c506f78705872620dd3363a1813db0903143338b7c63fc4cfa244e9e6077ab4b

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

_.exe
Size

5.7MB
MD5

5c27f2f209b25d4ecdf7da80c0f0dff1
SHA1

d47316267d523cb12322c38a5532a28f8c2a1a4b
SHA256

c506f78705872620dd3363a1813db0903143338b7c63fc4cfa244e9e6077ab4b
SHA512

4120f317eb7613585ae359f21c21c119b2fb7c88e4d164dd117fac75aaa005bae569e02bc7d7a956b0b627d5b195ab29aad2b51a12de13a4657161072fd9c283
SSDEEP

49152:aMdyl4lW0WDxDhdTKCM8XXpDYALLRENU9Qd+bukGMQ1nbHxjCjdJdYcirgDQMHLG:aMSDxDLrHXWU9w6ZoRHEK7+LU

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	Avira.Spotlight.Bootstrapper.exe

Loads dropped DLL 31 IoCs

pid	Process
1140	_.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1063

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper\MixpanelCommonProperties = "AAEAAAD/////AQAAAAAAAAAEAQAAAOIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuRGljdGlvbmFyeWAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAHVmVyc2lvbghDb21wYXJlcghIYXNoU2l6ZQ1LZXlWYWx1ZVBhaXJzAAMAAwiSAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkdlbmVyaWNFcXVhbGl0eUNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCOYBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dW10SAAAACQIAAAAlAAAACQMAAAAEAgAAAJIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuR2VuZXJpY0VxdWFsaXR5Q29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0AAAAABwMAAAAAAQAAABIAAAAD5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0E/P///+QBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAAyRvcwYGAAAAB1dpbmRvd3MB+f////z///8GCAAAAAskb3NfdmVyc2lvbgYJAAAACDYuMS43NjAxAfb////8////BgsAAAALT3MgTGFuZ3VhZ2UGDAAAAAVlbi1VUwHz/////P///wYOAAAAC09zIFBsYXRmb3JtBg8AAAADeDY0AfD////8////BhEAAAAMc2hhMl9zdXBwb3J0CAEAAe7////8////BhMAAAAWLk5FVCBGcmFtZXdvcmsgVmVyc2lvbgkUAAAAAev////8////BhYAAAAKUHJvY2VzcyBJRAgIDAcAAAHp/////P///wYYAAAAEkNvbXBhdGliaWxpdHkgTW9kZQkZAAAAAeb////8////BhsAAAANRXhwZXJpbWVudElkcwkcAAAAAeP////8////Bh4AAAAQRXhwZXJpbWVudEdyb3VwcwkfAAAAAeD////8////BiEAAAAPRG93bmxvYWQgU291cmNlBiIAAAAAAd3////8////BiQAAAAJQnVuZGxlIElECSIAAAAB2v////z///8GJwAAABRCb290c3RyYXBwZXIgVmVyc2lvbgYoAAAACzEuMC4zMS4zNzk2Adf////8////BioAAAAGQWN0aW9uBisAAAAHSW5zdGFsbAHU/////P///wYtAAAAB1J1bk1vZGUGLgAAAAdEZWZhdWx0AdH////8////BjAAAAAGU2lsZW50CAEAAc/////8////BjIAAAAKU2Vzc2lvbiBJRAYzAAAAIDczNTQ1NzM3OTFiZDRhNTRiOGFlMjJlZTQ5N2NmMjgzAcz////8////BjUAAAASU3BvdGxpZ2h0IExhbmd1YWdlCQwAAAAEFAAAAA5TeXN0ZW0uVmVyc2lvbgQAAAAGX01ham9yBl9NaW5vcgZfQnVpbGQJX1JldmlzaW9uAAAAAAgICAgEAAAABwAAAAIAAAD/////ERkAAAAAAAAAERwAAAABAAAABjcAAAAUc3BvdGxpZ2h0c2FmZXNlYXJjaDIRHwAAAAEAAAAGOAAAAAtzcHRsaW5zdGFsbAs="	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Security\ConnectServices	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Avira\Security\UserInterface	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\UserInterface	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Security	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	Avira.Spotlight.Bootstrapper.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper	Avira.Spotlight.Bootstrapper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2040	schtasks.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\SessionId = "7354573791bd4a54b8ae22ee497cf283"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\Action = "Install"	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe	_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0"	_.exe
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "2f6f97d8958a41d7939f965ab1bf1bf213942deb"	Avira.Spotlight.Bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	Avira.Spotlight.Bootstrapper.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1804	Avira.Spotlight.Bootstrapper.exe
1804	Avira.Spotlight.Bootstrapper.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1804	1140	_.exe	27
PID 1140 wrote to memory of 1804	1140	_.exe	27
PID 1140 wrote to memory of 1804	1140	_.exe	27
PID 1140 wrote to memory of 1804	1140	_.exe	27
PID 1140 wrote to memory of 2040	1140	_.exe	28
PID 1140 wrote to memory of 2040	1140	_.exe	28
PID 1140 wrote to memory of 2040	1140	_.exe	28
PID 1140 wrote to memory of 2040	1140	_.exe	28

