lumma | 0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0

Analysis

max time kernel
137s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi
Size

68.4MB
MD5

b16e4988d30f4d3138b151fcf1809966
SHA1

af374b8d8f52e182ca0fc3769cec8779cf1a2d39
SHA256

0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0
SHA512

195af50cff3bb07a63a1f8c1b37e8f60fabbb679db16dac1645e847d026504007780a3aa09db1548f101a6a79b9217afc966948d378dc88117b9df59eae40562
SSDEEP

1572864:f1Bktt21Ys9ZNJa8CPbxtVqfsY8yHEn8QO3ek4HHHsFIcXrKYGng:bktt21bl2xtVqfNEnuOkS2X2YGg

Score

10^/10

lumma discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
400	ICACLS.EXE
1776	ICACLS.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	violenceknowledgepro.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1504	2796	violenceknowledge.exe	53

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2C02.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\f771382.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI145B.tmp	msiexec.exe
File created	C:\Windows\Installer\f771384.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E56.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f771381.msi	msiexec.exe
File created	C:\Windows\Installer\f771382.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI2BF1.tmp	msiexec.exe
File created	C:\Windows\Installer\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f771381.msi	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
2124	ClearArchitect_Install_sib.exe
2804	ClearArchitect_Install.exe
2788	javaw.exe
2784	violenceknowledgepro.exe
2796	violenceknowledge.exe

