c11bfd3d7eaf905c5b40e3328149a142b6cfb7d44a93159c3c96ff39d3bdbb34

Analysis

max time kernel
209s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

avira_fr_sptl1_1224300584-1665401309__adwb.exe
Size

5.7MB
MD5

85ddb6b0301a2bca0eba9d647d5521b3
SHA1

9dcd4ad1617387f20784775b0884da78a0e370f8
SHA256

c11bfd3d7eaf905c5b40e3328149a142b6cfb7d44a93159c3c96ff39d3bdbb34
SHA512

a103a641fdf91a0d84568714ba2ec10508d5dbcd247b6ec9a37122889b471df91cd436bc20b061d52cedac5cf58eb75c3c635626273af77e4a920b970d03cbf3
SSDEEP

49152:S50Bi3BhiwzTqO4XXXpDYALLRENU9Qd+bukvZ9Es21uUHxjCNdJd1cgrgDQMHLZ/:EiwzTfkXWU9w6ZvZ9EzjHEVxl/c

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET946D.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_traverse.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_traverse.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_process_monitor.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\drivers\BdSentry.sys	SentryProtection.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET941D.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_process_monitor.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_filesystem_filter.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET941D.tmp	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET94EC.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_filesystem_filter.sys	rtp_setup.exe
File created	C:\Windows\system32\DRIVERS\SET948D.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET94EC.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\BdSentry.sys	SentryProtection.exe
File opened for modification	C:\Windows\system32\DRIVERS\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET946D.tmp	rtp_setup.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET948D.tmp	rtp_setup.exe

Executes dropped EXE 46 IoCs

pid	Process
1152	Avira.Spotlight.Bootstrapper.exe
3552	MicrosoftEdgeWebview2Setup.exe
1432	MicrosoftEdgeUpdate.exe
2820	MicrosoftEdgeUpdate.exe
1348	MicrosoftEdgeUpdate.exe
5092	MicrosoftEdgeUpdateComRegisterShell64.exe
1560	MicrosoftEdgeUpdateComRegisterShell64.exe
4508	MicrosoftEdgeUpdateComRegisterShell64.exe
2140	MicrosoftEdgeUpdate.exe
4012	MicrosoftEdgeUpdate.exe
3952	MicrosoftEdgeUpdate.exe
3912	MicrosoftEdgeUpdate.exe
3780	MicrosoftEdge_X64_106.0.1370.37.exe
5084	setup.exe
3316	MicrosoftEdgeUpdate.exe
3660	avira_spotlight_setup_adwb.exe
4500	avira_spotlight_setup_adwb.tmp
2912	avira_fr_sptl1_1224300584-1665401309__adwb.exe
3576	Avira.Spotlight.Bootstrapper.exe
5012	Avira.Spotlight.Bootstrapper.ReportingTool.exe
912	avira_system_speedup.exe
4520	avira_system_speedup.tmp
4180	Avira.SystemSpeedup.Core.Common.Starter.exe
1708	Avira.SystemSpeedup.Maintenance.exe
4832	Avira.SystemSpeedup.Maintenance.exe
464	Avira_Optimizer_Host.exe
908	Avira_Optimizer_Host.tmp
4284	Avira.OptimizerHost.exe
996	Avira.OptimizerHost.exe
2528	Avira.SystemSpeedup.Maintenance.exe
3432	Avira.SystemSpeedup.Maintenance.exe
3400	VpnInstaller.exe
2212	Avira.VpnService.exe
5024	endpoint-protection-installer-x64.exe
2396	endpoint-protection-installer-x64.tmp
380	Avira.WebAppHost.exe
3532	Conhost.exe
4524	endpointprotection.exe
2608	rtp_setup.exe
2132	unins000.exe
5092	_iu14D2N.tmp
3528	Avira.Spotlight.Service.Worker.exe
4788	rtp_setup.exe
5016	endpointprotection.exe
1704	SentryProtection.exe
1292	firewall.tools.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\1.0.0.0\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFoldersMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\1.0.0.0\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupDesktopMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\1.0.0.0\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\1.0.0.0\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFilesMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\1.0.0.0\Assembly = "Avira.SystemSpeedup.UI.ShellExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\1.0.0.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\1.0.0.0\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFoldersMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupDesktopMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\1.0.0.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\1.0.0.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CAB5786-30E8-3185-9B3B-CCEFBF1B8AFE}\InprocServer32	RegAsm.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AviraOptimizerHost\ImagePath = "\"C:\\Program Files (x86)\\Avira\\Optimizer Host\\Avira.OptimizerHost.exe\""	Avira.OptimizerHost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AviraPhantomVPN\ImagePath = "\"C:\\Program Files (x86)\\Avira\\VPN\\Avira.VpnService.exe\""	VpnInstaller.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	avira_system_speedup.tmp

