43e28d4243a4f1e6a5d7b24a38dbc2561debef5b8c4b0fb183b9c998131cfc70

Analysis

max time kernel
415s
max time network
422s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Photoshop CS5.exe
Size

63.0MB
MD5

ec8ead035ad2a9f82455656a258676ad
SHA1

f8bb07915ed83a351b38d080c59fbe81c3b26722
SHA256

43e28d4243a4f1e6a5d7b24a38dbc2561debef5b8c4b0fb183b9c998131cfc70
SHA512

35f8a6ca3b748babbb45b62a1c68cbef5d75ca9afdb287a9424d89021c64dc90e8c6cfa67073b82fba07f89d23059d53647ab0fa9c2c5d6e56711d310750f8d7
SSDEEP

786432:7mNKkrSNtU2I9X83eCdX/huxc7s3s5xhL7ONvK2V17ZVw/gCLsWdFUXe4vI:70HSMv9X8/dP6EK8hWNPYgCLRy3I

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Photoshop.exePhotoshop.exe

pid process

1516 Photoshop.exe
1356 Photoshop.exe

Loads dropped DLL 64 IoCs

Processes:

Adobe Photoshop CS5.exeMsiExec.exePhotoshop.exe

pid	process
2000	Adobe Photoshop CS5.exe
1392	MsiExec.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exePhotoshop.exe

description	ioc	process
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Curves\Cross Process (RGB).acv	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\blue 286 bl 4.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\adobe_caps.dll	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Digimarc\Win\Digiread\pl.lproj\Localizable.strings	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Digimarc\Win\Digiread\ro.lproj\Localizable.strings	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Color Swatches\HKS Z Process.aco	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Quadtones\Process Quadtones\CMYK neutral.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Volumes\White-Black Color Scale.p3r	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Custom Shapes\Music.csh	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\de_de\jobs.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Required\OWL\searchbar.eve	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Color Swatches\PANTONE color bridge CMYK PC.aco	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\fr_xm\countries.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\hr_hr\countries.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\lv_lv\countrySubdivisions.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\File Formats\PCX.8BI	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Custom Shapes\Arrows.csh	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Scripts\Event Scripts Only\Welcome.jsx	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Effects\Filter Gallery.8BF	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\blue 072 bl 2.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Tools\Art History.tpl	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Digimarc\Win\Digiread\fr.lproj\Localizable.strings	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Brushes\Thick Heavy Brushes.abr	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Curves\Linear Contrast (RGB).acv	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\blue 072 bl 3.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\cs_cz\jobs.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Automate\HDRMergeUI.8BF	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Custom Shapes\Symbols.csh	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\HDR Toning\Flat.hdt	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Render Settings\Shaded Vertices.p3r	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\sv_se\titles.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\File Formats\PBM.8BI	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\Gray-Black Duotones\Warm Gray 8 bl 4.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Zoomify\Zoomify Viewer with Navigator (Black Background).zvt	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Microsoft.VC90.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Custom Shapes\Ornaments.csh	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Tritones\PANTONE(R) Tritones\Bl 313 aqua 127 gold.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Tools\Crop and Marquee.tpl	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\478 brown (100%) bl 3.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\he_il\registration.zdct	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\cache\cache.db-journal	Photoshop.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Digimarc\Win\Digisign\sv.lproj\Localizable.strings	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Widgets\AxisWidget.dae	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\de_de\countrySubdivisions.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\fi_fi\countrySubdivisions.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Tritones\Gray Tritones\Bl 404 WmGray 401 WmGray.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Gradients\Color Harmonies 1.grd	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Styles\Abstract Styles.asl	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Volumes\Enhanced Boundaries-Default.p3r	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Black and White\High Contrast Blue Filter.blw	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Color Books\PANTONE color bridge CMYK EC.acb	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\da_dk\titles.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\es_mx\registration.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\Locales\en_GB\Additional Presets\Win\Workspaces\2-Task-based Workspaces\Web	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\msvcp80.dll	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Extensions\ScriptingSupport.8li	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Color Books\TOYO 94 COLOR FINDER.acb	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\en_us\orgs.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\it_it\jobs.zdct	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\327 aqua (50%) bl 1.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\Process Duotones\yellow bl 4.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Plug-ins\Filters\Lighting Styles\Soft Direct Lights	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Presets\Duotones\Duotones\PANTONE(R) Duotones\green 3405 bl 1.ADO	msiexec.exe
File created	C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\regloc\fi_fi\registration.zdct	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exePhotoshop.exeDrvInst.exePhotoshop.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\6d6f58.ipi	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	Photoshop.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	Photoshop.exe
File opened for modification	C:\Windows\Installer\6d6f57.msi	msiexec.exe
File created	C:\Windows\Installer\6d6f58.ipi	msiexec.exe
File created	C:\Windows\Installer\6d6f5a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{50B00A1F-CB20-4AAB-A448-66B24B1E83A9}\Photoshop.exe	msiexec.exe
File created	C:\Windows\Installer\{50B00A1F-CB20-4AAB-A448-66B24B1E83A9}\Photoshop.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6d6f57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74D3.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

Photoshop.exePhotoshop.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\FontSmoothing = "2"	Photoshop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\FontSmoothing = "2"	Photoshop.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

