3b1e29d6fde6e83f169c13b17f72c8a155fab8c7d296233703a0afdd6e714a63

Analysis

max time kernel
157s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PianoScrap.exe
Size

83KB
MD5

ad1faa076d04a9595ebb7c7c0034c35e
SHA1

cbe139b2ad2d73b3b82b1d808327cf4538cfc401
SHA256

3b1e29d6fde6e83f169c13b17f72c8a155fab8c7d296233703a0afdd6e714a63
SHA512

4098a3c8e91f2af9ab81424a28d9189b0b28c181c1d3a5a3ce96aa493111a77f584dbd2fcefc27c695669c71f06918059ea1f840d096732a6f74ca65c86dd120

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

pic_soft45181.exeInstall.exeupdate.exeabckantu_2722097895_shouheng_001.exePhotoViewer.exePhotoViewer.exePhotoViewer.exePdfReader.exePhotoViewer.exeReport.exe

pid	process
4148	pic_soft45181.exe
4420	Install.exe
2932	update.exe
5084	abckantu_2722097895_shouheng_001.exe
1388	PhotoViewer.exe
4448	PhotoViewer.exe
4476	PhotoViewer.exe
4420	PdfReader.exe
1108	PhotoViewer.exe
2332	Report.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pic_soft45181.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	pic_soft45181.exe

Loads dropped DLL 53 IoCs

Processes:

PianoScrap.exeInstall.exeupdate.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exesvchost.exePhotoViewer.exePhotoViewer.exePhotoViewer.exePdfReader.exePhotoViewer.exe

pid	process
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
4420	Install.exe
4420	Install.exe
4420	Install.exe
2932	update.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
3308	PianoScrap.exe
1412	regsvr32.exe
4620	regsvr32.exe
4620	regsvr32.exe
2984	regsvr32.exe
4232	regsvr32.exe
4012	regsvr32.exe
4344	svchost.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
3164
1108	PhotoViewer.exe
1108	PhotoViewer.exe
1108	PhotoViewer.exe
1108	PhotoViewer.exe
1108	PhotoViewer.exe
1108	PhotoViewer.exe
3308	PianoScrap.exe
3308	PianoScrap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

abckantu_2722097895_shouheng_001.exeReport.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	abckantu_2722097895_shouheng_001.exe
File opened for modification	\??\PhysicalDrive0	Report.exe

Drops file in Windows directory 2 IoCs

Processes:

abckantu_2722097895_shouheng_001.exe

description	ioc	process
File created	C:\Windows\Tasks\PV_UPDATE.job	abckantu_2722097895_shouheng_001.exe
File created	C:\Windows\Tasks\PV_UPDATE2.job	abckantu_2722097895_shouheng_001.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

PhotoViewer.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.gif\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.jng\Shell\Open	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.nef\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.mef\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.xbm\Shell\Open	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.png\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",6"	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.raw\ = "图片格式"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.dng	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.3fr\Shell\Open	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.tif\Shell	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "PhotoViewer.jpg"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.jpe	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.lbm\DefaultIcon	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.pcd\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.pfm\ = "PhotoViewer.pfm"	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.pic\ = "图片格式"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.wap	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.wbmp\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B82F0AB0-90D7-480D-892D-850A92E9BA34}\Icon = "C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PreviewExt64.dll,201"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.raw\ShellEx\{20690236-7CA3-442C-AAB7-617C1C4C14EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nef\ShellEx\{20690236-7CA3-442C-AAB7-617C1C4C14EF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.pic\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.3fr\Shell\Open\Command	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.sr2\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ShellEx\{20690236-7CA3-442C-AAB7-617C1C4C14EF}\ = "{B82F0AB0-90D7-480D-892D-850A92E9BA34}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.gif\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.jpe\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.jpe\Shell\Open\Command	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.tif\Shell\Open	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.dds\ = "PhotoViewer.dds"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.pgx	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.j2k	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.jp2\ = "PhotoViewer.jp2"	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.pic\Shell\Open	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.wap\Shell	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.pcd\Shell\Open\Command	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.pgm\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B82F0AB0-90D7-480D-892D-850A92E9BA34}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.dib	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.dds\Shell\Open	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.g3\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.jpc\Shell	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.jpeg\Shell\Open\Command	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.pbm\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.ppm\Shell	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.pbm\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.bmp	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.cur\DefaultIcon	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.lbm\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\",1"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.lbm\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.pnm\Shell	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.pnm\ = "图片格式"	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.nef\ = "图片格式"	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.mef\Shell	PhotoViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.dds\ = "图片格式"	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.iff\Shell\Open	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.iff\Shell	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.ppm\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.cr2\Shell\Open\Command	PhotoViewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.wap\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PhotoViewer\\PhotoViewer.exe\" \"%1\""	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.xbm\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\PhotoViewer.bmp\Shell\Open	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.ras\DefaultIcon	PhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.dng\Shell\Open\Command	PhotoViewer.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