C:\Users\Admin\AppData\Local\Temp\_.exe
"C:\Users\Admin\AppData\Local\Temp\_.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\.CR.8526\Avira.Spotlight.Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\.CR.8526\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.8526\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=_.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.24207\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"
  2⤵
  - Creates scheduled task(s)
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.CR.24207\Avira_Security_Installation.xml

Filesize
1KB

MD5
c692e4a6b718c46a41a966d79eb84d4d

SHA1
939ba660b53d39aa3392c93fc45961caec83b87f

SHA256
17797c01379ee5da9fa4587842c2b8102b14024e8bf4e2a8b90526690491f450

SHA512
375865c5642301ce4a3b7a41b984273a41dbfe1fba16431ecd12aec56c32e61738ed0b97ac55104ac36fb7beb4d6084ab27dbe4c8b3c0ad741313aa384987dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

Filesize
1.5MB

MD5
cb8c80df0f410612c7f6d7be612364fa

SHA1
079234a9c582e630b4a72cf0768d7c3e0097ed16

SHA256
a373c45154c49899e757cbe65be4c111aa4b2fa6af4006232ecc83d6afd6266d

SHA512
1bbc66c51bd670818527163d584e0d9e4cdd3335e0566bdfef064ae45e841879866f3c08a0d4f3599e1f3b18f31d9ed6baafdc15967004ae393b60a7bc8272e8

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.COMMON.GUARDS.DLL

Filesize
17KB

MD5
6cf81b96db8fdfff68430face73bad08

SHA1
6f4cdc34ab357d373c3701cdbc7ca015c811acd9

SHA256
3b6d79226ccabb6136810f921a1f1688d30f442ce8867eeae0e8d5023e2602d2

SHA512
2f823d2f904dc0dd5e9be5b4f58672f8f719991fbb46bc43b425e6b7287b8fab80e37bb761e62fbcf1e3a4b7dbd098dd1ea8d099429b6fd03beeb73d001eaf74

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.COMMON.GUARDS.DLL

Filesize
17KB

MD5
6cf81b96db8fdfff68430face73bad08

SHA1
6f4cdc34ab357d373c3701cdbc7ca015c811acd9

SHA256
3b6d79226ccabb6136810f921a1f1688d30f442ce8867eeae0e8d5023e2602d2

SHA512
2f823d2f904dc0dd5e9be5b4f58672f8f719991fbb46bc43b425e6b7287b8fab80e37bb761e62fbcf1e3a4b7dbd098dd1ea8d099429b6fd03beeb73d001eaf74

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.COMMON.MIXPANEL.DLL

Filesize
63KB

MD5
8c8ef664a54a610a2dbf669ec61ccb5c

SHA1
d2cfb0d895de042497e30edcd93c30e12b569616

SHA256
326202cc3709126e12aa3c73da3e89f5995b6ce8e982468bb4d7b05d3af118e5

SHA512
56983c8659c32b2465b8f8d59ab244d274bb91946b878c38b40ede0bee6e7d0852410a7ba49d10043ba6eaebb79c71d8244c546ca8ea75fc3fb4214a31f06214

