2754e46e0d545ad8f6b5cbc526045732d964ebdfa18cb077d0fa91e58e659663

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe
Size

23.6MB
MD5

63a4f18e268767cca71f41e557b9a1d1
SHA1

64c2fbdac8e510c6554f159eb0e890c7dd92824f
SHA256

2754e46e0d545ad8f6b5cbc526045732d964ebdfa18cb077d0fa91e58e659663
SHA512

bc0cb39d0f2e0d178ce7dfaeb64002c79b5fddd7b14ef9203b14af3e99a93fd7196d4ab144246963dffd862b344c2c786d3ebf24cd8f31187094515d2f59d804
SSDEEP

393216:KBRW6T1WKIo36MfMt3xHgQp7UIs2N8sZmFl6Ct9qH72+8ypHe+Usrd7wZypXIUOW:36T9I9OMV4Id8JF809qiApysrd8ZyuUt

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

DocSAFERx64.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	DocSAFERx64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DocSAFERx64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DocSAFERx64.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

788 bcdedit.exe

pid	process
788	bcdedit.exe

Executes dropped EXE 64 IoCs

Processes:

DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exeDocSAFERx64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exevcredist_x86.exeinstall.exevcredist_x64.exeinstall.exeMADepUninstaller2_x64.exeImageSAFERSvc.exeImageSAFERSvc.exeImageSAFERSvc.exeImageSAFERSvc.exeImageSAFERSvc.exeexpsc.exeDSU_Service64.exeImageSAFERStart_X86.exeImageSAFERStart_X64.exeDSU_Service64.exe

pid	process
2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
1320	DocSAFERx64.exe
2352	ISBEW64.exe
1944	ISBEW64.exe
2232	ISBEW64.exe
1692	ISBEW64.exe
2924	ISBEW64.exe
336	ISBEW64.exe
2000	ISBEW64.exe
2296	ISBEW64.exe
2788	ISBEW64.exe
2156	ISBEW64.exe
1508	ISBEW64.exe
2596	ISBEW64.exe
2184	ISBEW64.exe
2756	ISBEW64.exe
1532	ISBEW64.exe
2368	ISBEW64.exe
1664	ISBEW64.exe
568	ISBEW64.exe
672	ISBEW64.exe
2452	ISBEW64.exe
1008	ISBEW64.exe
2036	ISBEW64.exe
1976	ISBEW64.exe
1948	ISBEW64.exe
1628	ISBEW64.exe
1768	ISBEW64.exe
3032	ISBEW64.exe
2404	ISBEW64.exe
1700	ISBEW64.exe
1608	ISBEW64.exe
1236	ISBEW64.exe
1536	ISBEW64.exe
2692	ISBEW64.exe
1532	ISBEW64.exe
672	ISBEW64.exe
1048	ISBEW64.exe
1996	ISBEW64.exe
1976	ISBEW64.exe
1992	ISBEW64.exe
1472	ISBEW64.exe
2136	ISBEW64.exe
1684	ISBEW64.exe
2656	ISBEW64.exe
1656	ISBEW64.exe
2648	ISBEW64.exe
3052	ISBEW64.exe
2384	ISBEW64.exe
2020	vcredist_x86.exe
1696	install.exe
2984	vcredist_x64.exe
280	install.exe
2072	MADepUninstaller2_x64.exe
1308	ImageSAFERSvc.exe
3060	ImageSAFERSvc.exe
2552	ImageSAFERSvc.exe
1884	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1104	expsc.exe
2288	DSU_Service64.exe
2592	ImageSAFERStart_X86.exe
2348	ImageSAFERStart_X64.exe
2832	DSU_Service64.exe

Loads dropped DLL 64 IoCs

Processes:

63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exeDRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exeDocSAFERx64.exeexpsc.exe

pid	process
2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe
2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe
2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
1104	expsc.exe
1104	expsc.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04093E41-E3D7-43FD-B1E2-7AC7EF3302CC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04093E41-E3D7-43FD-B1E2-7AC7EF3302CC}\InprocServer32\ = "C:\\MarkAny\\Document SAFER\\MAShlMgr64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F1DD1909-4DAB-4326-AAE5-F71EB01A1A62}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6F5F3D1-51B2-450E-B424-C8906C5851D3}\InprocServer32\ = "C:\\MarkAny\\Document SAFER\\AcapIcon64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B11E6E-1D40-4EBE-A557-FEE3AF503396}\InprocServer32\ = "C:\\MarkAny\\Document SAFER\\ZipExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B11E6E-1D40-4EBE-A557-FEE3AF503396}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04093E41-E3D7-43FD-B1E2-7AC7EF3302CC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F1DD1909-4DAB-4326-AAE5-F71EB01A1A62}\InprocServer32\ = "C:\\MarkAny\\Document SAFER\\AcapIcon64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F1DD1909-4DAB-4326-AAE5-F71EB01A1A62}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6F5F3D1-51B2-450E-B424-C8906C5851D3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6F5F3D1-51B2-450E-B424-C8906C5851D3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B11E6E-1D40-4EBE-A557-FEE3AF503396}\InprocServer32	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DocSAFERx64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MADRMAgent = "C:\\MarkAny\\Document SAFER\\MADRMAgent.exe"	DocSAFERx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DocSAFERx64.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" DocSAFERx64.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DocSAFERx64.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

DocSAFERx64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\ImageSAFERDrv64xp.sys	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\AcapCheck64.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERLang.xml	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSU_Web64.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\LIBDB41.DLL	DocSAFERx64.exe
File created	C:\Windows\system32\Ds_C88fe.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\MAPRINT.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\MADWC.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSU_Installer.ini	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\xerc8797.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\xerces_ma.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\ciph8862.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\DSC_Config.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSU_Installer64.exe	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\ciph8863.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\masysid_x64.dll	DocSAFERx64.exe
File created	C:\Windows\system32\Imag8a65.rra	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\DSC_8778.rra	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\DS_C8797.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\AcapCheck.dll	DocSAFERx64.exe
File created	C:\Windows\system32\ciph892d.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERFilter.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERStart_X86.exe	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\MADNP2.exe	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\ImageSAFERMessage.exe	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\DS_CipherLayer_51014.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\Acap87f5.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\cipher.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\DSU_89d8.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\DSU_Installer.ini	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\IMGSFMgr.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\MADN8af1.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\DS_CipherLayer.dll	DocSAFERx64.exe
File created	C:\Windows\system32\DSU_89f7.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERDrv.sys	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSC_XMLInfo64.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSU_89f7.rra	DocSAFERx64.exe
File created	C:\Windows\system32\DSC_8787.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\MaCheckRight.dll	DocSAFERx64.exe
File created	C:\Windows\system32\Imag8a84.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSC_8787.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\cipher2010R3_x64.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\DSU_Web.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERRecovery.exe	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\DSUt8af1.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\cipher2010R3.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\CipherMessage.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERMgr.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\IMGSFMgr.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\DSX_89f7.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\SysWOW64\ImageSAFERProcMon.dll	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\Imgs8ac2.rra	DocSAFERx64.exe
File created	C:\Windows\system32\Imag8b9d.rra	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\MaCh8891.rra	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\ctma88b0.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\ImageSAFERFilter.dll	DocSAFERx64.exe
File created	C:\Windows\system32\masy894c.rra	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\MADW8b01.rra	DocSAFERx64.exe
File created	C:\Windows\system32\DSU_8b5e.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\ImageSAFERMgr.dll	DocSAFERx64.exe
File created	C:\Windows\SysWOW64\MAPR88df.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\DSC_Resource.dll	DocSAFERx64.exe
File created	C:\Windows\system32\Ciph893c.rra	DocSAFERx64.exe
File opened for modification	C:\Windows\system32\Imag8a65.rra	DocSAFERx64.exe

Drops file in Program Files directory 16 IoCs

Processes:

