Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 07:08

General

  • Target

    cav_installer.exe

  • Size

    5.4MB

  • MD5

    7be4a95313c926e0233571f89291f487

  • SHA1

    a16e410af1f001434d5ed5194f0755aa24173589

  • SHA256

    4e3da75745b7e4887965862b11ba68bc7aadf3ea000636554dfc8f0b8e3261ae

  • SHA512

    31df4d21db3ddaa96a7f2492572660990621050dc74ec56fe6eca725cc2d9beb63f8b74f8c8ffc85f42fcc32540117f97b9235f0d6256f10e1da7819b5d940bc

  • SSDEEP

    98304:23oeoi7dSeyB6A89FbeCD25kvriejkx9sZjMK6vx6IF/M8aWzBWcPNkNzt/c:23oeoYSeyB6vnKCD25kvmeh6vFF//aF0

Malware Config

Signatures

  • Drops file in Drivers directory 10 IoCs
  • Manipulates Digital Signatures 1 TTPs 8 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Sets service image path in registry 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 64 IoCs
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 21 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 34 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cav_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\cav_installer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe" -log -setupname "cav_installer.exe" -sfx "C:\Users\Admin\AppData\Local\Temp" -theme lycia -type web -mode cavfree
      2⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:768
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Registers COM server for autorun
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 31A7BBB65796A18132D9DED029B2ADDD
      2⤵
      • Enumerates connected drives
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3308
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 2EC7DCA72789D90E718C86BA178186FC M Global\MSI0000
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
        "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --langID 1033 --createConfig "active=avfw;dplus=opt;esm=0;av=1;fw=0;cesfw=0;cesav=1;cessandbox=1;free=1;noalerts=1;cloud=1;sendstats=1;configfile=;fwstate=0;dfstate=0;avstate=0;bbstate=0;avservers=0;standalone=1;useblob=1;trustnewnets=0;"
        3⤵
        • Checks for any installed AV software in registry
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3968
      • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
        "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --upgradeBackuped=""
        3⤵
        • Checks for any installed AV software in registry
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3996
      • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
        "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --windowsDefence df-
        3⤵
        • Checks for any installed AV software in registry
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4012
      • C:\Windows\system32\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\System32\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          • Modifies data under HKEY_USERS
          PID:2912
      • C:\Windows\system32\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Windows\System32\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          • Modifies data under HKEY_USERS
          PID:3488
    • C:\Windows\Installer\MSI3686.tmp
      "C:\Windows\Installer\MSI3686.tmp" -rptype 0 -descr "Installing COMODO Antivirus" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\Installer\MSI3686.tmp
        "C:\Windows\Installer\MSI3686.tmp" -rptype 0 -descr "Installing COMODO Antivirus" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log" -working
        3⤵
        • Executes dropped EXE
        PID:2392
    • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --installCertificates
      2⤵
      • Manipulates Digital Signatures
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      PID:3684
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      PID:3800
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      PID:3820
    • C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe" /RegServer
      2⤵
      • Executes dropped EXE
      • Registers COM server for autorun
      PID:3832
    • C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --updateHtml
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1080
    • C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll"
      2⤵
      • Enumerates connected drives
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Registers COM server for autorun
      • Modifies registry class
      PID:1584
    • C:\Windows\syswow64\MsiExec.exe
      "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcom32.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3040
    • C:\Windows\system32\MsiExec.exe
      "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:1744
    • C:\Windows\system32\MsiExec.exe
      "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:568
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2972
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000005B0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3044
    • C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"
      1⤵
      • Manipulates Digital Signatures
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:3360
    • C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding
      1⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3196
    • C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding
      1⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1132
    • C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding
      1⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\f772c81.rbs

      Filesize

      3.3MB

      MD5

      b931cfcd2635345c3295bfa106393ded

      SHA1

      803a0d65e29a3f749451e6ff6ac4189a40536444

      SHA256

      62a01f4ec51adb7adbd36f37e3daff3f05d4af3c145d6b4e6ebf80cd0ca0003c

      SHA512

      c9d373911b6925a7e6f2c9dcd681facc7465befa5d08d17208fb7a78a39b55a5042458680fff7826287f9045b55c5ea04f517856a18f9ad1175bb44df62c74e8