Photoshop.exePhotoshop.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABD0F9CE-822B-4BB1-A811-3EC852B43C0F}\ProxyStubClsid32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7988107-6CC2-4B7F-BC78-CC633129AA61}\verb\	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6da9d53f-4fe6-42ab-a6b9-88eb5a1a2926}\LocalServer32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6b4caef5-1043-477c-87ca-c27ef3a91ce9}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{632F36B3-1D76-48BE-ADC3-D7FB62A0C2FB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}\1.0\HELPDIR	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F168D2A-F9EA-4866-8C55-4875E0940622}\TypeLib\Version = "1.0"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{372B4D75-EB10-4D0A-8203-5778D521253D}\ = "_TiffSaveOptions"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750824C6-C347-4CDB-AA96-8ABA1EBDF9EA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f491aff3-a34f-4bc0-ba31-e57527bb55ba}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F715C957-54CE-4E55-9856-591D4CD082FD}\TypeLib\Version = "1.0"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D54491EF-6F09-4DE3-B49A-D57EDB2F40B8}\ProxyStubClsid32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E01C1DA-DF69-4C2C-85EC-616370DF1CF0}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Photoshop.PlugIn\DefaultIcon	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D7F5C2-37DB-4DF7-8A7D-528902056596}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{323DD2BC-0205-4A44-9F8E-0CF2556F00DF}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55031766-E456-4E54-A0D0-8E545601A2D8}\TypeLib\Version = "1.0"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F715C957-54CE-4E55-9856-591D4CD082FD}\ProxyStubClsid32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e68ab4b1-0182-409f-a657-1b1027b93a80}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46AB9A1D-1B32-4C59-8142-B223ECCF1F74}\TypeLib\Version = "1.0"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE8364D9-B811-4C7D-A3A8-97C4EBFAB83A}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a5fdbb10-1148-4014-ac7a-a710d789ac76}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{620205c8-6cc8-4b06-a1ed-25cd6993c1d6}	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7A940CD-9AC7-4D76-975D-24D6BA0FDD16}\TypeLib\Version = "1.0"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Photoshop.Application.12	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D14BA29-1672-482F-8F48-9DA1E94800FD}\ = "PathPoint"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5148663B-F632-4AB0-9484-2DBC197CEA82}\TypeLib\Version = "1.0"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86d61cd0-22fe-422c-ba9e-7724efaee6a9}\LocalServer32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E21694-AEBF-44FB-90AB-EECD58C1B6F3}\ = "_TargaSaveOptions"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C81463CFFB7DAA4F8772B3CA9A42D54\F1A00B0502BCBAA44A84662BB4E1389A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Photoshop.Image.12\protocol\StdFileEditing\server	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16BE80A3-57B1-4871-83AC-7F844EEEB1CA}\ = "ArtLayer"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90CED625-8D78-11CF-86B4-444553540000}\TypeLib\ = "{4B0AB3E1-80F1-11CF-86B4-444553540000}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0D18870-EAC3-4D35-8612-6F734B3FA656}	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC08B435-5F19-49DF-ABE7-ADCE9F0729FF}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7988107-6CC2-4B7F-BC78-CC633129AA61}\DataFormats\GetSet	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a190f1a7-8dd0-4d60-adc2-e1b1ae6882bd}\LocalServer32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EB2592D-F02D-4117-A22C-26E5CDFAEEE2}\TypeLib\Version = "1.0"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C81463CFFB7DAA4F8772B3CA9A42D54	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7988107-6CC2-4B7F-BC78-CC633129AA61}\DataFormats\GetSet\	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29C13F49-BCEF-4FE2-BFC7-6F03B82B726F}	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750824C6-C347-4CDB-AA96-8ABA1EBDF9EA}\ProxyStubClsid32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7988107-6CC2-4B7F-BC78-CC633129AA61}\AuxUserType\3\ = "Adobe Photoshop CS5"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Photoshop.Image.12\shell	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3C35001-B625-48D7-9D3B-C9D66D9CF5F1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1fcf72fe-56fc-40ef-9409-3b15e524cf57}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B125A66B-4C94-4E55-AF2F-57EC4DCB484B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75bf0078-35b3-41cd-b8b6-790415c9126c}\LocalServer32	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89417281-E1AF-4800-B82A-9F37ED0478EF}\TypeLib	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D7F5C2-37DB-4DF7-8A7D-528902056596}	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55031766-E456-4E54-A0D0-8E545601A2D8}\TypeLib	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8B0CB532-4ACC-4BF3-9E42-0949B679D120}\TypeLib	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2783141-B50D-4F0C-9E2E-BF76EA8A4E60}\ProxyStubClsid32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2783141-B50D-4F0C-9E2E-BF76EA8A4E60}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90CED625-8D78-11CF-86B4-444553540000}\TypeLib	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ee48e8d-e8c5-41b8-82d3-966d5ce4de6e}\LocalServer32\ = "C:\\Program Files (x86)\\Foroozani Software\\Adobe Photoshop CS5\\Photoshop.exe /Automation"	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D69B63-B319-44D3-8307-C988E96E7E58}\TypeLib\ = "{E891EE9A-D0AE-4CB4-8871-F92C0109F18E}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0901ce4f-96ee-4c25-9fcb-34835bd80531}\LocalServer32	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B785D83-5B5F-4402-A712-BAEBD8C5B812}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DECC242-87EF-11cf-86B4-444553540000}	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{064BBE94-396D-4B25-9071-AC5B14D0487F}	Photoshop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D334A509-00F8-4092-A9AF-6E1176D06536}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0901ce4f-96ee-4c25-9fcb-34835bd80531}\LocalServer32	Photoshop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D14BA29-1672-482F-8F48-9DA1E94800FD}\ProxyStubClsid32	Photoshop.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msiexec.exechrome.exechrome.exePhotoshop.exechrome.exePhotoshop.exe

pid	process
1552	msiexec.exe
1552	msiexec.exe
580	chrome.exe
1588	chrome.exe
1588	chrome.exe
1516	Photoshop.exe
1516	Photoshop.exe
1588	chrome.exe
1588	chrome.exe
1804	chrome.exe
1356	Photoshop.exe
1356	Photoshop.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Photoshop.exePhotoshop.exe

pid process

1516 Photoshop.exe
1356 Photoshop.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1552	msiexec.exe
Token: SeTakeOwnershipPrivilege	1552	msiexec.exe
Token: SeSecurityPrivilege	1552	msiexec.exe
Token: SeCreateTokenPrivilege	1628	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1628	msiexec.exe
Token: SeLockMemoryPrivilege	1628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1628	msiexec.exe
Token: SeMachineAccountPrivilege	1628	msiexec.exe
Token: SeTcbPrivilege	1628	msiexec.exe
Token: SeSecurityPrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeLoadDriverPrivilege	1628	msiexec.exe
Token: SeSystemProfilePrivilege	1628	msiexec.exe
Token: SeSystemtimePrivilege	1628	msiexec.exe
Token: SeProfSingleProcessPrivilege	1628	msiexec.exe
Token: SeIncBasePriorityPrivilege	1628	msiexec.exe
Token: SeCreatePagefilePrivilege	1628	msiexec.exe
Token: SeCreatePermanentPrivilege	1628	msiexec.exe
Token: SeBackupPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeShutdownPrivilege	1628	msiexec.exe
Token: SeDebugPrivilege	1628	msiexec.exe
Token: SeAuditPrivilege	1628	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1628	msiexec.exe
Token: SeChangeNotifyPrivilege	1628	msiexec.exe
Token: SeRemoteShutdownPrivilege	1628	msiexec.exe
Token: SeUndockPrivilege	1628	msiexec.exe
Token: SeSyncAgentPrivilege	1628	msiexec.exe
Token: SeEnableDelegationPrivilege	1628	msiexec.exe
Token: SeManageVolumePrivilege	1628	msiexec.exe
Token: SeImpersonatePrivilege	1628	msiexec.exe
Token: SeCreateGlobalPrivilege	1628	msiexec.exe
Token: SeCreateTokenPrivilege	1628	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1628	msiexec.exe
Token: SeLockMemoryPrivilege	1628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1628	msiexec.exe
Token: SeMachineAccountPrivilege	1628	msiexec.exe
Token: SeTcbPrivilege	1628	msiexec.exe
Token: SeSecurityPrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeLoadDriverPrivilege	1628	msiexec.exe
Token: SeSystemProfilePrivilege	1628	msiexec.exe
Token: SeSystemtimePrivilege	1628	msiexec.exe
Token: SeProfSingleProcessPrivilege	1628	msiexec.exe
Token: SeIncBasePriorityPrivilege	1628	msiexec.exe
Token: SeCreatePagefilePrivilege	1628	msiexec.exe
Token: SeCreatePermanentPrivilege	1628	msiexec.exe
Token: SeBackupPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeShutdownPrivilege	1628	msiexec.exe
Token: SeDebugPrivilege	1628	msiexec.exe
Token: SeAuditPrivilege	1628	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1628	msiexec.exe
Token: SeChangeNotifyPrivilege	1628	msiexec.exe
Token: SeRemoteShutdownPrivilege	1628	msiexec.exe
Token: SeUndockPrivilege	1628	msiexec.exe
Token: SeSyncAgentPrivilege	1628	msiexec.exe
Token: SeEnableDelegationPrivilege	1628	msiexec.exe
Token: SeManageVolumePrivilege	1628	msiexec.exe
Token: SeImpersonatePrivilege	1628	msiexec.exe
Token: SeCreateGlobalPrivilege	1628	msiexec.exe
Token: SeCreateTokenPrivilege	1628	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exePhotoshop.exechrome.exePhotoshop.exe

