0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi
Size

68.4MB
MD5

b16e4988d30f4d3138b151fcf1809966
SHA1

af374b8d8f52e182ca0fc3769cec8779cf1a2d39
SHA256

0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0
SHA512

195af50cff3bb07a63a1f8c1b37e8f60fabbb679db16dac1645e847d026504007780a3aa09db1548f101a6a79b9217afc966948d378dc88117b9df59eae40562
SSDEEP

1572864:f1Bktt21Ys9ZNJa8CPbxtVqfsY8yHEn8QO3ek4HHHsFIcXrKYGng:bktt21bl2xtVqfNEnuOkS2X2YGg

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1760	ICACLS.EXE
4736	ICACLS.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	violenceknowledgepro.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 1284	544	violenceknowledge.exe	118

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI34D9.tmp	msiexec.exe
File created	C:\Windows\Installer\e58124b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58124b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI3266.tmp	msiexec.exe
File created	C:\Windows\Installer\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI3277.tmp	msiexec.exe
File created	C:\Windows\Installer\e58124d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14AC.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
2808	ClearArchitect_Install_sib.exe
1480	ClearArchitect_Install.exe
4756	javaw.exe
2496	violenceknowledgepro.exe
544	violenceknowledge.exe

Loads dropped DLL 17 IoCs

pid	Process
2872	MsiExec.exe
2808	ClearArchitect_Install_sib.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
2872	MsiExec.exe
2872	MsiExec.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe
4756	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4088	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	violenceknowledge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClearArchitect_Install_sib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClearArchitect_Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\064445EB4000C0D40AFE5F47BCD9D34B\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\ProductName = "ClearArchitect"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\PackageCode = "43D26B19E8CB1DF4ABADF0729FF9FE5D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\064445EB4000C0D40AFE5F47BCD9D34B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\ProductIcon = "C:\\Windows\\Installer\\{F7149DD8-6FF4-4475-B2BC-CE5F06AFFCF6}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\PackageName = "0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DD9417F4FF657442BCBECF560FACF6F\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DD9417F4FF657442BCBECF560FACF6F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DD9417F4FF657442BCBECF560FACF6F\ProductFeature	msiexec.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2444	msiexec.exe
2444	msiexec.exe
3048	powershell.exe
3048	powershell.exe
544	violenceknowledge.exe
544	violenceknowledge.exe
544	violenceknowledge.exe
544	violenceknowledge.exe
544	violenceknowledge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4088	msiexec.exe
Token: SeSecurityPrivilege	2444	msiexec.exe
