:\Windows\SysWOW64\certutil.exe
C:\Windows\System32\certutil.exe -f -addstore root ca.der
5⤵
PID:592

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\L7\TextCaptureLib.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:776

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "adclient.exe" /t REG_SZ /d "C:\L7\adclient.vbs" /f
3⤵
- Adds Run key to start application
PID:1588

\??\c:\l7\adclient.exe
c:\l7\adclient.exe 10.1.3.174 "[AD]Admin"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s c:\l7\TextCaptureLib.dll
4⤵
- Loads dropped DLL
- Modifies registry class
PID:952

\??\c:\l7\watchad.exe
c:\l7\watchad.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s c:\l7\TextCaptureLib.dll
4⤵
- Loads dropped DLL
- Modifies registry class
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\L7\TextCaptureLib.dll
Filesize
132KB

MD5
cdec1880342d88c9819d1c9a84f8b234

SHA1
90d85b856ff37a34d396a5a0f4e4de9aa04afce1

SHA256
60aa7f99f7730576248f098d199463de320939cc5abf2c0c2acd6a7120a4c342

SHA512
2c6869c37fcb6202d326ecc15e6186e0edffa6a726c66deb3e92fa06d3e57c6c51955ff9cc4eb5d0224f06af18de4a0243df8766bad2328cf5977ece028c3fc7

Download Submit
C:\L7\adclient.bat
Filesize
77B

MD5
ff6e8e4b10c1d59c463ae68f26c7f7f8

SHA1
04b04ff7fb5af90bd05432e782fdbd7e376ee7fd

SHA256
c9996693d05f7465f99485ad92694ae278953bb00b787450eb5f225d494b6056

SHA512
d1cfa24c297ffcf46cc87d249fad2cfae18335fd505ad58d93be910ea83d62b82b28a6ac2e7c0e1830668229c33a173d905cdabd9d0f9ac7534a9b13332e8199

Download Submit
C:\L7\adclient.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
C:\L7\adclient.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
C:\L7\ik-add-ca.exe
Filesize
326KB

MD5
a774893f64b3e0b080f5541a4ccf4083

SHA1
03cb3a97d85165ec14a122dff2dca4083ce2c439

SHA256
86e06629cdd717bde4d4c64a0920f6f5e7dcb6ae67325a48f0a319bd16bbff68

SHA512
36e56802ff011e163b4fbf1b81d305cd375103374e9317db6ce24c20e808a40a21ee9548bf29a844299e4afc2c5ce0e2f60668cef1d81e2321e4c9a22104b21d

Download Submit
C:\L7\ik-add-ca.exe
Filesize
326KB

MD5
a774893f64b3e0b080f5541a4ccf4083

SHA1
03cb3a97d85165ec14a122dff2dca4083ce2c439

SHA256
86e06629cdd717bde4d4c64a0920f6f5e7dcb6ae67325a48f0a319bd16bbff68

SHA512
36e56802ff011e163b4fbf1b81d305cd375103374e9317db6ce24c20e808a40a21ee9548bf29a844299e4afc2c5ce0e2f60668cef1d81e2321e4c9a22104b21d

Download Submit
C:\L7\tc_hook.dll
Filesize
336KB

MD5
79576c147cea698432e72da3531025fc

SHA1
50eea800c28387852ba6ca5ddcd59910aaf1485d

SHA256
c8bb58f8d17829e59b780ce96db9f41049ea5a23e7961c67515a440835061733

SHA512
b0afd5394f46695e44374911da587099a39f2faf1d5c4bd7387fe7ca7e1a4aec2979974b6d85017e720060093105840bbd344bd431a94769689c85fbf07c6b0c

Download Submit
C:\L7\watchad.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8.tmp\add-ca.bat
Filesize
487B

MD5
fcd4e1de0b0adfb1623915448b68e89a

SHA1
70d6a83ca17eaadf4af00c085824be5f15041b94

SHA256
95ea2cdbc0a6d316913f279e64faab2da76a3fa4036e2d44926506b081b6ddd0

SHA512
bfbbd1a88ebcbefb2af643be2613e9eb1c4164b9ac7cfc7c7cea3c87f665293b7889d9c7edc5226ddfd65e03a5ab4cb7d0c5d17584ae5246a94b4f865273522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8.tmp\add-ca.bat
Filesize
487B

