Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 22:14

General

  • Target

    PianoScrap.exe

  • Size

    83KB

  • MD5

    ad1faa076d04a9595ebb7c7c0034c35e

  • SHA1

    cbe139b2ad2d73b3b82b1d808327cf4538cfc401

  • SHA256

    3b1e29d6fde6e83f169c13b17f72c8a155fab8c7d296233703a0afdd6e714a63

  • SHA512

    4098a3c8e91f2af9ab81424a28d9189b0b28c181c1d3a5a3ce96aa493111a77f584dbd2fcefc27c695669c71f06918059ea1f840d096732a6f74ca65c86dd120

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (10 IoCs)
  • Registers COM server for autorun (1 TTP)
  • Sets DLL path for service in the registry (2 TTPs)
  • Loads dropped DLL (64 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension (1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe
    "C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
      C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
        "C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Users\Admin\AppData\Local\Mtkantu\update.exe
          C:\Users\Admin\AppData\Local\Mtkantu\update.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops Chrome extension
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1568
    • C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
      C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\ShellExt64.dll
        3⤵
        PID:1904
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
        3⤵
        PID:1760
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
        3⤵
        PID:1944
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\system32\regsvr32.exe
          /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1896
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
        3⤵
        • Loads dropped DLL
        PID:1948
        • C:\Windows\system32\regsvr32.exe
          /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:364
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
        3⤵
        • Loads dropped DLL
        PID:776
      • C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
        "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -unregdigitext
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1644
      • C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
        "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regall
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:2000
      • C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
        "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -deloldshellext
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1364
      • C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe
        "C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe" -regall
        3⤵
        • Executes dropped EXE
        PID:480
      • C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe
        "C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:1900
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
    1⤵
    PID:1800
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
    1⤵
    • Loads dropped DLL
    PID:2044
  • C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
    "C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regcapturehotkey
    1⤵
    • Executes dropped EXE
    PID:1944

Downloads

          • C:\Users\Admin\AppData\LocalLow\Mtkantu\cfg.dat

            Filesize

            3KB

            MD5

            b13beabfd4a0f52dc882f5b8fc3a5d19

            SHA1

            26efa417370d64f98464ec332a44050270346a5c

            SHA256

            80a40709cd766a0adb9f555e801b125c9a140b9f8ff660bd5afe4c111e30f8cd

            SHA512

            2e6e0455d3e05c8f8179741f4f05f2c66ef990953642da0b0bc06722808d6307fa0b12b062b88895339293b9261245843bba4f2d08483545dbdcdb26cd7b234b

          • C:\Users\Admin\AppData\Local\Mtkantu\update.exe

            Filesize

            1.2MB

            MD5

            70c61db7fd0623b87799787dd79298ed

            SHA1

            8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

            SHA256

            11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

            SHA512

            b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

          • C:\Users\Admin\AppData\Local\Mtkantu\update.exe

            Filesize

            1.2MB

            MD5

            70c61db7fd0623b87799787dd79298ed

            SHA1

            8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

            SHA256

            11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

            SHA512

            b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

          • C:\Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll

            Filesize

            1.1MB

            MD5

            d6486f5ff18881f5161126dcc85cb6d4

            SHA1

            4e3d8456a9af18ca190063c425907bdeaf3d4a14

            SHA256

            0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

            SHA512

            62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

          • C:\Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll

            Filesize

            589KB

            MD5

            19b65fd4f0929b10808562a26f94b097

            SHA1

            9fd183755d1ef10b90dd13acb7dbcd1365385d52

            SHA256

            f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

            SHA512

            1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

          • C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe

            Filesize

            1.0MB

            MD5

            cfe78a8e6bae19a071ef95f788e97acf

            SHA1

            38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

            SHA256

            da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

            SHA512

            de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

          • C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe

            Filesize

            1.0MB

            MD5

            cfe78a8e6bae19a071ef95f788e97acf

            SHA1

            38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

            SHA256

            da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

            SHA512

            de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

          • C:\Users\Admin\AppData\Local\Temp\Mtkantu\pic.7z

            Filesize

            3.7MB

            MD5

            bfc25051a4ad54bbd98f17192ef29f8f

            SHA1

            94e79c4b4e356256a009683b49574c9364661dac

            SHA256

            8847e549efab5f409d70129f793eb51b6a52577c1abd1746870d7d4b0a887391

            SHA512

            869951aac40b24cc4e0ced314ae05340915973036a91f34df0dfa5e86fa84361537574811a183a6e81f73e17c50969b94f22a3f9064ed504ba996a298779afb4