pid	process
1628	msiexec.exe
1628	msiexec.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1516	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1588	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Photoshop.exechrome.exePhotoshop.exe

pid	process
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1516	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Photoshop.exePhotoshop.exe

pid	process
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1516	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe
1356	Photoshop.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Adobe Photoshop CS5.exemsiexec.exechrome.exe

description	pid	process	target process
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 2000 wrote to memory of 1628	2000	Adobe Photoshop CS5.exe	msiexec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 1392	1552	msiexec.exe	MsiExec.exe
PID 1588 wrote to memory of 1536	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1536	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1536	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 1368	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 580	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 580	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 580	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 668	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 668	1588	chrome.exe	chrome.exe
PID 1588 wrote to memory of 668	1588	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop CS5.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop CS5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\msiexec.exe
/i "C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Adobe Photoshop CS51.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop CS5.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5F29C2FC1B5E8581D76EDFDD86B24281 C
2⤵
- Loads dropped DLL
PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:840

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000490"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1512

C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Photoshop.exe
"C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Photoshop.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c44f50,0x7fef5c44f60,0x7fef5c44f70
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1144 /prefetch:2
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:2
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3496 /prefetch:8
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3800 /prefetch:8
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3448 /prefetch:8
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 /prefetch:8
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1128,14631635902306348167,16553488498850934247,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:2004

C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Photoshop.exe
"C:\Program Files (x86)\Foroozani Software\Adobe Photoshop CS5\Photoshop.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI23F6.tmp
Filesize
23KB

MD5
e1ea4b6367cf0858d38bf67845de314a

SHA1
3c673d9de1a9fa3341129047818f6f9b73a035e5

SHA256
5a29c502112173342f4d658de452d58f5bdaf3c4367256a044802f0afe41e365

SHA512
2e1f9a90ccff4a7f9e8e545f9e635f340c7409b606c4021e6741f739db538db9e095f55e1943b9e1b5cc753c18f4159b3a867dfdbbd8f5b7e5b8883bc915c4d0

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\A3DLIBS.dll
Filesize
976KB

MD5
215b05bb6f6a445dc2d2433026107525

SHA1
3b2797d1b23423dff8d6217e70ba834bbfe13912

SHA256
e0f42972b3273aae1f3b186e464b42889b89e9d3e00de2797cea15aee6df06dc

SHA512
241562f9acbf355b2ada1633c55eba27fa88952a4cc6c346941bb21e2a810ff85edd1f3644f0b907af114462114cec25ee034841b3d86d5ea0e2c0642647be2a

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\ACE.dll
Filesize
981KB

MD5
11619f9b2d9c089a91d7392a5c1cd489

SHA1
00c51825ca7badea24431960eb341e1723b31118

SHA256
c5a85e9fea830c85efd9058bedf432e81cd79ffded3a0e424a301f4d838c8a45

SHA512
8fec1b66554a747ea662b1ccc7d0d14810b8d20afa6146bc81e25dd6c17db0a197b5444071101766634c24c5d97c754cacbd8eade25190d86fb53ac4d5c804e4

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AFlame.dll
Filesize
7.0MB

MD5
ec0bd4a6fff6385ab1835f8d7fa1a215

SHA1
596a3b759f031fe24033160da65df694a28fdd1d

SHA256
eaac104caf8361b5a279250bbee49cd9da4f1158e743c48d69fd0fdae045f765

SHA512
c592fa369ea5bd8058d1672aac662589bc00fa00661188db9f4085e65ee6287eb4924b0d757950b729f61196d0f4e73478c61727475f20edbbcc766c6b24be49

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AFlamingo.dll
Filesize
2.0MB

MD5
23f8d614ae251909c44d9f943ba4ac23

SHA1
92968e00788c6af3e19af54ca35446fef5b36883

SHA256
3fd34be151da9154bd9c5ab5b0954ccb6ed1332776274c94c155a9e482b2c377

SHA512
3b5439e0845ec740187978df09739eaedd1d3d765db5eca6f1a997b9fd03cda077917e33e8678474a2f3b71ab3a5a975fcc8acaebbf3825695bff925fc354e61

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AGM.dll
Filesize
3.2MB

MD5
2751063c36cdd5e8571fa4d9909b70ab

SHA1
cd123ba573d66f5fdc96c33af8e9d7e240c6ed4b

SHA256
118e3ef569c14a43d3448df7af235c33af16ebc41843aaa23b3a17cab5c227e7

SHA512
3ef4e01e5bd272691ad935090b8cf1bc77d1b45da922dbccdbf07c4a81d7c48e0a6d82ea51c0280faf4b7dc720c7fec6155d6436dda0cbb78ebdc838ba443f00

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AMT\SLConfig.xml
Filesize
11KB

MD5
581ae5953b853e46d38ac7d363f1c26a

SHA1
29964c8d0c4c852e5e007ce3a1eec6bc68c75e17

SHA256
081031f21ef8c0f4e0cddd1e9d58cdcbc12aad3673f8e71f72b7403a6b0d50a7

SHA512
47b051bb04ad2d3d63f319762bb70182a602c93f6825ebdf4d5ab4b37b6d3459042cac2b7cd3b0115b93bfed50a081745b3049c675c1fb3da32e7695555e11d4

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AMT\application.sif
Filesize
72KB

MD5
e37e0f73242d44ce4ff9d485cf318254

SHA1
82431719feb1813f56fe522ed2c558789bde2bb9

SHA256
5b37934a8dff1a0569037caaabd5aac69521a808d34cd5eb1cddf48310b2732b

SHA512
53025c5fbcf7beceb104ddfdf93f4b4993d62bf60bc5942b2defc92a39e55e1af9b4d936bbeeb8e078f3f2b7badea3d7eba19ba697b1a675f9dab98fbb319678

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AMT\application.xml
Filesize
1KB

MD5
5436927580d559ef99871dd4653415e1

SHA1
daf95fb89056dc6501a3d25f44f3256cca427ad6

SHA256
16a9c4232707db66840fd6b85a71841a7f7128c5ed71bb57d9ff9a80a50ce338

SHA512
3ee3060651855ce96c2e693f6bdf55c013a035eaf6ce6681115b8f3f05f7a74cd985e5163f0fbd76ef0700468ddf9618452bb80b5a35df2a00a3ae762546d799

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AMT\aul.xml
Filesize
25KB

MD5
d197f4c73c035e48849c9b8bd2eb1523

SHA1
bd9b703c153d3e836d2544a5a1ab17b7f834ad39

SHA256
ff69fae4ee163d564b23920ec905db740200efb5b613c9d2cec419074291bad7

SHA512
7941a131d3a8e58dff4287106d4b148269dc1e3b0e0fdabe2453f301154f1b8371617c20d032cbd453c8ecf557ccb3d2e1a923f87088d174afd797c2151a46dd

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\ARE.dll
Filesize
312KB

MD5
24ef1d95eab8996b762c776646ba6894

SHA1
8bece0162ee308da4a14f65771ad12bfca7ce808

SHA256
30d2c35d49fbdbea6129c417c6316fd0c7a04e42c1cb9f9e5650f6943bc45bf2

SHA512
6a433250270d08cb230d24a63b8581f50cb72c5ad229eca0a154cad5696ad02e92f682ca1bd635312cb39594c84357374c52626540c3ff1ec2c975703962fd0b

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AXE8SharedExpat.dll
Filesize
170KB

MD5
70bd57cf35e97642d9be1d278e5dd257

SHA1
23f53a88aa5dfe36ba7f521aa213e81e827a745a

SHA256
3d90a7af68b044fb3b3670757aee73c0eb5f7dfe0393968e5e28e3c119eb1a4a

SHA512
7c04f10789bb4f8491d076323fd84c110bcfbcf5387e4fee6634dd59208adf6e74fcd44a972ec2b0b9c2a77e966002a752ec3cce4855f5e91717f1b5b85eb963

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AXEDOMCore.dll
Filesize
646KB

MD5
8c21ceb68a201811cdcb69c55c31c1af

SHA1
d9866a1e35b7c98c26818d46d255a5921c47ce78

SHA256
e3b185931143070cfb80a2ea9b6474239aa6639b212a3bd716f9387436b9c136

SHA512
06667e75fe13000e0682d5badc3e000785ac36883f88bb73b17e4d013b891b25b2128c7d8e8faf24600ce03f691554213ce4a6dc161e525500415d0164a626d2

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Adobe Photoshop CS51.msi
Filesize
304KB

MD5
cc4df6a5c0c47b9348b4c942ae789b66

SHA1
9a5d0c599a1b753d2af7805dc90196d43e24a354

SHA256
d066e61b06e3bced1bdd1e1dcee1f47984fdb45b5ebcc247e6096587c31b9c07

SHA512
9907191a6a90d5087608ce2dcf815e202a64d4528c2cbcae5a2905cf6fb807cfb97a06b139885c02fa67e642809dec07f3471e0766282fb545d039b24f6c1d6a

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeLinguistic.dll
Filesize
1.6MB

MD5
af334ebd2a7736ed2d42af2fdfbe0f66

SHA1
38c42f8d16d6d7465ffc6d5e6976b9c5d9e7efbb

SHA256
782fcd3b31b219f454c5cd1151094aa7bef5288f8a7568b7a95638b5aaf1be75

SHA512
5ff85853e5d4ef6b90047b1cd0b774c28820ba86110b90311146afade9d666fb4757dfc6870b65cda6f8cf62ad424e35f8df951c8b5f577a8fb9bc9f35f053a6

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeOwl.dll
Filesize
1.3MB

MD5
cd493548b8b87904c3ec868834d01618

SHA1
1c482973ade462395fdf8172fb65c2fdd45649a8

SHA256
a90809718f0c89f4125fabba0013b2660e419b5735148ec8a321269a9ecdfc41

SHA512
22ba636c3a3b4b1d3d1996875158cd1a0145a31805943cad44d997216b9dc75db35c7283addf571253339f8fd4ae5c691169540a279f93aeee1684c4b963cf3a

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeOwlCanvas.dll
Filesize
276KB

MD5
e5f25a553211aa97f15033430b70d2d9

SHA1
a7a78af330afc826667e5317c69e914b5c410a27

SHA256
21f7fa6ae5a63d153b561261f9af65e9b7c3dc4dd02ffcc6f9f864f6b93057aa

SHA512
e6a0cc047005cff6fe911fd7159bfb6ebf4045d9f66f1aeead0d3c1369a052b8e82f5100194606025f9d87e06fb33b4b16806e9c569ce4ab30ca314746cec33d

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobePDFL.dll
Filesize
5.9MB

MD5
ac0ba52397126b6b375f41b965b303a5

SHA1
8f36b0793c00cc73c5d5e15dbdb726f899593ade

SHA256
35f71b7fa1c3d08e5a8819849aed1c2f0b7eebe9ef6e92092cb1a1709e67876b

SHA512
9f269175ca5549e6d3b38757974ba128e9c4ead01bb0f9b35f9a606dc3c385dc2ead49a46a2ed080766dda7727526bdb3fd4fed3638cc4c0becc4a25fff9d273

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobePIP.dll
Filesize
563KB

MD5
1e6bd7133d5455395e9861baf9368039

SHA1
00cca460fed2a5ae349e7dd8600c9bb78b97e39d

SHA256
050769e3f082a3e4b761133bc4da119676c87c8894de2fed22c4ecb0109b1f2a

SHA512
73151bdadb0949df5701223e904283b4e852833223b4b608024b97abde8cfdc827690960d092c93d2591db4f9a6f3a4f6b2f2f4a2ff57eda943546af0909d4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeXMP.dll
Filesize
295KB

MD5
a79f23a28ba16de7de2cfd3bd258f392

SHA1
6934ba1ccd71234897abebd032eb94c8dd91026d

SHA256
4a18d84c8bd38b7298ae395142137e11c5d24e95c28ffbcfa15f6f49a384e7f5

SHA512
5bce69d7d262ba424d65b549764d21ba41692dbc5b0f08d5d478d6e8d71191d5b605f2784ea9a6829677dca80baa1648e2fef3dba508c3bc543d35318af442e7

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeXMPFiles.dll
Filesize
481KB