MD5
fcd4e1de0b0adfb1623915448b68e89a

SHA1
70d6a83ca17eaadf4af00c085824be5f15041b94

SHA256
95ea2cdbc0a6d316913f279e64faab2da76a3fa4036e2d44926506b081b6ddd0

SHA512
bfbbd1a88ebcbefb2af643be2613e9eb1c4164b9ac7cfc7c7cea3c87f665293b7889d9c7edc5226ddfd65e03a5ab4cb7d0c5d17584ae5246a94b4f865273522a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8.tmp\ca.der
Filesize
620B

MD5
f2d2ce991f8b27da19488a4e64f122b8

SHA1
90985c75eaafd5facdb7a2f902a80df8edd48754

SHA256
f0a3445fb5e1922715fd8a1f6bbe3da1141509179da269e918d013ff3c16d4d8

SHA512
3819d8376af71a4bd57b06099cd050b581b86939c5143756a25a20edb2c0720596edd616e81548d497c467f112fd51229c611f151de6db02f460f109824b4838

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8.tmp\ca.der
Filesize
620B

MD5
f2d2ce991f8b27da19488a4e64f122b8

SHA1
90985c75eaafd5facdb7a2f902a80df8edd48754

SHA256
f0a3445fb5e1922715fd8a1f6bbe3da1141509179da269e918d013ff3c16d4d8

SHA512
3819d8376af71a4bd57b06099cd050b581b86939c5143756a25a20edb2c0720596edd616e81548d497c467f112fd51229c611f151de6db02f460f109824b4838

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\CPAU.exe
Filesize
542KB

MD5
7100f979b8516b8c1ae6ff858435626e

SHA1
c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7

SHA256
5ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3

SHA512
d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\LineView.exe
Filesize
585KB

MD5
139f08da56b0b02a64fb780f217110b0

SHA1
bdcb6d936703c40a1ed1beac920ba33ab456b32f

SHA256
51635f8b45d5a24361641260fc1bbc9b4284940b816c6984626260eb57aa2c90

SHA512
12998b91c0f79b7211b7cdaf98204b5430186fe76009e6bef2f52d84094092f375ffa8c5da696c0c9abed37e2a18f3939abaf1751764ab1905d1788d5e017e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\TextCaptureLib.dll
Filesize
132KB

MD5
cdec1880342d88c9819d1c9a84f8b234

SHA1
90d85b856ff37a34d396a5a0f4e4de9aa04afce1

SHA256
60aa7f99f7730576248f098d199463de320939cc5abf2c0c2acd6a7120a4c342

SHA512
2c6869c37fcb6202d326ecc15e6186e0edffa6a726c66deb3e92fa06d3e57c6c51955ff9cc4eb5d0224f06af18de4a0243df8766bad2328cf5977ece028c3fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\adclient.bat
Filesize
77B

MD5
ff6e8e4b10c1d59c463ae68f26c7f7f8

SHA1
04b04ff7fb5af90bd05432e782fdbd7e376ee7fd

SHA256
c9996693d05f7465f99485ad92694ae278953bb00b787450eb5f225d494b6056

SHA512
d1cfa24c297ffcf46cc87d249fad2cfae18335fd505ad58d93be910ea83d62b82b28a6ac2e7c0e1830668229c33a173d905cdabd9d0f9ac7534a9b13332e8199

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\adclient.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\adclient.reg
Filesize
146B

MD5
c299d43d703f69916a5876d87e0cfd76

SHA1
0fbda67eb4735697cd5b20519fd33edfdf9c88cf

SHA256
dc897451a9c7d77398e7d10e4f7cb7bc71897e6d588337f4728528e332e65f82

SHA512
06cc0ce82db44d7d6c6b12156fd17e0623b07eabbb0c3f0883970950d9080bb127dae43deac543a5813320d8b1979f42b2401ef6b6d6665081cf6d5a2ed12ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\adclient.vbs
Filesize
63B

MD5
b2abc0168864391faee270d2b1f7d628

SHA1
d680e5f1a77c415dbf62a8bc36c67254a66c46ff

SHA256
e1db7394ebf5bb551c4856084fc39c92a3e4ea25c38dac274ed4873918e83690

SHA512
c5a65a8f627fd07fb1f9f06aa2ebd52230ea239a489e4f443f1eefbe261b6b8bd9c84f8d5e0d48431762bf9856969d58b819743a6b12856b778209de5368c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\ca.der
Filesize
620B