DocSAFERx64.exe

description	ioc	process
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\data8585.rra	DocSAFERx64.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\0x0485a4.rra	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\data1.hdr	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\data1.cab	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setup.inx	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setup.ini	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\ISSetup.dll	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\0x0409.ini	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\0x0412.ini	DocSAFERx64.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\layo8585.rra	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\layout.bin	DocSAFERx64.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setu8585.rra	DocSAFERx64.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setup.exe	DocSAFERx64.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\ISSe8594.rra	DocSAFERx64.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setu85a4.rra	DocSAFERx64.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeDocSAFERx64.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.0\msvcr90.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143824360.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829383.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.2\mfc90ita.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829398.1\9.0.30729.1.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\f769a14.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.0\msvcr90.dll	msiexec.exe
File created	C:\Windows\Installer\f769a19.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829383.0	msiexec.exe
File created	C:\Windows\Imag8bac.rra	DocSAFERx64.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.0\msvcp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824391.0\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.2\mfc90chs.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829320.0	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.0\msvcp90.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C61.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824406.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.1\mfc90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824328.0\vcomp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.3\9.0.30729.1.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829398.0	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824375.0\mfc90enu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\Installer\f769a13.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.1\mfcm90u.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829352.0	msiexec.exe
File opened for modification	C:\Windows\vcredist_x86.exe	DocSAFERx64.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824391.1\9.0.30729.1.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143824328.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829398.1\9.0.30729.1.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829367.3	msiexec.exe
File created	C:\Windows\vcre8bbc.rra	DocSAFERx64.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824406.1\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.1\mfc90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829352.1\9.0.21022.8.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\F1DF8B29EA1C0573587736B1A08AD55F\9.0.30729\FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143829367.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143824406.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829352.0\amd64_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_1ece11b1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829352.1\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829398.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.0\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824375.0\mfc90fra.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824375.0\mfc90rus.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824406.1\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829367.1\mfc90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143829383.0\9.0.30729.1.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\f769a0e.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824375.0\mfc90jpn.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824360.1\mfcm90u.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240521143824375.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824313.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824375.0\mfc90cht.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824344.0\9.0.21022.8.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824328.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824344.0\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\F1DF8B29EA1C0573587736B1A08AD55F\9.0.30729\FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File created	C:\Windows\vcre8bcb.rra	DocSAFERx64.exe
File created	C:\Windows\WinSxS\InstallTemp\20240521143824328.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest	msiexec.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1776 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1776	sc.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\MarkAny\Document SAFER\expsc.exe	nsis_installer_2
C:\MarkAny\Document SAFER\WIN7Old_CCF.exe	nsis_installer_2

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2860 taskkill.exe
2864 taskkill.exe
2980 taskkill.exe
2984 taskkill.exe
1528 taskkill.exe
3000 taskkill.exe
3052 taskkill.exe
2792 taskkill.exe

pid	process
2860	taskkill.exe
2864	taskkill.exe
2980	taskkill.exe
2984	taskkill.exe
1528	taskkill.exe
3000	taskkill.exe
3052	taskkill.exe
2792	taskkill.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

DrvInst.exeDSH_Loader.exemsiexec.exeDSH_Loader64.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	DSH_Loader.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	DSH_Loader64.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	DSH_Loader.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	DSH_Loader64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	DSH_Loader64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	DSH_Loader.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exemsiexec.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeDocSAFERx64.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E9E95D4-B344-4410-AC9B-E14E75E9E5DF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcapIcon.Icon\CurVer\ = "AcapIcon.Icon.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{683C394F-7677-41DC-87CF-060528AA2359}\ProgID\ = "Masdms02.CPpt9AddIn.1"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0063002e00410078003f007d0058003200710034003900530045006800470072004b0038007400360000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1DF8B29EA1C0573587736B1A08AD55F\FT_VC_Redist_CRT_x64 = "VC_Redist_12222_amd64_kor"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1DF8B29EA1C0573587736B1A08AD55F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53612D74-EDC4-4E13-ACCA-2ACFB4DB8F7B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E28471EA-1529-4FE5-9B39-B7E55056D36E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03903E-3343-4951-BB1D-7E9BE8D53A6A}\ProgID\ = "DSP_02_2010.PptAddin.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2EE8C6C-C74F-449C-8B8B-012B47C23E84}\ProgID\ = "MADWC.MADWCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Masdms02.CPpt9AddIn.1\CLSID\ = "{683C394F-7677-41DC-87CF-060528AA2359}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88942D08-458E-4506-AA92-65E827439C86}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB1F05E2-A88E-47EF-BA99-5A11C9A513FB}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E9E95D4-B344-4410-AC9B-E14E75E9E5DF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8478092F-0878-4337-8F7D-DDD9B6306C18}\TypeLib\ = "{5E67F07D-1724-4CBE-AFE2-28546A4347EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7A936BD-E3B3-4A9E-9D6D-30B64DD6DCFC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBDD1A2E-8E8D-4E1D-9C7A-F448D7F21E80}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A693D778-A72F-4568-A281-5628251687B1}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MAFileUpload.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800\ = "Safe for initializing"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 37004f004100310057007600450031006b0035004e002b0037006d002b00290053002d0072007700460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800360034003e00580024004200430054004a002b002700720037004d003d005800250078004e002d0043004300730000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcapIcon.Icon\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E28471EA-1529-4FE5-9B39-B7E55056D36E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBDD1A2E-8E8D-4E1D-9C7A-F448D7F21E80}\ = "IIcon2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A817E7A2-43FA-11D0-9E44-00AA00B6770A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276F73-6B08-40A8-A855-DED9265A5EA5}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8B11E6E-1D40-4EBE-A557-FEE3AF503396}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DLLRegSvr	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F63F80EB-D22A-4350-8277-8385A0336E0A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2A111A6-D80E-46E5-8FA8-E6FF61016D27}\ProgID\ = "DSUtilityAX.DSUtilAX.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68356ACC-3A0C-4DA3-ACBC-70DA7D6749D7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04093E41-E3D7-43FD-B1E2-7AC7EF3302CC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70634F5A-F2D8-45D1-B912-4D359EF3CFCF}\ = "IMACipherContext"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A53A85AD-17A8-4887-B3D9-B5B9251F2E8F}\VersionIndependentProgID	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AcapIcon.Icon\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB1F05E2-A88E-47EF-BA99-5A11C9A513FB}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68356ACC-3A0C-4DA3-ACBC-70DA7D6749D7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Masdms03_2007.ExcelAddIn\CurVer\ = "Masdms03_2007.ExcelAddIn.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88942D08-458E-4506-AA92-65E827439C86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{883BC3FA-02E7-4E9F-AA88-DCEB5027F7FC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DSP_02_2010.PptAddin\CurVer\ = "DSP_02_2010.PptAddin.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3276F73-6B08-40A8-A855-DED9265A5EA5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DSP_01_2010.WordAddIn.1\ = "WordAddIn Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB38F920-ABD6-4829-BF37-C42BD7953694}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F49F6EB4-8D86-43C7-8FFB-D42A78F64983}\1.0\0\win32\ = "C:\\MarkAny\\Document SAFER\\masdms02_2007.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A53A85AD-17A8-4887-B3D9-B5B9251F2E8F}\TypeLib\ = "{2C6CB93C-ADFE-4ded-AF8C-FEC18A18DF84}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1DD1909-4DAB-4326-AAE5-F71EB01A1A62}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MaFileUpload.MaFileUploadCtrl.1\CLSID\ = "{883BC3FA-02E7-4E9F-AA88-DCEB5027F7FC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB887C9A-B776-4A7F-B8C1-9DB72E66F617}\TypeLib\ = "{38D648E5-1D4D-4DBE-AD56-ACEBC8B703BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B34147-14BD-4CC3-A4EE-FCE4BE0AE1CF}\TypeLib\ = "{33030E17-CA5E-4AA9-B270-2CBA1D5334E6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8EE7876A-011C-44D9-BA32-F1CFA440CFAB}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276F73-6B08-40A8-A855-DED9265A5EA5}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MarkAny DocumentSAFER	DocSAFERx64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AE749E0-0BB3-4C4F-A818-8980D67756C2}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7A936BD-E3B3-4A9E-9D6D-30B64DD6DCFC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B5E5F42-8687-4C9A-816F-2D5FCA859668}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F49F6EB4-8D86-43C7-8FFB-D42A78F64983}\1.0\ = "masdms02-2007 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{33030E17-CA5E-4AA9-B270-2CBA1D5334E6}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AE749E0-0BB3-4C4F-A818-8980D67756C2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1DD1909-4DAB-4326-AAE5-F71EB01A1A62}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VDIConnect.VDICheck\CLSID\ = "{53612D74-EDC4-4E13-ACCA-2ACFB4DB8F7B}"	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeImageSAFERSvc.exeImageSAFERStart_X64.exeImageSAFERStart_X86.exeregsvr32.exeregsvr32.exeMADRMAgent.exeDSH_Service64.exeDSH_Loader.exeDSH_Loader64.exe