MD5
3bd34306f20883876308acc0b8ea1169

SHA1
f4eb6b60b4a3d6db73768f9e3cbf286ec4fc1952

SHA256
dc6175c7e118ca16602e84dc8ca9c620bc3c6c6f049e9e248e597c1c2fb9b14a

SHA512
872ecc53730b56424d04139c431e1741f156048ca5399c9c6ae6530d586f88eeb20fca06af2ecc7f0a10247e3e8589a04c1db184dbdee4303e056760771b2531

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AdobeXMPScript.dll
Filesize
101KB

MD5
21864e3539388ef97d0b5d803731d47c

SHA1
1029b5ba2508921fd7bf5c0fb9dc6302489f1b61

SHA256
1a854ef25229c1edc23fc1e4d28f05e2b9c22a9a07b738374a550fec24b70107

SHA512
28f9aeb843691ab9fe50f39704b1071666dd33db0bf7bd5b7ada9f3769ab2a58a77246e579b098723ed92cb9d2ae27f91d3410e890fdd29696d15bf6dc2e3354

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\AlignmentLib.dll
Filesize
3.8MB

MD5
59cdeddafe1085a4974e0caaab6c0a94

SHA1
a13021497d796d24abd8b114d7e9d8a10e77c3ba

SHA256
5ab38c781f05b28cf6a432aecf0d46594fd017c0e36cbe42b9eb3d70877479ed

SHA512
2498d1fd6c30a708b2a37990e1e2e3aecfb21fb2ee3ecb970cba170840ff6635315bfc7a4cabb9b995c3898c79b33f50c3fc0155cba7882048b492d6c676e99d

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\BIBUtils.dll
Filesize
242KB

MD5
a588b2202cbae408275e9abbca4a56a4

SHA1
a83300c35e7ac77647ade13e9aaa7274d03a424c

SHA256
bf93d79d1d40d56fae5ec0dfe076a3a01808fda4c6cb5a5d04ab7ac63e84e1d2

SHA512
5731e6f46cfec47abfdbbd83598107566481dc35c27c79cb87090d739f2372e269740a9b5475120ac92d1658af62735f832fcae058ef2207a8e1a81a56244129

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Bib.dll
Filesize
277KB

MD5
98cd9c99779ca4c1c32a51335ca1a86e

SHA1
9a8342716a31c2e441871519c55eea2b54b2d691

SHA256
94cdc033c068774e3b15d46ef5b33608f85ddbe95fc8daf1f3cf4b993ef3ac0e

SHA512
cfa6b008ff63d550c40351fed1444464dcbe293db470f87c0204b8f846ad7d3dacb68c910d6b4ac8ad51a96c2c51bb7e9431201237434522efc0d6b6699c1012

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Configuration\PS_exman_24px.png
Filesize
1KB

MD5
70c0e11ce5d705bf82285216662e41cb

SHA1
9467ed48e8789f98820d38993da98a8952487dbc

SHA256
2c291118db822a746f798218a1130ac062b2f98132fc128fab4fe77d78cb1e62

SHA512
7a4483b9a70dcbe5c4e9b46199be7d49277f8512b3eb389683e1f66c51795aa9a67663ccfc8b0f85cfa2b9cdfe583508fa335230152343e5255888692693f416

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Configuration\XManConfig.xml
Filesize
5KB

MD5
9fae47523ea69a52c33eb335cc764c18

SHA1
16254481148717d604460233759bf7415c98a627

SHA256
99e310ee8b908270ef5af89d26b4abf1c6c5b733854bc10496a423b68f0c4bd8

SHA512
2a2bba4f91a5f9eaf496751946dc726d755372d953f61e739cdb051c29b5d43c6d583eb6ce022b04d43b8769f32b50e03f56036a6ef77e78ecedc26e63d342bb

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\CoolType.dll
Filesize
2.9MB

MD5
36971b3dc99a80ea7c2ff09bf166f0aa

SHA1
f75eee0370b6090b1a82a0285ef59d1a1cdeeed0

SHA256
4de159ad462a00a372f8847698f4fbf837c94f80d88ebaa9ab066cb8ebccb479

SHA512
9bce82eb1f99d9795deffae2ce05710d5692cfa5ea7bbfcba1ab832a1c58e39b052ee7c35c5c337cef961efc82e1f8ed103ccde89bab7ffd4779dda4f48f3fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\ExtendScript.dll
Filesize
655KB

MD5
840162abf1527234d4cb53b82445ce91

SHA1
8d18084d391460eed0cefff4bfb0df93152ade17

SHA256
94bc5534555fae85934cad99b8e0e587db93580e98bd3a5472bb211e1d0bbb51

SHA512
74821983392d566f864e49619f0d03dab757e11c6119b3166e44d9aed8cae2d520611581f0ff84fcdb716b4326660dc1a9e7f539d527d0f54d791ba1125ab84e

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\FileInfo.dll
Filesize
564KB

MD5
42e11b825aa5c1f618e0095f557ff51d

SHA1
5dac2bed738259eb9c2a521388896ddaa3b53af5

SHA256
7b9018127e05986b4dc13ecf55b2f3b0368da9e5ffebf4e945b2d84a119f9cf3

SHA512
762a3b75ebbe104de49051d1e087cf1966bbd2ced434a1c0cdbbf08c9890b9485010edd37668e5ce0ed5d6cca1604f3986c63292249e5110ac10e866bd830b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\JP2KLib.dll
Filesize
659KB

MD5
5cc4757f9c9f22cc00ccdf2104e5f64a

SHA1
d862ed52883a5d98ae4fbde327a4fc9016917167

SHA256
da8cd5d84e694adf068988410bcaee839397fe0fd199c1cd63ebc919fef72b80

SHA512
d3dd3e4ae9e7052317e9293f73574db7553091cf93d601be75fccf0bfe8ed2b91b014489dd1bd3e07e8fcd6f064d4e589d41cc8c2ceaf79e77dcf8b8ea1c47c1

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\LegalNotices.pdf
Filesize
135KB

MD5
2823492950ffe1f5666a71fad523f695

SHA1
313d7bc105551ae5ad4493cab1b8e055f522aa77

SHA256
4c2eaeffae5cb71342220e2012747a477a18549017a08bc012999d82b0011e66

SHA512
c16dd5e0aa10440f38d444393df88d3596097ea7186841238accd3f0e1758df3469415bc462661599e7b1b476043598ca318a9e84b469b6b334e87b7a091e665

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Locales\en_GB\Additional Plug-Ins\Win\Filters\Variations.8BF
Filesize
63KB

MD5
a23d5f5def87e9a0b3b807942d5d3619

SHA1
ad930df7e996d2f8ca418a9d6c54a8275390562c

SHA256
853ec937d38e9c6f8e0aebcce935768beda7fd451c63d9ecbed06906572ed740

SHA512
b5730cefa8e150d23432cdb4feecb7fa93a406c160b7786c263b445f5ee22d174ba049a52aa9b55937bdc0ec977ed40a9cc7cfd0804fbaa4d858dedcbbcb22d9

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Locales\en_GB\Additional Presets\Win\Menu Customization\Basic.mnu
Filesize
2KB

MD5
e65b4654534194ef00d2b9fb0f14a326

SHA1
afbe94de07f1f8adc4166e536787bf5885f36914

SHA256
14a279ff8287ac6082ba397072e1c626a0d92a9a971444a2be2334cb398a2962

SHA512
4c45cd0888f0173f350f45b9e5bffd6d69996be2fb44f3d5f92d4b751c22b415643768e4f013518aed77ad73889506a8ad163f8bc5a383308c9a8e20db503cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Locales\en_GB\Additional Presets\Win\Menu Customization\What's New in CS5.mnu
Filesize
2KB

MD5
7f7a00c698f0232df7ed779d0b0d396d

SHA1
de783cb9958ff7fffb75930dd33c2a61ecd3ed76

SHA256
434b65a0f52ac535953b91238ff97aa8cc6b66bfc4d57d166ef15381baf81cee

SHA512
b43e2d95bc61d2fc1cae3aad4c55aa30107703e6e989b6c4174a3c83391d9dc194aa9b10cfdc7e6e6b76c53abed32b4504639e8535668326c60d53f4388d31d1

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\Locales\en_GB\Additional Presets\Win\Workspaces\1-Basic Workspaces\Basic
Filesize
131KB

MD5
a5e8af2c83d6c7b6571b553f0cb08cda

SHA1
8faa71982ccf775a5c6d9fc8bbcfbc2fc3f22f5d

SHA256
9f51dc12506c77f211dd49efd9676b3ad3acc8dbd5ea1cff52bea6f4da5b50e9

SHA512
a1ad5fcae0b9131c312faf6ab39c9426836000ace46a2a937348c8cf54b777f8d87f155a83242ac88ec7f88fdc88c17ce593ff7d4a031e97d37ce2fbdb962718

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\adbeape.dll
Filesize
24KB

MD5
ba860a6298784e62993e52a5bf0ed7e5

SHA1
ba3d157bdbe5d31168f846f352150990c962b11d

SHA256
caf3f2f79fa082305c83dd200e78aa571eb4438cc49e3e55c5c4755f38f79497

SHA512
ae8bf65d8f6fc93e6d1bdfbb06fa96a8d6d15c7ce1ade8f0c3df27170dea205ae4bc5d5dafc355227a783e00b8752e27ae4ca103f8888a581eff1896d746a47c

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\adobe_OOBE_Launcher.dll
Filesize
227KB

MD5
eccb1eebe5ec986b97c475e7a6f34e66

SHA1
a52a5f44fb3f4e1654d19adbd481e3688b71160b

SHA256
6311531232091335a667ee2229708e6340ce3d6729e8c1f1a6ed1778a5e82de8

SHA512
13ab6373dfdd60072cd0e5ef0622f4efb6c7ade615897cd8fc9b36dba59b4d15f628f551cecb8a6823ce4d6e6dbf5a9aa1dd7d01edef7c3628c2131d7fdd0853

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\adobe_caps.dll
Filesize
413KB

MD5
37c15b5292ced82aba374c578dddbfa6

SHA1
a6c43e6481838ac47cf164888f852a4287ee7a7b

SHA256
5571347da53b75a3d337218d848790450e1be3bd2d75f6d8cd9965e2e46c1623

SHA512
48e756a919002931c5ec1b1b20fafd44709a8fcec5f29cf677552184874f116067f1e6932bb25701544c9f1b2440517463bb03f7e1e5f23f80c9768152167438

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\ahclient.dll
Filesize
218KB

MD5
ef2ccf3eda2b6533fcf42b61ef2814b1

SHA1
5e883cf23c2a57174174348bee5efa04aa7d43b3

SHA256
bdde12670c2b3514ed9b29e381965be3ec3c5cc74f817ca02fc731b87532bfe5

SHA512
d262da09f2cca991798f150db8870fb7f995e2bbc63ad82a7c026d8e2861b71596256689902b66c751b13af978837fd47ebc23cc041370902511ff6d08c5dded

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\aif_core.dll
Filesize
418KB

MD5
6a4d29aee4bef13271a45fd2317f71d1

SHA1
1dc6d1e90a6ae5fdd9caeaa93319719beee79fd0

SHA256
01190d018325b5f847e8e7c345e56cab2c600ce2e764ca16d40867a44a2d918d

SHA512
7a3259daee895f90735da94792fa26f18c7dfcbf58871ecf89dbe5d72b18bf66f97fa0b5653c4f4c5d81fbe6fba5c0daa5a844a31cc06ae1ad15bfb56aeb93a7

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\aif_ogl.dll
Filesize
2.2MB

MD5
01b1175b7ddd719f16630d3a04f0530d

SHA1
5f13989e66970415e028a26c643867f2da72c2d7

SHA256
71467ed8c5201b4d364880494bc91a449a4fec0d86c9b4bfcbd7ae3f1997b21f

SHA512
38e367d841339e05c26b723d7d969860c71d5755a121db81bdfd9fae246645ac1ab71a0ec96d9cc5f651343a462b4361afce2f611fb69f25e174a190ccd75a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\amtlib.dll
Filesize
2.7MB

MD5
f2345d24fcfc96d6d74628e95cf64dc5

SHA1
df35be660f1103941b5e53e2c63968329ad8bdcc

SHA256
7404951c440772dab5ca200f11f51c9aacb8ffa7f452755695bf4abd25a9e5f7

SHA512
158f0ff01027cb9e9e88164cc21eb7d00a94ef06fc455a7179a841fc6403f63b08bfb442e7e90e53aba4c5d8ef49f5dab9d02a695ad004b940928f40ecf2a44c

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\amtservices.dll
Filesize
1.1MB

MD5
71377e35e2f7c9852176357a4723f286

SHA1
822502b24ab6cceab06cbbd775862ab57c8496e5

SHA256
a5fb023d55702bc2ecb9b016eebd76df632931998efa5c49c92fb7e129f4f6d6

SHA512
5f766587bbed8c213048b90e968044c81eb0a04dcb885d94911db74a1cdf9d99f98b019eb29fb5c3cd5c985caee7553a3105bfaed4dabf402253581e662c1c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\arh.exe
Filesize
73KB

MD5
ff4f229bc63a0e9a7583b39663d9c59b

SHA1
94f6ad0c737a4d519586bfb9e2838779e32dbd39

SHA256
39a3f52f90c4f35121720da8a8e8b5734d5582ca683b6ea67d17527ccf965947

SHA512
377e95042ebf2e6ae2790143bfc562670f1fa523aef04e15fb8ff39ddddf2efecec9fbe6dbe7b9c22577cae8dfd5d58be0579ac72e7d39077fe57fc11925ec73