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.COMMON.MIXPANEL.DLL

Filesize
63KB

MD5
8c8ef664a54a610a2dbf669ec61ccb5c

SHA1
d2cfb0d895de042497e30edcd93c30e12b569616

SHA256
326202cc3709126e12aa3c73da3e89f5995b6ce8e982468bb4d7b05d3af118e5

SHA512
56983c8659c32b2465b8f8d59ab244d274bb91946b878c38b40ede0bee6e7d0852410a7ba49d10043ba6eaebb79c71d8244c546ca8ea75fc3fb4214a31f06214

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

Filesize
344KB

MD5
a5ab1d34a45484dc43f68aacbbade71f

SHA1
93ce2525247445bb485950608a3ad96bf588e3a1

SHA256
eb569c9de9a237c25b1dad79e03e8563e8cea3136767ba0ca68e7e18324d88ec

SHA512
93f016c17416815cab41630e19a70b8bfd40d478aad391864400126dbed9d45af12a68b13a40baa7d5af43e28814fe1349819f82d5ba0f06a54ece01ceb91a07

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

Filesize
344KB

MD5
a5ab1d34a45484dc43f68aacbbade71f

SHA1
93ce2525247445bb485950608a3ad96bf588e3a1

SHA256
eb569c9de9a237c25b1dad79e03e8563e8cea3136767ba0ca68e7e18324d88ec

SHA512
93f016c17416815cab41630e19a70b8bfd40d478aad391864400126dbed9d45af12a68b13a40baa7d5af43e28814fe1349819f82d5ba0f06a54ece01ceb91a07

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

Filesize
342KB

MD5
b8a7f067de778bec2dc9e3e4a6088d81

SHA1
4e5ba1534f53d818ac71fc62a00574e481439c8b

SHA256
6fa10d8bdc93b0f7a2ce82199a9f0e56a491da195208637cb7283c6d836fa302

SHA512
e8601794f4cf45f29342b6716ab2c3dd6244e8ad27c8286d54c2a166d7e5c7e1391490e3834cbfa50c2778b45d45df80c2be304c6e1eced6bbdab4ddc1aff7ed

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

Filesize
342KB

MD5
b8a7f067de778bec2dc9e3e4a6088d81

SHA1
4e5ba1534f53d818ac71fc62a00574e481439c8b

SHA256
6fa10d8bdc93b0f7a2ce82199a9f0e56a491da195208637cb7283c6d836fa302

SHA512
e8601794f4cf45f29342b6716ab2c3dd6244e8ad27c8286d54c2a166d7e5c7e1391490e3834cbfa50c2778b45d45df80c2be304c6e1eced6bbdab4ddc1aff7ed

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

Filesize
1.5MB

MD5
cb8c80df0f410612c7f6d7be612364fa

SHA1
079234a9c582e630b4a72cf0768d7c3e0097ed16

SHA256
a373c45154c49899e757cbe65be4c111aa4b2fa6af4006232ecc83d6afd6266d

SHA512
1bbc66c51bd670818527163d584e0d9e4cdd3335e0566bdfef064ae45e841879866f3c08a0d4f3599e1f3b18f31d9ed6baafdc15967004ae393b60a7bc8272e8

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

Filesize
168KB

MD5
d421e10965b3d0b526faa0a0ac4fba95

SHA1
3c6f7288ac3afe52cbcc2acb125e8c121ef42a68

SHA256
d2dfc3e94b8eb2ecdef1952d31820e3857f582437900a2bc03e4aeb81f0d7981

SHA512
18009621f362a8f3466a81b7b8e014a15db78f1e3b30efd93f70cb92cef0316b291d52e3f5853cc9042fcc4153807535269d2c9e509888266e3303d11c328e82

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

Filesize
168KB

MD5
d421e10965b3d0b526faa0a0ac4fba95

SHA1
3c6f7288ac3afe52cbcc2acb125e8c121ef42a68

SHA256
d2dfc3e94b8eb2ecdef1952d31820e3857f582437900a2bc03e4aeb81f0d7981

SHA512
18009621f362a8f3466a81b7b8e014a15db78f1e3b30efd93f70cb92cef0316b291d52e3f5853cc9042fcc4153807535269d2c9e509888266e3303d11c328e82

