babadeda | 9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f

Analysis

max time kernel
48s
max time network
62s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Size

6.3MB
MD5

cddb1119c5429d9dacbd8bfc82ce14af
SHA1

833ad9c9378cae89fc23a136188a7073caf7573f
SHA256

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f
SHA512

9a2feff190c6794d1c56f5d2c56095fe3ef16c148f2916c251acd3f18c8db86fe5ace5c6dbe93db9276ab560352722560b769eec2a76cf2d031af36cd712f098
SSDEEP

98304:+Pdx/6o/EJ6N6ExIxrnumYqN2nup/iRfigVs/DHDVhGBL341RTY9Wi6NuToaBOqR:+L6ocnTSR1eP4IFYLXToa8ta/9QH6Q9S

Score

10^/10

babadeda cryptbot crypter discovery loader spyware stealer

Malware Config

Extracted

Family

cryptbot

veowvf15.top

morysl01.top

Attributes

payload_url
http://tyngle01.top/download.php?file=lv.exe

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0005000000019621-208.dat	family_babadeda

Babadeda family
babadeda
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 1 IoCs

Processes:

syncapp.exe

pid	Process
1684	syncapp.exe

Loads dropped DLL 11 IoCs

Processes:

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exeMsiExec.exeMsiExec.exesyncapp.exe

pid	Process
2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
2784	MsiExec.exe
2784	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
1684	syncapp.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow	pid	Process
4	3064	msiexec.exe
6	2636	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exemsiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\N:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\T:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\M:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\O:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\S:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\W:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\Y:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\Q:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\V:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\U:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\X:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\Z:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\K:	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76a1db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA422.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA480.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4DF.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a1db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA345.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA385.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a1de.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA740.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a1de.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.exeMsiExec.exesyncapp.execmd.exetimeout.exe9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exeMsiExec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syncapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syncapp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncapp.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1276	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
2636	msiexec.exe
2636	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

description	pid	Process
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeCreateTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeAssignPrimaryTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeLockMemoryPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeIncreaseQuotaPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeMachineAccountPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeTcbPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSecurityPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeTakeOwnershipPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeLoadDriverPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemProfilePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemtimePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeProfSingleProcessPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeIncBasePriorityPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreatePagefilePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreatePermanentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeBackupPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeRestorePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeShutdownPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeDebugPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeAuditPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemEnvironmentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeChangeNotifyPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeRemoteShutdownPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeUndockPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSyncAgentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeEnableDelegationPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeManageVolumePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeImpersonatePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreateGlobalPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreateTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeAssignPrimaryTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeLockMemoryPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeIncreaseQuotaPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeMachineAccountPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeTcbPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSecurityPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeTakeOwnershipPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeLoadDriverPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemProfilePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemtimePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeProfSingleProcessPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeIncBasePriorityPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreatePagefilePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreatePermanentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeBackupPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeRestorePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeShutdownPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeDebugPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeAuditPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSystemEnvironmentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeChangeNotifyPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeRemoteShutdownPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeUndockPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeSyncAgentPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeEnableDelegationPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeManageVolumePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeImpersonatePrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreateGlobalPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeCreateTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeAssignPrimaryTokenPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
Token: SeLockMemoryPrivilege	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
3064	msiexec.exe
3064	msiexec.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

msiexec.exe9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exesyncapp.execmd.exe

description	pid	Process	procid_target
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2636 wrote to memory of 2784	2636	msiexec.exe	31
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2436 wrote to memory of 3064	2436	9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe	32
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1640	2636	msiexec.exe	33
PID 2636 wrote to memory of 1684	2636	msiexec.exe	34
PID 2636 wrote to memory of 1684	2636	msiexec.exe	34
PID 2636 wrote to memory of 1684	2636	msiexec.exe	34
PID 2636 wrote to memory of 1684	2636	msiexec.exe	34
PID 1684 wrote to memory of 2780	1684	syncapp.exe	36
PID 1684 wrote to memory of 2780	1684	syncapp.exe	36
PID 1684 wrote to memory of 2780	1684	syncapp.exe	36
PID 1684 wrote to memory of 2780	1684	syncapp.exe	36
PID 2780 wrote to memory of 1276	2780	cmd.exe	38
PID 2780 wrote to memory of 1276	2780	cmd.exe	38
PID 2780 wrote to memory of 1276	2780	cmd.exe	38
PID 2780 wrote to memory of 1276	2780	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
"C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732178631 " AI_EUIMSI=""
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9BAD0DBDFFCB64618C027AA91241BD9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58E513AE90E12DF49296D85957D0EA7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
  "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\VoVmwXZV & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a1df.rbs