MD5
f2d2ce991f8b27da19488a4e64f122b8

SHA1
90985c75eaafd5facdb7a2f902a80df8edd48754

SHA256
f0a3445fb5e1922715fd8a1f6bbe3da1141509179da269e918d013ff3c16d4d8

SHA512
3819d8376af71a4bd57b06099cd050b581b86939c5143756a25a20edb2c0720596edd616e81548d497c467f112fd51229c611f151de6db02f460f109824b4838

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\fileblock.conf
Filesize
12B

MD5
04bd021a523ea187b0acbc788f19b7c3

SHA1
ba8de702a13f19daa12276187f63917a4b1624b5

SHA256
0ccc6762184c39f8660e91b519e063ca92d720bbf6b86aa941ccae6fae883855

SHA512
500469ff017c7ff1626228748c9908ed27f2ead4e654fae1293f9dc319b4d30ab5ffe88f07d16ba5c21d63367d5333bbe318308ee80338f77894aeb64c45fe88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\filecheck.conf
Filesize
3B

MD5
900150983cd24fb0d6963f7d28e17f72

SHA1
a9993e364706816aba3e25717850c26c9cd0d89d

SHA256
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

SHA512
ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\filecontrol.conf
Filesize
16B

MD5
48c6beb0ab8713ae47fb817c4873c3d3

SHA1
8ca20cdc74723b64eb83d19a5d2b320e77a0fbc7

SHA256
8e6548329d398e3875b4de086e479bba5249e01f813735b09a667472b87741e2

SHA512
4446400aa130c1d1bd21b1af4ce8ece826dd48f3b5aa60703fd77c45c0b60f50b9c390228e8cdf95c843ba35a9592c94cc75db540ba034b82f6d905d2a8b8485

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\filescan.conf
Filesize
20B

MD5
e19e43cfa58dade99042bd0b62d1c959

SHA1
bc9a4aaa79a8028e75ea65891f94b113d711765f

SHA256
21f20ce627a6a11a4fbe49b31deb85de3a06cc4158c208fd0429ccf3f1ee9519

SHA512
d4e8764f897e21088e751b2be97e4913d28b5f867f19d82aa005eec981354c5762b250120c38efb171ddffd91de423d4a2d6e0b0242c1b7ef3d31ba0e402c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\ik-add-ca.exe
Filesize
326KB

MD5
a774893f64b3e0b080f5541a4ccf4083

SHA1
03cb3a97d85165ec14a122dff2dca4083ce2c439

SHA256
86e06629cdd717bde4d4c64a0920f6f5e7dcb6ae67325a48f0a319bd16bbff68

SHA512
36e56802ff011e163b4fbf1b81d305cd375103374e9317db6ce24c20e808a40a21ee9548bf29a844299e4afc2c5ce0e2f60668cef1d81e2321e4c9a22104b21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\setting.ini
Filesize
258B

MD5
ec9d2413c9c869f0395b26b6657c7855

SHA1
d796b155032d2090a7388775dd0d736dc5f53215

SHA256
4b4b44d8607910047dd1f8df00734269163c342d90125a2ebb83abad28285921

SHA512
21c476b03cb1d796fbbc892ddce2f1633f77dfcf79445c581fbcf9883e6868432bb097d0ffa0349dea3e31636fc4d766e011369dc5414ae53bb56e3aa9ba8f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\skypeuser.conf
Filesize
13B

MD5
78aa25c1cd134c40fad289a0d7b3bc90

SHA1
34105a912b9284bf5e650d159443f16a26237008

SHA256
17b2fe32cc2805b13fff78a0052c2c691c987fba30896da9dfda01b7dd884f53

SHA512
1fada63312c3b4a464e018de0adc5f3580c682d0277b701b35d64da6a9616294453364ed4d07384c7d15f4ed78db1fd1cdf75976b905c6de53d10227b80a9e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\sview.exe
Filesize
604KB

MD5
e46c125295646d84c8a18a35273d0d38

SHA1
f2a9bcf7966bbf7fd227b7fa1e42609d64026fdb

SHA256
ba07b185b877a89cde55ec161557fa90f033da8bdc8eab935cd5888d61f9af13

SHA512
3cad02c4a6105dab61fd3055376b18c033e125e8042cd367420121bb5a4be19fe0fc23d0089f93d9bd7c8cd3cb75209c7e660a02d5a0c14274db152a6b73c98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\tc_hook.dll
Filesize
336KB