Loads dropped DLL 64 IoCs

pid	Process
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1432	MicrosoftEdgeUpdate.exe
2820	MicrosoftEdgeUpdate.exe
1348	MicrosoftEdgeUpdate.exe
5092	MicrosoftEdgeUpdateComRegisterShell64.exe
1348	MicrosoftEdgeUpdate.exe
1560	MicrosoftEdgeUpdateComRegisterShell64.exe
1348	MicrosoftEdgeUpdate.exe
4508	MicrosoftEdgeUpdateComRegisterShell64.exe
1348	MicrosoftEdgeUpdate.exe
2140	MicrosoftEdgeUpdate.exe
4012	MicrosoftEdgeUpdate.exe
3952	MicrosoftEdgeUpdate.exe
3952	MicrosoftEdgeUpdate.exe
4012	MicrosoftEdgeUpdate.exe
3912	MicrosoftEdgeUpdate.exe
3316	MicrosoftEdgeUpdate.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe
3576	Avira.Spotlight.Bootstrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\BootOptimizer	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "78"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\Path = "C:\\Program Files (x86)\\Avira\\System Speedup"	avira_system_speedup.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\MyA	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\BootOptimizer\StartDelay	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\TooltipShowDelay	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\UseAcceptanceBackend	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\LastEngageUpdate	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\LastEngageUpdate	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\SimulationMode	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Date	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\Features	Avira.Spotlight.Service.Worker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallAntivirus = "Install"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "46"	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Speedup\Logging	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\OptimizerHost	avira_system_speedup.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Speedup\BootOptimizer	avira_system_speedup.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\MultipleInstances	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Name	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\Expiration = "0001-01-01"	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "41"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "43"	Avira.Spotlight.Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\LicenseType	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\\General	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "87"	Avira.Spotlight.Bootstrapper.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General	net1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\DesktopCleaner\ShellContextMenu = "0"	avira_system_speedup.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UseGlobalUninstaller	avira_system_speedup.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\Power Profiles\WindowsMode	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Power Profiles\BatteryBoostMode	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\General\LastScan	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Telemetry	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Type = 0000420050005d00	net1.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Scanner	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "15"	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security	avira_spotlight_setup_adwb.tmp
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Speedup\Logging	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\OptimizerHost	Avira.OptimizerHost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Power Profiles	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Serial	net1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UploadAllErrorReports	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\OptimizerHost	Avira_Optimizer_Host.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\OptimizerHost\LogLevel	Avira.OptimizerHost.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Scanner	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Number	net1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Last = 56000000050009001f00090053004b0004005200	net1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Beta = 0000510059004b005700	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "80"	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Speedup\General	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\ExtendedProgressLog	Avira.Spotlight.Bootstrapper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UseGlobalUninstaller = "1"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface\UiLanguage = "fr-fr"	avira_spotlight_setup_adwb.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	avira_spotlight_setup_adwb.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Telemetry	avira_system_speedup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "77"	Avira.Spotlight.Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\BootOptimizer\CleanupDelayed	Avira.SystemSpeedup.Maintenance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup\MyA\Serial	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Power Profiles\TurboBoostMode	Avira.SystemSpeedup.Maintenance.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\Power Profiles	avira_system_speedup.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\PrivacyCleaner	Avira.SystemSpeedup.Maintenance.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "66"	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Speedup\PrivacyCleaner	avira_system_speedup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\InstallProgress = "79"	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	avira_system_speedup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Avira.SystemSpeedup.Core.Common.Starter.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_0DEE1342E46668773EFEEB5337A1D453	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_0DEE1342E46668773EFEEB5337A1D453	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_63FFD9ACA3CC5EA7EBDA5A9ACC91E079	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_63FFD9ACA3CC5EA7EBDA5A9ACC91E079	Avira.OptimizerHost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Avira.Spotlight.Service.Worker.exe.log	Avira.Spotlight.Service.Worker.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_2F62D301E22E4B38ABB2A25A5848E9AE	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	Avira.OptimizerHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_2F62D301E22E4B38ABB2A25A5848E9AE	Avira.OptimizerHost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Avira\System Speedup\is-ONIJ0.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\vn.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ws.png	VpnInstaller.exe
File opened for modification	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-engine-1\aeml.dll	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-engine-1\is-0BAKD.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-EKP7E.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\psmachine_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\106.0.1370.37\identity_proxy\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Avira\Security\is-99NFO.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\Map_pro.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\bl.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\mip_core.dll	setup.exe
File created	C:\Program Files (x86)\Avira\Optimizer Host\unins000.msg	Avira_Optimizer_Host.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\package.json	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\legal\engine\is-3OVGP.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Avira\System Speedup\is-OOPGD.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\pt.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\views\directives\regions.html	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-743EL.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-L7OCC.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\it.png	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-MAP36.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\drivers\firewall\Win10-x64\is-NRP1B.tmp	endpoint-protection-installer-x64.tmp
File opened for modification	C:\Program Files\Avira\Endpoint Protection SDK\amsi\Win32\avamsi.dll	_iu14D2N.tmp
File created	C:\Program Files (x86)\Avira\Security\is-OAPE5.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\System Speedup\is-KNJHL.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\System Speedup\sdf\is-U828C.tmp	avira_system_speedup.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\106.0.1370.37\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Avira\Security\x86\is-820R9.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\is-PT3ML.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\certificates\is-7DE17.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\106.0.1370.37\EdgeWebView.dat	setup.exe
File created	C:\Program Files (x86)\Avira\Security\is-GG3GM.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\Security\is-0BQVN.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\System Speedup\is-7V5TS.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\tj.png	VpnInstaller.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\et.png	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\legal\mixpanel-user-tracker\is-HP1J1.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Avira\Security\is-6M4VL.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\neagentDialogMagnifier.png	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-T47Q1.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Avira\System Speedup\is-9HHDB.tmp	avira_system_speedup.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\legal\sentry-protection-sdk\is-603VS.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\nl-NL\is-4PT3F.tmp	avira_spotlight_setup_adwb.tmp
File created	C:\Program Files (x86)\Avira\System Speedup\is-3BEIR.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\js\vpn-1.0.0.min.js	VpnInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_te.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\ye.png	VpnInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\106.0.1370.37\identity_proxy\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-E015V.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\coresdk\avcp-vdf\is-JUAOG.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\identity_proxy\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\106.0.1370.37\learning_tools.dll	setup.exe
File created	C:\Program Files (x86)\Avira\System Speedup\ja-JP\is-UL2TH.tmp	avira_system_speedup.tmp
File created	C:\Program Files (x86)\Avira\VPN\App\images\png\regions\hr.png	VpnInstaller.exe
File created	C:\Program Files\Avira\Endpoint Protection SDK\is-VODSS.tmp	endpoint-protection-installer-x64.tmp
File created	C:\Program Files\Avira\Endpoint Protection SDK\is-KI03H.tmp	endpoint-protection-installer-x64.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ELAMBKUP\SET942E.tmp	rtp_setup.exe
File created	C:\Windows\ELAMBKUP\SET942E.tmp	rtp_setup.exe
File opened for modification	C:\Windows\ELAMBKUP\rtp_elam.sys	rtp_setup.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	rtp_setup.exe
File created	C:\Windows\Fonts\is-V5I9V.tmp	avira_system_speedup.tmp