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\asneu.dll
Filesize
146KB

MD5
300787f89bf55b7488ff9137f0c7ebda

SHA1
3b39a467f926c21eacf1b8e02d6409ee936c05ff

SHA256
8f0a27343354d6ce89b7194465e837fe793c8d4efc50ae816dbd406346720c45

SHA512
79020b7101f45546c617479adc0909bff271be33b05a46d47a09637d1eefdbb21ffca4ffc533dd85a4a8ee8435ea0c75e1d8446cc1b3b66d3b5e9e2c8ff5ebf6

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\boost_threads.dll
Filesize
50KB

MD5
9145fad46a4304b9e7528248f595e2b6

SHA1
2950575cf9c2d18bff0b40d104f60ed1613e6ecc

SHA256
d4bf0244b533be4d822c3e7f09fec9b2e782c7942c90c98966eb3badfd9aa342

SHA512
ec36c6cc2546e6f9b90046e1b79732ab1ec6a1743d9b89611acde4002afd81f9d18a4becdd454c6dbdbde5f92a0af2d8c396b95a26ff55318e196c499043283e

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\cg.dll
Filesize
2.6MB

MD5
788b4834c70e660bdeb45c272b045e79

SHA1
60b51c79ae36a9187870fc27392de80055c562f7

SHA256
6079016dfedfdc6d65e145e057d6397e11441e8b03345021cabae8337c5f0d77

SHA512
1211fd166496806e93c819d3e31d238ab02996798eb990eb2e08a0dab5507d844dcd46f14b96cc54cf10374874460594cde1490fe5f31c4b8cdcc000d3719640

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\cgGL.dll
Filesize
296KB

MD5
30020d75f178d877d913e03ff6778280

SHA1
9a8eb8b1c2827d75a34b297c0cea2ebebbf97b94

SHA256
a3b6761f60625a93fd85926ce0e7d0776bbc5eee88aa9cf79184d919632eb5af

SHA512
481efe7574a863c3f1217bc99dadd2903e86455a446b6b9eec5389ee246769fbdf77592e757b2edb04126c50a56036da5d5a367ef5b9271c7631190df92d5674

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\data_flow.dll
Filesize
107KB

MD5
ccedf1ed4c3132bfed7013dd60a4432e

SHA1
ea37eeb853759e04dd9e862d9d943c10b386117e

SHA256
43739da359953c6214d9796dc64c324d8842d7cd70bca8ab7833886ea5131661

SHA512
d09c4557fd7fe1e90e739dfbfc890e240e5f6a5c43aa8ba59b308ec247df5a847cbacce18ed687f2523cb5bb1d7ebad4577ee130ea3491800b37023da11e3471

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\dvaadameve.dll
Filesize
3.3MB

MD5
4f62da912d06d2c6a8726c318ae42e5c

SHA1
a67f119567c058adba7bc9f111568a8f699fb6c0

SHA256
614068c923281882f0236c5015360d4fbc3612cb4c33066d52717b724f0a6ac4

SHA512
07e8a450f51ce842f49c8cbe19e4e1f9c016ce83eb7094b297d7ee947df03fd1e53db1324d9922b177910850fd1b4b5152ff88dfe9de4a1b4e3d8e71adbca4a9

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\dvacore.dll
Filesize
1.5MB

MD5
f1fa037ab3c809b94fffd71fb9b1a59e

SHA1
c8ec751e095d7db4e58edcc97b30a26e5162e1d3

SHA256
fca87ec55f5f7f63aa0502405acc9f7e3e510a8637afad22175488bc49c8f917

SHA512
896d773c6ded88745735c2c3c52e75074e8f34f51aebe85334b3094ee85c545fbadc97eb7dcee108aef74c7ca4e85795834c7385ef29109e02f48a6476d4d740

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\dvaui.dll
Filesize
3.5MB

MD5
37c0d7bb95502bac4794fbe95a0b7eca

SHA1
66ece484d7b811f55c3afa35cf4890844e4d8e15

SHA256
4a601dca3aceea2faea09fec77490226cf001ef24524e6e9f5d4640eac4e86dc

SHA512
8f3b0609ceeaa99c4ec578055f978d7ef820d8b12d8125d0c4de3f1716c898d27aef37ed80e0d079381849b432284f83cd8762e7af74d0007afe39e0cf1457a1

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\icucnv36.dll
Filesize
664KB

MD5
b8c61bfa5db67d53ea6e864bf38a7715

SHA1
9fac20b3b6b9fa58e77578b3b17bb9b9ddb0ed5f

SHA256
732716d4b9747e4f45efc82817af90b688106d803dcec5300a272837ea4b4e1a

SHA512
cbbb9394490e13f5714ed86739496aad3d98e333134d9de7ce576d0a57a9ca6675b6e3158c1a0886dab78d890fbb4fb966b6c62522d240e8210052bd9f4e867b

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\icudt36.dll
Filesize
92KB

MD5
7e527f3c0eac93206d7c90865fb1f7f3

SHA1
0ceb5355d5d4a2eff2526677afaa196f6e5e1212

SHA256
df486e840244018942ba12d7d7de37c2ad741bb607276232623bf2622eaef049

SHA512
49c0e8924a02f8f8d99ebc02291b362578ce349b275eb0fcd803b4db5294a93aed8ac64343fc33f0165fc8dabaaeab72d72521c54841a730cd837caa12aea3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\image_flow.dll
Filesize
690KB

MD5
d8a74a71b87a8cb329174c592478e504

SHA1
3db3737f96cc39a4046a63b24fe512c19cfd42b2

SHA256
944f1f809e02b5097befee01e62d22cb704391248c9bd5bc48cf8bf077881bb7

SHA512
8fb5a06dd8ed5a44d6e9bc93c1db9f10f9cf26791f81dfbb90d9e8d8ffd04fae3ba95be035c0107055eb7e79982f61e86942bc2730519334d4cacf9047748d38

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\image_runtime.dll
Filesize
145KB

MD5
cf4221df18330751a9c953276e596bb2

SHA1
7990ddc173c5816fe19f9674547bd750d6237f06

SHA256
f5903f966ba2db7acc7a216cd1f49e68ed1c95e7c358bb7e41a31f062d06b531

SHA512
d16783c731a06450722b2fc36ad8bdfd882ec07ca87cfc1d87f3f0ebe447134bb873f8a471e533d2e64fe7c9d8872b47f930df56547d69c57f954fb20a23fc0c

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\libcurl.dll
Filesize
180KB

MD5
311c8da6329e072cd9e185a34f140680

SHA1
75c043ac8ac14ba44d9bd1ae3ed7d5c83a0057c8

SHA256
eb2fb60a9462a07c51b73726103885a1fbca728f77c8207b6639576d7d4b09cf

SHA512
78532ae5e7ddfae3d1f7da64e52c9cfacaf4697518dac5241ec81d8a76b81123602a197dcb9297deed24ea1d4e73a7919342bbb3fbe8b810c1565e3fb171eb11

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\libeay32.dll
Filesize
1008KB