pid	process
1768	msiexec.exe
1768	msiexec.exe
1768	msiexec.exe
1768	msiexec.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
2348	ImageSAFERStart_X64.exe
2592	ImageSAFERStart_X86.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1576	ImageSAFERSvc.exe
1172	regsvr32.exe
1008	regsvr32.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe
1292	DSH_Loader.exe
1700	DSH_Loader64.exe
1292	DSH_Loader.exe
1700	DSH_Loader64.exe
1292	DSH_Loader.exe
1700	DSH_Loader64.exe
2644	DSH_Service64.exe
2644	DSH_Service64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DocSAFERx64.exe

pid process

1320 DocSAFERx64.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

476
476
476

pid	process
1320	DocSAFERx64.exe

pid	process
476
476
476

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeDrvInst.exeinstall.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeShutdownPrivilege	1696	install.exe
Token: SeIncreaseQuotaPrivilege	1696	install.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeSecurityPrivilege	1768	msiexec.exe
Token: SeCreateTokenPrivilege	1696	install.exe
Token: SeAssignPrimaryTokenPrivilege	1696	install.exe
Token: SeLockMemoryPrivilege	1696	install.exe
Token: SeIncreaseQuotaPrivilege	1696	install.exe
Token: SeMachineAccountPrivilege	1696	install.exe
Token: SeTcbPrivilege	1696	install.exe
Token: SeSecurityPrivilege	1696	install.exe
Token: SeTakeOwnershipPrivilege	1696	install.exe
Token: SeLoadDriverPrivilege	1696	install.exe
Token: SeSystemProfilePrivilege	1696	install.exe
Token: SeSystemtimePrivilege	1696	install.exe
Token: SeProfSingleProcessPrivilege	1696	install.exe
Token: SeIncBasePriorityPrivilege	1696	install.exe
Token: SeCreatePagefilePrivilege	1696	install.exe
Token: SeCreatePermanentPrivilege	1696	install.exe
Token: SeBackupPrivilege	1696	install.exe
Token: SeRestorePrivilege	1696	install.exe
Token: SeShutdownPrivilege	1696	install.exe
Token: SeDebugPrivilege	1696	install.exe
Token: SeAuditPrivilege	1696	install.exe
Token: SeSystemEnvironmentPrivilege	1696	install.exe
Token: SeChangeNotifyPrivilege	1696	install.exe
Token: SeRemoteShutdownPrivilege	1696	install.exe
Token: SeUndockPrivilege	1696	install.exe
Token: SeSyncAgentPrivilege	1696	install.exe
Token: SeEnableDelegationPrivilege	1696	install.exe
Token: SeManageVolumePrivilege	1696	install.exe
Token: SeImpersonatePrivilege	1696	install.exe
Token: SeCreateGlobalPrivilege	1696	install.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeRestorePrivilege	1768	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

DocSAFERx64.exeMADRMAgent.exe

pid process

1320 DocSAFERx64.exe
1320 DocSAFERx64.exe
2232 MADRMAgent.exe
2232 MADRMAgent.exe
2232 MADRMAgent.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

MADRMAgent.exe

pid process

2232 MADRMAgent.exe
2232 MADRMAgent.exe
2232 MADRMAgent.exe

pid	process
1320	DocSAFERx64.exe
1320	DocSAFERx64.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe

pid	process
2232	MADRMAgent.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

MADepUninstaller2_x64.exeImageSAFERStart_X64.exeImageSAFERStart_X86.exeMADRMAgent.exe

pid	process
2072	MADepUninstaller2_x64.exe
2348	ImageSAFERStart_X64.exe
2348	ImageSAFERStart_X64.exe
2348	ImageSAFERStart_X64.exe
2592	ImageSAFERStart_X86.exe
2592	ImageSAFERStart_X86.exe
2592	ImageSAFERStart_X86.exe
2232	MADRMAgent.exe
2232	MADRMAgent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exeDRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).execmd.exenet.exe

description	pid	process	target process
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2368 wrote to memory of 2652	2368	63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2652 wrote to memory of 2472	2652	DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe	cmd.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2732	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2880	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2672	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2568	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2356	2472	cmd.exe	reg.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2472 wrote to memory of 2632	2472	cmd.exe	net.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2632 wrote to memory of 2640	2632	net.exe	net1.exe
PID 2472 wrote to memory of 2512	2472	cmd.exe	net.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

DocSAFERx64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	DocSAFERx64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	DocSAFERx64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DocSAFERx64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DocSAFERx64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\63a4f18e268767cca71f41e557b9a1d1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\MarkAny\Document SAFER\temp\DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe
    "C:\MarkAny\Document SAFER\temp\DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\3958.tmp\DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe delete "HKEY_CLASSES_ROOT\MarkAny DocumentSAFER" /f
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\MarkAny" /f
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}" /f
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MarkAny" /f
        5⤵
        
        PID:2568
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}" /f
        5⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\net.exe
        
        net stop "Image Protection"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Image Protection"
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\net.exe
        