Install.exeupdate.exeabckantu_2722097895_shouheng_001.exePhotoViewer.exePhotoViewer.exePhotoViewer.exePdfReader.exePhotoViewer.exeReport.exe

pid	process
4420	Install.exe
4420	Install.exe
4420	Install.exe
4420	Install.exe
4420	Install.exe
4420	Install.exe
2932	update.exe
2932	update.exe
2932	update.exe
2932	update.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
1388	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4448	PhotoViewer.exe
4476	PhotoViewer.exe
4476	PhotoViewer.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
5084	abckantu_2722097895_shouheng_001.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
4420	PdfReader.exe
1108	PhotoViewer.exe
1108	PhotoViewer.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe
2332	Report.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Install.exeupdate.exe

description	pid	process
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeTcbPrivilege	4420	Install.exe
Token: SeTcbPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	4420	Install.exe
Token: SeDebugPrivilege	2932	update.exe
Token: SeDebugPrivilege	2932	update.exe
Token: SeDebugPrivilege	2932	update.exe
Token: SeDebugPrivilege	2932	update.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

PianoScrap.exepic_soft45181.exeInstall.exeabckantu_2722097895_shouheng_001.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3308 wrote to memory of 4148	3308	PianoScrap.exe	pic_soft45181.exe
PID 3308 wrote to memory of 4148	3308	PianoScrap.exe	pic_soft45181.exe
PID 3308 wrote to memory of 4148	3308	PianoScrap.exe	pic_soft45181.exe
PID 4148 wrote to memory of 4420	4148	pic_soft45181.exe	Install.exe
PID 4148 wrote to memory of 4420	4148	pic_soft45181.exe	Install.exe
PID 4148 wrote to memory of 4420	4148	pic_soft45181.exe	Install.exe
PID 4420 wrote to memory of 2932	4420	Install.exe	update.exe
PID 4420 wrote to memory of 2932	4420	Install.exe	update.exe
PID 4420 wrote to memory of 2932	4420	Install.exe	update.exe
PID 3308 wrote to memory of 5084	3308	PianoScrap.exe	abckantu_2722097895_shouheng_001.exe
PID 3308 wrote to memory of 5084	3308	PianoScrap.exe	abckantu_2722097895_shouheng_001.exe
PID 3308 wrote to memory of 5084	3308	PianoScrap.exe	abckantu_2722097895_shouheng_001.exe
PID 5084 wrote to memory of 2448	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 2448	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 2448	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 3648	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 3648	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 3648	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 544	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 544	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 544	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 1412	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 1412	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 1412	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 1412 wrote to memory of 4620	1412	regsvr32.exe	regsvr32.exe
PID 1412 wrote to memory of 4620	1412	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 2984	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 2984	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 2984	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 2984 wrote to memory of 4232	2984	regsvr32.exe	regsvr32.exe
PID 2984 wrote to memory of 4232	2984	regsvr32.exe	regsvr32.exe
PID 5084 wrote to memory of 4012	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 4012	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 4012	5084	abckantu_2722097895_shouheng_001.exe	regsvr32.exe
PID 5084 wrote to memory of 1388	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 1388	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 1388	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4448	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4448	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4448	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4476	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4476	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4476	5084	abckantu_2722097895_shouheng_001.exe	PhotoViewer.exe
PID 5084 wrote to memory of 4420	5084	abckantu_2722097895_shouheng_001.exe	PdfReader.exe
PID 5084 wrote to memory of 4420	5084	abckantu_2722097895_shouheng_001.exe	PdfReader.exe
PID 5084 wrote to memory of 4420	5084	abckantu_2722097895_shouheng_001.exe	PdfReader.exe
PID 5084 wrote to memory of 2332	5084	abckantu_2722097895_shouheng_001.exe	Report.exe
PID 5084 wrote to memory of 2332	5084	abckantu_2722097895_shouheng_001.exe	Report.exe
PID 5084 wrote to memory of 2332	5084	abckantu_2722097895_shouheng_001.exe	Report.exe