Filesize
11KB

MD5
c39a9a36787d94589d204b3389234bc0

SHA1
53e43e984274ae46c877953187d1b388ec6bd790

SHA256
27ef3d6c1063c40281465f678a4db78248866b2c67101b177fba5698ba5e43db

SHA512
dbc3c64c7099e4196de0dc32154466785a33b43b63bf330ebdd2b58686bce2ccc1cab15b44fc3f9d4831419c7db073a3c3a338cd7a19749dc82bbe632f715b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fd78747f2a4d1a0d6602d6069979d5e

SHA1
6fc1971250b3ac59bbfaf5f4913725e64e4fc8fa

SHA256
15094cd9c914ec68392eaa8766b27dbafe73ef0e90f0933943521b65e109e2bc

SHA512
27368a72dc112b36db47a1ad940c38259e3a4536426d81655de8588af688fac0bf4398464cab250be7c7d6948365c19e00b834806d11609d6911807a53fc2afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbe13872f3784f328e98476f5199ccce

SHA1
90391605b400ecfc398ab56013883f8b9967c55a

SHA256
81c763cee68fcfc8076b53d8bedf49eb996c444ba368b84f0c0a426fd2305d4a

SHA512
cd1276bd814933bf181b0b3be8ca6f0782726c13f7831c58d312c9c591d774b8fcfdebce8e54a6aa6da157f9833aa9e99b38ad1932d63a3ce032e916a06c862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9DE7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9FE4.tmp

Filesize
393KB

MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA052.tmp

Filesize
866KB

MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E09.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\Phototheca EULA.rtf

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\searchhelp.rtf

Filesize
50KB

MD5
e94f6d87535ec7a59ae0a16a8ef17271

SHA1
2662c1d22d459a892474d16661e254eee8adc513

SHA256
73e9ac882a25f8c364d817ca3d93bfa9f493397ccb3a740ec3377fbeb94a13f4

SHA512
18f6f9c1f38eb6d95de169cf42a8cad52064952fe90e0d7339dce5dfaf6f706de067ae59601cf9cceea47f7ffe0d037f92b7bd1f66a69ad4fc92ddabcfbac427

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_Menu.xml

Filesize
6KB

MD5
8a501ba91a337b956aab9e7c428dbfd1

SHA1
126d109a2c518027ed8e1d6eb6694a02340f2a4f

SHA256
b9d94fa54b922c1b1adbe50a0947964daf6de8745e8bf9cae9d97bd7e2fcfebb

SHA512
9ae9a3a2127c0ddc5b94a3a68de48a5b46562b7402aeaa3620d7db0ce03a210a54a7d29f0812825eb337136a2121757639c771936c31bb3f8bd5a64d51269d90

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_Thumbview.xml

Filesize
3KB

MD5
bb7515d7ab4b05965a4e0ac69f97bdc5

SHA1
1975b3d4c0ff70d22dcf1f87c19b484346c48ab0

SHA256
213167f577fb42e0b2b31d3adaf00ce8217da2e30b95694e20cf0217564343d7

SHA512
de9f89566887760322fa5822675a8296374782547c07441ef43f5e9f51668ecb44c3b521f2c620c29b1781ba689e2180e2c3767a0dc590e0869acff5578c7cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_TreeView.xml