        net stop DSv4_DRM_Control
        5⤵
        
        PID:2512
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop DSv4_DRM_Control
        6⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSH_Service.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSH_Service64.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSU_Service.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSU_Service64.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSC_TSC.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM DSH_Loader.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM ImageSAFERSvc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM MADRMAgent.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
- - C:\MarkAny\Document SAFER\temp\DocSAFERx64.exe
    "C:\MarkAny\Document SAFER\temp\DocSAFERx64.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - System policy modification
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{35F01A73-C6AF-4B1B-8E08-5DBAFB51DDB5}
      4⤵
      Executes dropped EXE
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5811BAD6-0442-442C-9D25-6A41B2BB6E06}
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ACFCA881-5760-447F-A91C-55B29630EA1E}
      4⤵
      Executes dropped EXE
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{954DF1E5-64C4-4DF8-8B23-BC4E7D09880E}
      4⤵
      Executes dropped EXE
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C2E66CA-6A42-4DDD-80DC-76CA7681D763}
      4⤵
      Executes dropped EXE
      PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2001B7A0-20AB-45B4-A562-4D99DD379356}
      4⤵
      Executes dropped EXE
      PID:336
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5659FE19-C973-47F2-BD20-9EC2C6D14576}
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AAA1FD6-9052-486C-A43B-2D7998F14B22}
      4⤵
      Executes dropped EXE
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{897CC764-ABBB-461A-A644-CAB5E19655C0}
      4⤵
      Executes dropped EXE
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4F801A3-7AF7-4A0B-BD26-7229C221F6BA}
      4⤵
      Executes dropped EXE
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B001ECC-7662-4A54-9410-7099D1C37AF0}
      4⤵
      Executes dropped EXE
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6753FDC7-7B90-4F04-8EE7-0BAC6A70E163}
      4⤵
      Executes dropped EXE
      PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D2E231E-B923-4A36-BB0F-D3697286B769}
      4⤵
      Executes dropped EXE
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B1810532-39B9-4052-BC09-F4CA900182B4}
      4⤵
      Executes dropped EXE
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{21E9178E-4F86-4BD2-9247-C28091062EE5}
      4⤵
      Executes dropped EXE
      PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{15939532-5304-4427-93E6-B7C7BF9D875A}
      4⤵
      Executes dropped EXE
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5101FA38-F198-4905-A95C-8F3B035B919F}
      4⤵
      Executes dropped EXE
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9921A5BC-66B2-4CEF-899B-AE0C1D98A8B3}
      4⤵
      Executes dropped EXE
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{748D4364-6B3B-4358-95BC-742D1ED78A01}
      4⤵
      Executes dropped EXE
      PID:672
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FBA1641-DE14-4C4B-A3AF-76E99167FEAB}
      4⤵
      Executes dropped EXE
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7C68845-B7DE-4E60-8856-9A911F525034}
      4⤵
      Executes dropped EXE
      PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D83FA0DD-B7D5-4108-BD7F-096ED79E30F9}
      4⤵
      Executes dropped EXE
      PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ABF061DA-DC60-49DA-BF3B-84A8572CE002}
      4⤵
      Executes dropped EXE
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECB28D30-271F-435E-9E20-BBC07B2A7F25}
      4⤵
      Executes dropped EXE
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25FFD770-22C4-4BC8-B8A1-DA381196C985}
      4⤵
      Executes dropped EXE
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C682057-5DFD-49E0-A765-45A34F4EF4C3}
      4⤵
      Executes dropped EXE
      PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F1E89FB-B1F5-44FC-B91D-BBA48C3C8339}
      4⤵
      Executes dropped EXE
      PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FC7BE60-974D-40C0-9240-FF288CA87BC4}
      4⤵
      Executes dropped EXE
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{247F1422-BF83-4A83-B05A-2F69A46D6F68}
      4⤵
      Executes dropped EXE
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6AA5722B-59B7-4413-94CC-3022971B7264}
      4⤵
      Executes dropped EXE
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8D420FCB-1C1B-448A-8B98-DB6F64E787F6}
      4⤵
      Executes dropped EXE
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A974E9EB-3E6D-4137-AA32-B388292D6FCD}
      4⤵
      Executes dropped EXE
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD7D23DF-442C-40F2-A182-1CD56CA0B936}
      4⤵
      Executes dropped EXE
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19CCB10C-950D-4098-9ED2-1045616C2ACB}
      4⤵
      Executes dropped EXE
      PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{181D2A66-6481-462E-BDB6-0CBE6F1E181F}
      4⤵
      Executes dropped EXE
      PID:672
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B19EB3C1-3529-49EC-AB6C-972E68C02D3D}
      4⤵
      Executes dropped EXE
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B568732-68A0-4881-B820-AF03EC3A5210}
      4⤵
      Executes dropped EXE
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49F29CD4-9A0E-48B5-B037-53B1DBC12ED7}
      4⤵
      Executes dropped EXE
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA86C9E7-96FD-43B3-A7B2-FD1BE309C1AA}
      4⤵
      Executes dropped EXE
      PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B60E6B6B-7C3B-4A30-AC7A-E13A9D12605A}
      4⤵
      Executes dropped EXE
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F0D63D38-EA5C-4624-96F0-14A49D11E3A4}
      4⤵
      Executes dropped EXE
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{87481423-DDDF-4F22-9D55-91B7616EB14E}
      4⤵
      Executes dropped EXE
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41F9030B-7836-4147-BD7C-D2B302CC6192}
      4⤵
      Executes dropped EXE
      PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91A0A8A1-E8A3-4894-ACFA-B0725AE77166}
      4⤵
      Executes dropped EXE
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{68FE611C-1502-4BCB-908F-CA33F51522C1}
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A268D99-7A5A-4355-AA7F-320667C81C56}
      4⤵
      Executes dropped EXE
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7209B91B-6F56-42DA-8507-232D6EA25F05}
      4⤵
      Executes dropped EXE
      PID:2384
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe /unregister
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe /regserver
      4⤵
      PID:2564
  - - C:\Windows\vcredist_x86.exe
      C:\Windows\vcredist_x86.exe /q
      4⤵
      Executes dropped EXE
      PID:2020
    - - \??\f:\ff42b01a46c770e4028fc41c69161170\install.exe
        
        f:\ff42b01a46c770e4028fc41c69161170\.\install.exe /q
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe /unregister
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe /regserver
      4⤵
      PID:1252
  - - C:\Windows\vcredist_x64.exe
      C:\Windows\vcredist_x64.exe /q
      4⤵
      Executes dropped EXE
      PID:2984
    - - \??\f:\120629a92e8c86c4c6ce86\install.exe
        
        f:\120629a92e8c86c4c6ce86\.\install.exe /q
        5⤵
        Executes dropped EXE
        
        PID:280
  - - C:\MarkAny\Document SAFER\MADepUninstaller2_x64.exe
      "C:\MarkAny\Document SAFER\MADepUninstaller2_x64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2072
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set NX AlwaysOFF
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:788
  - - C:\Windows\ImageSAFERSvc.exe
      C:\Windows\ImageSAFERSvc.exe -stop
      4⤵
      Executes dropped EXE
      PID:1308
  - - C:\Windows\ImageSAFERSvc.exe
      C:\Windows\ImageSAFERSvc.exe -remove
      4⤵
      Executes dropped EXE
      PID:3060
  - - C:\Windows\ImageSAFERSvc.exe
      C:\Windows\ImageSAFERSvc.exe -install
      4⤵
      Executes dropped EXE
      PID:2552
  - - C:\Windows\ImageSAFERSvc.exe
      C:\Windows\ImageSAFERSvc.exe -start
      4⤵
      Executes dropped EXE
      PID:1884
  - - C:\MarkAny\Document SAFER\expsc.exe
      "C:\MarkAny\Document SAFER\expsc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C sc.exe config "Image Protection" start= auto
        5⤵
        
        PID:688
      - C:\Windows\SysWOW64\sc.exe
        
        sc.exe config "Image Protection" start= auto
        6⤵
        Launches sc.exe
        
        PID:1776
  - - C:\MarkAny\Document SAFER\DSU_Service64.exe
      "C:\MarkAny\Document SAFER\DSU_Service64.exe" stop
      4⤵
      Executes dropped EXE
      PID:2288
  - - C:\MarkAny\Document SAFER\DSU_Service64.exe
      "C:\MarkAny\Document SAFER\DSU_Service64.exe" uninstall
      4⤵
      Executes dropped EXE
      PID:2832
  - - C:\MarkAny\Document SAFER\DSU_Service64.exe
      "C:\MarkAny\Document SAFER\DSU_Service64.exe" install
      4⤵
      PID:1512
  - - C:\MarkAny\Document SAFER\DSU_Service64.exe
      "C:\MarkAny\Document SAFER\DSU_Service64.exe" start
      4⤵
      PID:832
  - - C:\MarkAny\Document SAFER\SetSite.exe
      "C:\MarkAny\Document SAFER\SetSite.exe" 192.168.1.152
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\MAShlMgr64.dll" /s
      4⤵
      PID:484
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\MarkAny\Document SAFER\MAShlMgr64.dll" /s
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:2928
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\AcapIcon64.dll" /s
      4⤵
      PID:1240
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\MarkAny\Document SAFER\AcapIcon64.dll" /s
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:1460
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\AcapIconEtcDRM64.dll" /s
      4⤵
      PID:1436
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\MarkAny\Document SAFER\AcapIconEtcDRM64.dll" /s
        5⤵
        
        PID:1088
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\ZipExt64.dll" /s
      4⤵
      PID:2772
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\MarkAny\Document SAFER\ZipExt64.dll" /s
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:820
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\DSU_Web64.dll" /s
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms01.dll" /s
      4⤵
      Modifies registry class
      PID:2764
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms01_2007.dll" /s
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\DSP_01_2010.dll" /s
      4⤵
      Modifies registry class
      PID:2040
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms02.dll" /s
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1172
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms02_2007.dll" /s
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1008
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\DSP_02_2010.dll" /s
      4⤵
      Modifies registry class
      PID:2012
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms03.dll" /s
      4⤵
      Modifies registry class
      PID:2452
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\masdms03_2007.dll" /s
      4⤵
      Modifies registry class
      PID:3040
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\DSP_03_2010.dll" /s
      4⤵
      Modifies registry class
      PID:1552
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\VDIConnect.dll" /s
      4⤵
      Modifies registry class
      PID:2196
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\MarkAny\Document SAFER\AcapIcon.dll" /s
      4⤵
      Modifies registry class
      PID:3028
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\DrmSSO.dll" /s
      4⤵
      Modifies registry class
      PID:2460
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\DSUtilityAX.dll" /s
      4⤵
      Modifies registry class
      PID:2740
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\MADWC.dll" /s
      4⤵
      Modifies registry class
      PID:2616
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\MAFileUpload.dll" /s
      4⤵
      Modifies registry class
      PID:2580
  - - C:\MarkAny\Document SAFER\DSC_TSC.exe
      "C:\MarkAny\Document SAFER\DSC_TSC.exe" -install
      4⤵
      PID:2512
  - - C:\MarkAny\Document SAFER\DSC_TSC.exe
      "C:\MarkAny\Document SAFER\DSC_TSC.exe" -start
      4⤵
      PID:1088
  - - C:\MarkAny\Document SAFER\DSH_Service64.exe
      "C:\MarkAny\Document SAFER\DSH_Service64.exe" -stop
      4⤵
      PID:2192
  - - C:\MarkAny\Document SAFER\DSH_Service64.exe
      "C:\MarkAny\Document SAFER\DSH_Service64.exe" -remove
      4⤵
      PID:2952
  - - C:\MarkAny\Document SAFER\DSH_Service64.exe
      "C:\MarkAny\Document SAFER\DSH_Service64.exe" -install
      4⤵
      PID:1448
  - - C:\MarkAny\Document SAFER\DSH_Service64.exe
      "C:\MarkAny\Document SAFER\DSH_Service64.exe" -start
      4⤵
      PID:2100
  - - C:\MarkAny\Document SAFER\MADRMAgent.exe
      "C:\MarkAny\Document SAFER\MADRMAgent.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2232
  - - C:\MarkAny\Document SAFER\WIN7Old_CCF.exe
      "C:\MarkAny\Document SAFER\WIN7Old_CCF.exe"
      4⤵
      PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003DC" "0000000000000580"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\ImageSAFERSvc.exe
C:\Windows\ImageSAFERSvc.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1576
- C:\Windows\system32\ImageSAFERStart_X86.exe
  "ImageSAFERStart_X86.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Windows\system32\ImageSAFERStart_X64.exe
  "ImageSAFERStart_X64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2348

C:\MarkAny\Document SAFER\DSU_Service64.exe
"C:\MarkAny\Document SAFER\DSU_Service64.exe"
1⤵
PID:836

C:\MarkAny\Document SAFER\DSC_TSC.exe
"C:\MarkAny\Document SAFER\DSC_TSC.exe"
1⤵
PID:1572

C:\MarkAny\Document SAFER\DSH_Service64.exe
"C:\MarkAny\Document SAFER\DSH_Service64.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644
- C:\MarkAny\Document SAFER\DSH_Loader.exe
  "C:\MarkAny\Document SAFER\DSH_Loader.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- - C:\MarkAny\Document SAFER\DSH_Inj64.exe
    "C:\MarkAny\Document SAFER\DSH_Inj64.exe" 1180 "C:\MarkAny\Document SAFER\DSH_Ex64.dll"
    3⤵
    PID:756
- C:\MarkAny\Document SAFER\DSH_Loader64.exe
  "C:\MarkAny\Document SAFER\DSH_Loader64.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- - C:\MarkAny\Document SAFER\DSH_Inj64.exe
    "C:\MarkAny\Document SAFER\DSH_Inj64.exe" 1180 "C:\MarkAny\Document SAFER\DSH_Ex64.dll"
    3⤵
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MarkAny\Document SAFER\DSC_TSC.exe

Filesize
96KB

MD5
f0591bdb89d4e809ab2cddb1a2dd81a9

SHA1
685ff8473e1c2d8730cc87a175f1907fb131293a

SHA256
a12842729b7f426e89423249e1a1ce8653ef050692e6e0eb7cde48f8fbfce1b1

SHA512
549d6936801caa7721399c8921571d4ecd34751e3db36d7304e3d41f63edd6a360a8094350c2f8bda54d20318eb29f81ac11f802d038846bd2ab9eb3d98316e6

Download Submit
C:\MarkAny\Document SAFER\DSH_Service64.exe

Filesize
107KB

MD5
e7b2327737246f255a8dcdda65c600c9

SHA1
2f17a81161aebe910c8315d9d73259414474fda6

SHA256
d57ad67dc3998fd833296eacbbbc9f8bdd238554746f01405870ed57f9f058a0

SHA512
026521b8ed000570b9d35e75ced54c82e10642010e3266fdbdc2650b0572b85dc3db778eee509c9dd16e8b764617d239e7428ecf5c2340637ed652b9714f3b4b

Download Submit
C:\MarkAny\Document SAFER\DSU_Installer64.exe

Filesize
260KB

MD5
51ed03edc431b9f90375b06c879c129b

SHA1
a1306cdaa00b23488ad5831a4e30d2b2e128754e

SHA256
de1cfbaff1e639bcc99a407d91bf9a7e41355d80abfd28e36a217cb1071f80b0

SHA512
8262b55a8dc8cbc9b7e5fb4843081c5724aa9b7cae3bd5c5f45bec0f8aa816531c0a6264bafe00c039fb0a3c8b5391551138dc8810eb86800c5ce7ebb27e5772

Download Submit
C:\MarkAny\Document SAFER\DSU_Service64.exe

Filesize
49KB

MD5
8fff51566d86f6bdaab9624393795253

SHA1
0317cbbf89e9b2bbb2a58117f7d264f8fe0f4ae7

SHA256
cac9bbb6538ff1bbe81b1c11f9113f4a86e7c35de62479f00e512d5343e300c5

SHA512
0e1e57ff56eea9f7ce29eccb7167fdf5b05782d1b6ebe9834ca99c27d306ed557fd2aa24e8a1db24675b71b1536cbaf74d4c685968e9ca908fd7fb9e8c4ea88c

Download Submit
C:\MarkAny\Document SAFER\DSX_InstallerMessage.xml

Filesize
1KB

MD5
666c1ebbaabc3809e53fca3c3f2cb45c

SHA1
46726c2fcb24036b2d5b58bb6b9151e6305a2fcd

SHA256
a919a55c73d33e23bbe8528dbca814b982b31a07d356e38ce64f0fb02914d074

SHA512
f603154c7415eb57d390143aa160773eae926b29822706f9d27d521fa6d8db1a48eb0b375a047054640b973dd4d80248f24e51d0febec6902c282750e645f455

Download Submit
C:\MarkAny\Document SAFER\MADRMAgent.exe

Filesize
1.6MB

MD5
a041f0609a4da4073e1a7aeb462e42c4

SHA1
9021cf8a89996c13621dbb715b6f786d2b839b33

SHA256
13d865b9452c9f1fa315aabfda8d66a7a0afde646bdcd432eccc87539557f031

SHA512
985857f62df2cce6f5bed9ce4b3649f6a6eecb840805acd9fbba6b7da907f60f06d1ebd7e1a5b257f04d32eec1967749fe5098d779daff5c92d9a0725972f1c0

Download Submit
C:\MarkAny\Document SAFER\SetSite.exe

Filesize
20KB

MD5
00cc18daebb96d748c1d3b0aae524a6c

SHA1
cad67226d6f51f39b8ff076845a3fce5dc89d153

SHA256
fdbdf1c5f90cab72b530c8694f9cfc4ab238c69dff67045c8a84fde59718baac

SHA512
8ab3332321fb45e260979ebce50411258c6f106bf035198d4901cbb42f38c07a592b07ef03258346d7babc07a89bc4c5933498364c685c5b10fa57a05da0900a

Download Submit
C:\MarkAny\Document SAFER\WIN7Old_CCF.exe

Filesize
55KB

MD5
2990678a8cd8c1ca1e3051d8cadcb274

SHA1
d2037167b8e93a8b7ace1ad7eb8b6333ecc103a7

SHA256
e194f18fc4154d27e51664b455224f9ca00542972a021ed8bae9be75b7a989cf

SHA512
50825bbc5d858f7ae858125141e9da03973028829633913ac2fdd45188319d4c179d96f1b1352e9286ef4d566a3cfa8d110ac4277db6c24d555c00bb89e4a10f