C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe
"C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Mtkantu\update.exe
C:\Users\Admin\AppData\Local\Mtkantu\update.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\ShellExt64.dll
3⤵
PID:2448

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
3⤵
PID:3648

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /u C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
3⤵
PID:544

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4620

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
4⤵
- Loads dropped DLL
PID:4232

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
3⤵
- Loads dropped DLL
PID:4012

C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -unregdigitext
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regall
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -deloldshellext
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PdfReader.exe" -regall
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\Report.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
1⤵
PID:3040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k PhotoviewerService
1⤵
- Loads dropped DLL
PID:4344

C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
"C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe" -regcapturehotkey
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Mtkantu\cfg.dat
Filesize
3KB

MD5
b9f42be15fb9d433b48f0223f06aedd2

SHA1
5ab6847cc3a66b2d88f1a517c299af13426398df

SHA256
464e61ae8896ae37e041ee1505a6d85456bddb1a184b68cfa7201b16486551ea

SHA512
24f414829240603cfd91e1effc38f5bbc5112444704cb2c135ed8f5a14f241f65882a0edc3b22c336a9ba5915519c97e2badcab0175d799ca52dec5bbdd00190

Download Submit
C:\Users\Admin\AppData\Local\Mtkantu\DuiLib.dll
Filesize
589KB

MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
C:\Users\Admin\AppData\Local\Mtkantu\DuiLib.dll
Filesize
589KB

MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
C:\Users\Admin\AppData\Local\Mtkantu\update.exe
Filesize
1.2MB

MD5
70c61db7fd0623b87799787dd79298ed

SHA1
8dcaf3b4a36dc3df4dcb17df3f1d3e87762a5bda

SHA256
11274d7d914519b9b3c0dbf4afbd26ef1ab76a47e716f46d65c5c4c2874bf621

SHA512
b3c526801d860694898f1ee7fb1e33037e653ae76086e46e396c3099e012fc83cc3510d6c881ac2d3588ed34ed40479530e07b0067887cd9b7f558010905941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\3.0.1\ImgCommon.dll
Filesize
750KB

MD5
52317cfc906bb75c72a414b495990542

SHA1
e052b0035e1160ebbcce88e9abf0495f62c3c30e

SHA256
25dfbd39c31f948726eb34884dcde2e10e496eef76e1e22f7162bc44c3692912

SHA512
b1831efb471c2462918db2e512169abd4b2f2493ca8e0c58c0b3a561b6d61205b2d931727cbc201811e99cd5c15d6d512cf7c60ea56c7b8d723ca9752f4283fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll
Filesize
1.1MB

MD5
d6486f5ff18881f5161126dcc85cb6d4

SHA1
4e3d8456a9af18ca190063c425907bdeaf3d4a14

SHA256
0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

SHA512
62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\7z.dll
Filesize
1.1MB

MD5
d6486f5ff18881f5161126dcc85cb6d4

SHA1
4e3d8456a9af18ca190063c425907bdeaf3d4a14

SHA256
0bab62532bf3ce4c7ecaf13c023f58c2246971e8ab888fd1a828c60a2109dbe0

SHA512
62f27de0b5944f0feaf72cd6852e28148ea540bdcc96b27d91c10b12dd618e3a152adea848d7d67c087191aa1a14e9db86038d9cb7a5f5b5b758ca994941d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll
Filesize
589KB

MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\DuiLib.dll
Filesize
589KB

MD5
19b65fd4f0929b10808562a26f94b097

SHA1
9fd183755d1ef10b90dd13acb7dbcd1365385d52

SHA256
f611f99d5f73a9aba2552c0c13470af8bc99adb195c246bafee94199d963cb83

SHA512
1f36814054a68bfbb069bac4d0a9a5ed4f0d624f09761f42e668eabb3e81b582dbdb4a444beb8cd9d6d4d5cd3c29c5ef63b44cdf989e06dd272dde712cba878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
Filesize
1.0MB

MD5
cfe78a8e6bae19a071ef95f788e97acf

SHA1
38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

SHA256
da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

SHA512
de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\Install.exe
Filesize
1.0MB