Token: SeCreateTokenPrivilege	4088	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4088	msiexec.exe
Token: SeLockMemoryPrivilege	4088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4088	msiexec.exe
Token: SeMachineAccountPrivilege	4088	msiexec.exe
Token: SeTcbPrivilege	4088	msiexec.exe
Token: SeSecurityPrivilege	4088	msiexec.exe
Token: SeTakeOwnershipPrivilege	4088	msiexec.exe
Token: SeLoadDriverPrivilege	4088	msiexec.exe
Token: SeSystemProfilePrivilege	4088	msiexec.exe
Token: SeSystemtimePrivilege	4088	msiexec.exe
Token: SeProfSingleProcessPrivilege	4088	msiexec.exe
Token: SeIncBasePriorityPrivilege	4088	msiexec.exe
Token: SeCreatePagefilePrivilege	4088	msiexec.exe
Token: SeCreatePermanentPrivilege	4088	msiexec.exe
Token: SeBackupPrivilege	4088	msiexec.exe
Token: SeRestorePrivilege	4088	msiexec.exe
Token: SeShutdownPrivilege	4088	msiexec.exe
Token: SeDebugPrivilege	4088	msiexec.exe
Token: SeAuditPrivilege	4088	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4088	msiexec.exe
Token: SeChangeNotifyPrivilege	4088	msiexec.exe
Token: SeRemoteShutdownPrivilege	4088	msiexec.exe
Token: SeUndockPrivilege	4088	msiexec.exe
Token: SeSyncAgentPrivilege	4088	msiexec.exe
Token: SeEnableDelegationPrivilege	4088	msiexec.exe
Token: SeManageVolumePrivilege	4088	msiexec.exe
Token: SeImpersonatePrivilege	4088	msiexec.exe
Token: SeCreateGlobalPrivilege	4088	msiexec.exe
Token: SeBackupPrivilege	4464	vssvc.exe
Token: SeRestorePrivilege	4464	vssvc.exe
Token: SeAuditPrivilege	4464	vssvc.exe
Token: SeBackupPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeBackupPrivilege	2892	srtasks.exe
Token: SeRestorePrivilege	2892	srtasks.exe
Token: SeSecurityPrivilege	2892	srtasks.exe
Token: SeTakeOwnershipPrivilege	2892	srtasks.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeBackupPrivilege	2892	srtasks.exe
Token: SeRestorePrivilege	2892	srtasks.exe
Token: SeSecurityPrivilege	2892	srtasks.exe
Token: SeTakeOwnershipPrivilege	2892	srtasks.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe
Token: SeTakeOwnershipPrivilege	2444	msiexec.exe
Token: SeRestorePrivilege	2444	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4088	msiexec.exe
4088	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4756	javaw.exe
4756	javaw.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2892	2444	msiexec.exe	92
PID 2444 wrote to memory of 2892	2444	msiexec.exe	92
PID 2444 wrote to memory of 2872	2444	msiexec.exe	94
PID 2444 wrote to memory of 2872	2444	msiexec.exe	94
PID 2444 wrote to memory of 2872	2444	msiexec.exe	94
PID 2872 wrote to memory of 1760	2872	MsiExec.exe	97
PID 2872 wrote to memory of 1760	2872	MsiExec.exe	97
PID 2872 wrote to memory of 1760	2872	MsiExec.exe	97
PID 2872 wrote to memory of 3584	2872	MsiExec.exe	99
PID 2872 wrote to memory of 3584	2872	MsiExec.exe	99
PID 2872 wrote to memory of 3584	2872	MsiExec.exe	99
PID 2872 wrote to memory of 2808	2872	MsiExec.exe	101
PID 2872 wrote to memory of 2808	2872	MsiExec.exe	101
PID 2872 wrote to memory of 2808	2872	MsiExec.exe	101
PID 2808 wrote to memory of 1480	2808	ClearArchitect_Install_sib.exe	102