Launches sc.exe 17 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4284	sc.exe
4448	sc.exe
4936	sc.exe
2336	sc.exe
4524	sc.exe
1128	sc.exe
1988	sc.exe
2808	sc.exe
4600	sc.exe
3664	sc.exe
4532	sc.exe
4536	sc.exe
1868	sc.exe
3780	sc.exe
4336	sc.exe
4728	sc.exe
928	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1288	2956	WerFault.exe	30

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Avira.VpnService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Avira.VpnService.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3496	schtasks.exe
2608	schtasks.exe
1572	schtasks.exe
1936	schtasks.exe
736	schtasks.exe
1288	schtasks.exe
2528	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Avira.VpnService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Avira.VpnService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Avira.Spotlight.Service.Worker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Avira.Spotlight.Service.Worker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Avira.OptimizerHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	endpoint-protection-installer-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ServiceParameters = "/comsvc"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFoldersMenu\ = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFoldersMenu"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83BF6728-A96E-4228-B442-DB539208D56E}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFoldersMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\InprocServer32\Class = "Avira.SystemSpeedup.UI.ShellExtension.SystemSpeedupContextMenu+SystemSpeedupFilesMenu"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D191696-9CAC-4E4F-8EBC-2C7A8910C5B6}\InprocHandler32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{83BF6728-A96E-4228-B442-DB539208D56E}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{700866BB-C8E9-3E71-B359-ABB28BAED0E8}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/Avira/System Speedup/Avira.SystemSpeedup.UI.ShellExtension.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14CB2BD0-2375-3D10-9B5D-5E18865C8959}\ProgId	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "c229c39e345f481c8648bcc2480a0ba8d4345f0b"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.167.21\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 56 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b43471900f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343114000000010000001400000055e481d11180bed889b908a331f9a1240916b97020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa60300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d430f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d430f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b62004000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a8937214000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d430f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.SystemSpeedup.Maintenance.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a00400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a89372190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa60300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4314000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f2000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 03000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a00300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f2000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b03000000010000001400000002faf3e291435468607857694df5e45b68851868140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a00300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a14000000010000001400000055e481d11180bed889b908a331f9a1240916b970030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34310f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa60300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4314000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f2000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b03000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e40f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a03000000010000001400000002faf3e291435468607857694df5e45b688518680f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a89372190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa60300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4314000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f2000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c000000010000000400000000080000040000000100000010000000ee2931bc327e9ae6e8b5f751b43471900f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343114000000010000001400000055e481d11180bed889b908a331f9a1240916b97019000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0281400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Avira.SystemSpeedup.Maintenance.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Avira.SystemSpeedup.Maintenance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e40f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b51400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 14000000010000001400000055e481d11180bed889b908a331f9a1240916b970030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34310f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d820000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	Avira.Spotlight.Bootstrapper.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
1432	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp
4500	avira_spotlight_setup_adwb.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	Avira.Spotlight.Bootstrapper.exe
Token: SeDebugPrivilege	1432	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1432	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	3576	Avira.Spotlight.Bootstrapper.exe