MD5
cfe78a8e6bae19a071ef95f788e97acf

SHA1
38c8de8a3bf0208fcce18e4759e8b1d9ba91f5c8

SHA256
da1a3e7c261c5c04a81c98176dc0b979177985d89d8f7ce031032d4e073fc2dd

SHA512
de6a95173c835759a83788da8ba370d45e19fbda739cf691d38bd45c41879eabd0f19d8f7b1f62d8e4632a677c8459e97c4bb55990b2e3b0514c79fe7b495da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtkantu\pic.7z
Filesize
3.7MB

MD5
bfc25051a4ad54bbd98f17192ef29f8f

SHA1
94e79c4b4e356256a009683b49574c9364661dac

SHA256
8847e549efab5f409d70129f793eb51b6a52577c1abd1746870d7d4b0a887391

SHA512
869951aac40b24cc4e0ced314ae05340915973036a91f34df0dfa5e86fa84361537574811a183a6e81f73e17c50969b94f22a3f9064ed504ba996a298779afb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
Filesize
13.7MB

MD5
320ceb0beeced0acc640e4c800558a99

SHA1
3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

SHA256
3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

SHA512
3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

Download Submit
C:\Users\Admin\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
Filesize
13.7MB

MD5
320ceb0beeced0acc640e4c800558a99

SHA1
3be72c3e1ed22e7dbf88a3ddfdcfeccb523b5546

SHA256
3dc642ebe18943d74a6ffb5cff0e2f3e93893b0948bdac449535373ae6ae15f4

SHA512
3132e8c0b3c02aefba45133ac04e6d470fe36f6c33744f8f03979592111d31147809e7a533635653014717c4a6b3ba5e6ca1493e53725c4d3a762927d4ddec32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAE08.tmp\NsisCrypt.dll
Filesize
15KB

MD5
2b2ce6a4724773710667d8e892b8d71e

SHA1
bc497b829d52d0bca139e7db9792b58a6c5ccac2

SHA256
393b83eea1a26874e0148e2609438f05fb59cd3172509c6c1a356e25c3b4fb17

SHA512
ee86bb39956733408d9669f28ca04cab5429ddead9e02f889b5e3d1346b7b34df48591acdba364aad8faf434dceee2a12812c7066c61651c6c01a6f27a0ea918

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
Filesize
5.0MB

MD5
33094d00b807ee9759c38901455ada0c

SHA1
005ee3ca0a418e89c91f714a79b3330507c9d036

SHA256
ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

SHA512
81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic_soft45181.exe
Filesize
5.0MB

MD5
33094d00b807ee9759c38901455ada0c

SHA1
005ee3ca0a418e89c91f714a79b3330507c9d036

SHA256
ee8a6bcf0c410b3201b679196b3bf24b0e569931a73cda09efb9fea3ff3b18bf

SHA512
81d4ea464227badab87b03f75d989ee41fb9f3fcf3a978c53495901db9ec7507c3ab4aa51296e3b48d47b2d3f41cc4cc881250f8b8f5a95527fc91fd16fbcd94

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
Filesize
974KB

MD5
4ec0754233ba4f6c0d21e456e372c3b9

SHA1
3f8aad42e66dbe1923057d96c5be910fbe8bc115

SHA256
78ed624131e1ec7c18d29b88948679ed2df0ed282e1fd5c390ff147adec024a7

SHA512
37c5f6cd730d12c45d14e723cefb20b3c62a74a3fd6864fa53069632d55b352edaaa272def276d45b8a0dc0820b1d7e0aa3567641b527ca145bf290d31a20ea4

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
Filesize
974KB

MD5
4ec0754233ba4f6c0d21e456e372c3b9

SHA1
3f8aad42e66dbe1923057d96c5be910fbe8bc115

SHA256
78ed624131e1ec7c18d29b88948679ed2df0ed282e1fd5c390ff147adec024a7

SHA512
37c5f6cd730d12c45d14e723cefb20b3c62a74a3fd6864fa53069632d55b352edaaa272def276d45b8a0dc0820b1d7e0aa3567641b527ca145bf290d31a20ea4

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\Checker.dll
Filesize
974KB

MD5
4ec0754233ba4f6c0d21e456e372c3b9

SHA1
3f8aad42e66dbe1923057d96c5be910fbe8bc115

SHA256
78ed624131e1ec7c18d29b88948679ed2df0ed282e1fd5c390ff147adec024a7

SHA512
37c5f6cd730d12c45d14e723cefb20b3c62a74a3fd6864fa53069632d55b352edaaa272def276d45b8a0dc0820b1d7e0aa3567641b527ca145bf290d31a20ea4