Filesize
524B

MD5
254b075520bd91672a03d4938bab7ae7

SHA1
466cbea618ddbead509dff921703f5ebb6b19d83

SHA256
7f2ef800e1119c2e7ed4c3f78729016774613f15b08e56e75dcfab93418e9198

SHA512
f58d7721b7c7ca6a3cca10b88661b5e926788eeb147a111e3842824acb7e52dbe26a23012ec6fc6b8e3c3c6626173dd2210eaac9f30c25a097f25b897c59fbb2

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\searchhelp.rtf

Filesize
2KB

MD5
d6d456354649589f9ace65cafbdcc2ea

SHA1
dbacf271a8b8d5bbdf38bd4e1db5903ccb4033d5

SHA256
797e6178ed8403d7b4e84603b81950c99ae9ed432f98bba9d7958fb2db562c56

SHA512
04097ce38b2a936c1e614121a6776d705362ce6146b0c395c466f1d592263dc01e42123733de5b65e284b19efb446f20efbf8b17ae91b1ad33f0e9facb65a157

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_Menu.xml

Filesize
6KB

MD5
4c0a4688786973dfbd57247ec8134f98

SHA1
34e1bd34ef7dff6def1bf049da4285010f56b8f8

SHA256
7eded3cd3aab0d9d2995b7372d55b004c1c1c246285a110109ca16413f826a84

SHA512
0884474da44357f8407746cb83f842850555d39ce0bbd6ef43b0e8b57920184cac705b7405e0e2ccbb603fa99e3f58c9c915438fa608a00e9a3025289c3620be

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_Thumbview.xml

Filesize
2KB

MD5
447fc41d865c6106bbf6ef6a904bece4

SHA1
61ae758686e4825f759f0ee3894aa8de22f9b29a

SHA256
1c9d8b48689f4865e9f04853ae55a18324c93916edd5c65016cf089de1b59f7a

SHA512
25cb0d82e5f7f9e5cfbbf58b4d971d7a8a6b6aa87d5b80580dbe221c83597d9ac4d548c2dc581d557b0e36b1958680eb0dc7f0d71e52df8c4c0172cdbca742b6

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_TreeView.xml

Filesize
470B

MD5
71d14cc9ecf9c7b117cf86201e8ad9a1

SHA1
10c7b21fea1af67aedd702d8a8d2915423cbae75

SHA256
859124fa394e6025f462c33099024309eb3014b341fa96f1b5702703c2c093fa

SHA512
e8972bad28e44664504734dc9beef478a217ad888d68fadabc3c0278201e9586cf842c088d60dcaedd2b1aee045d2e6137b43c3854aabf11ce9ca2fb15605698

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\searchhelp.rtf

Filesize
50KB

MD5
afc31b9d3c7bc3d9ffcbd6ceeb3aa386

SHA1
692f532bfdaabc046ce73d9947312cea1d6ab62e

SHA256
58ab8c24e1ec79d518771e64fe3a3929ac79612e6881cf9030054f452696496f

SHA512
eb7261f5afcdb39d32ef0c0fee631d4d0f17d45c12e2cbcbb1c53aab2df89ff774d3d183cdb5ba7ec6167b68addda479d5a1204cb428ec3959d2367c0805e464

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_Menu.xml

Filesize
6KB

MD5
e6978b85642b5f09c8feaee634cdf4af

SHA1
cd907a90b7fccc68b5eb889c1048b04567ad9494

SHA256
4c6d4ccac1e8c33a78177210acda678623d604bf889b282cff7df1f81008f37f

SHA512
46fa77d511dc42bc6eac0c96bb089dc2aa04aa87129f07e0bdefcffa824b930453bd1df3a3509b47db5c4b3ba1dd6400f46b399233361cfbe3e82daac5041b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_MenuContext_Thumbview.xml

Filesize
3KB

MD5
fa6f323c2332d43c213fb2f377580c14

SHA1
433b6e4c85c83132f7c8b04a23cb35c8730b60aa

SHA256
a2ff4a596e5f639a037707efa6bf880c8adce823a9a312af7622daa569659435

SHA512
6dcd4de583cf5763b83dceed143541571864cebe0653c012e70313e9399e05244c8db558dea3c8efb3e57c4d2c927253aa99dd39b053e0bb43929b48be8370af

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_MenuContext_TreeView.xml

Filesize
506B

MD5
ce0d1178f7a416f7749856a7c48a3aba

SHA1
5cf38efe0cfa006a4568359f225e837f44047d2a

SHA256
572d41e8a14de71b3476e6d59ed20456f30e1197f7b77ebead554d461e22f0a5

SHA512
4bfab59c47cf903e4773b2bfca2d9f158ff6b1f87695cb13fe8fb8e33cf99535beaab8431437f948d57647832c5dd4126ce319bd9e85b532744b43b51a60aaaa

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\searchhelp.rtf

Filesize
56KB

MD5
520077fd6d03c64c735258d4d87921d8

SHA1
1b8d82d7da2d85527ce91e72f179fb8a418d47de

SHA256
6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598

SHA512
8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_Menu.xml

Filesize
7KB

MD5
92b5062e658f21840e59fcad9bb84d25

SHA1
baba6fa64b43e27f31318c21c2685baf591026c9

SHA256
ef1bf2484d612b60866ddc454837acba243ae78890601d0a1ff3c2f4fdee9a7b

SHA512
b9ca5061652a31a484ce21f5e16269e7fe970c9d828e834ed492db10a14e10b9365d60f400f2417222225d90b8ff416c0fd0129333e0cd3c0e1166f72bd2c198

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_MenuContext_Thumbview.xml

Filesize
3KB

MD5
fac144ad086628e1ff23707eb2de6a3a

SHA1
fd4b1ab8df804f652c35dd4d7e634e4627bad6b3

SHA256
7597a9390624d4cb060b31a99f2c04e5b4f00743769bb2a3e19287e7a26365cd

SHA512
8832a8bbf8e38334a236d6588a5ecfb331976097358c9e5991bb85143b1da7fbc2e0f70aaf3e5deef2cd44eae707228aa5766e9c758b652da13f5261e36fdfa8

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_MenuContext_TreeView.xml

Filesize
525B

MD5
75eee29a00a8eb22627d235987202e03

SHA1
4fc4f9d96ae4210c5e9883a6ce16c75ee0a33fdb

SHA256
a817a747b2cc75047a60e6bef1986c71d283dbc8b5f986dbde9f044427ac297f

SHA512
866e1e42b87f6d2dd20930ad856b81f0a82e39e7be685ab9602ffa23e6783078551f8ce015c2becc28cbaae5129381572b41199030ef6dbfa7c599f6634f8719

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\searchhelp.rtf

Filesize
58KB

MD5
f7a53d17c2d207fe583a53ab324db20e

SHA1
03f958492f2d3e8df165219979cafdd325ce827f

SHA256
d0001d7e13fad28a05cbeb19eecaba1ab68112be65c7cb0f01320165a2a745c1

SHA512
c3f8c8db8cc270959ab70df94c3fb24d318200c9a85e6647baa24cadc8960b3f49fa9e55de4f11906dc1c27e61e64c9c8907d3a18f27bdeab288e11761d1d3b7

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_Menu.xml

Filesize
6KB

MD5
30d18a363eb4ae208e0c59d15f17bf58

SHA1
87a57e55b7b3c82b8083575e8fc478dbf61ea9ef

SHA256
6228b88f2d4d0ead68e1534692becee9ccb7a7660a21b9d1647f2805fdb5945d

SHA512
27b74c947c293d70b9870b6131dc2ad2abba95ebd74aeb983a2c58f85b9048b4fe4019f3f621b047ab462860c26f73ba9cee2cc7b6a1341498c95bf6a420161a

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_MenuContext_Thumbview.xml

Filesize
3KB

MD5
cdeaa622b682595567d16d72d4fa0eac

SHA1
a8668be0778318b675cb1839fc5705eb7612d1ed

SHA256
fde135130ad770b98032088e1266daca2e6a1c3a6a7ee4bb0070c597b81bb380

SHA512
69c711195772d3006cc4c09a01c0a3f08637b8c4e6b715cc6acef500737b893e95a3b98f77fc25254ebda1eb98f4248011a910ba20bae93330edb83856f58ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_MenuContext_TreeView.xml

Filesize
493B

MD5
8056cc56680916bcf5d06b82c4e4a116

SHA1
46c04fe68c11d1a2235b83d9b25deb4936efccff

SHA256
a00f220f0fd86a7f58128eabcbca3bd2c83045ec70eadb7ddcce68c7deb18e82

SHA512
05afdabd4cc83342fd6b225bae45d2fe131254929dccfd2f720aadf3ead5aaff8a4d8d02ead1e6ca5b5035be48d924aa7753e337a6753cae587841eff9b755f2

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\searchhelp.rtf

Filesize
54KB

MD5
6a60791a0901d5f8baad05bcc77ccac4

SHA1
724a2547019d3ec3a8514a6c97dc68e9681d2a22

SHA256
5530e12f0e3d0049df4d5d7bea4cef171625b10fec3a671bcf5f8eca0c768d26

SHA512
448494a15730cf8d33ac4edd07b991eb970f475d27176c44236a19171e8431c858c252a79a3f66688d311ca3c0f6c9883e47b7cd9ba5da891038b174bc929a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_Menu.xml

Filesize
6KB

MD5
ba4161cb2bf4a39be5db36a539f535cb

SHA1
e5d9c8422da7f133e74727bd51335ec1bf48a7fa

SHA256
db14bd3b8c834d38b9c5ed3652754ad6fa058811f94d027c9fc0c25705311d98

SHA512
8497ff0e0fdf61fabaaebef706eab679c0c948fb6dff6026383a1fd36a1691612d32369ea0e3f0b55736f591b9110d1fa559c67f47566ad9593eb2bb24ade05f

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_MenuContext_Thumbview.xml

Filesize
3KB

MD5
2e6bd27857b6cd440e75ff2a3f2845aa

SHA1
cdb7785622156fe727f8a94c188ce0823fbec28f

SHA256
f73c231ee07f95c76b467951bf0a57269d32d1f34abc7fc4f3945ddcfae9252e

SHA512
8509c2490a72d4380d82c3a0d805ba6683035bec4f3aa3ad5d69f27b4a01c21e5d620470ec7c5103933bad31a55c70908a809fd67df893e4206a6853996e5125

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_MenuContext_TreeView.xml

Filesize
496B

MD5
48c3c26e31224a83e1fb467683a48d05

SHA1
8b952c7e0d913ec6fad565f1df98617d7b9beb25

SHA256
6f97cdc258db1fef1dee20886207ef338fcd1f0e5bad561e02bf1868355d6ebb

SHA512
75938234fdc652f6f8b1e572c9837c282d5f4ae98cadfb84fd5336758b2dd22d08e16a306f7c54efbb44845a787e956800e4ec092e05f1d84b7cbb164708935c

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Bulgarian.txt

Filesize
34KB

MD5
5e68624302c465d6e29d970f735c0b9d

SHA1
c0692a057da9de0353586643cecb10c25187ca6e

SHA256
918717374890f30c9c46b13bdf1cf71c8463f18dc14ef3a97b6cfcb4da2102d2

SHA512
bb1c0a03a5026d444f3c997e03f664b37ffa3676db0868e4f27d4efbf5319662f397d042a13a39cade63a08ad2c4457efd18c4a0503c0e342980e09fd0d268fa

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Chinese.txt

Filesize
25KB

MD5
4ddd5a9820e99e8b79177a840d46d715

SHA1
bdd2a23141f0bc143161b37fdca6be07a890a8c8

SHA256
ec0979e55fea1d0f7893b254d5c4364aab80094417d410263390eaaf3d844e10

SHA512
311be5bcaf7057ef410cd84ea333dc6dcbcd31bfa2af752d365489bea0ebf983d408b22c659a18fd4316a617d17d845033b71114905d013d188b02161df1b502

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\MathTree.dll

Filesize
74KB

MD5
97e1bb42cd2e298262f3c89e00e1a676

SHA1
4bd34c09de674da580179acba00f051dab487b66

SHA256
6e877b42d70b20ddc4c73e710ceea0e1b06a357949c4698e9755568a0a44d490

SHA512
a2f68444f262e7a7b30d66dc718a75c016cb530b0cb772dcd01a7b11544cb6787779357c354dfc47a20fa4c3ef098c9daa61713414ad3a0725d495059d8354f9