MD5
79576c147cea698432e72da3531025fc

SHA1
50eea800c28387852ba6ca5ddcd59910aaf1485d

SHA256
c8bb58f8d17829e59b780ce96db9f41049ea5a23e7961c67515a440835061733

SHA512
b0afd5394f46695e44374911da587099a39f2faf1d5c4bd7387fe7ca7e1a4aec2979974b6d85017e720060093105840bbd344bd431a94769689c85fbf07c6b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\L7\watchad.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\install.bat
Filesize
446B

MD5
c0f2943d66cfbc1b8b65fb949828e88d

SHA1
bf025ac2d5710c7d5d94d12572ab5d860099bd55

SHA256
bd322c1f2c3a9b378cd8508e14a81c25b27e77074c14822811f8ddcdc794592a

SHA512
740c20590e0308639c8e4f39d8758b32efdace18c021a607448c394444446e18f465331bf842ba5ff9baa12bcbeb0eaad8587aed6082ed3ba375918a038ecb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad_install\install.bat
Filesize
446B

MD5
c0f2943d66cfbc1b8b65fb949828e88d

SHA1
bf025ac2d5710c7d5d94d12572ab5d860099bd55

SHA256
bd322c1f2c3a9b378cd8508e14a81c25b27e77074c14822811f8ddcdc794592a

SHA512
740c20590e0308639c8e4f39d8758b32efdace18c021a607448c394444446e18f465331bf842ba5ff9baa12bcbeb0eaad8587aed6082ed3ba375918a038ecb17

Download Submit
\??\c:\l7\setting.ini
Filesize
264B

MD5
0dc0cb7d4f3c094ff61f2a834d64c94d

SHA1
ab27cc62dc91afef51fa1edb8c13bd65e24ecaaf

SHA256
05a33361651782e523ec08a14912b9092ade0facec53eb577ecf24a5d28e93e4

SHA512
46155e0b6d5e0e66e804d64945883741a19e2cc0a22899a53a1ad49820016034a39c93042bca073673a957e36edf083bbbb385ec8f772f79896e9b41fad0cacf

Download Submit
\??\c:\l7\setting.ini
Filesize
264B

MD5
0dc0cb7d4f3c094ff61f2a834d64c94d

SHA1
ab27cc62dc91afef51fa1edb8c13bd65e24ecaaf

SHA256
05a33361651782e523ec08a14912b9092ade0facec53eb577ecf24a5d28e93e4

SHA512
46155e0b6d5e0e66e804d64945883741a19e2cc0a22899a53a1ad49820016034a39c93042bca073673a957e36edf083bbbb385ec8f772f79896e9b41fad0cacf

Download Submit
\??\c:\l7\setting.ini
Filesize
296B

MD5
a9b3c8b4c20dcc9dd9f0a77133fb3998

SHA1
caac2972d03900bede304c89b272aa44f6c6199b

SHA256
9b1f3947c9d78591f7a2c1725f290567814b2acbbdf7ff3f0c3ecf639e3fa6e7

SHA512
80efafa444f33ccf2d6ffdced0836fd7dade8edf9ade8424ab401db1c71437ffa233df7835a2e9fc7398e64cac0c118a1257a0bd9e99cbd95616581840a17f13

Download Submit
\??\c:\l7\setting.ini
Filesize
296B

MD5
a9b3c8b4c20dcc9dd9f0a77133fb3998

SHA1
caac2972d03900bede304c89b272aa44f6c6199b

SHA256
9b1f3947c9d78591f7a2c1725f290567814b2acbbdf7ff3f0c3ecf639e3fa6e7

SHA512
80efafa444f33ccf2d6ffdced0836fd7dade8edf9ade8424ab401db1c71437ffa233df7835a2e9fc7398e64cac0c118a1257a0bd9e99cbd95616581840a17f13

Download Submit
\L7\TextCaptureLib.dll
Filesize
132KB

MD5
cdec1880342d88c9819d1c9a84f8b234

SHA1
90d85b856ff37a34d396a5a0f4e4de9aa04afce1

SHA256
60aa7f99f7730576248f098d199463de320939cc5abf2c0c2acd6a7120a4c342

SHA512
2c6869c37fcb6202d326ecc15e6186e0edffa6a726c66deb3e92fa06d3e57c6c51955ff9cc4eb5d0224f06af18de4a0243df8766bad2328cf5977ece028c3fc7