PID 2808 wrote to memory of 1480	2808	ClearArchitect_Install_sib.exe	102
PID 2808 wrote to memory of 1480	2808	ClearArchitect_Install_sib.exe	102
PID 1480 wrote to memory of 4756	1480	ClearArchitect_Install.exe	103
PID 1480 wrote to memory of 4756	1480	ClearArchitect_Install.exe	103
PID 1480 wrote to memory of 4756	1480	ClearArchitect_Install.exe	103
PID 2872 wrote to memory of 4736	2872	MsiExec.exe	104
PID 2872 wrote to memory of 4736	2872	MsiExec.exe	104
PID 2872 wrote to memory of 4736	2872	MsiExec.exe	104
PID 2872 wrote to memory of 2640	2872	MsiExec.exe	106
PID 2872 wrote to memory of 2640	2872	MsiExec.exe	106
PID 2872 wrote to memory of 2640	2872	MsiExec.exe	106
PID 4756 wrote to memory of 3544	4756	javaw.exe	108
PID 4756 wrote to memory of 3544	4756	javaw.exe	108
PID 4756 wrote to memory of 3544	4756	javaw.exe	108
PID 3544 wrote to memory of 3048	3544	cmd.exe	110
PID 3544 wrote to memory of 3048	3544	cmd.exe	110
PID 3544 wrote to memory of 3048	3544	cmd.exe	110
PID 4756 wrote to memory of 836	4756	javaw.exe	112
PID 4756 wrote to memory of 836	4756	javaw.exe	112
PID 4756 wrote to memory of 836	4756	javaw.exe	112
PID 4300 wrote to memory of 2496	4300	explorer.exe	114
PID 4300 wrote to memory of 2496	4300	explorer.exe	114
PID 2496 wrote to memory of 544	2496	violenceknowledgepro.exe	115
PID 2496 wrote to memory of 544	2496	violenceknowledgepro.exe	115
PID 2496 wrote to memory of 544	2496	violenceknowledgepro.exe	115
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 2996	544	violenceknowledge.exe	117
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118
PID 544 wrote to memory of 1284	544	violenceknowledge.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0d3099a1c2c980ff1cb0424c89254f704342037596ceaf7aa6c82d6cec8203e0.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9D24822AF27DC2427EB2B28228CBF151
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\files\ClearArchitect_Install_sib.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\files\ClearArchitect_Install_sib.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe
      "C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "tts01\.;tts01\..;tts01\asm-all.jar;tts01\dn-compiled-module.jar;tts01\dn-php-sdk.jar;tts01\gson.jar;tts01\jfoenix.jar;tts01\jphp-app-framework.jar;tts01\jphp-core.jar;tts01\jphp-desktop-ext.jar;tts01\jphp-gui-ext.jar;tts01\jphp-gui-jfoenix-ext.jar;tts01\jphp-json-ext.jar;tts01\jphp-jsoup-ext.jar;tts01\jphp-runtime.jar;tts01\jphp-xml-ext.jar;tts01\jphp-zend-ext.jar;tts01\jphp-zip-ext.jar;tts01\jsoup.jar;tts01\slf4j-api.jar;tts01\slf4j-simple.jar;tts01\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\c4490ce12b95084fcb4996cf9ba46b3e.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:836
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe
  "C:\Users\Admin\AppData\Local\Temp\violenceknowledgepro\violenceknowledgepro.exe"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\violenceknowledge.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\violenceknowledge.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58124c.rbs