Download Submit
C:\MarkAny\Document SAFER\_ccf.bak

Filesize
12KB

MD5
c777588ae5ed25e8c556398f7dd4b2cf

SHA1
1124f50220bd92b082fff2529153d7103941d122

SHA256
d3832867ba1b6d5b40a31c0c4647cdd7c960f44dd58f983d1786f3262e885c60

SHA512
bad750afc1242184ad2b5cf62bb0fe19742f84e518387254a541114e035a96c6747a92678a6176ff3b092803c585f9fe252a29105b777af99e0056bec84e51fc

Download Submit
C:\MarkAny\Document SAFER\expsc.exe

Filesize
48KB

MD5
6df3130c92adb75bb69a1e239d4c8f41

SHA1
4718dcce7208503dc96ff782bd34666b5615751c

SHA256
a5576cd265f6f680a002934debe70f671121c76e899c37e08bf857c86dac44b5

SHA512
e8f9dff618515267825dc014a9fb0220a4df9b72e5d48f34fa2e1cffff1a48bfd5400976b1cb24271354e82d562ad757976a8c659bf3ca8c93913aaa8d6bc3c8

Download Submit
C:\MarkAny\Document SAFER\fasoo.ico

Filesize
302KB

MD5
c2d96d98ae05a7c062999b433c24e8a2

SHA1
8ac0d519c676c03210ec0ee8a37c3204a25d767a

SHA256
507fa4e1d95b43008629e0e8eb33364bce571ec1069efe69da85302115336268

SHA512
427a1ae951a80d4cf7ef9ec53d3d5cc5636252f534529a3c6659962b89081553b0d2526ffe00b78b783979bd06a686fffd73db0ed4d5a5050fa8ed536e479834

Download Submit
C:\MarkAny\Document SAFER\fasoo2.ico

Filesize
302KB

MD5
e174726590d5dae75e162e42e3cbe65a

SHA1
589639965dfda32d4ad715d2e5a4c7ceb0af8360

SHA256
2c4b55fc91743ff1a14f62af5e11edecebbb7e7577bc23af41a46e1fcf6e95a3

SHA512
0f4da3223f17e6455ff4a7124c61d19d33a242cf56ed5828f75d04343896b42061b53054c8837b1c3bdb5c30d9e9bdf6b61bd340577562df0158041d9d9774fd

Download Submit
C:\MarkAny\Document SAFER\temp\DocSAFERx64.exe

Filesize
24.8MB

MD5
fe45559b9dbbadbca1ede71fe24ae937

SHA1
b122550ccc65144a5f7a7649f46eb1412a5a98af

SHA256
f4548d69e0c8e812d08434af59897298201223be4bad408467b3e14441fbc58c

SHA512
620d3d1a249be8abe7428608d29390632ed5476ed507eee9a1d7a8c04cdddb2c7263152c1965a6c0a02d953cafa9c74471b37720f67bcb163edc616ff4cc5670

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\0x0412.ini

Filesize
13KB

MD5
73e70a6b9354e80237c8e2b3170830a0

SHA1
b4c8777ce9c2d2fff4c0c914825cbe698feaadaf

SHA256
316577cf74d3545d632b0de55513a3511d654849655157cb84821b871ec081e9

SHA512
f15e736e7c0b55437b39869a0bbce15d5365f04c70be23fc373d83ce0e99e0a806244c1c44cd298dc4970d20af6cb1198a9d84749f5d5ac02162c261b1460ed7

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\data1.cab

Filesize
730KB

MD5
86664b6451494d2ecb831592d401572d

SHA1
553fe8bc9c1a193c1e74c27ec943b726641d9453

SHA256
2fa94bffc20fe4c888de080f54bcfc390923702aee87df8b7b94264890f43505

SHA512
16f3c393736a4263ca63781cc35d04c3425b0dbca6429d2a631d968c174af4c69c783a6c1bae6a86f0fd31e062a76c266672867d9dd655547579a45469b5ce5e

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\layout.bin

Filesize
636B

MD5
320a6a945a17143fcf7681397f1881b5

SHA1
c02b56d7bcfb67e4d22ff606322424bcf65ea78d

SHA256
4a9c184c592f42d3123568f84291146cc4b2f0a6f58ab6866da9fb1fd005a0f7

SHA512
4f064e637cfcccaf4b4e3c63c9079b75fbab2906b55cc4f9b13c086cffd0b5c68c9b863f9e915c9bd65454fb8175391c51697a5a6e8061fa3b86da93509c48d6

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{18E14E7C-34E1-44C3-90AD-FFA12BF93349}\setup.ini

Filesize
2KB

MD5
c6aef56e44a576b41716cd7a90111b0a

SHA1
87030702d254a661b8aa3a1c88fc3e6ab193c25f

SHA256
c5071f8097db9b8451019ccc1ae31ceb388a7f2bdc8d05191cb17dea30fd4fc6

SHA512
d5f320680e61df1b32e76ab7fb56da7384863214b8caed70887f418e46c03d8399bff1546c146fdacc59b7bfef2f070d43d5c5a72a1b5b127866d0bddd6d605b

Download Submit
C:\Users\Admin\AppData\Local\MarkAny\Document SAFER\_ccf2010.mds

Filesize
64KB

MD5
e6b1795561bc6ebc91fdcab1f2bab9bc

SHA1
b117aa95a787540789655000c2ccd33bcd3d509f

SHA256
98dbea65ebd98f6410c26ef8e0bcd2d9be4922fc60ba903ff81d6aafe2c6e4c7

SHA512
44b4bdf7a892d122c7a6278978ddc033b0716380f17910140f813ef0c433133be3100228cecadc84a5de6fdd60f62e883f2c517451eec5b4d6b2869088c5e1c7

Download Submit
C:\Users\Admin\AppData\Local\MarkAny\Document SAFER\_ccf2010.mds

Filesize
64KB

MD5
8c421ade817f8056cce56309cdfa8649

SHA1
f556ef728c26516b48a5d8b847d9f7280ec8ea28

SHA256
9d550236978f8c62eec7b9c02744a4f9c86b757c1da5e82620355a8b378336b8

SHA512
e2ca329b696173c7b444d6e7d9ae9eb15cbefdbda8b303a7af417baf7998f02b3a1ecb904f555230ae4dd073568e5d1cb710c90ec039dcbfd55a25f85edda3c0

Download Submit
C:\Users\Admin\AppData\Local\MarkAny\Document SAFER\_ccf2010.mds

Filesize
64KB

MD5
b6f413c991e253ef8b093537fa62c44e

SHA1
14032779ff9c4b502dc814db9805b54ee6265cc7

SHA256
9db6605e47bd60d1cb12bd4af59ed2247cbb9584e0ee340cde0d9258e9ce5568

SHA512
22b8413be9b5f6fe44dc45f5f9c2aa21247370f6022cd7688fa5cde8fe3d9fa7c48b750bd29afa3e38418063ea5e149836e85622a53f8d5f9221ee20d0e90967

Download Submit
C:\Users\Admin\AppData\Local\MarkAny\Document SAFER\_ccf2010.mds

Filesize
64KB

MD5
11d268ad59ed0b9f430015b8b88734f9

SHA1
141a9b402ae716ecaec8bd571bab0c1fefda82fb

SHA256
94ce28bca9afe600e49c09701d6ead18bee44e6e7af5cd74ae59750f7be93303

SHA512
a157d8a9d6c75e885630aa9f7331ca4fa72fe37e805060e989d711bd6d064b115497e3d75d0ab6d95bd3e959167fab51a9720a4870ad89578ae53a8576c7d93a

Download Submit
C:\Users\Admin\AppData\Local\MarkAny\Document SAFER\_ccf2010.mds

Filesize
64KB

MD5
3762924ae8291d55e5cf55bc917aff2e

SHA1
0f4af6f3717bc2082de4afe96b61560a1a96abd9

SHA256
6a64d52b464ec55900ee5a4c48ea96c5b67bc296cde0afeb839452e94e73a5cc

SHA512
c80e10882b744c7cbe0f7c94ca7a538310ebb4b21cce3d0e70e744a9188392787b20a21d02d702470314fd479dc9b7ed878af0a60df2c986fb18389fffb1262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3958.tmp\DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).bat