MD5
995a420b93969b2237ca68035fb495a3

SHA1
ce07d4acadc15ad4ff9373451b7fd031bd577a88

SHA256
3f35f84a7b1edcc878bc407fb47ffa580c46e8ae2bbdece22dadc99d070ee3e4

SHA512
732e6b0f5b184deab1c672d9595052cd0628e4a6ab7f3026121d7c4a560c9a28e23a4099949f4893009bc392f810a390c916181d2151a3809aebaae8c67eb818

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\libexpat.dll
Filesize
101KB

MD5
db8c7ed383deaf2466fd55c23e574c51

SHA1
e0ab5e6b491527bfc74e369dcbc7ab0355aba6c1

SHA256
b6c73499734e635092657c8a7f87916c9ef72ba966f88df356ec261135a6bc3f

SHA512
ba58c8bf35074c96f962913eb0920d573f7848d22bd54f8f1f6da7615f53990c5cff553da9d55941e68600dfee2a211c9d28a56427011550f3bf0f9fa6512456

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\libifcoremd.dll
Filesize
868KB

MD5
a705bcdea7a014352db92eabd93fbe8e

SHA1
f74b886246c8723d880a7310f579a2ec5a682b6f

SHA256
2a94c04f10f9275a9d89dd30fd044984d6a5cbafdb96e88d00df5e2db2707a0d

SHA512
bab7ec4c52833cf1e3eab6be284cfa3f6178fea7e7c69ee8224e597a2c54e6ba3dc6b863220ba0c0d44cec7a2974b17a9a976c5deffb7c7a2d35bdd196da3500

Download Submit
C:\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\4B1E83A\libmmd.dll
Filesize
2.8MB

MD5
24d52adf2166c504efedfba7924e24bd

SHA1
6acd5ed130a2c3bc892ea213898c2f2627a0b0fd

SHA256
163fe1bc8b3d43b28ac60067e5840260cfcbe50590c4d6fd825a204e8733f976

SHA512
183b199031af969f5e280e4e164e9e82aec6e7df5e0e3cea688b93eff94ba8c468e4de09ecda29f27d63f6f34360a477af6f189ea25cdfd8b57f7f0f9dfd4776

Download Submit
\Users\Admin\AppData\Local\Temp\MSI23F6.tmp
Filesize
23KB

MD5
e1ea4b6367cf0858d38bf67845de314a

SHA1
3c673d9de1a9fa3341129047818f6f9b73a035e5

SHA256
5a29c502112173342f4d658de452d58f5bdaf3c4367256a044802f0afe41e365

SHA512
2e1f9a90ccff4a7f9e8e545f9e635f340c7409b606c4021e6741f739db538db9e095f55e1943b9e1b5cc753c18f4159b3a867dfdbbd8f5b7e5b8883bc915c4d0

Download Submit
\Users\Admin\AppData\Roaming\Foroozani Software\Adobe Photoshop CS5\install\decoder.dll
Filesize
91KB

MD5
3f1941d09333ab7a071c59c2d46f0a96

SHA1
09eed8c0c8b7c68a5c780584384df168cdca503e

SHA256
d8ce067628956ad47e5e28e2e82d16f9d003247cad463adaa2357ac6edcb9475

SHA512
be3a0b536b691fe57f92b92ebd1f7a9ee82e86045c829470060cc1d097c1b28ddcad8702c0b6400db75d08c2503f40cee21a7c0e931db7ca9055fae56fbf7e95

Download Submit
memory/1392-60-0x0000000000000000-mapping.dmp

Download
memory/1516-142-0x00000000081A0000-0x00000000081C8000-memory.dmp

Filesize
160KB

Download
memory/1516-159-0x00000000081F1000-0x00000000081F8000-memory.dmp

Filesize
28KB

Download
memory/1516-192-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-124-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1516-126-0x00000000031B0000-0x00000000033E8000-memory.dmp

Filesize
2.2MB

Download
memory/1516-128-0x0000000000270000-0x0000000000320000-memory.dmp

Filesize
704KB

Download
memory/1516-130-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/1516-132-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/1516-135-0x0000000002C50000-0x0000000002C98000-memory.dmp

Filesize
288KB

Download
memory/1516-137-0x0000000005EA0000-0x0000000006041000-memory.dmp

Filesize
1.6MB

Download
memory/1516-139-0x0000000007D20000-0x0000000008029000-memory.dmp

Filesize
3.0MB

Download
memory/1516-190-0x0000000009471000-0x00000000097FD000-memory.dmp

Filesize
3.5MB

Download
memory/1516-144-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-146-0x0000000008700000-0x000000000870E000-memory.dmp

Filesize
56KB

Download
memory/1516-150-0x0000000009471000-0x0000000009666000-memory.dmp

Filesize
2.0MB

Download
memory/1516-151-0x0000000009470000-0x00000000097F8000-memory.dmp

Filesize
3.5MB

Download
memory/1516-156-0x0000000009471000-0x00000000095C6000-memory.dmp

Filesize
1.3MB

Download
memory/1516-157-0x0000000009470000-0x00000000097F8000-memory.dmp

Filesize
3.5MB

Download
memory/1516-158-0x0000000008170000-0x000000000817E000-memory.dmp

Filesize
56KB

Download
memory/1516-191-0x00000000097FD000-0x00000000098C4000-memory.dmp

Filesize
796KB

Download
memory/1516-161-0x0000000009588000-0x00000000095E2000-memory.dmp

Filesize
360KB

Download
memory/1516-160-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-162-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-163-0x000000000955B000-0x00000000095AE000-memory.dmp

Filesize
332KB

Download
memory/1516-165-0x0000000009560000-0x00000000095B1000-memory.dmp

Filesize
324KB

Download
memory/1516-164-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-167-0x00000000095A9000-0x0000000009607000-memory.dmp

Filesize
376KB

Download
memory/1516-166-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-173-0x0000000009816000-0x0000000009855000-memory.dmp

Filesize
252KB

Download
memory/1516-172-0x0000000009771000-0x0000000009816000-memory.dmp

Filesize
660KB

Download
memory/1516-174-0x0000000009880000-0x000000000989E000-memory.dmp

Filesize
120KB

Download
memory/1516-175-0x0000000008180000-0x000000000818E000-memory.dmp

Filesize
56KB

Download
memory/1516-177-0x0000000009585000-0x00000000095E3000-memory.dmp

Filesize
376KB

Download
memory/1516-176-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1516-178-0x0000000008170000-0x000000000817E000-memory.dmp

Filesize
56KB

Download
memory/1516-179-0x0000000008200000-0x000000000820E000-memory.dmp

Filesize
56KB

Download
memory/1516-185-0x0000000009470000-0x00000000095AB000-memory.dmp

Filesize
1.2MB

Download
memory/1628-56-0x0000000000000000-mapping.dmp

Download
memory/1628-57-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download