Malware Analysis Report

2025-01-03 03:00

Sample ID 241124-krqnpssngs
Target 9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe
SHA256 9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f
Tags
babadeda cryptbot crypter discovery loader spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f

Threat Level: Known bad

The file 9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe was found to be: Known bad.

Malicious Activity Summary

babadeda cryptbot crypter discovery loader spyware stealer

Babadeda Crypter

CryptBot

Babadeda family

Cryptbot family

Babadeda

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 08:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 08:50

Reported

2024-11-24 08:52

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIE9EA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e459.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e456.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e456.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE6EA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE7D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE881.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE95D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF14B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e459.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 2844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 2324 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3036 wrote to memory of 1692 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 3036 wrote to memory of 1692 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 3036 wrote to memory of 1692 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 3036 wrote to memory of 1692 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 1692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2660 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2660 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2660 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

"C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 56B2D0DF86A45115275E172299491CC0 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732178781 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B63C52D72B9C81ADE1C4DCF434A15C38

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe

"C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ecKYXcoxAlI & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

Files

\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\decoder.dll

MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi

MD5 2573636efacc233ed4f6568fe9bb7e20
SHA1 d9b3cae113dca1b9c29c79e61a5287944a82e26a
SHA256 ab40bac5608afcb9a1faf638f67fbbd626b624945cf7955a79627e711a2cacef
SHA512 8e9f478936495dd9b56c27cacaad930a976cd6e4f1e6da9fea0e3d6f017766ee171f8ed8617ec292f6ffd6d9152aa3e30b43f7a68345da5e1cd57bb38f65911c

C:\Users\Admin\AppData\Local\Temp\CabD74E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD7ED.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\MSIDC19.tmp

MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

C:\Users\Admin\AppData\Local\Temp\MSIDE0D.tmp

MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 737c5d4463d6e1c392303edca116cd80
SHA1 5764939be08176838f2349ddc75c301df5c9fefe
SHA256 40206ef9b59bdbed9bbb9dbddd2bc1c79ef8b10a9e30afc3bd82cb013951ed3a
SHA512 448a7a91bfb994c9920cd3aa0e2a465f26776cf18cefae7d38381263f08f01b44fea89e50cb7ad4b3736e3025a8f335c09b98a7c720b0161a354c388b2d73e23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fcd3b84fec2c1fe2430da776f6e95bf
SHA1 e0bd28bdba8de0b6dd9910a7170e3c5cd1edc11c
SHA256 57c4435d7a940621c3e4bb07efad086f0f84f8fd90b0a54861f32fc1ff8534eb
SHA512 958f07c9247bb1995c9d5710ba2c552734794c23ce1b816d4c5b2b57c394d7ca89918b9da6dcedadb9b54f0249386d17d278b16e526e1054ee7d6dab70d54414

C:\Windows\Installer\MSIE9EA.tmp

MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\basswma10.dll

MD5 6f326b02197d2eef82db11af9ddee965
SHA1 e1b365b2ed5557dc11b762f2e6a4ac184edb8a34
SHA256 2a991f9a34af0377a3acfdd7ff4be173b6f12b98ec5b867231e1535b3d075b1f
SHA512 7ee028ef32a8f137fdd4cc43c936032ec0d313090b9a4782b3d2345f91a7eb04aad2667fdf0442958f21883f931faa0bcab5fa35cfdf7be534869a6753446381

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\syncapp.exe

MD5 91d805c2e2ced4b1db0bb01fa8e2326a
SHA1 00f1f2446b1b8176696734a25e9c2f0e33c2ae1b
SHA256 d50fa02a182cb28251fe67355d255a4199d07037bbef2f4f195b59b8ca35394f
SHA512 79a0743273a0805e54b4871ca512bcb7b217a529d0216138ddb0d02ec7baff6a4c7f7f6636980e2833d8a0d253ab1badefa6fe4e838aeebce0aed51c269a72bb

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\dgh

MD5 378a5fc935f23699158dd188e9504ba1
SHA1 eb54533557c12f03d0b2bce83d27af8393e1378f
SHA256 2509ed4d893d62a8662745885d6bd927f052af5affe1149fadee13f88fbd3ba4
SHA512 152111bb0cd604a9fc9da528a37729b746894c410a243c27a482ca953108c7f657108fa185e0398b2b8bff7d4875125542a9d52a9657977168e477ce740b4125

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_TreeView.xml

MD5 254b075520bd91672a03d4938bab7ae7
SHA1 466cbea618ddbead509dff921703f5ebb6b19d83
SHA256 7f2ef800e1119c2e7ed4c3f78729016774613f15b08e56e75dcfab93418e9198
SHA512 f58d7721b7c7ca6a3cca10b88661b5e926788eeb147a111e3842824acb7e52dbe26a23012ec6fc6b8e3c3c6626173dd2210eaac9f30c25a097f25b897c59fbb2

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_Thumbview.xml

MD5 bb7515d7ab4b05965a4e0ac69f97bdc5
SHA1 1975b3d4c0ff70d22dcf1f87c19b484346c48ab0
SHA256 213167f577fb42e0b2b31d3adaf00ce8217da2e30b95694e20cf0217564343d7
SHA512 de9f89566887760322fa5822675a8296374782547c07441ef43f5e9f51668ecb44c3b521f2c620c29b1781ba689e2180e2c3767a0dc590e0869acff5578c7cf0

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_Menu.xml

MD5 8a501ba91a337b956aab9e7c428dbfd1
SHA1 126d109a2c518027ed8e1d6eb6694a02340f2a4f
SHA256 b9d94fa54b922c1b1adbe50a0947964daf6de8745e8bf9cae9d97bd7e2fcfebb
SHA512 9ae9a3a2127c0ddc5b94a3a68de48a5b46562b7402aeaa3620d7db0ce03a210a54a7d29f0812825eb337136a2121757639c771936c31bb3f8bd5a64d51269d90

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\searchhelp.rtf

MD5 e94f6d87535ec7a59ae0a16a8ef17271
SHA1 2662c1d22d459a892474d16661e254eee8adc513
SHA256 73e9ac882a25f8c364d817ca3d93bfa9f493397ccb3a740ec3377fbeb94a13f4
SHA512 18f6f9c1f38eb6d95de169cf42a8cad52064952fe90e0d7339dce5dfaf6f706de067ae59601cf9cceea47f7ffe0d037f92b7bd1f66a69ad4fc92ddabcfbac427