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll
Filesize
5.7MB

MD5
425906766aae6f064f52b8db926afb3b

SHA1
8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

SHA256
a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

SHA512
1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll
Filesize
5.7MB

MD5
425906766aae6f064f52b8db926afb3b

SHA1
8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

SHA256
a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

SHA512
1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll
Filesize
5.7MB

MD5
425906766aae6f064f52b8db926afb3b

SHA1
8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

SHA256
a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

SHA512
1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage.dll
Filesize
5.7MB

MD5
425906766aae6f064f52b8db926afb3b

SHA1
8d67d02ee61880dbb9ab35245aaac0a2210bd6b7

SHA256
a5fadba0252cffea8e0206162f2f779ef4a887f4f8aab2d038b14b42978bcb87

SHA512
1b2407871edebc80d4ef9fd7bbfea891793ce00e115361404747e86864ef145b5f137af587c9ffb6b28868877eb7167f100e73cd01977700e7aab4c75d5ed697

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage64.dll
Filesize
6.6MB

MD5
3f80d3e3db53b051e7d346a2a7cafa86

SHA1
2631fafca4eae49748fe5876bb7b68d4feda35fd

SHA256
b7cf7c9aa419f9a1296f01d2a78e8bef75dddd20b6250991de94a4436abf0d04

SHA512
fb0d1c5089efdf78fd90e71bf30768b4f36d6c5b109ae8a397bf6d711075c67d769c84f24782cb42f523990055314e6c10dbc53d201057ec40b868cc23cbc286

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\FreeImage64.dll
Filesize
6.6MB

MD5
3f80d3e3db53b051e7d346a2a7cafa86

SHA1
2631fafca4eae49748fe5876bb7b68d4feda35fd

SHA256
b7cf7c9aa419f9a1296f01d2a78e8bef75dddd20b6250991de94a4436abf0d04

SHA512
fb0d1c5089efdf78fd90e71bf30768b4f36d6c5b109ae8a397bf6d711075c67d769c84f24782cb42f523990055314e6c10dbc53d201057ec40b868cc23cbc286

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
Filesize
1.2MB

MD5
9e3997c81af396b199c0767da250cff7

SHA1
c16aaeedf458b2b27d73d86f5c0d8310717464e8

SHA256
a124675f5df30180234805ae00812df7f83e0a553b18b06aa706744083461ce1

SHA512
b99ee23f07e51dfe7494b3dc74696944b0f5e2ef7649a79148461253fa226080248e3f46eaa1e7c21aca864eea87437608d7e2fc26f992995b046c1ba5f545cf

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
Filesize
1.2MB

MD5
9e3997c81af396b199c0767da250cff7

SHA1
c16aaeedf458b2b27d73d86f5c0d8310717464e8

SHA256
a124675f5df30180234805ae00812df7f83e0a553b18b06aa706744083461ce1

SHA512
b99ee23f07e51dfe7494b3dc74696944b0f5e2ef7649a79148461253fa226080248e3f46eaa1e7c21aca864eea87437608d7e2fc26f992995b046c1ba5f545cf

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PVShellExt64.dll
Filesize
1.2MB

MD5
9e3997c81af396b199c0767da250cff7

SHA1
c16aaeedf458b2b27d73d86f5c0d8310717464e8

SHA256
a124675f5df30180234805ae00812df7f83e0a553b18b06aa706744083461ce1

SHA512
b99ee23f07e51dfe7494b3dc74696944b0f5e2ef7649a79148461253fa226080248e3f46eaa1e7c21aca864eea87437608d7e2fc26f992995b046c1ba5f545cf

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
Filesize
3.2MB

MD5
ef8ad25912f9b07bfe2127f815a264c5

SHA1
6c7fb7566ffb558a66683c854772d96ef22e470c

SHA256
bd1f8625c1f731c4efbbbe0067f6bbc061d4abb4173089ea37fe924fc0d26510

SHA512
899323f60b70ff70e743d634315956f408b39e1dd050b699cf954415d66b30cdcb983c04e481dd50766c700a91b13a2f93d10e5071699d957374189e000add07

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
Filesize
3.2MB

MD5
ef8ad25912f9b07bfe2127f815a264c5

SHA1
6c7fb7566ffb558a66683c854772d96ef22e470c

SHA256
bd1f8625c1f731c4efbbbe0067f6bbc061d4abb4173089ea37fe924fc0d26510

SHA512
899323f60b70ff70e743d634315956f408b39e1dd050b699cf954415d66b30cdcb983c04e481dd50766c700a91b13a2f93d10e5071699d957374189e000add07