Download Submit
\L7\TextCaptureLib.dll
Filesize
132KB

MD5
cdec1880342d88c9819d1c9a84f8b234

SHA1
90d85b856ff37a34d396a5a0f4e4de9aa04afce1

SHA256
60aa7f99f7730576248f098d199463de320939cc5abf2c0c2acd6a7120a4c342

SHA512
2c6869c37fcb6202d326ecc15e6186e0edffa6a726c66deb3e92fa06d3e57c6c51955ff9cc4eb5d0224f06af18de4a0243df8766bad2328cf5977ece028c3fc7

Download Submit
\L7\TextCaptureLib.dll
Filesize
132KB

MD5
cdec1880342d88c9819d1c9a84f8b234

SHA1
90d85b856ff37a34d396a5a0f4e4de9aa04afce1

SHA256
60aa7f99f7730576248f098d199463de320939cc5abf2c0c2acd6a7120a4c342

SHA512
2c6869c37fcb6202d326ecc15e6186e0edffa6a726c66deb3e92fa06d3e57c6c51955ff9cc4eb5d0224f06af18de4a0243df8766bad2328cf5977ece028c3fc7

Download Submit
\L7\adclient.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
\L7\ik-add-ca.exe
Filesize
326KB

MD5
a774893f64b3e0b080f5541a4ccf4083

SHA1
03cb3a97d85165ec14a122dff2dca4083ce2c439

SHA256
86e06629cdd717bde4d4c64a0920f6f5e7dcb6ae67325a48f0a319bd16bbff68

SHA512
36e56802ff011e163b4fbf1b81d305cd375103374e9317db6ce24c20e808a40a21ee9548bf29a844299e4afc2c5ce0e2f60668cef1d81e2321e4c9a22104b21d

Download Submit
\L7\ik-add-ca.exe
Filesize
326KB

MD5
a774893f64b3e0b080f5541a4ccf4083

SHA1
03cb3a97d85165ec14a122dff2dca4083ce2c439

SHA256
86e06629cdd717bde4d4c64a0920f6f5e7dcb6ae67325a48f0a319bd16bbff68

SHA512
36e56802ff011e163b4fbf1b81d305cd375103374e9317db6ce24c20e808a40a21ee9548bf29a844299e4afc2c5ce0e2f60668cef1d81e2321e4c9a22104b21d

Download Submit
\L7\tc_hook.dll
Filesize
336KB

MD5
79576c147cea698432e72da3531025fc

SHA1
50eea800c28387852ba6ca5ddcd59910aaf1485d

SHA256
c8bb58f8d17829e59b780ce96db9f41049ea5a23e7961c67515a440835061733

SHA512
b0afd5394f46695e44374911da587099a39f2faf1d5c4bd7387fe7ca7e1a4aec2979974b6d85017e720060093105840bbd344bd431a94769689c85fbf07c6b0c

Download Submit
\L7\tc_hook.dll
Filesize
336KB

MD5
79576c147cea698432e72da3531025fc

SHA1
50eea800c28387852ba6ca5ddcd59910aaf1485d

SHA256
c8bb58f8d17829e59b780ce96db9f41049ea5a23e7961c67515a440835061733

SHA512
b0afd5394f46695e44374911da587099a39f2faf1d5c4bd7387fe7ca7e1a4aec2979974b6d85017e720060093105840bbd344bd431a94769689c85fbf07c6b0c

Download Submit
\L7\tc_hook.dll
Filesize
336KB

MD5
79576c147cea698432e72da3531025fc

SHA1
50eea800c28387852ba6ca5ddcd59910aaf1485d

SHA256
c8bb58f8d17829e59b780ce96db9f41049ea5a23e7961c67515a440835061733

SHA512
b0afd5394f46695e44374911da587099a39f2faf1d5c4bd7387fe7ca7e1a4aec2979974b6d85017e720060093105840bbd344bd431a94769689c85fbf07c6b0c

Download Submit
\L7\watchad.exe
Filesize
130KB

MD5
2e5aa01cd5fca865830558904a6f85c9

SHA1
bb106d058dcbd6248a5beaac3bc222b8216a94ef

SHA256
77afd2b96e7e302f506601ad1989966a4a1d9934296c7b17ff4b85dd2de88b68

SHA512
b559923f2dd4f4cd121366abdf486c1d9b196a1eb492e5cfac6e926034aafb5659e06ae1b19ac4d554a0a2e348e040cf882a0b5487512830ad82c68bc7fc6a03

Download Submit
memory/1880-226-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download