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\MathTree.dll

MD5 97e1bb42cd2e298262f3c89e00e1a676
SHA1 4bd34c09de674da580179acba00f051dab487b66
SHA256 6e877b42d70b20ddc4c73e710ceea0e1b06a357949c4698e9755568a0a44d490
SHA512 a2f68444f262e7a7b30d66dc718a75c016cb530b0cb772dcd01a7b11544cb6787779357c354dfc47a20fa4c3ef098c9daa61713414ad3a0725d495059d8354f9

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libmms-0.dll

MD5 bc738da6535b5015e9eaba90f56f8b59
SHA1 ce7c7865645a09dcf59daf519bade328ddf04b67
SHA256 4eea44b0b4ea4c248595bb1e573334005ec538792e3bb9d2a07ee01265443327
SHA512 fd2a5c1eb9c5fe4bd2fd87ef912297f463cb623e12d5e9ccf8cc7fccb39858765e289f4a9102fc02f68b0845048abb1390dd32afe2329b143ed331f678c4792b

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstfft-1.0-0.dll

MD5 29f7aab4e7367014db45f866ab052327
SHA1 f2bc284d7acbef09fea7136b9156ed79289059f7
SHA256 2204684f02ae5185deaa3704ed8355a737018cae320e68e3209311d1f2506237
SHA512 46917b7c58e46dcaaa7f9740bc65c7323fe4a999ce35d3c670c7b8dcb205be2667a7a5d21dfee8f32f42a1ee41f6118df896d02a96ad85a0b0f88c3b79b87143

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstcontroller-1.0-0.dll

MD5 6ba630b7efb75e1a7bd1dde921269caf
SHA1 747a70f6aa881371987d17c777a8ac2f9acd97df
SHA256 469082f964fedd6014cf97de7c30f85d471e6c41248a48a8870657e330d7e36c
SHA512 f401adb86f6cb3bdebff0c6310a2ae7c0b2e59bdfb9ec3c8008a941ae22dea3ee4d39ecb6d7c7331a8dedc96e03a8c1c70ac14dca5c183d509f253755fdfa376

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstapp-1.0-0.dll

MD5 613283ce438722cc027b2f0cafc910d7
SHA1 06d1f1b97a1041a58d55d6ee227df887511041a5
SHA256 d953e18d73af16d5b0e2ebc79cbb6f85871dd5cd4ebd45a5b1d54f50aabaad3e
SHA512 44897bbba77779a0dcaaabb8b91fc6338320b86a88b10132a1841d35d1605118fc7ffe66b1bea18813e40b0ee5bfb8942b831c5e52dfb767a2572c204a071112

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgpg-error-0.dll

MD5 40f2b954259ff75979920fa7546c89f0
SHA1 c93f6bc6c7f68dd02dcf66c57a71fcf8ddbc35e5
SHA256 460960b7a0a0f5f0a40b33203a46e840ad01e260afb4540ecd4e6c779d5b041b
SHA512 d992ddd9271422914335de85f0cb6991f4389f7e2c9a8b4606c435dc30ceee31671d725efa4da397502551d1b45f826692d486612afe435a51d30b13dacd295d

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libffi-6.dll

MD5 c4059a8eec8ad3abc6432238f7491a2b
SHA1 f1c6cf3fa216f73ba44bd481c685ef30cfd3d284
SHA256 a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da
SHA512 0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libchromaprint.dll

MD5 87b32e6ed0b33019ddb113db9ee52b23
SHA1 f6661c6150b3afa8f5603381911b87645f932b44
SHA256 4c99c72663c1944d031d6b4d0aa18c3356e964ef874103cbfac61589590d742b
SHA512 3d44792b6e556b2aefd9bd796e092067af72252aa38b70a7a2294f9718d4519d59c8106c59d2aaf7e08aaf6871fc4b1c306bad4c7b785e0365405386da1dd59f

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libplist.dll

MD5 49055810fcc813a8e1bde0a64233f06f
SHA1 70f9b4f9668cede76b785dd3a1d54146b7f8f68a
SHA256 d1111915f3e27ef605141a56cc5bedea25684ed44784de1213e99f5fe9e5a41e
SHA512 7fca8d488bc30385011aeac999943a7bc6ba9e2e15ce83d8ccb77ae72a7c0af1391d6f7a8966443c31f83c54c10a67722d976e7d69f0d442234264c8856a5c50

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\liborc-test-0.4-0.dll

MD5 00d68e20169f763376095705c1520c4f
SHA1 75ec5e1974654613c9eeeff047f1eb58694fd656
SHA256 3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f
SHA512 4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstsdp-1.0-0.dll

MD5 8b89a31d5d3f3173f5e3bb9118d04a7e
SHA1 b9829c7df23d7190928041753e2e07069c7abfee
SHA256 c5616071d5d2e858bf26cea64bcda17b6c494b1507ea96a17816811c6071e4a8
SHA512 67ed465d0af1e933dee09c95a3e5945cb33308f0de21182128f9d19c5ae85ed048b5cef685b322a6ba4c33830f5844a5eed507b3475017a845391305d872ff12

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstriff-1.0-0.dll

MD5 893c149773bff81b55530820207c73f0
SHA1 46c6b5f00b463d31140a0b9972d4bc2b04ba0d0a
SHA256 83f074dbacf3d3dc4c7d5646d056359bb7cb29dcd1a2d109cd07ee21dbdb42af
SHA512 33f1f08051632756396ee906bcb7285726484eba1d8c67ecf884a42f824261d9b73ba0bca52eb8a7d68e7544d79c6feea2c98a46c1e0e2ce98e3bbdc3b6b63ea

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\searchhelp.rtf

MD5 d6d456354649589f9ace65cafbdcc2ea
SHA1 dbacf271a8b8d5bbdf38bd4e1db5903ccb4033d5
SHA256 797e6178ed8403d7b4e84603b81950c99ae9ed432f98bba9d7958fb2db562c56
SHA512 04097ce38b2a936c1e614121a6776d705362ce6146b0c395c466f1d592263dc01e42123733de5b65e284b19efb446f20efbf8b17ae91b1ad33f0e9facb65a157