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PhotoViewer.exe
Filesize
3.2MB

MD5
ef8ad25912f9b07bfe2127f815a264c5

SHA1
6c7fb7566ffb558a66683c854772d96ef22e470c

SHA256
bd1f8625c1f731c4efbbbe0067f6bbc061d4abb4173089ea37fe924fc0d26510

SHA512
899323f60b70ff70e743d634315956f408b39e1dd050b699cf954415d66b30cdcb983c04e481dd50766c700a91b13a2f93d10e5071699d957374189e000add07

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
Filesize
1.2MB

MD5
e3ed37624ad2858d6bf644c8e1a50d15

SHA1
9625ab2f8c927901df23f2f92b6e9cdf1ed868c4

SHA256
c7a871b6991d84f8526f04413fb941b084be45e1a2ebe98e9c7cb67318aca565

SHA512
8306821c9fb955c0f8d272df22e3074016b7678091b54b6914a929a651dc8bea76de0a4c75d6139191aa4750e196afe77330344852f90f0186783c9c8d387973

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
Filesize
1.2MB

MD5
e3ed37624ad2858d6bf644c8e1a50d15

SHA1
9625ab2f8c927901df23f2f92b6e9cdf1ed868c4

SHA256
c7a871b6991d84f8526f04413fb941b084be45e1a2ebe98e9c7cb67318aca565

SHA512
8306821c9fb955c0f8d272df22e3074016b7678091b54b6914a929a651dc8bea76de0a4c75d6139191aa4750e196afe77330344852f90f0186783c9c8d387973

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\PreviewExt64.dll
Filesize
1.2MB

MD5
e3ed37624ad2858d6bf644c8e1a50d15

SHA1
9625ab2f8c927901df23f2f92b6e9cdf1ed868c4

SHA256
c7a871b6991d84f8526f04413fb941b084be45e1a2ebe98e9c7cb67318aca565

SHA512
8306821c9fb955c0f8d272df22e3074016b7678091b54b6914a929a651dc8bea76de0a4c75d6139191aa4750e196afe77330344852f90f0186783c9c8d387973

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll
Filesize
103KB

MD5
589010c33a1285447fb0b8794456ad44

SHA1
360ac3b8d7e7b20d592157e8e4db701f9939689a

SHA256
968fa40635ef313c33497671475db4bac30f17c568f4637fce82f79aa2963f65

SHA512
226f6313d38ad951495583a2c08f07d8a71f50673575d5f909ff2208d38b039e9bc9e8979c4f6e06aed37edae7beaa945d84a7f0c9bc15c33f6e4c01c7201bcb

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll
Filesize
103KB

MD5
589010c33a1285447fb0b8794456ad44

SHA1
360ac3b8d7e7b20d592157e8e4db701f9939689a

SHA256
968fa40635ef313c33497671475db4bac30f17c568f4637fce82f79aa2963f65

SHA512
226f6313d38ad951495583a2c08f07d8a71f50673575d5f909ff2208d38b039e9bc9e8979c4f6e06aed37edae7beaa945d84a7f0c9bc15c33f6e4c01c7201bcb

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll
Filesize
103KB

MD5
589010c33a1285447fb0b8794456ad44

SHA1
360ac3b8d7e7b20d592157e8e4db701f9939689a

SHA256
968fa40635ef313c33497671475db4bac30f17c568f4637fce82f79aa2963f65

SHA512
226f6313d38ad951495583a2c08f07d8a71f50673575d5f909ff2208d38b039e9bc9e8979c4f6e06aed37edae7beaa945d84a7f0c9bc15c33f6e4c01c7201bcb

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\render-gdi.dll
Filesize
124KB

MD5
f6411dd2c5d30775cd8e2290b18892a6

SHA1
cde8e2c9b5a391fb4f89c414dc657556a4dc8de9

SHA256
2ab3607019c1f91a9dc8caf15d74a2a0850db0d91e3f62bb6b52b04f8d792338

SHA512
bea61ca4fc3e6b48801d66bf60a9211f2a190892062f7673316661f2dba781be9160dbe2d607e0cb2c8100f0f1761b466d60c73a39b67e6864e544adf3ad5348

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\render-gdi.dll
Filesize
124KB