Token: SeDebugPrivilege	5012	Avira.Spotlight.Bootstrapper.ReportingTool.exe
Token: SeDebugPrivilege	972	RegAsm.exe
Token: SeDebugPrivilege	3780	RegAsm.exe
Token: SeDebugPrivilege	4180	Avira.SystemSpeedup.Core.Common.Starter.exe
Token: SeDebugPrivilege	1708	Avira.SystemSpeedup.Maintenance.exe
Token: SeDebugPrivilege	4832	Avira.SystemSpeedup.Maintenance.exe
Token: 33	4284	Avira.OptimizerHost.exe
Token: SeIncBasePriorityPrivilege	4284	Avira.OptimizerHost.exe
Token: 33	996	Avira.OptimizerHost.exe
Token: SeIncBasePriorityPrivilege	996	Avira.OptimizerHost.exe
Token: SeDebugPrivilege	2528	Avira.SystemSpeedup.Maintenance.exe
Token: SeDebugPrivilege	3432	Avira.SystemSpeedup.Maintenance.exe
Token: SeDebugPrivilege	2212	Avira.VpnService.exe
Token: SeDebugPrivilege	380	Avira.WebAppHost.exe
Token: SeLoadDriverPrivilege	3516	fltmc.exe
Token: SeDebugPrivilege	3528	Avira.Spotlight.Service.Worker.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1152	Avira.Spotlight.Bootstrapper.exe
1152	Avira.Spotlight.Bootstrapper.exe
4500	avira_spotlight_setup_adwb.tmp
4520	avira_system_speedup.tmp
908	Avira_Optimizer_Host.tmp
2396	endpoint-protection-installer-x64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2608	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	85
PID 212 wrote to memory of 2608	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	85
PID 212 wrote to memory of 2608	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	85
PID 212 wrote to memory of 1152	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	84
PID 212 wrote to memory of 1152	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	84
PID 212 wrote to memory of 1152	212	avira_fr_sptl1_1224300584-1665401309__adwb.exe	84
PID 1152 wrote to memory of 3552	1152	Avira.Spotlight.Bootstrapper.exe	97
PID 1152 wrote to memory of 3552	1152	Avira.Spotlight.Bootstrapper.exe	97
PID 1152 wrote to memory of 3552	1152	Avira.Spotlight.Bootstrapper.exe	97
PID 3552 wrote to memory of 1432	3552	MicrosoftEdgeWebview2Setup.exe	98
PID 3552 wrote to memory of 1432	3552	MicrosoftEdgeWebview2Setup.exe	98
PID 3552 wrote to memory of 1432	3552	MicrosoftEdgeWebview2Setup.exe	98
PID 1432 wrote to memory of 2820	1432	MicrosoftEdgeUpdate.exe	99
PID 1432 wrote to memory of 2820	1432	MicrosoftEdgeUpdate.exe	99
PID 1432 wrote to memory of 2820	1432	MicrosoftEdgeUpdate.exe	99
PID 1432 wrote to memory of 1348	1432	MicrosoftEdgeUpdate.exe	100
PID 1432 wrote to memory of 1348	1432	MicrosoftEdgeUpdate.exe	100
PID 1432 wrote to memory of 1348	1432	MicrosoftEdgeUpdate.exe	100
PID 1348 wrote to memory of 5092	1348	MicrosoftEdgeUpdate.exe	101
PID 1348 wrote to memory of 5092	1348	MicrosoftEdgeUpdate.exe	101
PID 1348 wrote to memory of 1560	1348	MicrosoftEdgeUpdate.exe	102
PID 1348 wrote to memory of 1560	1348	MicrosoftEdgeUpdate.exe	102
PID 1348 wrote to memory of 4508	1348	MicrosoftEdgeUpdate.exe	103
PID 1348 wrote to memory of 4508	1348	MicrosoftEdgeUpdate.exe	103
PID 1432 wrote to memory of 2140	1432	MicrosoftEdgeUpdate.exe	104
PID 1432 wrote to memory of 2140	1432	MicrosoftEdgeUpdate.exe	104
PID 1432 wrote to memory of 2140	1432	MicrosoftEdgeUpdate.exe	104
PID 1432 wrote to memory of 4012	1432	MicrosoftEdgeUpdate.exe	105
PID 1432 wrote to memory of 4012	1432	MicrosoftEdgeUpdate.exe	105
PID 1432 wrote to memory of 4012	1432	MicrosoftEdgeUpdate.exe	105
PID 3952 wrote to memory of 3912	3952	MicrosoftEdgeUpdate.exe	107
PID 3952 wrote to memory of 3912	3952	MicrosoftEdgeUpdate.exe	107
PID 3952 wrote to memory of 3912	3952	MicrosoftEdgeUpdate.exe	107
PID 3952 wrote to memory of 3780	3952	MicrosoftEdgeUpdate.exe	109
PID 3952 wrote to memory of 3780	3952	MicrosoftEdgeUpdate.exe	109
PID 3780 wrote to memory of 5084	3780	MicrosoftEdge_X64_106.0.1370.37.exe	110
PID 3780 wrote to memory of 5084	3780	MicrosoftEdge_X64_106.0.1370.37.exe	110
PID 3952 wrote to memory of 3316	3952	MicrosoftEdgeUpdate.exe	111
PID 3952 wrote to memory of 3316	3952	MicrosoftEdgeUpdate.exe	111
PID 3952 wrote to memory of 3316	3952	MicrosoftEdgeUpdate.exe	111
PID 1152 wrote to memory of 3660	1152	Avira.Spotlight.Bootstrapper.exe	112
PID 1152 wrote to memory of 3660	1152	Avira.Spotlight.Bootstrapper.exe	112
PID 1152 wrote to memory of 3660	1152	Avira.Spotlight.Bootstrapper.exe	112
PID 3660 wrote to memory of 4500	3660	avira_spotlight_setup_adwb.exe	113
PID 3660 wrote to memory of 4500	3660	avira_spotlight_setup_adwb.exe	113
PID 3660 wrote to memory of 4500	3660	avira_spotlight_setup_adwb.exe	113
PID 4500 wrote to memory of 2336	4500	avira_spotlight_setup_adwb.tmp	114
PID 4500 wrote to memory of 2336	4500	avira_spotlight_setup_adwb.tmp	114
PID 4500 wrote to memory of 2336	4500	avira_spotlight_setup_adwb.tmp	114
PID 4500 wrote to memory of 2808	4500	avira_spotlight_setup_adwb.tmp	116
PID 4500 wrote to memory of 2808	4500	avira_spotlight_setup_adwb.tmp	116
PID 4500 wrote to memory of 2808	4500	avira_spotlight_setup_adwb.tmp	116
PID 4500 wrote to memory of 1572	4500	avira_spotlight_setup_adwb.tmp	118
PID 4500 wrote to memory of 1572	4500	avira_spotlight_setup_adwb.tmp	118
PID 4500 wrote to memory of 1572	4500	avira_spotlight_setup_adwb.tmp	118
PID 4500 wrote to memory of 1936	4500	avira_spotlight_setup_adwb.tmp	120
PID 4500 wrote to memory of 1936	4500	avira_spotlight_setup_adwb.tmp	120
PID 4500 wrote to memory of 1936	4500	avira_spotlight_setup_adwb.tmp	120
PID 4500 wrote to memory of 736	4500	avira_spotlight_setup_adwb.tmp	122
PID 4500 wrote to memory of 736	4500	avira_spotlight_setup_adwb.tmp	122
PID 4500 wrote to memory of 736	4500	avira_spotlight_setup_adwb.tmp	122
PID 4500 wrote to memory of 1288	4500	avira_spotlight_setup_adwb.tmp	124
PID 4500 wrote to memory of 1288	4500	avira_spotlight_setup_adwb.tmp	124
PID 4500 wrote to memory of 1288	4500	avira_spotlight_setup_adwb.tmp	124