Loads dropped DLL 34 IoCs

pid	Process
2024	MsiExec.exe
2024	MsiExec.exe
2024	MsiExec.exe
2024	MsiExec.exe
2024	MsiExec.exe
2124	ClearArchitect_Install_sib.exe
2124	ClearArchitect_Install_sib.exe
2124	ClearArchitect_Install_sib.exe
2124	ClearArchitect_Install_sib.exe
2124	ClearArchitect_Install_sib.exe
2804	ClearArchitect_Install.exe
2804	ClearArchitect_Install.exe
2804	ClearArchitect_Install.exe
2804	ClearArchitect_Install.exe
2804	ClearArchitect_Install.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2024	MsiExec.exe
2024	MsiExec.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
2788	javaw.exe
1964	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2812	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	violenceknowledge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClearArchitect_Install_sib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClearArchitect_Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\064445EB4000C0D40AFE5F47BCD9D34B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\ProductIcon = "C:\\Windows\\Installer\\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\\ProductIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\064445EB4000C0D40AFE5F47BCD9D34B\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DD9417F4FF657442BCBECF560FACF6F\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\PackageName = "0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\ProductName = "ClearArchitect"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\PackageCode = "43D26B19E8CB1DF4ABADF0729FF9FE5D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2712	msiexec.exe
2712	msiexec.exe
2628	powershell.exe
2796	violenceknowledge.exe
2796	violenceknowledge.exe
2796	violenceknowledge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeCreateTokenPrivilege	2812	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2812	msiexec.exe
Token: SeLockMemoryPrivilege	2812	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2812	msiexec.exe
Token: SeMachineAccountPrivilege	2812	msiexec.exe
Token: SeTcbPrivilege	2812	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeTakeOwnershipPrivilege	2812	msiexec.exe
Token: SeLoadDriverPrivilege	2812	msiexec.exe
Token: SeSystemProfilePrivilege	2812	msiexec.exe
Token: SeSystemtimePrivilege	2812	msiexec.exe
Token: SeProfSingleProcessPrivilege	2812	msiexec.exe
Token: SeIncBasePriorityPrivilege	2812	msiexec.exe
Token: SeCreatePagefilePrivilege	2812	msiexec.exe
Token: SeCreatePermanentPrivilege	2812	msiexec.exe
Token: SeBackupPrivilege	2812	msiexec.exe
Token: SeRestorePrivilege	2812	msiexec.exe
Token: SeShutdownPrivilege	2812	msiexec.exe
Token: SeDebugPrivilege	2812	msiexec.exe
Token: SeAuditPrivilege	2812	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2812	msiexec.exe
Token: SeChangeNotifyPrivilege	2812	msiexec.exe
Token: SeRemoteShutdownPrivilege	2812	msiexec.exe
Token: SeUndockPrivilege	2812	msiexec.exe
Token: SeSyncAgentPrivilege	2812	msiexec.exe
Token: SeEnableDelegationPrivilege	2812	msiexec.exe
Token: SeManageVolumePrivilege	2812	msiexec.exe
Token: SeImpersonatePrivilege	2812	msiexec.exe
Token: SeCreateGlobalPrivilege	2812	msiexec.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2812	msiexec.exe
2812	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	javaw.exe
2788	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2712 wrote to memory of 2024	2712	msiexec.exe	34
PID 2024 wrote to memory of 400	2024	MsiExec.exe	35
PID 2024 wrote to memory of 400	2024	MsiExec.exe	35
PID 2024 wrote to memory of 400	2024	MsiExec.exe	35
PID 2024 wrote to memory of 400	2024	MsiExec.exe	35
PID 2024 wrote to memory of 2416	2024	MsiExec.exe	37
PID 2024 wrote to memory of 2416	2024	MsiExec.exe	37
PID 2024 wrote to memory of 2416	2024	MsiExec.exe	37
PID 2024 wrote to memory of 2416	2024	MsiExec.exe	37
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2024 wrote to memory of 2124	2024	MsiExec.exe	39
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2124 wrote to memory of 2804	2124	ClearArchitect_Install_sib.exe	40
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2804 wrote to memory of 2788	2804	ClearArchitect_Install.exe	41
PID 2024 wrote to memory of 1776	2024	MsiExec.exe	42
PID 2024 wrote to memory of 1776	2024	MsiExec.exe	42
PID 2024 wrote to memory of 1776	2024	MsiExec.exe	42
PID 2024 wrote to memory of 1776	2024	MsiExec.exe	42
PID 2024 wrote to memory of 2464	2024	MsiExec.exe	44
PID 2024 wrote to memory of 2464	2024	MsiExec.exe	44
PID 2024 wrote to memory of 2464	2024	MsiExec.exe	44
PID 2024 wrote to memory of 2464	2024	MsiExec.exe	44
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 2788 wrote to memory of 1748	2788	javaw.exe	46
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 1748 wrote to memory of 2628	1748	cmd.exe	48
PID 2788 wrote to memory of 1744	2788	javaw.exe	49
PID 2788 wrote to memory of 1744	2788	javaw.exe	49
PID 2788 wrote to memory of 1744	2788	javaw.exe	49
PID 2788 wrote to memory of 1744	2788	javaw.exe	49
PID 2788 wrote to memory of 1744	2788	javaw.exe	49
PID 2788 wrote to memory of 1744	2788	javaw.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96A763AD3CF1DF3212DC42565CB627D0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\files\ClearArchitect_Install_sib.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\files\ClearArchitect_Install_sib.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe
      "C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "tts01\.;tts01\..;tts01\asm-all.jar;tts01\dn-compiled-module.jar;tts01\dn-php-sdk.jar;tts01\gson.jar;tts01\jfoenix.jar;tts01\jphp-app-framework.jar;tts01\jphp-core.jar;tts01\jphp-desktop-ext.jar;tts01\jphp-gui-ext.jar;tts01\jphp-gui-jfoenix-ext.jar;tts01\jphp-json-ext.jar;tts01\jphp-jsoup-ext.jar;tts01\jphp-runtime.jar;tts01\jphp-xml-ext.jar;tts01\jphp-zend-ext.jar;tts01\jphp-zip-ext.jar;tts01\jsoup.jar;tts01\slf4j-api.jar;tts01\slf4j-simple.jar;tts01\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\6cbc6aa9377701afc1e4443a98ab3374.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000564" "0000000000000324"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
PID:1964
- C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe
  "C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\violenceknowledge.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\violenceknowledge.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771383.rbs

Filesize
7KB

MD5
2069194de96c9b47a88d85efab2ca2bf

SHA1
6436090ea698c25608de6d0e13092070852f08b6

SHA256
18abb1ee832ceaba65eca5c85a08488dda3d4e54dbb517fe3022d0dde1b91b23

SHA512
37a24960010c326c582fa7c7b7a73eec46eed3adb244b1d05a9b27ee3a78d4a6fbb56040cd055014d866882fa892bb146bad79916d792fc8c817029b5d7a9bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cbc6aa9377701afc1e4443a98ab3374.bat