          • C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe

            Filesize

            13.7MB

            MD5

            320ceb0beeced0acc640e4c800558a99

            SHA1

            3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

            SHA256

            3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

            SHA512

            3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

          • C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe

            Filesize

            13.7MB

            MD5

            320ceb0beeced0acc640e4c800558a99

            SHA1

            3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

            SHA256

            3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

            SHA512

            3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

          • C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe

            Filesize

            5.0MB

            MD5

            33094d00b807ee9759c38901455ada0c

            SHA1

            005ee3ca0a418e89c91f714a79b3330507c9d036

            SHA256

            ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

            SHA512

            81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

          • C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe

            Filesize

            5.0MB

            MD5

            33094d00b807ee9759c38901455ada0c

            SHA1

            005ee3ca0a418e89c91f714a79b3330507c9d036

            SHA256

            ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

            SHA512

            81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll

            Filesize

            974KB

            MD5

            4ec0754233ba4f6c0d21e456e372c3b9

            SHA1

            3f8aad42e66dbe1923057d96c5be910fbe8bc115

            SHA256

            78ed624131e1ec7c18d29b88948679ed2df0ed282e1fd5c390ff147adec024a7

            SHA512

            37c5f6cd730d12c45d14e723cefb20b3c62a74a3fd6864fa53069632d55b352edaaa272def276d45b8a0dc0820b1d7e0aa3567641b527ca145bf290d31a20ea4

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll

            Filesize

            5.7MB

            MD5

            425906766aae6f064f52b8db926afb3b

            SHA1

            8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

            SHA256

            a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

            SHA512

            1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage64.dll

            Filesize

            6.6MB

            MD5

            3f80d3e3db53b051e7d346a2a7cafa86

            SHA1

            2631fafca4eae49748fe5876bb7b68d4feda35fd

            SHA256

            b7cf7c9aa419f9a1296f01d2a78e8bef75dddd20b6250991de94a4436abf0d04

            SHA512

            fb0d1c5089efdf78fd90e71bf30768b4f36d6c5b109ae8a397bf6d711075c67d769c84f24782cb42f523990055314e6c10dbc53d201057ec40b868cc23cbc286

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll

            Filesize

            1.2MB

            MD5

            9e3997c81af396b199c0767da250cff7

            SHA1

            c16aaeedf458b2b27d73d86f5c0d8310717464e8

            SHA256

            a124675f5df30180234805ae00812df7f83e0a553b18b06aa706744083461ce1

            SHA512

            b99ee23f07e51dfe7494b3dc74696944b0f5e2ef7649a79148461253fa226080248e3f46eaa1e7c21aca864eea87437608d7e2fc26f992995b046c1ba5f545cf

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe

            Filesize

            3.2MB

            MD5

            ef8ad25912f9b07bfe2127f815a264c5

            SHA1

            6c7fb7566ffb558a66683c854772d96ef22e470c

            SHA256

            bd1f8625c1f731c4efbbbe0067f6bbc061d4abb4173089ea37fe924fc0d26510

            SHA512

            899323f60b70ff70e743d634315956f408b39e1dd050b699cf954415d66b30cdcb983c04e481dd50766c700a91b13a2f93d10e5071699d957374189e000add07

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll

            Filesize

            1.2MB

            MD5

            e3ed37624ad2858d6bf644c8e1a50d15

            SHA1

            9625ab2f8c927901df23f2f92b6e9cdf1ed868c4

            SHA256

            c7a871b6991d84f8526f04413fb941b084be45e1a2ebe98e9c7cb67318aca565

            SHA512

            8306821c9fb955c0f8d272df22e3074016b7678091b54b6914a929a651dc8bea76de0a4c75d6139191aa4750e196afe77330344852f90f0186783c9c8d387973

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\soui.dll

            Filesize

            1.0MB

            MD5

            f7a20b43a2d25bd83f21fe872e76b56d

            SHA1

            bb84a51adcaec3df4181eda47d1c3ff8cb2c668b

            SHA256

            3956e5df30a8328b64159f626b69e78cd498d365ef9972cbd901e67921c5573d

            SHA512

            c669b78cbd6bc4cf587f5a9a005253f9e388fdcd9ab03f9d3c7595de9bc39bfc6b534dee457e6c04ee3bbe56f7c07a05114d7274fde50f8c228d09642e16cd47