C:\Users\Admin\AppData\Local\Temp\avira_fr_sptl1_1224300584-1665401309__adwb.exe
"C:\Users\Admin\AppData\Local\Temp\avira_fr_sptl1_1224300584-1665401309__adwb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\.CR.16065\Avira.Spotlight.Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\.CR.16065\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.16065\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira_fr_sptl1_1224300584-1665401309__adwb.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\ed20f33c-def5-44b5-a713-70e57d9bdf1a\MicrosoftEdgeWebview2Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\ed20f33c-def5-44b5-a713-70e57d9bdf1a\MicrosoftEdgeWebview2Setup.exe" /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2820
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1560
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.167.21\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:4508
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjcuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjcuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDU1MUFBQzItQTg2OC00Q0RCLThGNzAtMjYxOENGOTZGQUVFfSIgdXNlcmlkPSJ7OEFBODAwRTgtQTQxQi00RUIyLTgxQzItQTRDM0UyNzkyQUU5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntEREI1MUM1QS02OThELTRGMkMtQUEzRC1BOEQwNjQxMjVEREJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O200Nks1SzV6MXZ2a05MSHI0YzF4L2hDamU3WlFMZHFLeVo1TndnelYzQTg9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNjcuMjEiIG5leHR2ZXJzaW9uPSIxLjMuMTY3LjIxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NDYyNjg1MTc2IiBpbnN0YWxsX3RpbWVfbXM9IjExNDEiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2140
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{0551AAC2-A868-4CDB-8F70-2618CF96FAEE}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4012
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\326b455d-c0cc-4c25-8c27-d10427d095a9\avira_spotlight_setup_adwb.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\326b455d-c0cc-4c25-8c27-d10427d095a9\avira_spotlight_setup_adwb.exe" /LOG=C:\Users\Admin\AppData\Local\Temp\avira_spotlight_setup_20221010113023161.log /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /LANGUAGE=fr-fr /SYSTRAYAUTOSTARTENABLED=true /WITHSERVICESTOPPED=true /SKIPSERVICEREGISTRATION=true /CERTIFICATESVERSION=V4
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\is-SNE0S.tmp\avira_spotlight_setup_adwb.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SNE0S.tmp\avira_spotlight_setup_adwb.tmp" /SL5="$B0054,36799154,924160,C:\Users\Admin\AppData\Local\Temp\.CR.16065\326b455d-c0cc-4c25-8c27-d10427d095a9\avira_spotlight_setup_adwb.exe" /LOG=C:\Users\Admin\AppData\Local\Temp\avira_spotlight_setup_20221010113023161.log /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /LANGUAGE=fr-fr /SYSTRAYAUTOSTARTENABLED=true /WITHSERVICESTOPPED=true /SKIPSERVICEREGISTRATION=true /CERTIFICATESVERSION=V4
      4⤵
      Executes dropped EXE
      Checks for any installed AV software in registry
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" create AviraSecurityUpdater DisplayName= "Avira Security Updater" binPath= "C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Common.Updater.exe" start= delayed-auto
        5⤵
        Launches sc.exe
        
        PID:2336
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" description AviraSecurityUpdater "Avira Security Updater"
        5⤵
        Launches sc.exe
        
        PID:2808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Update /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-6REVH.tmp\UpdateFallbackTask.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1572
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Service_SCM_Watchdog /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-6REVH.tmp\WatchdogServiceControlManagerTimeout.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Systray /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-6REVH.tmp\SystrayAutostart.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:736
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Maintenance /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-6REVH.tmp\MaintenanceTask.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1288
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\avira_fr_sptl1_1224300584-1665401309__adwb.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\avira_fr_sptl1_1224300584-1665401309__adwb.exe" Action=RegisterFallbackUpdater AllowMultipleInstances=true UnpackInCurrentDirectory=true
    3⤵
    - Executes dropped EXE
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\Avira.Spotlight.Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira_fr_sptl1_1224300584-1665401309__adwb.exe Action=RegisterFallbackUpdater AllowMultipleInstances=true
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_FallbackUpdater /XML "C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\rk4eayxg.5fp"
        5⤵
        Creates scheduled task(s)
        
        PID:2528
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Avira_Security_Installation"
      4⤵
      PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\Avira.Spotlight.Bootstrapper.ReportingTool.exe
      "C:\Users\Admin\AppData\Local\Temp\.CR.16065\c394e907-e4bd-4243-9a77-051d2d71e412\.CR.24092\Avira.Spotlight.Bootstrapper.ReportingTool.exe" /TrackUnsentEvents
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5012
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\816ab6ec-0ab4-4cef-a7a3-cdb9487f2d3f\avira_system_speedup.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\816ab6ec-0ab4-4cef-a7a3-cdb9487f2d3f\avira_system_speedup.exe" /install /OTC= /EMAIL= /LOG=C:\Users\Admin\AppData\Local\Temp\avira_system_speedup_setup_20221010113034474.log /VERYSILENT /SUPPRESSMSGBOXES /LANGUAGE=fr-fr /NOSTART /NORESTART /bundle=sptl1 /download=adwb /Spotlight
    3⤵
    - Executes dropped EXE
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\is-HPDVT.tmp\avira_system_speedup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HPDVT.tmp\avira_system_speedup.tmp" /SL5="$D0054,34264624,916480,C:\Users\Admin\AppData\Local\Temp\.CR.16065\816ab6ec-0ab4-4cef-a7a3-cdb9487f2d3f\avira_system_speedup.exe" /install /OTC= /EMAIL= /LOG=C:\Users\Admin\AppData\Local\Temp\avira_system_speedup_setup_20221010113034474.log /VERYSILENT /SUPPRESSMSGBOXES /LANGUAGE=fr-fr /NOSTART /NORESTART /bundle=sptl1 /download=adwb /Spotlight
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Checks for any installed AV software in registry
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      PID:4520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /F /TN AviraSystemSpeedupRemoval
        5⤵
        
        PID:2660
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /codebase /silent /nologo
        5⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /codebase /silent /nologo
        5⤵
        Registers COM server for autorun
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
    - - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe
        