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_Menu.xml

MD5 4c0a4688786973dfbd57247ec8134f98
SHA1 34e1bd34ef7dff6def1bf049da4285010f56b8f8
SHA256 7eded3cd3aab0d9d2995b7372d55b004c1c1c246285a110109ca16413f826a84
SHA512 0884474da44357f8407746cb83f842850555d39ce0bbd6ef43b0e8b57920184cac705b7405e0e2ccbb603fa99e3f58c9c915438fa608a00e9a3025289c3620be

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_Thumbview.xml

MD5 447fc41d865c6106bbf6ef6a904bece4
SHA1 61ae758686e4825f759f0ee3894aa8de22f9b29a
SHA256 1c9d8b48689f4865e9f04853ae55a18324c93916edd5c65016cf089de1b59f7a
SHA512 25cb0d82e5f7f9e5cfbbf58b4d971d7a8a6b6aa87d5b80580dbe221c83597d9ac4d548c2dc581d557b0e36b1958680eb0dc7f0d71e52df8c4c0172cdbca742b6

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_TreeView.xml

MD5 71d14cc9ecf9c7b117cf86201e8ad9a1
SHA1 10c7b21fea1af67aedd702d8a8d2915423cbae75
SHA256 859124fa394e6025f462c33099024309eb3014b341fa96f1b5702703c2c093fa
SHA512 e8972bad28e44664504734dc9beef478a217ad888d68fadabc3c0278201e9586cf842c088d60dcaedd2b1aee045d2e6137b43c3854aabf11ce9ca2fb15605698

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\searchhelp.rtf

MD5 afc31b9d3c7bc3d9ffcbd6ceeb3aa386
SHA1 692f532bfdaabc046ce73d9947312cea1d6ab62e
SHA256 58ab8c24e1ec79d518771e64fe3a3929ac79612e6881cf9030054f452696496f
SHA512 eb7261f5afcdb39d32ef0c0fee631d4d0f17d45c12e2cbcbb1c53aab2df89ff774d3d183cdb5ba7ec6167b68addda479d5a1204cb428ec3959d2367c0805e464

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_Menu.xml

MD5 e6978b85642b5f09c8feaee634cdf4af
SHA1 cd907a90b7fccc68b5eb889c1048b04567ad9494
SHA256 4c6d4ccac1e8c33a78177210acda678623d604bf889b282cff7df1f81008f37f
SHA512 46fa77d511dc42bc6eac0c96bb089dc2aa04aa87129f07e0bdefcffa824b930453bd1df3a3509b47db5c4b3ba1dd6400f46b399233361cfbe3e82daac5041b1b

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_MenuContext_Thumbview.xml

MD5 fa6f323c2332d43c213fb2f377580c14
SHA1 433b6e4c85c83132f7c8b04a23cb35c8730b60aa
SHA256 a2ff4a596e5f639a037707efa6bf880c8adce823a9a312af7622daa569659435
SHA512 6dcd4de583cf5763b83dceed143541571864cebe0653c012e70313e9399e05244c8db558dea3c8efb3e57c4d2c927253aa99dd39b053e0bb43929b48be8370af

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_MenuContext_TreeView.xml

MD5 ce0d1178f7a416f7749856a7c48a3aba
SHA1 5cf38efe0cfa006a4568359f225e837f44047d2a
SHA256 572d41e8a14de71b3476e6d59ed20456f30e1197f7b77ebead554d461e22f0a5
SHA512 4bfab59c47cf903e4773b2bfca2d9f158ff6b1f87695cb13fe8fb8e33cf99535beaab8431437f948d57647832c5dd4126ce319bd9e85b532744b43b51a60aaaa

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_Menu.xml

MD5 92b5062e658f21840e59fcad9bb84d25
SHA1 baba6fa64b43e27f31318c21c2685baf591026c9
SHA256 ef1bf2484d612b60866ddc454837acba243ae78890601d0a1ff3c2f4fdee9a7b
SHA512 b9ca5061652a31a484ce21f5e16269e7fe970c9d828e834ed492db10a14e10b9365d60f400f2417222225d90b8ff416c0fd0129333e0cd3c0e1166f72bd2c198

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_MenuContext_Thumbview.xml

MD5 fac144ad086628e1ff23707eb2de6a3a
SHA1 fd4b1ab8df804f652c35dd4d7e634e4627bad6b3
SHA256 7597a9390624d4cb060b31a99f2c04e5b4f00743769bb2a3e19287e7a26365cd
SHA512 8832a8bbf8e38334a236d6588a5ecfb331976097358c9e5991bb85143b1da7fbc2e0f70aaf3e5deef2cd44eae707228aa5766e9c758b652da13f5261e36fdfa8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_MenuContext_TreeView.xml

MD5 75eee29a00a8eb22627d235987202e03
SHA1 4fc4f9d96ae4210c5e9883a6ce16c75ee0a33fdb
SHA256 a817a747b2cc75047a60e6bef1986c71d283dbc8b5f986dbde9f044427ac297f
SHA512 866e1e42b87f6d2dd20930ad856b81f0a82e39e7be685ab9602ffa23e6783078551f8ce015c2becc28cbaae5129381572b41199030ef6dbfa7c599f6634f8719

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\searchhelp.rtf

MD5 f7a53d17c2d207fe583a53ab324db20e
SHA1 03f958492f2d3e8df165219979cafdd325ce827f
SHA256 d0001d7e13fad28a05cbeb19eecaba1ab68112be65c7cb0f01320165a2a745c1
SHA512 c3f8c8db8cc270959ab70df94c3fb24d318200c9a85e6647baa24cadc8960b3f49fa9e55de4f11906dc1c27e61e64c9c8907d3a18f27bdeab288e11761d1d3b7

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_Menu.xml

MD5 30d18a363eb4ae208e0c59d15f17bf58
SHA1 87a57e55b7b3c82b8083575e8fc478dbf61ea9ef
SHA256 6228b88f2d4d0ead68e1534692becee9ccb7a7660a21b9d1647f2805fdb5945d
SHA512 27b74c947c293d70b9870b6131dc2ad2abba95ebd74aeb983a2c58f85b9048b4fe4019f3f621b047ab462860c26f73ba9cee2cc7b6a1341498c95bf6a420161a

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_MenuContext_Thumbview.xml

MD5 cdeaa622b682595567d16d72d4fa0eac
SHA1 a8668be0778318b675cb1839fc5705eb7612d1ed
SHA256 fde135130ad770b98032088e1266daca2e6a1c3a6a7ee4bb0070c597b81bb380
SHA512 69c711195772d3006cc4c09a01c0a3f08637b8c4e6b715cc6acef500737b893e95a3b98f77fc25254ebda1eb98f4248011a910ba20bae93330edb83856f58ad8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\it\xml_MenuContext_TreeView.xml

MD5 8056cc56680916bcf5d06b82c4e4a116
SHA1 46c04fe68c11d1a2235b83d9b25deb4936efccff
SHA256 a00f220f0fd86a7f58128eabcbca3bd2c83045ec70eadb7ddcce68c7deb18e82
SHA512 05afdabd4cc83342fd6b225bae45d2fe131254929dccfd2f720aadf3ead5aaff8a4d8d02ead1e6ca5b5035be48d924aa7753e337a6753cae587841eff9b755f2

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\searchhelp.rtf

MD5 6a60791a0901d5f8baad05bcc77ccac4
SHA1 724a2547019d3ec3a8514a6c97dc68e9681d2a22
SHA256 5530e12f0e3d0049df4d5d7bea4cef171625b10fec3a671bcf5f8eca0c768d26
SHA512 448494a15730cf8d33ac4edd07b991eb970f475d27176c44236a19171e8431c858c252a79a3f66688d311ca3c0f6c9883e47b7cd9ba5da891038b174bc929a5c

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_Menu.xml

MD5 ba4161cb2bf4a39be5db36a539f535cb
SHA1 e5d9c8422da7f133e74727bd51335ec1bf48a7fa
SHA256 db14bd3b8c834d38b9c5ed3652754ad6fa058811f94d027c9fc0c25705311d98
SHA512 8497ff0e0fdf61fabaaebef706eab679c0c948fb6dff6026383a1fd36a1691612d32369ea0e3f0b55736f591b9110d1fa559c67f47566ad9593eb2bb24ade05f

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_MenuContext_Thumbview.xml

MD5 2e6bd27857b6cd440e75ff2a3f2845aa
SHA1 cdb7785622156fe727f8a94c188ce0823fbec28f
SHA256 f73c231ee07f95c76b467951bf0a57269d32d1f34abc7fc4f3945ddcfae9252e
SHA512 8509c2490a72d4380d82c3a0d805ba6683035bec4f3aa3ad5d69f27b4a01c21e5d620470ec7c5103933bad31a55c70908a809fd67df893e4206a6853996e5125

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\xml_MenuContext_TreeView.xml

MD5 48c3c26e31224a83e1fb467683a48d05
SHA1 8b952c7e0d913ec6fad565f1df98617d7b9beb25
SHA256 6f97cdc258db1fef1dee20886207ef338fcd1f0e5bad561e02bf1868355d6ebb
SHA512 75938234fdc652f6f8b1e572c9837c282d5f4ae98cadfb84fd5336758b2dd22d08e16a306f7c54efbb44845a787e956800e4ec092e05f1d84b7cbb164708935c

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Bulgarian.txt

MD5 5e68624302c465d6e29d970f735c0b9d
SHA1 c0692a057da9de0353586643cecb10c25187ca6e
SHA256 918717374890f30c9c46b13bdf1cf71c8463f18dc14ef3a97b6cfcb4da2102d2
SHA512 bb1c0a03a5026d444f3c997e03f664b37ffa3676db0868e4f27d4efbf5319662f397d042a13a39cade63a08ad2c4457efd18c4a0503c0e342980e09fd0d268fa

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Chinese.txt

MD5 4ddd5a9820e99e8b79177a840d46d715
SHA1 bdd2a23141f0bc143161b37fdca6be07a890a8c8
SHA256 ec0979e55fea1d0f7893b254d5c4364aab80094417d410263390eaaf3d844e10
SHA512 311be5bcaf7057ef410cd84ea333dc6dcbcd31bfa2af752d365489bea0ebf983d408b22c659a18fd4316a617d17d845033b71114905d013d188b02161df1b502

C:\Config.Msi\f76e45a.rbs

MD5 71fc5b9110e2ac94acc4ded2c31f413f
SHA1 1e34cd55d34f27b6a5ff16c16a6a40dd25908460
SHA256 78062fb35da248410bea96920df167eba188027f28c702b752b579ac2210cd01
SHA512 949d9d9b49363827af42fbc0c2e48a54298d189a8e147513d534805eb01e504a4f1c6bcce9aeb0436d980f2fcfaa6a74ef1184d84a36d73f4a23c1bf3faddd11

memory/1692-323-0x00000000003F0000-0x000000000078B000-memory.dmp

memory/1692-328-0x00000000003F0000-0x000000000078B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 08:50

Reported

2024-11-24 08:52

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Babadeda family

babadeda

CryptBot

spyware stealer cryptbot

Cryptbot family

cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9751.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9772.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9967.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579664.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579664.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI96F0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9730.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9750.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9762.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{41FE8904-EAB3-489E-ADD8-A651DB615D1E} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 2020 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4104 wrote to memory of 2020 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4104 wrote to memory of 2020 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3080 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 3080 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 3080 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe C:\Windows\SysWOW64\msiexec.exe
PID 4104 wrote to memory of 1796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4104 wrote to memory of 1796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4104 wrote to memory of 1796 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4104 wrote to memory of 4752 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 4104 wrote to memory of 4752 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
PID 4104 wrote to memory of 4752 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe

"C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D87E24C9640C2A6112CF2FF4281221C9 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\9c9cb6d2d576ce60305c87aade6a2259c962ac94da96d83cf094c4d1ed0a856f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732197603 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E59E53F6E009D5CF104794F3B437149C

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe

"C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.249.72.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 veowvf15.top udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\decoder.dll

MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi

MD5 2573636efacc233ed4f6568fe9bb7e20
SHA1 d9b3cae113dca1b9c29c79e61a5287944a82e26a
SHA256 ab40bac5608afcb9a1faf638f67fbbd626b624945cf7955a79627e711a2cacef
SHA512 8e9f478936495dd9b56c27cacaad930a976cd6e4f1e6da9fea0e3d6f017766ee171f8ed8617ec292f6ffd6d9152aa3e30b43f7a68345da5e1cd57bb38f65911c

C:\Users\Admin\AppData\Local\Temp\MSI9490.tmp

MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

C:\Users\Admin\AppData\Local\Temp\MSI94FE.tmp

MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

C:\Windows\Installer\MSI9772.tmp

MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\basswma10.dll

MD5 6f326b02197d2eef82db11af9ddee965
SHA1 e1b365b2ed5557dc11b762f2e6a4ac184edb8a34
SHA256 2a991f9a34af0377a3acfdd7ff4be173b6f12b98ec5b867231e1535b3d075b1f
SHA512 7ee028ef32a8f137fdd4cc43c936032ec0d313090b9a4782b3d2345f91a7eb04aad2667fdf0442958f21883f931faa0bcab5fa35cfdf7be534869a6753446381

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\syncapp.exe

MD5 91d805c2e2ced4b1db0bb01fa8e2326a
SHA1 00f1f2446b1b8176696734a25e9c2f0e33c2ae1b
SHA256 d50fa02a182cb28251fe67355d255a4199d07037bbef2f4f195b59b8ca35394f
SHA512 79a0743273a0805e54b4871ca512bcb7b217a529d0216138ddb0d02ec7baff6a4c7f7f6636980e2833d8a0d253ab1badefa6fe4e838aeebce0aed51c269a72bb

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libplist.dll

MD5 49055810fcc813a8e1bde0a64233f06f
SHA1 70f9b4f9668cede76b785dd3a1d54146b7f8f68a
SHA256 d1111915f3e27ef605141a56cc5bedea25684ed44784de1213e99f5fe9e5a41e
SHA512 7fca8d488bc30385011aeac999943a7bc6ba9e2e15ce83d8ccb77ae72a7c0af1391d6f7a8966443c31f83c54c10a67722d976e7d69f0d442234264c8856a5c50

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_TreeView.xml

MD5 71d14cc9ecf9c7b117cf86201e8ad9a1
SHA1 10c7b21fea1af67aedd702d8a8d2915423cbae75
SHA256 859124fa394e6025f462c33099024309eb3014b341fa96f1b5702703c2c093fa
SHA512 e8972bad28e44664504734dc9beef478a217ad888d68fadabc3c0278201e9586cf842c088d60dcaedd2b1aee045d2e6137b43c3854aabf11ce9ca2fb15605698

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_MenuContext_Thumbview.xml

MD5 447fc41d865c6106bbf6ef6a904bece4
SHA1 61ae758686e4825f759f0ee3894aa8de22f9b29a
SHA256 1c9d8b48689f4865e9f04853ae55a18324c93916edd5c65016cf089de1b59f7a
SHA512 25cb0d82e5f7f9e5cfbbf58b4d971d7a8a6b6aa87d5b80580dbe221c83597d9ac4d548c2dc581d557b0e36b1958680eb0dc7f0d71e52df8c4c0172cdbca742b6

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Polish.txt

MD5 99c26bb117ceab99ba6a1b442127c78b
SHA1 978d058d37518c99f5e4ab55d2934129f4ac9ca5
SHA256 9fb2589b26a4fc137f5c569198a3c006e0301ef562b547947f01b9dfce6fe3f4
SHA512 84f8323781469aa03c1e41ce2a715e8367ad1bc4c20e25e9d90621feaa8b463e12eaea7e60273158c4da7598d730d8ec8c79b7cad54a7e8868591090ae62c8fc

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\French.txt

MD5 b38d3a41ca99121e7df38fcf586fc730
SHA1 a633dbeb51a32cb77a1f3bb356bbd7c7bdef0cde
SHA256 52b77c71ff21c212316a71feea496108a16d4aa8047f67b37775f700db422e28
SHA512 c6554933488dc2c76c9cd08158a895f49ec9858621242ae82507390b5ca0990e85ab4db282e9200364f58518fcc372550bd174ac3589d958acb5e25c16cdc7d8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_TreeView.xml

MD5 254b075520bd91672a03d4938bab7ae7
SHA1 466cbea618ddbead509dff921703f5ebb6b19d83
SHA256 7f2ef800e1119c2e7ed4c3f78729016774613f15b08e56e75dcfab93418e9198
SHA512 f58d7721b7c7ca6a3cca10b88661b5e926788eeb147a111e3842824acb7e52dbe26a23012ec6fc6b8e3c3c6626173dd2210eaac9f30c25a097f25b897c59fbb2

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Chinese.txt

MD5 4ddd5a9820e99e8b79177a840d46d715
SHA1 bdd2a23141f0bc143161b37fdca6be07a890a8c8
SHA256 ec0979e55fea1d0f7893b254d5c4364aab80094417d410263390eaaf3d844e10
SHA512 311be5bcaf7057ef410cd84ea333dc6dcbcd31bfa2af752d365489bea0ebf983d408b22c659a18fd4316a617d17d845033b71114905d013d188b02161df1b502

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Slovak.txt

MD5 14f093e90e0520cae5258bb4e36aeb15
SHA1 8a600725b34b9d0c61778b16e1afd4c73c904433
SHA256 4b5816c518ff6baf87ccf9a8d5bfca71a13a641e862ae7bce5baf065803ad419
SHA512 c43fcd0ac4a1b11c4f4f433ebb2f4305b67771c4fe35692257f4033624f178beb8fb8f8fc8e9be6446424e8726640dbef9a57d4da0b05266b1d5bcbae560a419

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_Menu.xml

MD5 8a501ba91a337b956aab9e7c428dbfd1
SHA1 126d109a2c518027ed8e1d6eb6694a02340f2a4f
SHA256 b9d94fa54b922c1b1adbe50a0947964daf6de8745e8bf9cae9d97bd7e2fcfebb
SHA512 9ae9a3a2127c0ddc5b94a3a68de48a5b46562b7402aeaa3620d7db0ce03a210a54a7d29f0812825eb337136a2121757639c771936c31bb3f8bd5a64d51269d90

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\xml_Menu.xml

MD5 4c0a4688786973dfbd57247ec8134f98
SHA1 34e1bd34ef7dff6def1bf049da4285010f56b8f8
SHA256 7eded3cd3aab0d9d2995b7372d55b004c1c1c246285a110109ca16413f826a84
SHA512 0884474da44357f8407746cb83f842850555d39ce0bbd6ef43b0e8b57920184cac705b7405e0e2ccbb603fa99e3f58c9c915438fa608a00e9a3025289c3620be

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\xml_MenuContext_TreeView.xml

MD5 ce0d1178f7a416f7749856a7c48a3aba
SHA1 5cf38efe0cfa006a4568359f225e837f44047d2a
SHA256 572d41e8a14de71b3476e6d59ed20456f30e1197f7b77ebead554d461e22f0a5
SHA512 4bfab59c47cf903e4773b2bfca2d9f158ff6b1f87695cb13fe8fb8e33cf99535beaab8431437f948d57647832c5dd4126ce319bd9e85b532744b43b51a60aaaa

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Turkish.txt

MD5 32befd603ce11029f858190e7679feb9
SHA1 cf7ad5082bb614692bca61f75848a59e1a1a5822
SHA256 6680498105c2bc239a468a0cfa05f3a8bf06f38323b02f9cb7e609196ff0986a
SHA512 dfd932a5145983ef43370d3942d3f957f258672e901a1852d2832c2f85a20d9f228eae690c1baf800143c44e12eadab250a939829a8ecc37364c89b5a8ff82ae

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Croatian.txt

MD5 81b83d9806d9b9f601c8c997b7bcbd04
SHA1 9efa4e7541234555d88b4bc42afc7cbd7cd98977
SHA256 1171f7c5f21d48b754662d3d217473070abe893c3a1b6c485695f1a3a48bf1a7
SHA512 1b203101ae0bfe56eb97b6a4740b135c704d7c7ddb2e92ea4d58a1c0caaa43ec0414ec176e04f36026da125fb6d4b8f0bd121ed8d88f9ac29bb7bc2cb5016262

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\xml_MenuContext_Thumbview.xml

MD5 fac144ad086628e1ff23707eb2de6a3a
SHA1 fd4b1ab8df804f652c35dd4d7e634e4627bad6b3
SHA256 7597a9390624d4cb060b31a99f2c04e5b4f00743769bb2a3e19287e7a26365cd
SHA512 8832a8bbf8e38334a236d6588a5ecfb331976097358c9e5991bb85143b1da7fbc2e0f70aaf3e5deef2cd44eae707228aa5766e9c758b652da13f5261e36fdfa8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\xml_MenuContext_Thumbview.xml

MD5 bb7515d7ab4b05965a4e0ac69f97bdc5
SHA1 1975b3d4c0ff70d22dcf1f87c19b484346c48ab0
SHA256 213167f577fb42e0b2b31d3adaf00ce8217da2e30b95694e20cf0217564343d7
SHA512 de9f89566887760322fa5822675a8296374782547c07441ef43f5e9f51668ecb44c3b521f2c620c29b1781ba689e2180e2c3767a0dc590e0869acff5578c7cf0

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Swedish.txt

MD5 c07810393930edfbbbdbca8a0f3a6b20
SHA1 3e75518fbe40334db4c3554ecafc944d280184c8
SHA256 5ac4e6d56ce6b6a82a59610aa4ae174a1b4d638d605423cd4daccb4501868ab2
SHA512 2719e8a3a0a6b2aa0948eb9574ca891304802d6d59d802fd908f87de9cb232d0c8fc6cd9ab66010fcfa6705a4dc7fc86e8d0b7c0d8a1721cfac441a7ecd7eeda

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Transponders\TerFiles\all.list

MD5 e28de9af5066f83d06a749cd70062f3e
SHA1 1e70274e70a54f81bcbdc14d6aa00d8b5e869300
SHA256 d84f7ebe5517180d9c231898c30339a07c19ca7b045b21f33eb4dbe625ec7865
SHA512 81c7b3a6668213f33ccd10cbe950bdc7204a8e74eb52ee911d2c41132f072ffb9026e2878666883fa2f9f69fe9c80b8c076093d6aeeada2d2008396535416e47

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\pl\searchhelp.rtf

MD5 6a60791a0901d5f8baad05bcc77ccac4
SHA1 724a2547019d3ec3a8514a6c97dc68e9681d2a22
SHA256 5530e12f0e3d0049df4d5d7bea4cef171625b10fec3a671bcf5f8eca0c768d26
SHA512 448494a15730cf8d33ac4edd07b991eb970f475d27176c44236a19171e8431c858c252a79a3f66688d311ca3c0f6c9883e47b7cd9ba5da891038b174bc929a5c

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Transponders\CabFiles\all.list

MD5 c5349bec3b6306b6e96004b330488a26
SHA1 638b3c445e4b3c8bcd7fd7e87ffec0b86beb0581
SHA256 b411c1e7c81150434a4cf4144b200a45be088366051f883a3f3e3cca4930c9bb
SHA512 d5a55be25b4ae903ba75e6c64de90ad953a82bc8e2bb63e4d014d282a7950365d43eb33984ad475b1ec32a15994c40181a9ba86d0845257fe4d07a7835e10ea0

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Transponders\IPTV\Rostelecom.m3u

MD5 9a9cf633adcf233d12162df92379fc98
SHA1 c3b87cb0328a56b583903769f28df25e3c68a928
SHA256 5077544d1644d1738f45b28743639e848802d1a8484ed6cd3f25d798a745cee6
SHA512 2b7b23eb385cd01b9a638d97a17c05c1b6d2e9e249ee415488e964ce1e7d69e7c9e3412feae62c039420c367209e446706015badbe09fec95fc58e3e64221bb7

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Transponders\ATSC\list.txt

MD5 3e43a289a247b121e0ff2c19656df76a
SHA1 4f2ecb02984ef1de43eb9ee7b17d6b702df92b6f
SHA256 1a11293293b03edcfb86c5404b83d09ca1292df0771f053c0a639f575e9b8515
SHA512 07dca1f9bbfbacccb205a5249788670da7b0e44c5731364f1c0c123848034f600fdf304bf5bf79682a692d1c341d690f11a647d47e6992e8e9b4d370cf70a9f4

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Transponders\All.list

MD5 1b724e22c141bf7a93091437198a18a6
SHA1 fd2399d2cf769e292a046d07d7faf9540d3ff765
SHA256 dcaadd15a5079d2dfe8f861d9d987f1f7169c668c00aaf02654bbbd7f0262f96
SHA512 d62375b5e9437f665f57cb6d8d4200488a80e90037a470f6dc140d0986e1ac90e903dd72daae43a203ba89241f5f932ea436d5078dda9087c627b51778f42787

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Localization\Bulgarian.txt

MD5 5e68624302c465d6e29d970f735c0b9d
SHA1 c0692a057da9de0353586643cecb10c25187ca6e
SHA256 918717374890f30c9c46b13bdf1cf71c8463f18dc14ef3a97b6cfcb4da2102d2
SHA512 bb1c0a03a5026d444f3c997e03f664b37ffa3676db0868e4f27d4efbf5319662f397d042a13a39cade63a08ad2c4457efd18c4a0503c0e342980e09fd0d268fa

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\es\searchhelp.rtf

MD5 afc31b9d3c7bc3d9ffcbd6ceeb3aa386
SHA1 692f532bfdaabc046ce73d9947312cea1d6ab62e
SHA256 58ab8c24e1ec79d518771e64fe3a3929ac79612e6881cf9030054f452696496f
SHA512 eb7261f5afcdb39d32ef0c0fee631d4d0f17d45c12e2cbcbb1c53aab2df89ff774d3d183cdb5ba7ec6167b68addda479d5a1204cb428ec3959d2367c0805e464

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\en\searchhelp.rtf

MD5 d6d456354649589f9ace65cafbdcc2ea
SHA1 dbacf271a8b8d5bbdf38bd4e1db5903ccb4033d5
SHA256 797e6178ed8403d7b4e84603b81950c99ae9ed432f98bba9d7958fb2db562c56
SHA512 04097ce38b2a936c1e614121a6776d705362ce6146b0c395c466f1d592263dc01e42123733de5b65e284b19efb446f20efbf8b17ae91b1ad33f0e9facb65a157

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\Lang\de\searchhelp.rtf

MD5 e94f6d87535ec7a59ae0a16a8ef17271
SHA1 2662c1d22d459a892474d16661e254eee8adc513
SHA256 73e9ac882a25f8c364d817ca3d93bfa9f493397ccb3a740ec3377fbeb94a13f4
SHA512 18f6f9c1f38eb6d95de169cf42a8cad52064952fe90e0d7339dce5dfaf6f706de067ae59601cf9cceea47f7ffe0d037f92b7bd1f66a69ad4fc92ddabcfbac427

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\MathTree.dll

MD5 97e1bb42cd2e298262f3c89e00e1a676
SHA1 4bd34c09de674da580179acba00f051dab487b66
SHA256 6e877b42d70b20ddc4c73e710ceea0e1b06a357949c4698e9755568a0a44d490
SHA512 a2f68444f262e7a7b30d66dc718a75c016cb530b0cb772dcd01a7b11544cb6787779357c354dfc47a20fa4c3ef098c9daa61713414ad3a0725d495059d8354f9

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libmms-0.dll

MD5 bc738da6535b5015e9eaba90f56f8b59
SHA1 ce7c7865645a09dcf59daf519bade328ddf04b67
SHA256 4eea44b0b4ea4c248595bb1e573334005ec538792e3bb9d2a07ee01265443327
SHA512 fd2a5c1eb9c5fe4bd2fd87ef912297f463cb623e12d5e9ccf8cc7fccb39858765e289f4a9102fc02f68b0845048abb1390dd32afe2329b143ed331f678c4792b

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstfft-1.0-0.dll

MD5 29f7aab4e7367014db45f866ab052327
SHA1 f2bc284d7acbef09fea7136b9156ed79289059f7
SHA256 2204684f02ae5185deaa3704ed8355a737018cae320e68e3209311d1f2506237
SHA512 46917b7c58e46dcaaa7f9740bc65c7323fe4a999ce35d3c670c7b8dcb205be2667a7a5d21dfee8f32f42a1ee41f6118df896d02a96ad85a0b0f88c3b79b87143

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstcontroller-1.0-0.dll

MD5 6ba630b7efb75e1a7bd1dde921269caf
SHA1 747a70f6aa881371987d17c777a8ac2f9acd97df
SHA256 469082f964fedd6014cf97de7c30f85d471e6c41248a48a8870657e330d7e36c
SHA512 f401adb86f6cb3bdebff0c6310a2ae7c0b2e59bdfb9ec3c8008a941ae22dea3ee4d39ecb6d7c7331a8dedc96e03a8c1c70ac14dca5c183d509f253755fdfa376

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstapp-1.0-0.dll

MD5 613283ce438722cc027b2f0cafc910d7
SHA1 06d1f1b97a1041a58d55d6ee227df887511041a5
SHA256 d953e18d73af16d5b0e2ebc79cbb6f85871dd5cd4ebd45a5b1d54f50aabaad3e
SHA512 44897bbba77779a0dcaaabb8b91fc6338320b86a88b10132a1841d35d1605118fc7ffe66b1bea18813e40b0ee5bfb8942b831c5e52dfb767a2572c204a071112

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgpg-error-0.dll

MD5 40f2b954259ff75979920fa7546c89f0
SHA1 c93f6bc6c7f68dd02dcf66c57a71fcf8ddbc35e5
SHA256 460960b7a0a0f5f0a40b33203a46e840ad01e260afb4540ecd4e6c779d5b041b
SHA512 d992ddd9271422914335de85f0cb6991f4389f7e2c9a8b4606c435dc30ceee31671d725efa4da397502551d1b45f826692d486612afe435a51d30b13dacd295d

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libffi-6.dll

MD5 c4059a8eec8ad3abc6432238f7491a2b
SHA1 f1c6cf3fa216f73ba44bd481c685ef30cfd3d284
SHA256 a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da
SHA512 0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libchromaprint.dll

MD5 87b32e6ed0b33019ddb113db9ee52b23
SHA1 f6661c6150b3afa8f5603381911b87645f932b44
SHA256 4c99c72663c1944d031d6b4d0aa18c3356e964ef874103cbfac61589590d742b
SHA512 3d44792b6e556b2aefd9bd796e092067af72252aa38b70a7a2294f9718d4519d59c8106c59d2aaf7e08aaf6871fc4b1c306bad4c7b785e0365405386da1dd59f

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\liborc-test-0.4-0.dll

MD5 00d68e20169f763376095705c1520c4f
SHA1 75ec5e1974654613c9eeeff047f1eb58694fd656
SHA256 3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f
SHA512 4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstsdp-1.0-0.dll

MD5 8b89a31d5d3f3173f5e3bb9118d04a7e
SHA1 b9829c7df23d7190928041753e2e07069c7abfee
SHA256 c5616071d5d2e858bf26cea64bcda17b6c494b1507ea96a17816811c6071e4a8
SHA512 67ed465d0af1e933dee09c95a3e5945cb33308f0de21182128f9d19c5ae85ed048b5cef685b322a6ba4c33830f5844a5eed507b3475017a845391305d872ff12

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\libgstriff-1.0-0.dll

MD5 893c149773bff81b55530820207c73f0
SHA1 46c6b5f00b463d31140a0b9972d4bc2b04ba0d0a
SHA256 83f074dbacf3d3dc4c7d5646d056359bb7cb29dcd1a2d109cd07ee21dbdb42af
SHA512 33f1f08051632756396ee906bcb7285726484eba1d8c67ecf884a42f824261d9b73ba0bca52eb8a7d68e7544d79c6feea2c98a46c1e0e2ce98e3bbdc3b6b63ea

C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\dgh

MD5 378a5fc935f23699158dd188e9504ba1
SHA1 eb54533557c12f03d0b2bce83d27af8393e1378f
SHA256 2509ed4d893d62a8662745885d6bd927f052af5affe1149fadee13f88fbd3ba4
SHA512 152111bb0cd604a9fc9da528a37729b746894c410a243c27a482ca953108c7f657108fa185e0398b2b8bff7d4875125542a9d52a9657977168e477ce740b4125

memory/4752-246-0x0000000000500000-0x000000000089B000-memory.dmp

C:\Config.Msi\e579667.rbs

MD5 31f05c63d684c63531543be0ccc17d94
SHA1 435de8a30c4a31846e1aea023d44045ebf161293
SHA256 0d597566db99552a709caf65822acaa84ecda5623b6b8b58a99475386256f3f8
SHA512 5d2f4a0754aa902ee6e12ba58e26674f2b2ca87ac92af19330a05bb5cb70315298514bf3edb3e1d83d7b328445d61aa4acb688311a4d28ebff24308553bdba31

C:\Users\Admin\AppData\Local\Temp\wxJHGMNbU\_Files\_Information.txt

MD5 152ab3215846a203eaa06d60dad5015d
SHA1 bfcaa4f686cd78035b80cc4a9dd651f4e9bf1a8a
SHA256 f253a060de8a75b675dcd6e614c2870fe723be322d307ef0cfc882aa2377d55b
SHA512 30fc28d92a232d51bbbd3c0478f35502daf804ee7ecbff13b3a1c849c0475664521dabb8b450d899285c4438ae1f102d3a78a31ea56074fe2a1e4d49da20da5a

C:\Users\Admin\AppData\Local\Temp\wxJHGMNbU\_Files\_Screen_Desktop.jpeg

MD5 4f5362b01a29438efd06a77da7fa19bb
SHA1 1f179bdf734c303596407e8a216cc3082fb91545
SHA256 54ec36b5407eddf2f3e73e85bbd0289317e59b426532a763dae2963e35c96db4
SHA512 33614271f3a9a2b5e756d76ea500beafe6219f24758159bbdfe427a8397b56bad8b833cf07bb70a468ee66d303eb30859a44dfccd80ffbf96eb9248ad6c4c8b5

C:\Users\Admin\AppData\Local\Temp\wxJHGMNbU\_Files\_Information.txt

MD5 e16a54490d2349123902b8ec485c511f
SHA1 81c3945c0fb252ca9bd7e471cbcf66c9a34cdab8
SHA256 dd13ecf33b7b131ca2bbbb3034595fc17b4783fe1723df7aa1c00ab1f544b806
SHA512 d1b85c6d1c8394f524c72b685a41b588c1b8cdc54cd83cc85ccf8579faedebc67dbbccc435a254e7ea144d9a50e41b81b277ab7ee154ac4e009741b8a2b11f3d

C:\Users\Admin\AppData\Local\Temp\wxJHGMNbU\_Files\_Information.txt

MD5 22d40d58a2de4646a408c2adad1e68ea
SHA1 cd05702013cc9afb1fd6dfe7a5010adf44b54611
SHA256 7866992421db1f40f70d5da15246c22db350e1821482b5ed1411da01c7dc4d07
SHA512 41cbf401b18aca1a916ae8773f51110431e8c7d5d0e548c1888d49a5ac15dacfae446317419ea4f597c981b0a6e284ff458e9db8cd665d2e403760d0623fd829

C:\Users\Admin\AppData\Local\Temp\wxJHGMNbU\KZMwYERswySxA.zip

MD5 a72d3cabe38e1ac8be3957354d8a6b81
SHA1 a39610ade87d075ed4259ddf20363f5cb69bde00
SHA256 0516dde690c9fcd99b152a0316c89a163445515b9623bd457b887656f27b2d36
SHA512 95168c18e2fb8553416ae0cd95e118c4f112a4eaea343dd116f11de719ece461bc89907dc80db3b3b1e51aca35fe15f5de61e272fbb7809f62a3356996109fce

memory/4752-378-0x0000000000500000-0x000000000089B000-memory.dmp