          • C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll

            Filesize

            230KB

            MD5

            d5342f08f2d25ec76f5756dce587972a

            SHA1

            aeaff71a881dc097b5f65091a7d2e87d38463a19

            SHA256

            a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

            SHA512

            b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

          • \Users\Admin\AppData\Local\Mtkantu\Mtkantu.exe

            Filesize

            1.1MB

            MD5

            85f6d19f07f8938c837c3737664d2237

            SHA1

            43121b212ddc73161006b4638dcca077e434ec55

            SHA256

            d04113cf30c0a0aaaaf0a76998f5808cdbd10bbc4e0aabf53071e1826f1cb2a4

            SHA512

            736edb6890156773c42bdb6e7c5615293a69fd3e5bdb80d3f58d5843f02d6a5583b149d21749f0a47630a166d56e186de9fa615f815cb1f5376aa27a825e5a42

          • \Users\Admin\AppData\Local\Mtkantu\Mtkantu.exe

            Filesize

            1.1MB

            MD5

            85f6d19f07f8938c837c3737664d2237

            SHA1

            43121b212ddc73161006b4638dcca077e434ec55

            SHA256

            d04113cf30c0a0aaaaf0a76998f5808cdbd10bbc4e0aabf53071e1826f1cb2a4

            SHA512

            736edb6890156773c42bdb6e7c5615293a69fd3e5bdb80d3f58d5843f02d6a5583b149d21749f0a47630a166d56e186de9fa615f815cb1f5376aa27a825e5a42

          • \Users\Admin\AppData\Local\Mtkantu\uninst.exe

            Filesize

            900KB

            MD5

            5c6cee942aa957ba7c118940d8a5f8e6

            SHA1

            cf3f20c74c7c01b7331a937caeb01ba6f9c5062c

            SHA256

            5f93b130188bfb9d601be1a835f9a32c6c1ace0acbe188b912e497efc4fbe66f

            SHA512

            81458e3347d775024bcf885ed16933fa6656aba7f682e115107c6a427abec299a43bd30d91d3c5df0785aa5f0feab252c92d0b9bb953701ef29d732a4fcd30de

          • \Users\Admin\AppData\Local\Mtkantu\update.exe

            Filesize

            1.2MB

            MD5

            70c61db7fd0623b87799787dd79298ed

            SHA1

            8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

            SHA256

            11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

            SHA512

            b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

          • \Users\Admin\AppData\Local\Mtkantu\update.exe

            Filesize

            1.2MB

            MD5

            70c61db7fd0623b87799787dd79298ed

            SHA1

            8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

            SHA256

            11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

            SHA512

            b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

          • \Users\Admin\AppData\Local\Mtkantu\update.exe

            Filesize

            1.2MB

            MD5

            70c61db7fd0623b87799787dd79298ed

            SHA1

            8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

            SHA256

            11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

            SHA512

            b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

          • \Users\Admin\AppData\Local\Temp\Mtkantu\3.0.1\ImgCommon.dll

            Filesize

            750KB

            MD5

            52317cfc906bb75c72a414b495990542

            SHA1

            e052b0035e1160ebbcce88e9abf0495f62c3c30e

            SHA256

            25dfbd39c31f948726eb34884dcde2e10e496eef76e1e22f7162bc44c3692912

            SHA512

            b1831efb471c2462918db2e512169abd4b2f2493ca8e0c58c0b3a561b6d61205b2d931727cbc201811e99cd5c15d6d512cf7c60ea56c7b8d723ca9752f4283fc

          • \Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll

            Filesize

            1.1MB

            MD5

            d6486f5ff18881f5161126dcc85cb6d4

            SHA1

            4e3d8456a9af18ca190063c425907bdeaf3d4a14

            SHA256

            0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

            SHA512

            62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

          • \Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll

            Filesize

            589KB

            MD5

            19b65fd4f0929b10808562a26f94b097

            SHA1

            9fd183755d1ef10b90dd13acb7dbcd1365385d52

            SHA256

            f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

            SHA512

            1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

          • \Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe

            Filesize

            1.0MB

            MD5

            cfe78a8e6bae19a071ef95f788e97acf

            SHA1

            38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

            SHA256

            da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

            SHA512

            de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

          • \Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe

            Filesize

            1.0MB

            MD5

            cfe78a8e6bae19a071ef95f788e97acf

            SHA1

            38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

            SHA256

            da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

            SHA512

            de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

          • \Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe

            Filesize

            1.0MB

            MD5

            cfe78a8e6bae19a071ef95f788e97acf

            SHA1

            38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

            SHA256

            da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

            SHA512

            de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

          • \Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe

            Filesize

            13.7MB

            MD5

            320ceb0beeced0acc640e4c800558a99

            SHA1

            3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

            SHA256

            3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

            SHA512

            3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

          • \Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe

            Filesize

            13.7MB

            MD5

            320ceb0beeced0acc640e4c800558a99

            SHA1

            3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

            SHA256

            3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

            SHA512

            3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

          • \Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe

            Filesize

            13.7MB

            MD5

            320ceb0beeced0acc640e4c800558a99

            SHA1

            3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

            SHA256

            3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

            SHA512

            3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\INetC.dll

            Filesize

            21KB

            MD5

            2b342079303895c50af8040a91f30f71

            SHA1

            b11335e1cb8356d9c337cb89fe81d669a69de17e

            SHA256

            2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

            SHA512

            550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NSISdl.dll

            Filesize

            14KB

            MD5

            254f13dfd61c5b7d2119eb2550491e1d

            SHA1

            5083f6804ee3475f3698ab9e68611b0128e22fd6

            SHA256

            fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

            SHA512

            fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          • \Users\Admin\AppData\Local\Temp\nsy3101.tmp\NsisCrypt.dll

            Filesize

            15KB

            MD5

            2b2ce6a4724773710667d8e892b8d71e

            SHA1

            bc497b829d52d0bca139e7db9792b58a6c5ccac2

            SHA256

            393b83eea1a26874e0148e2609438f05fb59cd3172509c6c1a356e25c3b4fb17

            SHA512

            ee86bb39956733408d9669f28ca04cab5429ddead9e02f889b5e3d1346b7b34df48591acdba364aad8faf434dceee2a12812c7066c61651c6c01a6f27a0ea918

          • \Users\Admin\AppData\Local\Temp\pic_soft45181.exe

            Filesize

            5.0MB

            MD5

            33094d00b807ee9759c38901455ada0c

            SHA1

            005ee3ca0a418e89c91f714a79b3330507c9d036

            SHA256

            ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

            SHA512

            81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

          • \Users\Admin\AppData\Local\Temp\pic_soft45181.exe

            Filesize

            5.0MB

            MD5

            33094d00b807ee9759c38901455ada0c

            SHA1

            005ee3ca0a418e89c91f714a79b3330507c9d036

            SHA256

            ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

            SHA512

            81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

          • \Users\Admin\AppData\Local\Temp\pic_soft45181.exe

            Filesize

            5.0MB

            MD5

            33094d00b807ee9759c38901455ada0c

            SHA1

            005ee3ca0a418e89c91f714a79b3330507c9d036

            SHA256

            ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

            SHA512

            81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

          • \Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll

            Filesize

            974KB

            MD5

            4ec0754233ba4f6c0d21e456e372c3b9

            SHA1

            3f8aad42e66dbe1923057d96c5be910fbe8bc115

            SHA256

            78ed624131e1ec7c18d29b88948679ed2df0ed282e1fd5c390ff147adec024a7

            SHA512

            37c5f6cd730d12c45d14e723cefb20b3c62a74a3fd6864fa53069632d55b352edaaa272def276d45b8a0dc0820b1d7e0aa3567641b527ca145bf290d31a20ea4

          • \Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll

            Filesize

            5.7MB

            MD5

            425906766aae6f064f52b8db926afb3b

            SHA1

            8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

            SHA256

            a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

            SHA512

            1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

          • \Users\Admin\AppData\Roaming\PhotoViewer\FreeImage64.dll

            Filesize

            6.6MB

            MD5

            3f80d3e3db53b051e7d346a2a7cafa86

            SHA1

            2631fafca4eae49748fe5876bb7b68d4feda35fd

            SHA256

            b7cf7c9aa419f9a1296f01d2a78e8bef75dddd20b6250991de94a4436abf0d04

            SHA512

            fb0d1c5089efdf78fd90e71bf30768b4f36d6c5b109ae8a397bf6d711075c67d769c84f24782cb42f523990055314e6c10dbc53d201057ec40b868cc23cbc286

          • \Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll

            Filesize

            1.2MB

            MD5

            9e3997c81af396b199c0767da250cff7

            SHA1

            c16aaeedf458b2b27d73d86f5c0d8310717464e8

            SHA256

            a124675f5df30180234805ae00812df7f83e0a553b18b06aa706744083461ce1

            SHA512

            b99ee23f07e51dfe7494b3dc74696944b0f5e2ef7649a79148461253fa226080248e3f46eaa1e7c21aca864eea87437608d7e2fc26f992995b046c1ba5f545cf