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi

Filesize
2.1MB

MD5
2573636efacc233ed4f6568fe9bb7e20

SHA1
d9b3cae113dca1b9c29c79e61a5287944a82e26a

SHA256
ab40bac5608afcb9a1faf638f67fbbd626b624945cf7955a79627e711a2cacef

SHA512
8e9f478936495dd9b56c27cacaad930a976cd6e4f1e6da9fea0e3d6f017766ee171f8ed8617ec292f6ffd6d9152aa3e30b43f7a68345da5e1cd57bb38f65911c

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\basswma10.dll

Filesize
2.7MB

MD5
6f326b02197d2eef82db11af9ddee965

SHA1
e1b365b2ed5557dc11b762f2e6a4ac184edb8a34

SHA256
2a991f9a34af0377a3acfdd7ff4be173b6f12b98ec5b867231e1535b3d075b1f

SHA512
7ee028ef32a8f137fdd4cc43c936032ec0d313090b9a4782b3d2345f91a7eb04aad2667fdf0442958f21883f931faa0bcab5fa35cfdf7be534869a6753446381

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\dgh

Filesize
847KB

MD5
378a5fc935f23699158dd188e9504ba1

SHA1
eb54533557c12f03d0b2bce83d27af8393e1378f

SHA256
2509ed4d893d62a8662745885d6bd927f052af5affe1149fadee13f88fbd3ba4

SHA512
152111bb0cd604a9fc9da528a37729b746894c410a243c27a482ca953108c7f657108fa185e0398b2b8bff7d4875125542a9d52a9657977168e477ce740b4125

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libchromaprint.dll

Filesize
78KB

MD5
87b32e6ed0b33019ddb113db9ee52b23

SHA1
f6661c6150b3afa8f5603381911b87645f932b44

SHA256
4c99c72663c1944d031d6b4d0aa18c3356e964ef874103cbfac61589590d742b

SHA512
3d44792b6e556b2aefd9bd796e092067af72252aa38b70a7a2294f9718d4519d59c8106c59d2aaf7e08aaf6871fc4b1c306bad4c7b785e0365405386da1dd59f

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libffi-6.dll

Filesize
49KB

MD5
c4059a8eec8ad3abc6432238f7491a2b

SHA1
f1c6cf3fa216f73ba44bd481c685ef30cfd3d284

SHA256
a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da

SHA512
0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgpg-error-0.dll

Filesize
56KB

MD5
40f2b954259ff75979920fa7546c89f0

SHA1
c93f6bc6c7f68dd02dcf66c57a71fcf8ddbc35e5

SHA256
460960b7a0a0f5f0a40b33203a46e840ad01e260afb4540ecd4e6c779d5b041b

SHA512
d992ddd9271422914335de85f0cb6991f4389f7e2c9a8b4606c435dc30ceee31671d725efa4da397502551d1b45f826692d486612afe435a51d30b13dacd295d

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstapp-1.0-0.dll

Filesize
70KB

MD5
613283ce438722cc027b2f0cafc910d7

SHA1
06d1f1b97a1041a58d55d6ee227df887511041a5

SHA256
d953e18d73af16d5b0e2ebc79cbb6f85871dd5cd4ebd45a5b1d54f50aabaad3e

SHA512
44897bbba77779a0dcaaabb8b91fc6338320b86a88b10132a1841d35d1605118fc7ffe66b1bea18813e40b0ee5bfb8942b831c5e52dfb767a2572c204a071112

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstcontroller-1.0-0.dll

Filesize
83KB

MD5
6ba630b7efb75e1a7bd1dde921269caf

SHA1
747a70f6aa881371987d17c777a8ac2f9acd97df

SHA256
469082f964fedd6014cf97de7c30f85d471e6c41248a48a8870657e330d7e36c

SHA512
f401adb86f6cb3bdebff0c6310a2ae7c0b2e59bdfb9ec3c8008a941ae22dea3ee4d39ecb6d7c7331a8dedc96e03a8c1c70ac14dca5c183d509f253755fdfa376

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstfft-1.0-0.dll

Filesize
66KB

MD5
29f7aab4e7367014db45f866ab052327

SHA1
f2bc284d7acbef09fea7136b9156ed79289059f7

SHA256
2204684f02ae5185deaa3704ed8355a737018cae320e68e3209311d1f2506237

SHA512
46917b7c58e46dcaaa7f9740bc65c7323fe4a999ce35d3c670c7b8dcb205be2667a7a5d21dfee8f32f42a1ee41f6118df896d02a96ad85a0b0f88c3b79b87143

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstriff-1.0-0.dll

Filesize
84KB

MD5
893c149773bff81b55530820207c73f0

SHA1
46c6b5f00b463d31140a0b9972d4bc2b04ba0d0a

SHA256
83f074dbacf3d3dc4c7d5646d056359bb7cb29dcd1a2d109cd07ee21dbdb42af

SHA512
33f1f08051632756396ee906bcb7285726484eba1d8c67ecf884a42f824261d9b73ba0bca52eb8a7d68e7544d79c6feea2c98a46c1e0e2ce98e3bbdc3b6b63ea

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstsdp-1.0-0.dll

Filesize
77KB

MD5
8b89a31d5d3f3173f5e3bb9118d04a7e

SHA1
b9829c7df23d7190928041753e2e07069c7abfee

SHA256
c5616071d5d2e858bf26cea64bcda17b6c494b1507ea96a17816811c6071e4a8

SHA512
67ed465d0af1e933dee09c95a3e5945cb33308f0de21182128f9d19c5ae85ed048b5cef685b322a6ba4c33830f5844a5eed507b3475017a845391305d872ff12

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libmms-0.dll

Filesize
69KB

MD5
bc738da6535b5015e9eaba90f56f8b59

SHA1
ce7c7865645a09dcf59daf519bade328ddf04b67

SHA256
4eea44b0b4ea4c248595bb1e573334005ec538792e3bb9d2a07ee01265443327

SHA512
fd2a5c1eb9c5fe4bd2fd87ef912297f463cb623e12d5e9ccf8cc7fccb39858765e289f4a9102fc02f68b0845048abb1390dd32afe2329b143ed331f678c4792b

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\liborc-test-0.4-0.dll

Filesize
51KB

MD5
00d68e20169f763376095705c1520c4f

SHA1
75ec5e1974654613c9eeeff047f1eb58694fd656

SHA256
3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f

SHA512
4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libplist.dll

Filesize
62KB

MD5
49055810fcc813a8e1bde0a64233f06f

SHA1
70f9b4f9668cede76b785dd3a1d54146b7f8f68a

SHA256
d1111915f3e27ef605141a56cc5bedea25684ed44784de1213e99f5fe9e5a41e

SHA512
7fca8d488bc30385011aeac999943a7bc6ba9e2e15ce83d8ccb77ae72a7c0af1391d6f7a8966443c31f83c54c10a67722d976e7d69f0d442234264c8856a5c50

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\syncapp.exe

Filesize
3.6MB

MD5
91d805c2e2ced4b1db0bb01fa8e2326a

SHA1
00f1f2446b1b8176696734a25e9c2f0e33c2ae1b

SHA256
d50fa02a182cb28251fe67355d255a4199d07037bbef2f4f195b59b8ca35394f

SHA512
79a0743273a0805e54b4871ca512bcb7b217a529d0216138ddb0d02ec7baff6a4c7f7f6636980e2833d8a0d253ab1badefa6fe4e838aeebce0aed51c269a72bb

Download Submit
C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\decoder.dll

Filesize
202KB

MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
C:\Windows\Installer\MSIA4DF.tmp

Filesize
573KB

MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
memory/1684-325-0x0000000000380000-0x000000000071B000-memory.dmp

Filesize
3.6MB

Download
memory/1684-328-0x0000000000380000-0x000000000071B000-memory.dmp

Filesize
3.6MB

Download