Filesize
959B

MD5
414c64a755d7bf516a4ff82a75bc954b

SHA1
a8ffb14c164fad08324f21f63ecdb6737f131847

SHA256
8db5e1084e6f2a983fc808774195e2762fbea328534ecd3a671481a57db91279

SHA512
b214f10f25262f5cfb4e76b393d264560a81d8a8f9159d3133ad45343044d3733a33c8e8abe07b9391350c2c87e157acb1ca68725dcf0d137cc633f1df0c4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWLB442.tmp

Filesize
392B

MD5
dc7941d65bf1102ec39e4a483b2bcaae

SHA1
47713aebcb7681fccdc3b50b678cd47a7cf822d3

SHA256
097c34e02955a7d1e07cbbf456e10d59656cef41fab2741f5140a7cc1825edac

SHA512
ec0cc22c6d88c2b5f98305068ee53c04a789db3d57337be1c3d1fc16d26920dcc92774f1dc8e42195cfae91d3a9eb9e611afce8b1ed1953594fd24aded4b06fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC498.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\Disk1\data1.hdr

Filesize
58KB

MD5
ccb842864020cd89216ad4dd002d9567

SHA1
3f92ad5a1313c93a7ada79651aa5754a1b4967a3

SHA256
71d53af84bbffca25af052c4897eaab7bb93b970ddbe72fdf6ab1d7ed636615f

SHA512
30178b32dfe6bd19002df3dc091449c9ad4cfcf21174ae32db2909e61b42fa9c4cdc2b9f1135a00e0a91352b2fcd8ff2cec2e107de85b35d6af27adbbc311930

Download Submit
C:\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\Disk1\setup.exe

Filesize
789KB

MD5
057b1ff1ecc105372f0d3a9bec2d6df2

SHA1
775d1a40dc3c3b0bf8a5411a74cd1ea0d763d189

SHA256
07b7c931ed6d31f1f9786519aa2601c7d47f7f7136d4346cb2c239e034639b02

SHA512
935bbc4a41930117463777391c165294bfee36a1d8dadabfcee52a230a084622f4ccb3c8eb46e15eca633c09d2874a7b6ac983980c41422abff8fa410cad5c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\Disk1\setup.inx

Filesize
241KB

MD5
2dc66af27507f919d0448a6fd475eb52

SHA1
53158d62d48493615176b4a223e28ffb2434c891

SHA256
fdc0c743279649696b7e3bfa610fd61a9e25697a3d208d9a67eeb15ea74b77bd

SHA512
1c5a4b35e73b147ff67ea22925612e4104b78808843dc0552d8d4bfd8e02b21d398416a7f8e732d9fd2db9593e7b95981b8f80a0edc816e93cfb03747bad1282

Download Submit
C:\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\setup.ini

Filesize
2KB

MD5
6a60ee426fda234a208ab611eae9f96e

SHA1
9f4d942dfd9cd9d1f89437720220708b839af98d

SHA256
dda115cc431c8673e3118bdf6f899ee33fc04cf04fe05b08a0144cc3df89e88e

SHA512
d99985add449810a07879925f23e1641c1cfb8c1f4d24e7f03d801bfe264a7ee23b3df4ebb71e2b61f004c4d02a9242d4b5299f62ba6a5186e341a65facb3d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\{18e14e7c-34e1-44c3-90ad-ffa12bf93349}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\{18e14e7c-34e1-44c3-90ad-ffa12bf93349}\FontData.ini

Filesize
38B

MD5
d1bda1cbb8e18bc2977c5c29bac13891

SHA1
418093a89c55c38e6014e7a4b1300c40314de04f

SHA256
4586a347528185485758d2ea2d49e9893d6dc3df26afd70a611e1eeb31e303fc

SHA512
80b578a2b27e10ca89612164aa1b48bbf343eb2c59b267aaeb4415d04680496e33a8988b09d0f0d02f0bb745b4e2b204f20abdec43aefcc72f19e14e9154c366

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\{18e14e7c-34e1-44c3-90ad-ffa12bf93349}\_isres_0x0409.dll

Filesize
540KB

MD5
d1bb47446802afd706f2babed529db80

SHA1
47919e77e8868ac2df4fd7342ca0d0a72766f680

SHA256
b674d17a6cd5f472328f0f3620c5df73b3e40fbdf8e0435082bc5585d44d85b5

SHA512
dd551bb14d8a44a8713a6fe7758caa6632e085881cb9631e6cd5a61d21e2a87095d14e67fcb1fca29c748621bee2080381375a459ba362d6bb27156cdf5426d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\{18e14e7c-34e1-44c3-90ad-ffa12bf93349}\_isuser_0x0409.dll

Filesize
12KB

MD5
889877fa28258b0b090ed237f13ed913

SHA1
3855323a745849c2ad9e977e550b852a2b14547c

SHA256
c1e99d89bbcd86560beb3ee91b5903a73e6de7da838d0350f355dcf44657ca4c

SHA512
5e5ca3a3b63c35d743303dce0c1bbf94ca15ca96a2e6f8cc84e8649f611793c8e4c1fb2a3d3fe8c5a4074c468159193dfd7f8df1b569405c3fee604ab4840fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\{18e14e7c-34e1-44c3-90ad-ffa12bf93349}\isrt.dll

Filesize
262KB

MD5
5ecda0a54c4d9babcdb177d54f2e733d

SHA1
e98aa5abf7cc44b50fe6ca7c6b110bb04541fe5b

SHA256
e0926d6cbb4b4bbe673eec59325646ae8f2702e87584bf31dee28c385f45a32c

SHA512
45cb28462f6114765fcf831e2ae4ffc5fee1f59746e9e749106b7cf00b7967a788e5591da2a4e0a6e3ae52d60395d1d66be6112026709c33261c4ca839211616

Download Submit
C:\Windows\ImageSAFERSvc.exe

Filesize
232KB

MD5
fe6ce5653b2a3fb957a81b3f25a9af0d

SHA1
49e63520058854f5022948d24772010ab08c50cc

SHA256
a601934cc639c232c03e1b42dac730e14b922b21f12be805d98cb5ae02308c1b

SHA512
af438cdc02babd7dd948ff807f9948f42a9c548877ad9aebaf562452af1af505a27ae36648cfe1f547f4491aa4c1bfcf60b08b8c38e326042d76c0f11a78fc68

Download Submit
C:\Windows\Installer\f769a0e.msi

Filesize
227KB

MD5
6e17361f8e53b47656bcf0ed90ade095

SHA1
bce290a700e31579356f7122fb38ce3be452628a

SHA256
8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96

SHA512
a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Download Submit
C:\Windows\Installer\f769a14.msi

Filesize
231KB

MD5
8d3da743a83b2652ae18bed6877d89f4

SHA1
031a0ea53fa75f097fc5aa5639b7df414bf1409e

SHA256
2090a9008b98f74f820e06553e0d06ee21e74b1da064fefb1f811f8bb6ef73a7

SHA512
d4c1f8fcbf90fc73d8d9b81ee712e9901613cad52722720c6a94777e3a5917e4ddba061c683f5e1a504add2d8a23870ec3beb7d3dd866bc6c40543a62d7447d7

Download Submit
C:\Windows\SysWOW64\DSC_Resource.dll

Filesize
35KB

MD5
de3d87b2cd9076f7806243c9a9ae56f1

SHA1
23bcb1ecd3f2ffe3eed99f5b116a8d77d9f1a61f

SHA256
fb14e057ff933e6f196510fd8f6d35a3b4ab517773306e63094a27b03f347b35

SHA512
25798b8514bba551bc045456f7d8f030d85b9762673602eda51ab9332a6be5e3580cc9c2e2233f458264d72437e44fcc761666b21f696e806b351b88bcb1824d

Download Submit
C:\Windows\SysWOW64\DSU_Installer.ini

Filesize
1KB

MD5
029626e8a06994a05e66100a4d0f551e

SHA1
28a967d83b2d86e7e5e2c28ef2330e90d2b3a06f

SHA256
854dade484745df11edb20e7e6860fa66e3c6a165578ab40e83d3edbcac17608

SHA512
febfb21f70c7880cd6d01a7d4554b26904649b016f927fa80d9e8bd574e4e62c91ea686f5d5e071efba8ceb846555d613f54a82043bc0832f8aa15d1fbd1e786