Filesize
7KB

MD5
503002d3c2d709819f1b0762c704ecde

SHA1
8fe3a3a389b7eb5d1bc8745ccf0604b102493580

SHA256
dc57e854517adb5225484e81bf9c3d2442babb045c260a9655561ecaa73002e4

SHA512
b887440111c1cae7f06133d3ce01f3852cd50065f898b65b7f80996bc945a13f3f36cbeb10b18f61d78fbb9dd2f0d6ae237533806c19c92accc711a09b9846bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\ClearArchitect_Install.exe

Filesize
77KB

MD5
af7a9efc5c0d8d3a339fec4385c32239

SHA1
cb14c6a21202c82a9e3135060d8c7c3f48dcf5e6

SHA256
e4f5f510bed08a788fff9050971a069b32b78d2e00b390d176438754413ff49c

SHA512
bd124c51877becb27d502eac95960424cae12b843856a6b15e531450498479bd6892422f479b4d703050f8232e25a377fe21eea14f33162ac933aa10c01d773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\client\jvm.dll

Filesize
3.7MB

MD5
39c302fe0781e5af6d007e55f509606a

SHA1
23690a52e8c6578de6a7980bb78aae69d0f31780

SHA256
b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc

SHA512
67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\java.dll

Filesize
123KB

MD5
73bd0b62b158c5a8d0ce92064600620d

SHA1
63c74250c17f75fe6356b649c484ad5936c3e871

SHA256
e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30

SHA512
eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\javaw.exe

Filesize
187KB

MD5
48c96771106dbdd5d42bba3772e4b414

SHA1
e84749b99eb491e40a62ed2e92e4d7a790d09273

SHA256
a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22

SHA512
9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\net.dll

Filesize
78KB

MD5
691b937a898271ee2cffab20518b310b

SHA1
abedfcd32c3022326bc593ab392dea433fcf667c

SHA256
2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61

SHA512
1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\nio.dll

Filesize
50KB

MD5
95edb3cb2e2333c146a4dd489ce67cbd

SHA1
79013586a6e65e2e1f80e5caf9e2aa15b7363f9a

SHA256
96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31

SHA512
ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\verify.dll

Filesize
38KB

MD5
de2167a880207bbf7464bcd1f8bc8657

SHA1
0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7

SHA256
fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3

SHA512
bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\bin\zip.dll

Filesize
68KB

MD5
cb99b83bbc19cd0e1c2ec6031d0a80bc

SHA1
927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd

SHA256
68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec

SHA512
29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\currency.data

Filesize
4KB

MD5
f6258230b51220609a60aa6ba70d68f3

SHA1
b5b95dd1ddcd3a433db14976e3b7f92664043536

SHA256
22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441

SHA512
b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\ext\jfxrt.jar

Filesize
17.3MB

MD5
042b3675517d6a637b95014523b1fd7d

SHA1
82161caf5f0a4112686e4889a9e207c7ba62a880

SHA256
a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22

SHA512
7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\ext\meta-index

Filesize
1KB

MD5
77abe2551c7a5931b70f78962ac5a3c7

SHA1
a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc

SHA256
c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4

SHA512
9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\i386\jvm.cfg

Filesize
657B

MD5
9fd47c1a487b79a12e90e7506469477b

SHA1
7814df0ff2ea1827c75dcd73844ca7f025998cc6

SHA256
a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e

SHA512
97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\jsse.jar

Filesize
619KB

MD5
fd1434c81219c385f30b07e33cef9f30

SHA1
0b5ee897864c8605ef69f66dfe1e15729cfcbc59

SHA256
bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5

SHA512
9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\resources.jar

Filesize
3.3MB

MD5
9a084b91667e7437574236cd27b7c688

SHA1
d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1

SHA256
a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d

SHA512
d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\security\java.security

Filesize
26KB

MD5
409c132fe4ea4abe9e5eb5a48a385b61

SHA1
446d68298be43eb657934552d656fa9ae240f2a2

SHA256
4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583

SHA512
7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\tzdb.dat

Filesize
101KB

MD5
5a7f416bd764e4a0c2deb976b1d04b7b

SHA1
e12754541a58d7687deda517cdda14b897ff4400

SHA256
a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d

SHA512
3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts00\lib\tzmappings

Filesize
8KB

MD5
b8dd8953b143685b5e91abeb13ff24f0

SHA1
b5ceb39061fce39bb9d7a0176049a6e2600c419c

SHA256
3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272

SHA512
c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\asm-all.jar

Filesize
241KB

MD5
f5ad16c7f0338b541978b0430d51dc83

SHA1
2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a

SHA256
7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d

SHA512
82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\dn-compiled-module.jar

Filesize
3.6MB

MD5
12cef28f52482a85de514a94a0e08439

SHA1
32e28f4685739537c37a9d6b82b58e494e6af4a9

SHA256
b013901d438ea680e2953cab80c8ba93d0c26872de7cd1ae5ca9cfa54ba4b6b1

SHA512
9b4e9145f87d2c1c1e3333a151dee5f075208b79dbd6fec5d4700e743753ef4e856ac7ee7d41fa1841f3202ca48435e6a011392271c69e7d0cdf91e8e5d54856

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\dn-php-sdk.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\gson.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jfoenix.jar

Filesize
2.3MB

MD5
6316f84bc78d40b138dab1adc978ca5d

SHA1
b12ea05331ad89a9b09937367ebc20421f17b9ff

SHA256
d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17

SHA512
1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-app-framework.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-core.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-desktop-ext.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-gui-ext.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-gui-jfoenix-ext.jar

Filesize
50KB

MD5
d093f94c050d5900795de8149cb84817

SHA1
54058dda5c9e66a22074590072c8a48559bba1fb

SHA256
4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba

SHA512
3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-json-ext.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-jsoup-ext.jar