    • C:\PROGRA~3\Comodo\Cis\QUARAN~1\Temp\Cab823C.tmp

      Filesize

      29KB

      MD5

      d59a6b36c5a94916241a3ead50222b6f

      SHA1

      e274e9486d318c383bc4b9812844ba56f0cff3c6

      SHA256

      a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

      SHA512

      17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

    • C:\Program Files\COMODO\COMODO Internet Security\cfpver.dat

      Filesize

      13B

      MD5

      0889f8a78fdb667192b0a3617c51db9f

      SHA1

      32e9fe7b4f309e1605ff3a55ea1e613167f463f3

      SHA256

      6cc8b0fb91f5e5d31e6b58ecd11f33ef2c8e2d65a20639374fe0789deda57056

      SHA512

      a357766bef664ad1ae093f04c470078c5f2288d9ef6deb876b5e2b97ab6211c9cfb87c40c545ff3c5288cb04bac89c862fb21eefef784ab574bc8e3a5f6c1f47

    • C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll

      Filesize

      252KB

      MD5

      b54ba5c6737c7c84b5ef7117eadc0664

      SHA1

      4a879b436e5c60f40aabaf9da97396cb3631acb1

      SHA256

      92e3b22a5652fce895eeee118dabf070eae0a9e7575324970cc0e43723c37e55

      SHA512

      382969362f55513fcbff571f23058f6031d4cd96e05ae1808b348df67e032cf2f667812b90718abf3eb79aa24dd5c4061b34c09ad06a044d13828c5f21fbccf2

    • C:\Program Files\COMODO\COMODO Internet Security\cmdres.DLL

      Filesize

      441KB

      MD5

      6d7caec45f44db9a57307fdca673531c

      SHA1

      6c03ea2c84837edb1ff28d883db361fe8b530ba4

      SHA256

      973b7eef70905bde2716eb07626f9a7df9736190e02922eefff2b47619d81ebc

      SHA512

      9f5f204cabeee610b09321d1fdeb416e92d0ce1137f18f1544cca5496e48937ba381d2ed916cd8fb6a53834f20e566caa576b7a5792c5b7aba2c4a7000a9715e

    • C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\binaries\files_info.dat

      Filesize

      34KB

      MD5

      f42c56a1f750bdf43155a2aee0f1407c

      SHA1

      0929dd9594fccffe5e7e43ea33a5eb6467afab0b

      SHA256

      86e8a71d1327fe5f26901c8a7d10bac322dce1ff621e1339db9c7b6ab905244c

      SHA512

      31dc56d6455391a0075ab59d438335c9d38da43e1ef974bcdf14be059d63d48f8a8f7a1f6cd9eb5e790519a3824f59387abafef48417bbeb74e34b526646b8d9

    • C:\ProgramData\Comodo\Cis\Quarantine\Temp\Tar824F.tmp

      Filesize

      81KB

      MD5

      b13f51572f55a2d31ed9f266d581e9ea

      SHA1

      7eef3111b878e159e520f34410ad87adecf0ca92

      SHA256

      725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

      SHA512

      f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

      Filesize

      2KB

      MD5

      ca717d4ff2cc3464e706594d739f9196

      SHA1

      cc574d9890e8037ae0cd44b2674f6cd814610f87

      SHA256

      66ed6457bedab37ba78c62303ef4cab5998e7852c6b8e42e2c2c7ae0aa7417ed

      SHA512

      a20680759913f19e54a988bb418382a690ee53824be69d9a913a622217100d1ebbbea723f209748fa0c4122ff2ee359c85be1d7127653a6c8246f7b492bc4716

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

      Filesize

      509B

      MD5

      43432c50e7dcd48ddef7104a3adfc790

      SHA1

      24864aa145bd1c14335353abf81d7444da8377ef

      SHA256

      c919278f34b9b472b8be47abd92f4ec04e2c6d34a67edd39b80a9a50747016f1

      SHA512

      798c92b89412e9d119fbd0d6aa87a39a957816b3df9f468d5f020b3537d1626f21d22e8fe887d52e60c8cbb72a5e3fbde1e7f0061abe5bfc1cb9ebedf49137d1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

      Filesize

      1KB

      MD5

      8ba657489fa4c27e599af2594f82a47f

      SHA1

      38cacec6ddab083174de581cec4f6d3a2556fded

      SHA256

      c65292440779c0727c5715518ab878d2bf325c54881b60edf911f45eeedd8038

      SHA512

      bfc78ae5ffd808d78413f16204f984f636ada625113083e68634730a04e4798dd04506a7b488d13068c0a966b74bb4e635c935d522a7c36c4dc33f215443c1fe

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

      Filesize

      490B

      MD5

      d58e8fe7f69017cc5df020f11653f9d1

      SHA1

      9360c6357881294ac27ed86e52275cfc3d0ac5c4

      SHA256

      b20cf79ba01c7354abf82aa3e361c5c951d47296b5f707aa1c3726f3b0173881

      SHA512

      4b51a7f1c318b0e75e39d3355e6adbbb41f9dfeebe4d1304f024aca882c24f6be037efbf7af3653b83d9dead10518e11ac5bd7b181ebcd07ab50c1e9d66c438b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