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

Filesize
205KB

MD5
1f186b30425445379b7c3b34304584f8

SHA1
4c441880a5f223a5fe726dc1a3c44425e1789e74

SHA256
7ecd883bf7cb8973b7b8f8353efc4ce8bf9377dcd192cb483a2d0275fdb17abc

SHA512
628e2eacc771d183fb550e14ede1f36a6614cbcfada0ceceef190697187cbd484d5e1cda27dbeadde139a74de047e4c9e45f23f4f98ba7c6e8ff4bfe516d979b

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

Filesize
205KB

MD5
1f186b30425445379b7c3b34304584f8

SHA1
4c441880a5f223a5fe726dc1a3c44425e1789e74

SHA256
7ecd883bf7cb8973b7b8f8353efc4ce8bf9377dcd192cb483a2d0275fdb17abc

SHA512
628e2eacc771d183fb550e14ede1f36a6614cbcfada0ceceef190697187cbd484d5e1cda27dbeadde139a74de047e4c9e45f23f4f98ba7c6e8ff4bfe516d979b

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOC.DLL

Filesize
439KB

MD5
9c3e44f1c05ff49c180ba62ec357155e

SHA1
41a8e67e3de7a30593f9cf75e9a86a338cf55113

SHA256
60e3d6c4a0f5adfdfd69f74434d42288d13cb835960a2c17f47a64eb1eb4fa9d

SHA512
68d6674656df384fb0e539f3b902ac69f6e0bb266e3b1749171aa0c49c0000c82e6125a56a6872c7daf4b05c54adf8cae7471fccca2d2c29551c864ed009645a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOC.DLL

Filesize
439KB

MD5
9c3e44f1c05ff49c180ba62ec357155e

SHA1
41a8e67e3de7a30593f9cf75e9a86a338cf55113

SHA256
60e3d6c4a0f5adfdfd69f74434d42288d13cb835960a2c17f47a64eb1eb4fa9d

SHA512
68d6674656df384fb0e539f3b902ac69f6e0bb266e3b1749171aa0c49c0000c82e6125a56a6872c7daf4b05c54adf8cae7471fccca2d2c29551c864ed009645a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOC.MEFATTRIBUTEDMODEL.DLL

Filesize
69KB

MD5
6f97f648452c03fecc388783e029026f

SHA1
4833f0f57e67940fb32bc4f319e3d1df3302baf4

SHA256
24b66db252ac5a8ce1c5d21042303a09918b972d682bf0b230bb874601628459

SHA512
09c6b1820bbd57acd6602e625b9276debf2f9640c8fe92dafabd3fb156bba0d7838f9a28c693bab15543eaaed1d19340ca6663f3b59feb03ab7817c7533c3723

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOC.MEFATTRIBUTEDMODEL.DLL

Filesize
69KB

MD5
6f97f648452c03fecc388783e029026f

SHA1
4833f0f57e67940fb32bc4f319e3d1df3302baf4

SHA256
24b66db252ac5a8ce1c5d21042303a09918b972d682bf0b230bb874601628459

SHA512
09c6b1820bbd57acd6602e625b9276debf2f9640c8fe92dafabd3fb156bba0d7838f9a28c693bab15543eaaed1d19340ca6663f3b59feb03ab7817c7533c3723

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOCATTRIBUTES.DLL

Filesize
33KB

MD5
2f21f975faf09b536bd3a68edaf5159c

SHA1
f776707cfccbf83a6a7cebd4d49dc803bd8bb52d

SHA256
44084ec2455d6b6c0e00d8fcc562530e59f19a8924dfec38351b8f26f75be777

SHA512
69937553aa153466fe574d61a99da91c79d175c8816f87a328df82ff917fea6679ebe0c236d8d8bfe61dfc3970dc17fa20445dd4da6044c36294648990e71825