        "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe" -umh
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\.CR.16065\816ab6ec-0ab4-4cef-a7a3-cdb9487f2d3f\avira_system_speedup.exe" "C:\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe"
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR "\"C:\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe\" /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3496
    - - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe
        
        "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -validatelicense
        5⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe
        
        "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -initbootoptimizer
        5⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\is-KVO4U.tmp\Avira_Optimizer_Host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KVO4U.tmp\Avira_Optimizer_Host.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:464
      - C:\Users\Admin\AppData\Local\Temp\is-3D7NU.tmp\Avira_Optimizer_Host.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3D7NU.tmp\Avira_Optimizer_Host.tmp" /SL5="$2022A,1525703,780800,C:\Users\Admin\AppData\Local\Temp\is-KVO4U.tmp\Avira_Optimizer_Host.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:908
        
        C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe
        
        "C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe" /Install /Silent
        7⤵
        Executes dropped EXE
        Sets service image path in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
    - - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe
        
        "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -ameinstalled
        5⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe
        
        "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -heartbeat
        5⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\02b8004c-b8b4-4e2c-9c93-65e99f1dfc5c\VpnInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\02b8004c-b8b4-4e2c-9c93-65e99f1dfc5c\VpnInstaller.exe" /S /LANG=fr-fr /bundle=sptl1
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Drops file in Program Files directory
    PID:3400
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//1000
      4⤵
      Launches sc.exe
      PID:4524
- - C:\Users\Admin\AppData\Local\Temp\.CR.16065\52dceff5-02cc-4055-a072-766402cf65fb\endpoint-protection-installer-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\.CR.16065\52dceff5-02cc-4055-a072-766402cf65fb\endpoint-protection-installer-x64.exe" /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DIR="C:\Program Files\Avira" /AppData="C:\ProgramData\Avira" /License="C:\Users\Admin\AppData\Local\Temp\.CR.16065\EndpointProtectionSDK.lic" /Log="C:\Users\Admin\AppData\Local\Temp\avira_endpoint_protection_sdk_setup_20221010112922.log" /CACApplication="C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.AdministrativeRightsProvider.exe" /WscAppName="Avira Security" /UpdateServer="https://download.avira.com/download/" /UiPath="C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.Application.exe" /Config="C:\Users\Admin\AppData\Local\Temp\.CR.16065\EndpointProtectionConfiguration.json" /UpdateAfterInstall=off /LogMaxFileSize=10485760
    3⤵
    - Executes dropped EXE
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\is-1IVI5.tmp\endpoint-protection-installer-x64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1IVI5.tmp\endpoint-protection-installer-x64.tmp" /SL5="$30228,239442132,867840,C:\Users\Admin\AppData\Local\Temp\.CR.16065\52dceff5-02cc-4055-a072-766402cf65fb\endpoint-protection-installer-x64.exe" /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DIR="C:\Program Files\Avira" /AppData="C:\ProgramData\Avira" /License="C:\Users\Admin\AppData\Local\Temp\.CR.16065\EndpointProtectionSDK.lic" /Log="C:\Users\Admin\AppData\Local\Temp\avira_endpoint_protection_sdk_setup_20221010112922.log" /CACApplication="C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.AdministrativeRightsProvider.exe" /WscAppName="Avira Security" /UpdateServer="https://download.avira.com/download/" /UiPath="C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.Application.exe" /Config="C:\Users\Admin\AppData\Local\Temp\.CR.16065\EndpointProtectionConfiguration.json" /UpdateAfterInstall=off /LogMaxFileSize=10485760
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2396
    - - C:\Windows\system32\fltmc.exe
        
        "fltmc.exe" unload rtp_filesystem_filter
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_traverse
        5⤵
        
        PID:4860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_traverse
        6⤵
        
        PID:2004
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_traverse
        5⤵
        Launches sc.exe
        
        PID:4532
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_filesystem_filter
        5⤵
        
        PID:4208
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_filesystem_filter
        6⤵
        
        PID:4428
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_filesystem_filter
        5⤵
        Launches sc.exe
        
        PID:4336
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_process_monitor
        5⤵
        
        PID:1144
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_process_monitor
        6⤵
        Checks for any installed AV software in registry
        
        PID:1708
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_process_monitor
        5⤵
        Launches sc.exe
        
        PID:4600
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop rtp_elam
        5⤵
        
        PID:2184
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rtp_elam
        6⤵
        
        PID:3120
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete rtp_elam
        5⤵
        Launches sc.exe
        
        PID:4536
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter
        5⤵
        
        PID:4580
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        6⤵
        
        PID:4216
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter
        5⤵
        Launches sc.exe
        
        PID:4728
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter2
        5⤵
        
        PID:1428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        6⤵
        
        PID:1576
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter2
        5⤵
        Launches sc.exe
        
        PID:1128
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop EndpointProtectionService
        5⤵
        
        PID:2088
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService
        6⤵
        
        PID:752
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete EndpointProtectionService
        5⤵
        Launches sc.exe
        
        PID:3664
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop EndpointProtectionService2
        5⤵
        
        PID:3316
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EndpointProtectionService2
        6⤵
        
        PID:2404
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete EndpointProtectionService2
        5⤵
        Launches sc.exe
        
        PID:4284
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        
        PID:3532
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop BdSentry
        5⤵
        
        PID:3700
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdSentry
        6⤵
        
        PID:876
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete BdSentry
        5⤵
        Launches sc.exe
        
        PID:928
    - - C:\Windows\system32\net.exe
        
        "net.exe" stop BdNet
        5⤵
        
        PID:692
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BdNet
        6⤵
        
        PID:3812
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" delete BdNet
        5⤵
        Launches sc.exe
        