      Filesize

      490B

      MD5

      6745f9dc413026cfe4241f2c26e4545f

      SHA1

      e5ae27681d0753170070b1f78feba38250835aac

      SHA256

      722bf0705ff9a401e346fa338bee3395aafc06b06a3e76bb766d8b26b5b365f8

      SHA512

      263524ed6a5594af18001fedf87f4997bff7ab6f87d4f94ea7ce489e8dbb6a4c54db1341ad122223ba17b6f5bc9e2ff6232981d3d0d8fd0c78ddbba0930e64a5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d69d4cf2f02b8784adc04d9b966614e3

      SHA1

      e943ef510c64b41c2b99344bd5d6405d1f7cfbd0

      SHA256

      99c28602f5e456d746510d75c5265d76da4aa7a91b617bd7cbf92c91c5df6b87

      SHA512

      ceb30da96d7d9871914c26223b71d19a705828fe0eb7da44f0c3b9b9978e1ea8159ada47cce98e56bda708ec1d8a80cd6a99cde90a2d19e6362884d0a932d6ab

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6027698aa2d929b1945bb2bf1993bf93

      SHA1

      65226d64af8693715488661669590764e51c2402

      SHA256

      94689b61b99f2c0ad2a30ac056bd4ce8607ba3e504e0038a2f718a2ba93b5db9

      SHA512

      8e306c5c0d7b75ab4edec88eed0d6f1705d0f4a96b70c9ea25b4a253d21e8a0926b049c4c6a65a90aea9f473406b91278852239fbcd244b761d0d47510f8de6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

      Filesize

      486B

      MD5

      14a5b17fc1f7eb4db7605b139c07cf19

      SHA1

      ea2ddaa1971cdc63402d0a74a50e7c671badb145

      SHA256

      b5170a5df4bbb2825f5ac549b9b4d10f97832084b0d311a871a69f7dfa696195

      SHA512

      975f1d3775d83f3ef02cb05c7029f432aeb33e7db353e3651a4c570fcf510309576dbc5049638858790dbc5c6f484a94b1e75481b5375863f9d21486067e0a6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      82ffbbef07e0472b33221b56af8b6754

      SHA1

      a4ca28924de7b080f59df263bd5632aca982b702

      SHA256

      3faecf7e472d8e4ec3187348a7fd8d83784d3f59f61a31122326bb4274873ee2

      SHA512

      fa316d438d66bad343024d4bf60d0b80a55625444ef2a40a7526798d93fdb7493b270deb313f6a360fa50f66b4df2c5621c3b82551340978229fe6479e586815

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll

      Filesize

      4.2MB

      MD5

      6d9aa26bb18af69dc74ae8e822eb53dd

      SHA1

      6ef20da9b9e70afa742f047f1c6f9d3e58290450

      SHA256

      cf140523b8834de1c37efa29b02adcdc88babc0f8ee90ba93dd98c260d7036c3

      SHA512

      3a9e8f15d207e98bb182f8d1838e93dba9750e6cfc79b72aab0706f969866447e50b3ab28bc1768a7cac7e7733cde80085cabcefefae0d287f08374578935c36

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdres.dll

      Filesize

      367KB

      MD5

      a4b3e07a9d407bca7a0ed76ea7c4945f

      SHA1

      af16d87110e2f9e64d5c35a6d522151b69377bbc

      SHA256

      b115a17e7500dbc34cce1f8e84a59f072a26ad49be5dcde6ac5908e4d2ad3555

      SHA512

      77c6ba298f5bd4c04192660d365d2a45ecb23fa441818735bd01050677037e1976670dcb457b6684343fbccb02a6fcfd98f22ae9f2de263057157917ee28d981

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer_langdata.bin

      Filesize

      5KB

      MD5

      b80eda6258e28b537651f8e5ebd997ff

      SHA1

      826741e138e8342f4bc3303838e347a44bb93546

      SHA256

      6e960dfed451c2dfb99352d25d3df8dd46fe7d80c9af79805c0cfbd1a99a2709

      SHA512

      9fce1cb5fe8b6a2bc4d13c1ca3ec31c926c6dd33717f145da6952ae33144eb11a6ee9e751e1d3e2d5d6ce7768e9f9602773a917d9f5f8473670e6d631b932b74

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\themes\ilycia.set

      Filesize

      764KB

      MD5

      7b85f91536c8342ac64d3edece2af7fe

      SHA1

      1e28c62364f606f03078e985222a2e3400a483c6

      SHA256

      918e7aad857776a895ecdf850665c355026882bcf1e0eba279ff4f7aa4b6bbae

      SHA512

      42cbaca95018eba8b05d3d586dbe8537ec1130af9edd813c4e7affef88c804a4ae65d9a446a95326508cd21da03a7e6a7969f6de5a68e69ce86c827f4308ac5a

    • C:\Users\Admin\AppData\Local\Temp\COMODO Antivirus_24-06-01 07.10.07.log

      Filesize

      1KB

      MD5

      7b6e2764cd8186079d67fbce9642fe33

      SHA1

      76e5bcf793b50a6f6b898d81e9b00518bdabcedb

      SHA256

      2267d759de9a423832367ead87c8e8ed418ad3bd6a9be1ea666fd799cff89657

      SHA512

      62c450a888084a813a6e71601dc12ae06c337dee39156bb910c69549b26fa04a0036c81c1cf533ab180c1f5e5dea6a26ecd5899ab03ca4e1eaffbc8d3a282db5

    • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

      Filesize

      3KB

      MD5

      df2e1e7d43c66692a20bab6ddda933c2

      SHA1

      ff83a0e2a630d2c5b6bddc9069b9d231b90f3217

      SHA256

      1d9e1a7b6049639493cb4d5323c774cabbc0c2e45460d730ce47d5cd3a519453

      SHA512

      e9c35efde413af95beefdf6482bea22ee75d9e15196ef6e71dd870ad15f7041fde3198244556cad6c4e01fa5e2798bdfe265261be201661de4c659742c52f007

    • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

      Filesize

      5KB

      MD5

      83c2af34cc3f2e782cf902e55b04cc0c

      SHA1

      c038b3311a3704f42b895f2d8a67b257f1b7779b

      SHA256

      cada64634101eea36de887b62b6d6e67528d82c74d922b4e5642bfabff3dd4d0

      SHA512

      a4184940138ebdc0848b32d3b781398f9679bba20525e6d6b5399689ce236ddc23645cd0ebda17b3dd90348a9878faac115ed9989bc2e3e5e63462d1acc5fe75

    • C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

      Filesize

      7KB

      MD5

      7aa56aa8db3acc908d86828b7c5686cc

      SHA1

      fa8290bb5697b35e5c0d1ed8fd040680b2764576

      SHA256

      5af2cb347d8a4bf5e406d2cddb1cd07d75b87b0bed12d308f06cbc0b5aca9a70

      SHA512

      9a3140cabf791bd0a3c915be18b5824dc832fad26f9793ab3295c2f8a771cf023fd8971bdecb53aa3cf3c0339f9b0e73d366e330c942f9886b7f71e1d22d0c0c

    • C:\Users\Admin\AppData\Local\Temp\Tar1F49.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\Installer\MSI3094.tmp

      Filesize

      1.6MB

      MD5

      0d1b3d26a9d0c59e8da1d3df6f5235a9

      SHA1

      d4f7c0253c0d8fd02a3cee0462d3912db759b962

      SHA256

      355fd71a76f85e8dc7fa18a007809c4381c2afe887d7a25ce9e1e95070f26b33

      SHA512

      ef0ce0879a1cda3822f7281373e31dd196dfee76ada9645e89332473ba416b691ca3ab710ad4e86dc37de143dd6cadc1b3955f13a318a1c49fd2890660844c56

    • C:\Windows\Installer\MSI3686.tmp

      Filesize

      163KB

      MD5

      c435f554a0823a156c21d8ebe6487fb0

      SHA1

      a078ca18d0532f33d10a8e898970e3f0ed2c1985

      SHA256

      d8a42eda60051799d97883dcc0f27b2f87f39d39d5a46047590c403d57e29d25

      SHA512

      d4e405fe17079e2e3943d0e625f2d8c530398467cbd6a575828c84b46df2c1aeb66c16f7d54973f280c5319366767cbc3fe741aa2f2f00ebda590c0ee85c745a

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      8dc1462bdd04264b22295ee3675d92d5

      SHA1

      299b0bfc82ad57280d8004099a80c2bf2212b0d1

      SHA256

      dfd91f255bd641874ae27b41d55b875a6227dbf6772898d69e67c458e4df86bf

      SHA512

      2ce3357e2270887ffe616ddf5957f5729f9cc71d1ba4111764212ca12604e05b8303af6b76a8d6289dbcbd8e373f7bd7e440623422f5d2a52af2ead2fbbc561e