Filesize
155B

MD5
2658dfc63032f1c8c59c0233c1cc9769

SHA1
7aad97674e967259ead769fe60f8e40b30a9edd8

SHA256
ccfa651cc1c739b06adca460daea6a1fbf871457e23bd7bca52b6a7f0ee767c1

SHA512
e37e43bb9fceadd01758d4e6e21ac173f70d3120307a99d9b4a0292ecc0a341322fc77ab9f6765343371a70d1591488d294f9d536d372e372eba94f02294558a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\currency.data

Filesize
4KB

MD5
f6258230b51220609a60aa6ba70d68f3

SHA1
b5b95dd1ddcd3a433db14976e3b7f92664043536

SHA256
22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441

SHA512
b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\ext\jfxrt.jar

Filesize
17.3MB

MD5
042b3675517d6a637b95014523b1fd7d

SHA1
82161caf5f0a4112686e4889a9e207c7ba62a880

SHA256
a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22

SHA512
7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\asm-all.jar

Filesize
241KB

MD5
f5ad16c7f0338b541978b0430d51dc83

SHA1
2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a

SHA256
7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d

SHA512
82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\dn-compiled-module.jar

Filesize
3.6MB

MD5
12cef28f52482a85de514a94a0e08439

SHA1
32e28f4685739537c37a9d6b82b58e494e6af4a9

SHA256
b013901d438ea680e2953cab80c8ba93d0c26872de7cd1ae5ca9cfa54ba4b6b1

SHA512
9b4e9145f87d2c1c1e3333a151dee5f075208b79dbd6fec5d4700e743753ef4e856ac7ee7d41fa1841f3202ca48435e6a011392271c69e7d0cdf91e8e5d54856

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\dn-php-sdk.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\gson.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jfoenix.jar

Filesize
2.3MB

MD5
6316f84bc78d40b138dab1adc978ca5d

SHA1
b12ea05331ad89a9b09937367ebc20421f17b9ff

SHA256
d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17

SHA512
1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-app-framework.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-core.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-desktop-ext.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-gui-ext.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-gui-jfoenix-ext.jar

Filesize
50KB

MD5
d093f94c050d5900795de8149cb84817

SHA1
54058dda5c9e66a22074590072c8a48559bba1fb

SHA256
4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba

SHA512
3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-json-ext.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-jsoup-ext.jar

Filesize
19KB

MD5
d963210c02cd1825e967086827da8294

SHA1
26c4d004b5ffdb8f81de2d6b158a3f34819faf01

SHA256
7908145cf17301bedefd6e3af8c93e0320582c0562919ffb56cc21b7fd532b96

SHA512
756c21dc1a02d579f0e2ed39e5bedca5491087cdc28e3e96c8663a493bcfeeeeea44dc40681ec6341426dfa995883dbce11b76d1f921e043ae220399a9e554fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-runtime.jar

Filesize
1.1MB

MD5
d5ef47c915bef65a63d364f5cf7cd467

SHA1
f711f3846e144dddbfb31597c0c165ba8adf8d6b

SHA256
9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6

SHA512
04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-xml-ext.jar

Filesize
19KB

MD5
0a79304556a1289aa9e6213f574f3b08

SHA1
7ee3bde3b1777bf65d4f62ce33295556223a26cd

SHA256
434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79

SHA512
1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-zend-ext.jar

Filesize
95KB

MD5
4bc2aea7281e27bc91566377d0ed1897

SHA1
d02d897e8a8aca58e3635c009a16d595a5649d44

SHA256
4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288

SHA512
da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-zip-ext.jar

Filesize
12KB

MD5
20f6f88989e806d23c29686b090f6190

SHA1
1fdb9a66bb5ca587c05d3159829a8780bb66c87d

SHA256
9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16

SHA512
2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jsoup.jar

Filesize
342KB

MD5
36145fee38e79b81035787f1be296a52

SHA1
33ee82e324f4b1e40167f3dc5e01234a1c5cab61

SHA256
6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a

SHA512
3b00b07320831f075a6af9ac1863b8756fe4f99a1b4f2e53578dca17fdaf7bdb147279225045e9eeeba4898fe321cf5457832b8e6a1a5b71acff9a1c10392659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\violenceknowledge.exe