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\DRYIOCATTRIBUTES.DLL

Filesize
33KB

MD5
2f21f975faf09b536bd3a68edaf5159c

SHA1
f776707cfccbf83a6a7cebd4d49dc803bd8bb52d

SHA256
44084ec2455d6b6c0e00d8fcc562530e59f19a8924dfec38351b8f26f75be777

SHA512
69937553aa153466fe574d61a99da91c79d175c8816f87a328df82ff917fea6679ebe0c236d8d8bfe61dfc3970dc17fa20445dd4da6044c36294648990e71825

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
33KB

MD5
05321c44387786b213584378b2208290

SHA1
34565fc81aa8ff1c1a85f7abc348dd9de68525ae

SHA256
fbcebae0d9dcd4229afb79dfe4d3e3b23b7539ef8fce936890df79d69e8bb3dd

SHA512
047f39ed81e6bfae71695cd9027db5d6a473ef160f9a1e56346e2b60ee81c4c0884f6b8661e7302471087e801f6ad0cb5968310922203ea63ca05b9f307ae66a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
33KB

MD5
05321c44387786b213584378b2208290

SHA1
34565fc81aa8ff1c1a85f7abc348dd9de68525ae

SHA256
fbcebae0d9dcd4229afb79dfe4d3e3b23b7539ef8fce936890df79d69e8bb3dd

SHA512
047f39ed81e6bfae71695cd9027db5d6a473ef160f9a1e56346e2b60ee81c4c0884f6b8661e7302471087e801f6ad0cb5968310922203ea63ca05b9f307ae66a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\MICROSOFT.WINDOWS.SHELL.DLL

Filesize
160KB

MD5
277735b1c0968409dd4601662e3bc9dd

SHA1
7a8d8f964a4582a340262ec3975e4badda9fd022

SHA256
0b67a859ac20ca9c2f2abfc7a334bbb155421e3b6f01c21c821e149e149dc5eb

SHA512
d0271d97843dac34bf88421acda9ebc7c59716a8a154459abd961c2e6a0ead66623baca3a1ccd6c7b73ef6090e421201c6d2917fe3d7f6095e5f23af586e0982

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\MICROSOFT.WINDOWS.SHELL.DLL

Filesize
160KB

MD5
277735b1c0968409dd4601662e3bc9dd

SHA1
7a8d8f964a4582a340262ec3975e4badda9fd022

SHA256
0b67a859ac20ca9c2f2abfc7a334bbb155421e3b6f01c21c821e149e149dc5eb

SHA512
d0271d97843dac34bf88421acda9ebc7c59716a8a154459abd961c2e6a0ead66623baca3a1ccd6c7b73ef6090e421201c6d2917fe3d7f6095e5f23af586e0982

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.COMMON.DLL

Filesize
182KB

MD5
0b49eb7801840d69e1b4f55f676769e8

SHA1
4e4d3a019775bdcb39210b0719cae6d3d01ba855

SHA256
6ea9c2f479c9cb8784745acaf7742e05448a548beaf77cb77aef9ef878b26603

SHA512
2f04ea66b505c1908dfe66576197c142c2b737c83221e1562e7df7bbea87f452cda80a2cc71fa82017f63b130f9a1ff464b0f3c4e6b54745bf099c42b16da45a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.COMMON.DLL

Filesize
182KB

MD5
0b49eb7801840d69e1b4f55f676769e8

SHA1
4e4d3a019775bdcb39210b0719cae6d3d01ba855

SHA256
6ea9c2f479c9cb8784745acaf7742e05448a548beaf77cb77aef9ef878b26603

SHA512
2f04ea66b505c1908dfe66576197c142c2b737c83221e1562e7df7bbea87f452cda80a2cc71fa82017f63b130f9a1ff464b0f3c4e6b54745bf099c42b16da45a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.COMMON.DLL

Filesize
182KB

MD5
0b49eb7801840d69e1b4f55f676769e8

SHA1
4e4d3a019775bdcb39210b0719cae6d3d01ba855

SHA256
6ea9c2f479c9cb8784745acaf7742e05448a548beaf77cb77aef9ef878b26603

SHA512
2f04ea66b505c1908dfe66576197c142c2b737c83221e1562e7df7bbea87f452cda80a2cc71fa82017f63b130f9a1ff464b0f3c4e6b54745bf099c42b16da45a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.COMMON.DLL