Filesize
19KB

MD5
d963210c02cd1825e967086827da8294

SHA1
26c4d004b5ffdb8f81de2d6b158a3f34819faf01

SHA256
7908145cf17301bedefd6e3af8c93e0320582c0562919ffb56cc21b7fd532b96

SHA512
756c21dc1a02d579f0e2ed39e5bedca5491087cdc28e3e96c8663a493bcfeeeeea44dc40681ec6341426dfa995883dbce11b76d1f921e043ae220399a9e554fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-runtime.jar

Filesize
1.1MB

MD5
d5ef47c915bef65a63d364f5cf7cd467

SHA1
f711f3846e144dddbfb31597c0c165ba8adf8d6b

SHA256
9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6

SHA512
04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-xml-ext.jar

Filesize
19KB

MD5
0a79304556a1289aa9e6213f574f3b08

SHA1
7ee3bde3b1777bf65d4f62ce33295556223a26cd

SHA256
434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79

SHA512
1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-zend-ext.jar

Filesize
95KB

MD5
4bc2aea7281e27bc91566377d0ed1897

SHA1
d02d897e8a8aca58e3635c009a16d595a5649d44

SHA256
4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288

SHA512
da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jphp-zip-ext.jar

Filesize
12KB

MD5
20f6f88989e806d23c29686b090f6190

SHA1
1fdb9a66bb5ca587c05d3159829a8780bb66c87d

SHA256
9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16

SHA512
2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\jsoup.jar

Filesize
342KB

MD5
36145fee38e79b81035787f1be296a52

SHA1
33ee82e324f4b1e40167f3dc5e01234a1c5cab61

SHA256
6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a

SHA512
3b00b07320831f075a6af9ac1863b8756fe4f99a1b4f2e53578dca17fdaf7bdb147279225045e9eeeba4898fe321cf5457832b8e6a1a5b71acff9a1c10392659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\slf4j-api.jar

Filesize
40KB

MD5
caafe376afb7086dcbee79f780394ca3

SHA1
da76ca59f6a57ee3102f8f9bd9cee742973efa8a

SHA256
18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79

SHA512
5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\slf4j-simple.jar

Filesize
14KB

MD5
722bb90689aecc523e3fe317e1f0984b

SHA1
8dacf9514f0c707cbbcdd6fd699e8940d42fb54e

SHA256
0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874

SHA512
d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClearArchitect_Install\tts01\zt-zip.jar

Filesize
102KB

MD5
0fd8bc4f0f2e37feb1efc474d037af55

SHA1
add8fface4c1936787eb4bffe4ea944a13467d53

SHA256
1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b

SHA512
29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\msiwrapper.ini

Filesize
1KB

MD5
11c2647ce0bb40b6e4c164702ee527fb

SHA1
3ac03a32dbf07b94d002b5260b26bc84ad944f06

SHA256
0fb6f3ef10702056b57091671c2210180d19123f8a2a6362daf087374923095d

SHA512
2a81759cdd5556ed72979dbbe67e66c6804055e76951a8d2b7392a7acd1e075d4c3239fb2c20ed26d609b342a991537ace4fc303b0951a325a37e4413804b4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\msiwrapper.ini

Filesize
1KB

MD5
f8f6915a7851d61186492e16b7bce770

SHA1
163fa78827cb086aa038686604390ff1fadb292c

SHA256
7f94423b652ad7f349944b8f39122a41f1f53b1b5e8053738a81edb25fd85838

SHA512
b7bc060a7b03400791933de91d11d0fa89b2e2e65b20d21eac579c272a9830f8ea973c69c7424b5628d5801e327553ae43d718461e2e5d9e8f5116df1b3eaef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9bc63e09-1926-47f6-a5b0-a9c302ba1da9\msiwrapper.ini

Filesize
1KB

MD5
20ec82eac2419dffd48338bc43c2f670

SHA1
6912ca486a4c62425eafe1fe6862ee2497609547

SHA256
7682b47198310c4cb0d2b663d5dcce913f7695c543a0e41a58ba6ce51207b4e5

SHA512
4a8913655226e4dfd73bc1683b31f820ce0eef4a7678de678a4a942fbac3e382f6cbb7885276912e0964d1cbe3e672b894e4d8d415f0d16044725066d09c6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qv54cvb2.gvb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2AB6.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Windows\Installer\MSI14AC.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
66001af87bc007a3c76f15cebb994bce