        PID:3780
    - - C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe
        
        "endpointprotection.exe" check
        5⤵
        Executes dropped EXE
        
        PID:4524
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" create netprotection_network_filter type= kernel start= system error= normal binPath= System32\drivers\netprotection_network_filter.sys DisplayName= netprotection_network_filter group= PNP_TDI tag= yes
        5⤵
        Launches sc.exe
        
        PID:4448
    - - C:\Windows\system32\sc.exe
        
        "sc.exe" create netprotection_network_filter2 type= kernel start= demand error= normal binPath= System32\drivers\netprotection_network_filter2.sys DisplayName= netprotection_network_filter2 group= PNP_TDI tag= yes
        5⤵
        Launches sc.exe
        
        PID:4936
    - - C:\Program Files\Avira\Endpoint Protection SDK\rtp_setup.exe
        
        "rtp_setup.exe" install /drivers-path="C:\Program Files\Avira\Endpoint Protection SDK\drivers\x64" /license-path="C:\Program Files\Avira\Endpoint Protection SDK\sdk.lic" /client-path="C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2608
    - - C:\Program Files\Avira\Endpoint Protection SDK\unins000.exe
        
        "unins000.exe" /VERYSILENT /LOG /Rollback=on
        5⤵
        Executes dropped EXE
        
        PID:2132
      - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Avira\Endpoint Protection SDK\unins000.exe" /FIRSTPHASEWND=$50182 /VERYSILENT /LOG /Rollback=on
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5092
        
        C:\Program Files\Avira\Endpoint Protection SDK\rtp_setup.exe
        
        "rtp_setup.exe" uninstall /drivers-path="C:\Program Files\Avira\Endpoint Protection SDK\drivers\x64"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4788
        
        C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe
        
        "endpointprotection.exe" uninstall
        7⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter
        7⤵
        
        PID:380
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter
        8⤵
        
        PID:2172
        
        C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter
        7⤵
        Launches sc.exe
        
        PID:1868
        
        C:\Windows\system32\net.exe
        
        "net.exe" stop netprotection_network_filter2
        7⤵
        
        PID:876
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop netprotection_network_filter2
        8⤵
        
        PID:4860
        
        C:\Windows\system32\sc.exe
        
        "sc.exe" delete netprotection_network_filter2
        7⤵
        Launches sc.exe
        
        PID:1988
        
        C:\Program Files\Avira\Endpoint Protection SDK\SentryProtection.exe
        
        "SentryProtection.exe" -uninstall drivers-path="C:\Program Files\Avira\Endpoint Protection SDK\drivers\sentry"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1704
        
        C:\Program Files\Avira\Endpoint Protection SDK\firewall.tools.exe
        
        "firewall.tools.exe" uninstall --driver-path="C:\Program Files\Avira\Endpoint Protection SDK\drivers\firewall"
        7⤵
        Executes dropped EXE
        
        PID:1292
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.16072\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"
  2⤵
  - Creates scheduled task(s)
  PID:2608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2956 -ip 2956
1⤵
PID:540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2956 -s 1624
1⤵
- Program crash
PID:1288

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjcuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjcuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDU1MUFBQzItQTg2OC00Q0RCLThGNzAtMjYxOENGOTZGQUVFfSIgdXNlcmlkPSJ7OEFBODAwRTgtQTQxQi00RUIyLTgxQzItQTRDM0UyNzkyQUU5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntEMjZDQjE5My1FODhDLTQzQTktODNDMS0xQTgyRDBEQjE3N0J9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90OzA1UWxTc0tWY0FQaEJ2dEljT2s4T2pNTVdYL1FCVENtTFdUY2RSSnd3aVE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSI4OS4wLjQzODkuMTE0IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDQ4MjY4NDkwMyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3912
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6AEF14C6-3D74-4604-ABC6-CF7E6E82CC96}\MicrosoftEdge_X64_106.0.1370.37.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6AEF14C6-3D74-4604-ABC6-CF7E6E82CC96}\MicrosoftEdge_X64_106.0.1370.37.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6AEF14C6-3D74-4604-ABC6-CF7E6E82CC96}\EDGEMITMP_1D198.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6AEF14C6-3D74-4604-ABC6-CF7E6E82CC96}\EDGEMITMP_1D198.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6AEF14C6-3D74-4604-ABC6-CF7E6E82CC96}\MicrosoftEdge_X64_106.0.1370.37.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:5084
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjcuMjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjcuMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDU1MUFBQzItQTg2OC00Q0RCLThGNzAtMjYxOENGOTZGQUVFfSIgdXNlcmlkPSJ7OEFBODAwRTgtQTQxQi00RUIyLTgxQzItQTRDM0UyNzkyQUU5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCMDREOTAxNC00ODg4LTQwOTQtODdEMS03NkQ3OUUwQjA0NjV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwNi4wLjEzNzAuMzciIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ0OTkyNDY4MzUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NTQ2NDM0NTM4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDY1ODE1NDI2NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYjNiMDk5ZTQtNTMwYy00MTRiLWIzMGMtNjY5MjVjNTRmNWZhP1AxPTE2NjYwMDYxODImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Q1NBZ28lMmI0dHlaT1dWTXlBR21yR043aDhDbmNpMFZCcmJJYiUyYklBcEFZcmNGSlFwcng2N2hUSWdXMldIdmlhZHIlMmI0M2thM3ZEYjVqb1l1bDJkc0h2dFElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxMzQxMDE5MjgiIHRvdGFsPSIxMzQxMDE5MjgiIGRvd25sb2FkX3RpbWVfbXM9IjczMjgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjU4MTU0MjY2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDY3NjU5MTU4NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDkxNjgxOTY0MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc5NyIgZG93bmxvYWRfdGltZV9tcz0iMTExMDkiIGRvd25sb2FkZWQ9IjEzNDEwMTkyOCIgdG90YWw9IjEzNDEwMTkyOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMjQwMjMiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3316

C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe
"C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2212
- C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe
  "C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete
  2⤵
  PID:3532