          • \Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe

            Filesize

            2.2MB

            MD5

            f7a9a4f1afae3db58a43e075223f7667

            SHA1

            1e0ea21e1c57c8b04b376b6a76e39098f5d42ce5

            SHA256

            577fefd788d012d5b7b1b0db7d93e37d8e4b5a12ace9a3b6afd92a808551c43d

            SHA512

            6bcd7ef79108e0337324f3d0b08ceb2098cbfe8b5442d6820e425c8a22b3aaf4e8c3c0fd049d1268cbe559e723be266ca4b0761aa045ced02c4276b734498a64

          • \Users\Admin\AppData\Roaming\PhotoViewer\PhotoManager.exe

            Filesize

            1.3MB

            MD5

            8f4ef81b3d65de3e9fe8dfe42accaac4

            SHA1

            5852396132c4af42960f812991a2645347133de4

            SHA256

            435395137975e09cefc55944f89f8149b50fa8c16e77c900fb884aad5262b4db

            SHA512

            bd9a9be38ce276d56690c9fd22a99e4f2df15a6a456349d1785b569cc592a0ae083ec694938f5731ffd20a764f5d291336911ddf4f41eaf3d549d60eb5332e37

          • \Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe

            Filesize

            3.2MB

            MD5

            ef8ad25912f9b07bfe2127f815a264c5

            SHA1

            6c7fb7566ffb558a66683c854772d96ef22e470c

            SHA256

            bd1f8625c1f731c4efbbbe0067f6bbc061d4abb4173089ea37fe924fc0d26510

            SHA512

            899323f60b70ff70e743d634315956f408b39e1dd050b699cf954415d66b30cdcb983c04e481dd50766c700a91b13a2f93d10e5071699d957374189e000add07

          • \Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll

            Filesize

            1.2MB

            MD5

            e3ed37624ad2858d6bf644c8e1a50d15

            SHA1

            9625ab2f8c927901df23f2f92b6e9cdf1ed868c4

            SHA256

            c7a871b6991d84f8526f04413fb941b084be45e1a2ebe98e9c7cb67318aca565

            SHA512

            8306821c9fb955c0f8d272df22e3074016b7678091b54b6914a929a651dc8bea76de0a4c75d6139191aa4750e196afe77330344852f90f0186783c9c8d387973

          • \Users\Admin\AppData\Roaming\PhotoViewer\uninst.exe

            Filesize

            2.6MB

            MD5

            38acc42ae8ac7a25c74c10ab9fc31b16

            SHA1

            d7352c7a8f701170e0fbb08793cd051d5945102a

            SHA256

            3fad0736c5e75924e644d988eb39b98ab058ffb516046e16475350de1c6e3b10

            SHA512

            5af61ad41575f55bf7b48437bb7e42784d05deafb7f97f2c254a90afe1a47b4e289b485fa9f65b22fa23538e98ec8f47c7089102ea91ad9f37eae6dfaed345b2

          • \Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll

            Filesize

            230KB

            MD5

            d5342f08f2d25ec76f5756dce587972a

            SHA1

            aeaff71a881dc097b5f65091a7d2e87d38463a19

            SHA256

            a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

            SHA512

            b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

          • memory/364-140-0x0000000000000000-mapping.dmp

          • memory/468-63-0x0000000000000000-mapping.dmp

          • memory/480-161-0x0000000000000000-mapping.dmp

          • memory/776-143-0x0000000000000000-mapping.dmp

          • memory/884-54-0x0000000075801000-0x0000000075803000-memory.dmp

            Filesize

            8KB

          • memory/1216-70-0x0000000000000000-mapping.dmp

          • memory/1364-159-0x0000000000000000-mapping.dmp

          • memory/1568-86-0x0000000000000000-mapping.dmp

          • memory/1644-149-0x0000000000000000-mapping.dmp

          • memory/1760-117-0x0000000000000000-mapping.dmp

          • memory/1832-127-0x0000000000000000-mapping.dmp

          • memory/1896-132-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

            Filesize

            8KB

          • memory/1896-131-0x0000000000000000-mapping.dmp

          • memory/1900-164-0x0000000000000000-mapping.dmp

          • memory/1904-115-0x0000000000000000-mapping.dmp

          • memory/1944-119-0x0000000000000000-mapping.dmp

          • memory/1948-136-0x0000000000000000-mapping.dmp

          • memory/2000-157-0x0000000000000000-mapping.dmp

          • memory/2032-97-0x0000000000000000-mapping.dmp

          • memory/2032-109-0x0000000003FE0000-0x0000000004179000-memory.dmp

            Filesize

            1.6MB

          • memory/2032-103-0x0000000010000000-0x00000000100E0000-memory.dmp

            Filesize

            896KB