Filesize
182KB

MD5
0b49eb7801840d69e1b4f55f676769e8

SHA1
4e4d3a019775bdcb39210b0719cae6d3d01ba855

SHA256
6ea9c2f479c9cb8784745acaf7742e05448a548beaf77cb77aef9ef878b26603

SHA512
2f04ea66b505c1908dfe66576197c142c2b737c83221e1562e7df7bbea87f452cda80a2cc71fa82017f63b130f9a1ff464b0f3c4e6b54745bf099c42b16da45a

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.DLL

Filesize
248KB

MD5
c25deccb6f63a3c5676c3bf7092801ab

SHA1
8c24cf66c2e37c4f80228aa92e27f833115c27d1

SHA256
18939c51f062af12d6d027571a88ff0bb5cce44c35e758de851408f30229ae8c

SHA512
dc1262e79b6b9eb6c6722880c830d5f0584db7ac5ab3a319accf07e5c6be2b95309768ac2d9fe96dd78f5d51c147ad13c8d23f0fa6051d52ef521264b7734496

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.DLL

Filesize
248KB

MD5
c25deccb6f63a3c5676c3bf7092801ab

SHA1
8c24cf66c2e37c4f80228aa92e27f833115c27d1

SHA256
18939c51f062af12d6d027571a88ff0bb5cce44c35e758de851408f30229ae8c

SHA512
dc1262e79b6b9eb6c6722880c830d5f0584db7ac5ab3a319accf07e5c6be2b95309768ac2d9fe96dd78f5d51c147ad13c8d23f0fa6051d52ef521264b7734496

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.DLL

Filesize
248KB

MD5
c25deccb6f63a3c5676c3bf7092801ab

SHA1
8c24cf66c2e37c4f80228aa92e27f833115c27d1

SHA256
18939c51f062af12d6d027571a88ff0bb5cce44c35e758de851408f30229ae8c

SHA512
dc1262e79b6b9eb6c6722880c830d5f0584db7ac5ab3a319accf07e5c6be2b95309768ac2d9fe96dd78f5d51c147ad13c8d23f0fa6051d52ef521264b7734496

Download Submit
\Users\Admin\AppData\Local\Temp\.CR.8526\PRODUCTLABEL.DLL

Filesize
248KB

MD5
c25deccb6f63a3c5676c3bf7092801ab

SHA1
8c24cf66c2e37c4f80228aa92e27f833115c27d1

SHA256
18939c51f062af12d6d027571a88ff0bb5cce44c35e758de851408f30229ae8c

SHA512
dc1262e79b6b9eb6c6722880c830d5f0584db7ac5ab3a319accf07e5c6be2b95309768ac2d9fe96dd78f5d51c147ad13c8d23f0fa6051d52ef521264b7734496

Download Submit
memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1804-66-0x0000000000360000-0x000000000038C000-memory.dmp

Filesize
176KB

Download
memory/1804-73-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/1804-85-0x00000000022D0000-0x0000000002312000-memory.dmp

Filesize
264KB

Download
memory/1804-88-0x00000000022D0000-0x0000000002312000-memory.dmp

Filesize
264KB

Download
memory/1804-94-0x00000000049E0000-0x0000000004A38000-memory.dmp

Filesize
352KB

Download
memory/1804-82-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/1804-97-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/1804-79-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/1804-76-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1804-91-0x0000000002320000-0x000000000234C000-memory.dmp

Filesize
176KB

Download
memory/1804-69-0x0000000000610000-0x000000000066A000-memory.dmp

Filesize
360KB

Download
memory/1804-100-0x0000000004580000-0x0000000004594000-memory.dmp

Filesize
80KB

Download
memory/1804-63-0x0000000002100000-0x0000000002170000-memory.dmp

Filesize
448KB

Download
memory/1804-103-0x0000000004600000-0x000000000460A000-memory.dmp

Filesize
40KB

Download
memory/1804-60-0x00000000009E0000-0x0000000000B66000-memory.dmp

Filesize
1.5MB

Download
memory/1804-106-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/1804-108-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/1804-107-0x0000000005355000-0x0000000005366000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads