Analysis

  • max time kernel: 103s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/02/2024, 21:59

Errors

Reason: Machine shutdown

General

  • Target

    cmd_fw_installer_138430009_eb.exe

  • Size

    5.4MB

  • MD5

    b48216dca6f745a40645248384659fdd

  • SHA1

    3bc265e7282bfb5c63be6cc73a2b7aad9a060904

  • SHA256

    9b6394b0d1da147c5c718ebf3aba211ce2d4aefc63eb0dc80ed5cfc0db269bcd

  • SHA512

    488fbd2b606c4f829b0ec05217b7d9be687cb885b988bc7cdcf7e1d61da2ef06fc422646696e24c2a1c1a63d793bda2293204037bd5a0178a673c00e91b226ec

  • SSDEEP

    98304:n3oeoi7dSeyJ6A89FbeCD25kvriejkx9sZjMK6vx6IF/M8aWzBWcPNkNzt9e:n3oeoYSeyJ6vnKCD25kvmeh6vFF//aFU

Malware Config

Signatures

  • Drops file in Drivers directory (6 IoCs)
  • Manipulates Digital Signatures (1 TTPs, 4 IoCs)

    Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Checks for any installed AV software in registry (1 TTPs, 64 IoCs)
  • Downloads MZ/PE file
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory (5 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (22 IoCs)
  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (26 IoCs)
  • Registers COM server for autorun (1 TTPs, 39 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (64 IoCs)
  • Modifies system certificate store (2 TTPs, 26 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe" -log -setupname "cmd_fw_installer_138430009_eb.exe" -sfx "C:\Users\Admin\AppData\Local\Temp" -theme lycia -type web -mode cfwfree
      2⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe" -log -theme "lycia" -setupname "cmd_fw_installer_138430009_eb.exe" -type "web" -mode "cfwfree" -sfx "C:\Users\Admin\AppData\Local\Temp" -logfile "C:\Users\Admin\AppData\Local\Temp\\cmdinstall.exe_24-02-12_22.01.06.log" -parent 692 "Admin" 1796
        3⤵
        • Checks for any installed AV software in registry
        • Enumerates connected drives
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops file in Drivers directory
    • Checks for any installed AV software in registry
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Registers COM server for autorun
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5624
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding D4F2FA9F1B717CC8B5DB1456BE7837DA
      2⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:5960
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding B65B27377F669C32C2DD00E362A6E1E9 E Global\MSI0000
      2⤵
      • Drops file in Drivers directory
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
        "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --langID 1033 --createConfig "active=fw;dplus=opt;esm=0;av=0;fw=1;cesfw=1;cesav=0;cessandbox=1;free=1;noalerts=1;cloud=1;sendstats=1;configfile=;fwstate=0;dfstate=0;avstate=0;bbstate=0;avservers=0;standalone=1;useblob=1;trustnewnets=0;"
        3⤵
        • Checks for any installed AV software in registry
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4764
      • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
        "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --upgradeBackuped=""
        3⤵
        PID:868
      • C:\Windows\system32\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        PID:5604
        • C:\Windows\System32\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:1784
      • C:\Windows\system32\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        PID:5748
        • C:\Windows\System32\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:5992
    • C:\Windows\Installer\MSI95DA.tmp
      "C:\Windows\Installer\MSI95DA.tmp" -rptype 0 -descr "Installing COMODO Firewall" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\Installer\MSI95DA.tmp
        "C:\Windows\Installer\MSI95DA.tmp" -rptype 0 -descr "Installing COMODO Firewall" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log" -working
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Windows\system32\srtasks.exe
          C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
          4⤵
          PID:4988
    • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --installCertificates
      2⤵
      • Manipulates Digital Signatures
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      PID:4684
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:3312
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:4392
    • C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe" /RegServer
      2⤵
      • Executes dropped EXE
      • Registers COM server for autorun
      • Modifies registry class
      PID:4412
    • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --updateHtml
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    PID:6060
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\inspect.inf" "9" "471514ecf" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10"
      2⤵
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe (5.5MB)
  • C:\Program Files\COMODO\COMODO Internet Security\cfpver.dat (13B)
  • C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe (251KB)
  • C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll (98KB)
  • C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll (252KB)
  • C:\Program Files\COMODO\COMODO Internet Security\cmdres.DLL (441KB)
  • C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\binaries\files_info.dat (34KB)
  • C:\ProgramData\Comodo Downloader\cis\download\installs\8050\xml_binaries\cis\cis_setup_x64.msi (45.6MB)
  • C:\ProgramData\Comodo Downloader\cis\download\installs\installer_data\installer_init.xml (20KB)
  • C:\ProgramData\Comodo\Installer\cis_setup_x64.msi (1.9MB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B (2KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007 (766B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3 (509B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B (490B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007 (484B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3 (490B)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.dll (277KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll (4.2MB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe (5.7MB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdres.dll (367KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer_langdata.bin (5KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\themes\ilycia.set (764KB)
  • C:\Users\Admin\AppData\Local\Temp\COMODO Firewall_24-02-12 22.02.28.log (1KB)
  • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log (4KB)
  • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log (5KB)
  • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log (7KB)
  • C:\Users\Admin\AppData\Local\Temp\cmdinstall.exe_24-02-12_22.01.06.log (9KB)
  • C:\Windows\Installer\MSI8855.tmp (1.6MB)
  • C:\Windows\Installer\MSI95DA.tmp (163KB)
  • C:\Windows\System32\DriverStore\Temp\{d11b6dbe-1ffd-a847-8627-2f8a27e4006e}\inspect.cat (10KB)
  • C:\Windows\System32\DriverStore\Temp\{d11b6dbe-1ffd-a847-8627-2f8a27e4006e}\inspect.inf (2KB)
  • C:\Windows\System32\DriverStore\Temp\{d11b6dbe-1ffd-a847-8627-2f8a27e4006e}\inspect.sys (127KB)
  • C:\Windows\System32\drivers\SETD00D.tmp (37KB)
  • C:\Windows\System32\drivers\SETD03D.tmp (824KB)
  • C:\Windows\System32\drivers\SETD416.tmp (46KB)