MD5
f6411dd2c5d30775cd8e2290b18892a6

SHA1
cde8e2c9b5a391fb4f89c414dc657556a4dc8de9

SHA256
2ab3607019c1f91a9dc8caf15d74a2a0850db0d91e3f62bb6b52b04f8d792338

SHA512
bea61ca4fc3e6b48801d66bf60a9211f2a190892062f7673316661f2dba781be9160dbe2d607e0cb2c8100f0f1761b466d60c73a39b67e6864e544adf3ad5348

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\render-gdi.dll
Filesize
124KB

MD5
f6411dd2c5d30775cd8e2290b18892a6

SHA1
cde8e2c9b5a391fb4f89c414dc657556a4dc8de9

SHA256
2ab3607019c1f91a9dc8caf15d74a2a0850db0d91e3f62bb6b52b04f8d792338

SHA512
bea61ca4fc3e6b48801d66bf60a9211f2a190892062f7673316661f2dba781be9160dbe2d607e0cb2c8100f0f1761b466d60c73a39b67e6864e544adf3ad5348

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\soui-sys-resource.dll
Filesize
108KB

MD5
e2f7ea1b7a945d56071377bbfdfa8f30

SHA1
792adab93b19adb0328f929c6f22389e58c21e09

SHA256
a48c81cfe4e093bb134b65e5bb7cdb1d823b3c71691cee7e8e88a4eb7efea810

SHA512
eeeb9a6a4501adaebd475b0bdbedcacaab49fe4bb40ba982fb88b46aecbafaf4f07f464a3a9566748375a4585dcfb02dd266ce5cdcb84db3075507c41845b8b6

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\soui.dll
Filesize
1.0MB

MD5
f7a20b43a2d25bd83f21fe872e76b56d

SHA1
bb84a51adcaec3df4181eda47d1c3ff8cb2c668b

SHA256
3956e5df30a8328b64159f626b69e78cd498d365ef9972cbd901e67921c5573d

SHA512
c669b78cbd6bc4cf587f5a9a005253f9e388fdcd9ab03f9d3c7595de9bc39bfc6b534dee457e6c04ee3bbe56f7c07a05114d7274fde50f8c228d09642e16cd47

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\soui.dll
Filesize
1.0MB

MD5
f7a20b43a2d25bd83f21fe872e76b56d

SHA1
bb84a51adcaec3df4181eda47d1c3ff8cb2c668b

SHA256
3956e5df30a8328b64159f626b69e78cd498d365ef9972cbd901e67921c5573d

SHA512
c669b78cbd6bc4cf587f5a9a005253f9e388fdcd9ab03f9d3c7595de9bc39bfc6b534dee457e6c04ee3bbe56f7c07a05114d7274fde50f8c228d09642e16cd47

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\soui.dll
Filesize
1.0MB

MD5
f7a20b43a2d25bd83f21fe872e76b56d

SHA1
bb84a51adcaec3df4181eda47d1c3ff8cb2c668b

SHA256
3956e5df30a8328b64159f626b69e78cd498d365ef9972cbd901e67921c5573d

SHA512
c669b78cbd6bc4cf587f5a9a005253f9e388fdcd9ab03f9d3c7595de9bc39bfc6b534dee457e6c04ee3bbe56f7c07a05114d7274fde50f8c228d09642e16cd47

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\soui.dll
Filesize
1.0MB

MD5
f7a20b43a2d25bd83f21fe872e76b56d

SHA1
bb84a51adcaec3df4181eda47d1c3ff8cb2c668b

SHA256
3956e5df30a8328b64159f626b69e78cd498d365ef9972cbd901e67921c5573d

SHA512
c669b78cbd6bc4cf587f5a9a005253f9e388fdcd9ab03f9d3c7595de9bc39bfc6b534dee457e6c04ee3bbe56f7c07a05114d7274fde50f8c228d09642e16cd47

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\sqlite3.dll
Filesize
846KB

MD5
8b07760d5dbdd114b5d49077a367c084

SHA1
71230e21bb3d9a829d6d8958a5f41ed637e5bcc7

SHA256
7e0096e25256c168620bd449c0404e7388de71ea2e93704672daa3c34937db67

SHA512
27292ee6ebe4fd88fbff68063d1bc6e7ef67f30d9632e457ec677c698af74e1ce7fb2a59e17ce5760adf6994010ed8a8b8431ffc287af40b96d012a5a9dd5f2c