    • C:\Windows\System32\drivers\SET6539.tmp

      Filesize

      28KB

      MD5

      bd355711c7c960c0bd1ac44e1f7052a6

      SHA1

      0f42054de62da794526fefb08d4bf73e12016681

      SHA256

      00ed372159987455a77418ed8c315c42d523f850423587aefc666af79a53f2ae

      SHA512

      165c1344b84bac56f4aa11b298134741ca78c90f71163a718880870cde98e06210f2a7b4e35ac0db9be006b89715536ad54167580292bbf36b68491a837881dc

    • C:\Windows\System32\drivers\SET653A.tmp

      Filesize

      841KB

      MD5

      235a8a617a3e4aaa121debeb2883d47e

      SHA1

      998b02236a6a13a14f09b32a2e8387f0a6488d35

      SHA256

      3f4f034d8dcad822ed462f1363f1a52c958fc3870cc15f506d2842d7f990960f

      SHA512

      c87fe51403dccf47e3b6d00f823f8493aec321defef6ddd731f4d607dbc45e6249b44abf15785913be7d55a74f90b833157a7e4202fa62d4c7e06be76c6ceaea

    • \Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

      Filesize

      5.5MB

      MD5

      50a9b8ada65d917c4470c35a24e5321f

      SHA1

      cf7b45814560418fdef69aaad2f0bc348f95aa78

      SHA256

      604e6a806d37c436b5858d9521d52f18bb779caa23f7b79d534de19d141a2d8e

      SHA512

      b69049aef1f1f80e6a4494d265ea65e01a979b3e9521966a5f608ace6c4fa05e7cf3d4f44260d2f38d7f7ebd723221867ccdd8e31d7f728de18151fa2d8e367d

    • \Program Files\COMODO\COMODO Internet Security\cisbf.exe

      Filesize

      251KB

      MD5

      0ac6f2e6487b82ccb89033ee84b615e1

      SHA1

      db55e4017c4c7f442b8565cc80492d4261f1a539

      SHA256

      7c3393696d205b935add38ea8a8ada9f7fe18d896cff97111b08f59a5b04e475

      SHA512

      a67c0d4675f325b479539c57c63944ce32632b4e1dfaf5507ed00bc2f8128dfd2c179138afeb35a7acdd8c932124c550a748db389a42082f3e03a19d9868db55

    • \Program Files\COMODO\COMODO Internet Security\cisbfps.dll

      Filesize

      98KB

      MD5

      728a97b5b669c3b6dee064b5b3dc636d

      SHA1

      cb3d70083d65aea7dd18ee4da3844138a0d0ceef

      SHA256

      1306e31bdfb5c9e30b0b261125a83c5c544b3aee0e450b547e4055d533451169

      SHA512

      7ddcfc99ee9d4c351ad4b0622af24d27e5a6f64123fa0ae542918efc86ba832cf76b0bb36e9943be3bd6ba0d78be926310fe997045ae5babbf1f90f411b97930

    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.dll

      Filesize

      277KB

      MD5

      7baac18fb157c76574ca3d7a2f5eb193

      SHA1

      6460577ce621fa28133096073376f6a88f8acd61

      SHA256

      347144ae998d96c6b8664abf56f3ff8cfa4dcdfd6e13205d7e8ee2f3b77eefc2

      SHA512

      513cc213da81db470f8675c29162f4b724bb92a690edd451025eb68588971eebb937f88cc5a659222f2bbbd99440aa56800bf4167bb8912ea87a0b2648b002ea

    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

      Filesize

      5.7MB

      MD5

      74cf93a3d559a630911fc94568b99e1e

      SHA1

      a5f164154e164174c715e493f440b1935ec53af8

      SHA256

      fe82eb2103b177370e742aee40a2b840805516ff23867f6b9bd3655a401eb50b

      SHA512

      c000d512e270d7f89058fe52a3ecfac6f60462eed21b134ebb57640cc6425e7ece9b6ce683acc666d8358875c8d621497a8e3eb95b4ad72311efb9d12c03100a

    • memory/1132-2248-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/1132-2228-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/1132-2227-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/2816-2267-0x0000000000A40000-0x0000000000A41000-memory.dmp

      Filesize

      4KB

    • memory/2816-2594-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/2816-2266-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/2816-2265-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/2816-2613-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3196-2211-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3196-2209-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/3196-2208-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/3360-2204-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/3360-2580-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3360-2605-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3360-2607-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3360-2205-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/3360-2615-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3360-2624-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB

    • memory/3360-2626-0x0000000077B90000-0x0000000077D39000-memory.dmp

      Filesize

      1.7MB