Filesize
1022KB

MD5
ca0a2d7ad2bdecbca7a17b85966f82fa

SHA1
a965e0257112b3f16033ca8c4ba09cd95076c5f5

SHA256
e873ca0820b48f6000b4a709a39b841532cd7544c438846eec561d3c26e7eba0

SHA512
d4079f6b67be166700e32af296d2e9da4390fad46e8eb9f400fa450437ed3bd898e48a936d0578b068b0f12de0e2155022a60c279d785e50e9393f5e9fd7edf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\msiwrapper.ini

Filesize
418B

MD5
3f9d1d15f5ae6f698fbd40a71d5cfb65

SHA1
caf73dd1450422c33a062a3f68332d2da68c4a73

SHA256
a7dd0aaea48f10634b633ec1d22c022b75b5e2b58fe426581604ad51f27bee50

SHA512
b59c0731b32a5d1e07552a43414ddfbf93e8dd57427da4957fb1ddc772e54d5972882a52a4b6e05e95735c3f29a5d4857a1714a989b06bf4cac6ac18ec1077bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\msiwrapper.ini

Filesize
1KB

MD5
0e1d9b75af9d4f6624d1e949bf0b1446

SHA1
2e88725c2e014467ff132a7439deefef36f6bf99

SHA256
67501e705b0139dadca1e119a9ed78c81ac275768e31c7141b61a555276ef823

SHA512
f055ded2ffadb260741a85507031946e02c15c3a5a768d1455093209b79a028e81da143bf9ed629314da8970eb77f4917380d6ea540f7a37354e047984f06cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\msiwrapper.ini

Filesize
1KB

MD5
437ab5b3677822fdeed5a76408e2e16a

SHA1
4e83b10cd8445fbcb9833f1997907a8c23800693

SHA256
dfe7d8adfa8547160b9ac200746436008c3536d2fc940a3bffb0bda336c93ddf

SHA512
1a9448f85e0deb4b847a8612f0b5fc8075213f2b4055ef5891240ab3eac9512b8db62ce384cce21a8672d3da45a001bfa2839aa8a08f10b526f347003686dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-be4f049e-eb5c-49ba-badb-e2083a60f66f\msiwrapper.ini

Filesize
1KB

MD5
b691c59f8bb0132cc1f958161fc6d7fc

SHA1
c2baf7f5f41374f2511abcf8a8af68fe2ec52f51

SHA256
e46dce2eef93e8922235294ba536925969d03d2fe0f1a6c2167956973f481042

SHA512
85634e17e0ad03c7671d0d7017683a6404795e1356878c8fa0dec5352e06637a6aa02dceffa733a38a135f0e57369be15293553b267c811ccc62b630dd913dea

Download Submit
C:\Windows\Installer\MSI145B.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe

Filesize
77KB

MD5
af7a9efc5c0d8d3a339fec4385c32239

SHA1
cb14c6a21202c82a9e3135060d8c7c3f48dcf5e6

SHA256
e4f5f510bed08a788fff9050971a069b32b78d2e00b390d176438754413ff49c

SHA512
bd124c51877becb27d502eac95960424cae12b843856a6b15e531450498479bd6892422f479b4d703050f8232e25a377fe21eea14f33162ac933aa10c01d773b

Download Submit
\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2618.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1504-548-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1504-554-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1504-552-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1504-550-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1504-545-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1504-546-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2788-476-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-440-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2788-491-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-495-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-388-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-480-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-408-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-514-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2788-519-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-444-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2788-441-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2788-439-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2796-511-0x0000000000830000-0x0000000000934000-memory.dmp

Filesize
1.0MB

Download
memory/2796-543-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2796-542-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/2796-512-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2804-313-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download