Download Submit
C:\Windows\SysWOW64\ImageSAFERMessage.exe

Filesize
61KB

MD5
93d49b9cf00e1174da8a39b37aa86784

SHA1
be36a1a90e620bca0e208da302725cdb5e6f1ca1

SHA256
468d2b8845d50b1f0e10f0a8feb9b45a50f585e3e66665e2ad72fb28a4055fe0

SHA512
d32b2a12fd92e66a771d3003278cfa8972e0a057175537b72718363cc34320c17209cdd39076a5e0dbabe15b2fb16e554cf71f95db04637c7b4d10fc389b38eb

Download Submit
C:\Windows\SysWOW64\ImageSAFERStart_X86.exe

Filesize
181KB

MD5
4ac5ebd8c9a060c8802d47701fedb53f

SHA1
cd2c7ce3fef7bc099342f97b825da9716f5fe33f

SHA256
3d542968ba44aea0fb2ccb1c628ddc3a5382dca877ee2dff80e860babfb08cbd

SHA512
f6933adec0c44ad6032d293c2559c30155a1ad8618ae37be6197afc42235f19743e01b0c1e2f682566019c2450d58877696742ef9aa997df17e05ea4a2d1fd6b

Download Submit
C:\Windows\SysWOW64\ImgsfprocPolicy.xml

Filesize
5KB

MD5
54d1acabe4b39fd198bfe92ed34af7ce

SHA1
7a8617027945c12fb3350672d1d84bbb3f566da7

SHA256
89c643b23a3956b88b13c001c70f25b1def8cb820dcbe24c443fc384b245d424

SHA512
5df5e7835f037c33e4d20a1b5e6a135e8f9a35125fc5d0759704bd2c7a837eb57dd1743b090df0b13b49ee036126332618391b0e84ce2badeedad45634c9a362

Download Submit
C:\Windows\SysWOW64\cipher.dll

Filesize
312KB

MD5
0963bf78ceddfdb1d1953a0f796290dd

SHA1
e644a66755da2e6465bb2f1b7fb653bfca9f7a36

SHA256
29a1ed6bb84724b4bba345b42325e7601d66ecbf2db3770869f45e0dedf0fd1a

SHA512
fe1508d28bc085f5af0be068fa2e80079069827cff4fece23ecf4285707d5b105739bb6565de9cf7112abd09437b610e115a050b8ff16e9ab615fdc14846d56f

Download Submit
C:\Windows\vcredist_x64.exe

Filesize
4.7MB

MD5
43dd623d2af3f36a12dee9d01963aefe

SHA1
3159ed4067fba68f1ddf981f39624fa608367e32

SHA256
ff95944c5d89a795161ea4b6554d49b1c74a8e642c497164580c72a6b24e2906

SHA512
8fb7583fb9c306f9c1fd818d28de24d87efc4802e0803df16a5b6c0df72bcb32ecfaaf92d6e9f50cc5f9eb11cabcc8dcf204aa85ecf4850fee7c7bf58e576569

Download Submit
C:\Windows\vcredist_x86.exe

Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit
F:\120629a92e8c86c4c6ce86\install.exe

Filesize
835KB

MD5
87603ea025623b19954e460add532048

SHA1
d27fc9abbeccb60906d22906ef9a73bd05da2b7a

SHA256
8d08136a1964c72b6b450b11d9bf2b3d3d289c26dfadfc9f021114eac2cea1ca

SHA512
f2af8c8eab805a39ccd3ccc3b8d1c3401c81f1b3d2dbe719aa39f6fcc28af955d778465aec8b699460e6897629f758b7986b5f7fb4705ba174911c3736c4f520

Download Submit
\MarkAny\Document SAFER\temp\DRM_Delete (¼¿ï¹ÝµµÃ¼R3¿ë).exe

Filesize
61KB

MD5
515173853f81eeecb1e5cd9131883828

SHA1
25d51da0c4ac5fc7b047a571e589c3384c7a1f4c

SHA256
0c49009c4dda6486543563bc9c732ac85f8349e999e120d8e1628d8d27776e7e

SHA512
34f2364a4719d858926f2c0d237451f286f43931d8be0ed50a8b9b7bedbe37f09a2a43a892a1fbb3b79f64cae56558c38aef69eaf942b9576e9e55ec257441a0

Download Submit
\Users\Admin\AppData\Local\Temp\{778A9EB0-022F-46FB-80EA-ED345E17FECC}\Disk1\ISSetup.dll

Filesize
610KB

MD5
547b43e7c3a9fccfe33a0d1f630b4024

SHA1
9115ce93b4bdae29f3139e2dcca380ecbbfb8c9c

SHA256
b83d2753d39343fb75f1ce3b81664569a5558fd097ca8d75a43c7adee544ed1f

SHA512
3cc5f09c3dff8d993ca617b6de9d0f2978fdd650d71b7220c5d951afee1fd0c68e89237908fc3d37193dc4df0cb005afee4a9f0ed0407d0dbe482a3716edddf1

Download Submit
\Users\Admin\AppData\Local\Temp\{B46B64DB-1C85-49E5-8C5D-37A45F3C28CC}\ISBEW64.exe

Filesize
148KB

MD5
962b85d5bc8945d80b4839e47efe8fdd

SHA1
3291792ee90594baa9083ef544779d6b550d3fec

SHA256
1b220c5a2f74162d7162ba241ad6c594aaf009cc1329429dcf2112e10477e2b5

SHA512
6a2c104a45cb9f11e9a6e2ba2674c03a8b1102ad2be25f1df3bde6af4933db475a6537b54a8d4086867a655f4067980b99dc4844230f7d2727af45dcf5a794ff

Download Submit
memory/280-1288-0x000007FEF83F0000-0x000007FEF8406000-memory.dmp

Filesize
88KB

Download
memory/1172-1393-0x00000000001F0000-0x0000000000251000-memory.dmp

Filesize
388KB

Download
memory/1320-1336-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1320-1333-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1320-144-0x0000000003FA0000-0x0000000004047000-memory.dmp

Filesize
668KB

Download
memory/1320-202-0x0000000003FA0000-0x0000000004047000-memory.dmp

Filesize
668KB

Download
memory/1320-68-0x0000000010000000-0x00000000101EE000-memory.dmp

Filesize
1.9MB

Download
memory/1320-1331-0x0000000004BD0000-0x0000000004BF8000-memory.dmp

Filesize
160KB

Download
memory/1320-201-0x0000000010000000-0x00000000101EE000-memory.dmp

Filesize
1.9MB

Download
memory/1320-1335-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1320-1334-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1320-147-0x00000000043A0000-0x0000000004429000-memory.dmp

Filesize
548KB

Download
memory/1320-976-0x0000000010000000-0x00000000101EE000-memory.dmp

Filesize
1.9MB

Download
memory/1584-1388-0x00000000744C0000-0x00000000744C5000-memory.dmp

Filesize
20KB

Download
memory/1696-1125-0x0000000074410000-0x0000000074427000-memory.dmp

Filesize
92KB

Download
memory/2028-1377-0x00000000744C0000-0x00000000744C5000-memory.dmp

Filesize
20KB

Download
memory/2348-1328-0x0000000001B60000-0x0000000001B7E000-memory.dmp

Filesize
120KB

Download
memory/2368-9-0x0000000000440000-0x0000000000462000-memory.dmp

Filesize
136KB

Download
memory/2368-8-0x0000000000440000-0x0000000000462000-memory.dmp

Filesize
136KB

Download
memory/2592-1329-0x00000000000B0000-0x00000000000CB000-memory.dmp

Filesize
108KB

Download
memory/2652-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2652-18-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/2652-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2652-13-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2652-17-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2652-16-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2780-1350-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1346-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1344-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1351-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1348-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1349-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1347-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2780-1354-0x00000000744C0000-0x00000000744C5000-memory.dmp

Filesize
20KB

Download
memory/2780-1345-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download