SHA1
5f42511dca26960c0ffd12fa923036fc6a2341f7

SHA256
997bfb6e6bdb3383564bec2d0f2b1fed43379398b9fe37428733c2ce8de7c70d

SHA512
7d5fda3aae49d3bceb6a5ced3c88d9fd8bd577e53b8b465b585235dd74afd9a21d7a314234d4deed269b7370543b0de559ab21c6be0ec4451f861c3c48cbdc8c

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7963a3fd-5545-4e8c-86b1-ce6b43fa65ec}_OnDiskSnapshotProp

Filesize
6KB

MD5
5a6e3113678f57b9cb4fa4824ef6eedd

SHA1
1467cca087b2aa43fc93ff6754532205602acd97

SHA256
2d380ab29785f568faabf8b11f2250ddb016619b5245192a5b7921127a867242

SHA512
605962248376168e38ea728868af864e15cf7fe1e0a65307ab84a67b520a9b377e608cd4e58986852629da6350aab9299515a7df5e76cef192da129c6e433f8f

Download Submit
memory/544-578-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/544-579-0x000000000A3A0000-0x000000000A3A6000-memory.dmp

Filesize
24KB

Download
memory/544-544-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/544-542-0x0000000006290000-0x0000000006834000-memory.dmp

Filesize
5.6MB

Download
memory/544-541-0x0000000005900000-0x0000000005942000-memory.dmp

Filesize
264KB

Download
memory/544-540-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/544-539-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/544-538-0x0000000000FE0000-0x00000000010E4000-memory.dmp

Filesize
1.0MB

Download
memory/1480-301-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3048-487-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/3048-516-0x0000000007F50000-0x0000000007FE6000-memory.dmp

Filesize
600KB

Download
memory/3048-482-0x00000000033A0000-0x00000000033D6000-memory.dmp

Filesize
216KB

Download
memory/3048-486-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/3048-483-0x0000000005C40000-0x0000000006268000-memory.dmp

Filesize
6.2MB

Download
memory/3048-497-0x00000000064C0000-0x0000000006814000-memory.dmp

Filesize
3.3MB

Download
memory/3048-498-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/3048-499-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/3048-500-0x0000000007950000-0x0000000007982000-memory.dmp

Filesize
200KB

Download
memory/3048-501-0x000000006EE00000-0x000000006EE4C000-memory.dmp

Filesize
304KB

Download
memory/3048-511-0x0000000006F70000-0x0000000006F8E000-memory.dmp

Filesize
120KB

Download
memory/3048-512-0x0000000007B90000-0x0000000007C33000-memory.dmp

Filesize
652KB

Download
memory/3048-513-0x0000000008310000-0x000000000898A000-memory.dmp

Filesize
6.5MB

Download
memory/3048-514-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/3048-515-0x0000000007D60000-0x0000000007D6A000-memory.dmp

Filesize
40KB

Download
memory/3048-485-0x0000000005AF0000-0x0000000005B12000-memory.dmp

Filesize
136KB

Download
memory/3048-517-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

Filesize
68KB

Download
memory/3048-518-0x0000000007F10000-0x0000000007F1E000-memory.dmp

Filesize
56KB

Download
memory/3048-519-0x0000000007F20000-0x0000000007F34000-memory.dmp

Filesize
80KB

Download
memory/3048-520-0x0000000008010000-0x000000000802A000-memory.dmp

Filesize
104KB

Download
memory/3048-521-0x0000000007FF0000-0x0000000007FF8000-memory.dmp

Filesize
32KB

Download
memory/4756-524-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-484-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-368-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-472-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-449-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-446-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-543-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-443-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-441-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4756-386-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download