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\sqlite3.dll
Filesize
846KB

MD5
8b07760d5dbdd114b5d49077a367c084

SHA1
71230e21bb3d9a829d6d8958a5f41ed637e5bcc7

SHA256
7e0096e25256c168620bd449c0404e7388de71ea2e93704672daa3c34937db67

SHA512
27292ee6ebe4fd88fbff68063d1bc6e7ef67f30d9632e457ec677c698af74e1ce7fb2a59e17ce5760adf6994010ed8a8b8431ffc287af40b96d012a5a9dd5f2c

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\sqlite3.dll
Filesize
846KB

MD5
8b07760d5dbdd114b5d49077a367c084

SHA1
71230e21bb3d9a829d6d8958a5f41ed637e5bcc7

SHA256
7e0096e25256c168620bd449c0404e7388de71ea2e93704672daa3c34937db67

SHA512
27292ee6ebe4fd88fbff68063d1bc6e7ef67f30d9632e457ec677c698af74e1ce7fb2a59e17ce5760adf6994010ed8a8b8431ffc287af40b96d012a5a9dd5f2c

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll
Filesize
230KB

MD5
d5342f08f2d25ec76f5756dce587972a

SHA1
aeaff71a881dc097b5f65091a7d2e87d38463a19

SHA256
a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

SHA512
b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll
Filesize
230KB

MD5
d5342f08f2d25ec76f5756dce587972a

SHA1
aeaff71a881dc097b5f65091a7d2e87d38463a19

SHA256
a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

SHA512
b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll
Filesize
230KB

MD5
d5342f08f2d25ec76f5756dce587972a

SHA1
aeaff71a881dc097b5f65091a7d2e87d38463a19

SHA256
a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

SHA512
b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll
Filesize
230KB

MD5
d5342f08f2d25ec76f5756dce587972a

SHA1
aeaff71a881dc097b5f65091a7d2e87d38463a19

SHA256
a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

SHA512
b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

Download Submit
C:\Users\Admin\AppData\Roaming\PhotoViewer\utilities.dll
Filesize
230KB

MD5
d5342f08f2d25ec76f5756dce587972a

SHA1
aeaff71a881dc097b5f65091a7d2e87d38463a19

SHA256
a2662f6961e7b8974df67a44b5e814f12dc90d2079694cd4a5e1bb876110101a

SHA512
b3ee5ee1cabc3ea845653f4ec15690783aac6d297c33483802845b3826399cd383f3fb1d57978cb05c0035e2ef41d42a2e5b7fb17a40d9c721234ab23a611bc2

Download Submit
C:\Users\Admin\Documents\ABCPhoto\PhotoViewer\cache.db
Filesize
16KB

MD5
69ffe3f95cb96a52e712953ae03a337b

SHA1
f02760feb3eb28c0ca0be0918267933dc65fc3fd

SHA256
7d053125c6402dc73aedb938b225058a376891809b0fb8e9c0295c810a726600

SHA512
42c010afdd0f605c6ad0be8e5c49bc23c24b39fd13d17e232d4b5e6a07f246a3ed34dc2cc6c2e637cc79ce0494e9b296f8651c86804dd9cb69cc46a98be5c30b

Download Submit
memory/544-174-0x0000000000000000-mapping.dmp

Download
memory/1388-191-0x0000000000000000-mapping.dmp

Download
memory/1412-175-0x0000000000000000-mapping.dmp

Download
memory/2332-222-0x0000000000000000-mapping.dmp

Download
memory/2448-172-0x0000000000000000-mapping.dmp

Download
memory/2932-148-0x0000000000000000-mapping.dmp

Download
memory/2984-182-0x0000000000000000-mapping.dmp

Download
memory/3648-173-0x0000000000000000-mapping.dmp

Download
memory/4012-187-0x0000000000000000-mapping.dmp

Download
memory/4148-137-0x0000000000000000-mapping.dmp

Download
memory/4232-185-0x0000000000000000-mapping.dmp

Download
memory/4420-140-0x0000000000000000-mapping.dmp

Download
memory/4420-221-0x0000000000000000-mapping.dmp

Download
memory/4448-207-0x0000000000000000-mapping.dmp

Download
memory/4476-216-0x0000000000000000-mapping.dmp

Download
memory/4620-178-0x0000000000000000-mapping.dmp

Download
memory/5084-166-0x0000000004100000-0x0000000004299000-memory.dmp

Filesize
1.6MB

Download
memory/5084-157-0x0000000000000000-mapping.dmp

Download
memory/5084-159-0x0000000010000000-0x00000000100E0000-memory.dmp

Filesize
896KB

Download