C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe
"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe
"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 7000
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
172KB

MD5
45e07d76113e58ed3eae843d0f391978

SHA1
db05c7094068f52ee4b551314527c625a21f8059

SHA256
29209988e4d7f68adb322af1bbc8e506db5f88279bc12786ca82d88fd135a776

SHA512
1ceb8e654dd9c2d56234ae8182f750644be13aab788fcf0d064f21da0e172e62cd6fa265ffce5b6bdce1b3f6e38707d757ca9d7c5df63f9c870d31426c22bbd4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdate.exe

Filesize
200KB

MD5
d1c3e60c8afb52d707e1fefda65fdea2

SHA1
79b739b599f804a822bf2059b84b1a58838f9a20

SHA256
32cef1f473157936b3adbb35b2566a619d4620af2998e05b01a493edf39d19ec

SHA512
95d6495a7f86424266105138c963504c33f30848e34d5d02a26fee8f1d6b2418d2f1b25e3261571feeecfa8a489c52412180f84cafc12f71fa0d1029c28afa03

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdate.exe

Filesize
200KB

MD5
d1c3e60c8afb52d707e1fefda65fdea2

SHA1
79b739b599f804a822bf2059b84b1a58838f9a20

SHA256
32cef1f473157936b3adbb35b2566a619d4620af2998e05b01a493edf39d19ec

SHA512
95d6495a7f86424266105138c963504c33f30848e34d5d02a26fee8f1d6b2418d2f1b25e3261571feeecfa8a489c52412180f84cafc12f71fa0d1029c28afa03

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
205KB

MD5
cac6c261275e3dd2e3914cfcc292e8e3

SHA1
ad1bffd171be87ce367eb7dfa94e7d535b6dc6a6

SHA256
e309bb6443e9bee17e0f203c2f3089c7ae729cf4429eadc08830961e7281af16

SHA512
2b0a2c6fa205bfed5bed4979f13122f5e6a31124bb9c024d75211eb696284bfe1946b8b32402f6341805a31170223d31e1532895ef61c670678afbc3e7f8dceb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
247KB

MD5
3160bc28225ac26f224c9d8c3dd3879d

SHA1
525c620bef1abd54bad5a7dac99e202dcbdd6c9f

SHA256
d2a4c7517995d3ddb8ce90ab479ffd779aca192beaf22c7367f2d7572633335c

SHA512
1336f8cb2baeffc6e91a06ea927fe8ba3998b9b3ad12d7801dbe2c5db59cb180de95c90f92d72cea82fe6ae338f842448c4b00e1d5c7b3de4e0e85308fdad3b8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
0b450b4d2fa5d196cfb11aef193df865

SHA1
749ef041b43c1153a365847724bc47ade84c59aa

SHA256
78fc4ae5232e4f75c818244b254394a975e16d56021dc7f864955cdbcfb62983

SHA512
ae9438fda4f19c8fc002a7193eb33321f16ee05b3cb401f63c1dfd7fa48d35bb2cce38ac6b64e1a3b23b9b51bb7cfbd2eff1d8b64629bf145cebcff3e26facbf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
0b450b4d2fa5d196cfb11aef193df865

SHA1
749ef041b43c1153a365847724bc47ade84c59aa

SHA256
78fc4ae5232e4f75c818244b254394a975e16d56021dc7f864955cdbcfb62983

SHA512
ae9438fda4f19c8fc002a7193eb33321f16ee05b3cb401f63c1dfd7fa48d35bb2cce38ac6b64e1a3b23b9b51bb7cfbd2eff1d8b64629bf145cebcff3e26facbf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
2eac5bbaddacc9c90a7d52087426319b

SHA1
62631d1714f9c9b4dac99107362a89b0e709e519

SHA256
b75bc84efb4e9798a173c3f3e90fc9f4ed56e5e2b6a9bd5e71bdefa598b4fd16

SHA512
18f5024a7ca1e55fa97b66752b8645f5f7d40d1d6e850d35541de3a0d598cfb7b74386612395aabe856a6f312ed99ebc0e3c1bdca6854386bf30a843240ef137

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
1cabac7c2ff12a0e8ec6f42436210c3a

SHA1
9b0accc8525d591bb5b517a11b9e4e06827892ab

SHA256
606886aed120ed99a6da0bd96ee462a12939299644b23176348e107b232124fe

SHA512
2610051f2998b2ab7221d648b596e3defc06d4af6b6992e1ec9f4418f0d41c466cc947b4d36836182f1a656a8fe11cab943ccf0aba3b4eb8ca0e110ecafa5683

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
0a309d8f9fcd6b07a7e80cbf9062d374

SHA1
a86b8cd6322155a421babf019d33b2853d1ba4cb

SHA256
9fae19dc5943d22e6ef1ed0ad1fd2a3855e942d139ae8b10aaa422b8ff3d7078

SHA512
fc3767323ccab953a9a55c19e5272505ff3cf82ac0fd5a2b00ebd7b142856a2e46e534da61ee2c5f8a4f17e04e6a96c24b0eb86ca497f820879808e52b3a79a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
4359cb661582d525b2b0521de9bf055e

SHA1
2b4bd6ca59e3bb6484346b108eadfa58f0713a37

SHA256
d9fd47207f15d21901c7f0bf6180b0326cf6559483d8a746be20b4d2bee6e80a

SHA512
825816e8dad43e55ffc350917203de5fba686c7b85baf878c7b856494a3d09368a3cadf09db774e150fd96fb80f6fcf1d0e27ec1ed80103ea714a6ee95372471

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
a5a0299366c2aab858908e66452005f6

SHA1
a43f9b06ecc0516742d45b94501c4a2f289ad309

SHA256
c76de0c42cc0459fce633a5afdc10582348b74517bbab87e58995ce5dde3324a

SHA512
5c56ac27e62e893e2ab16ba40e35a2a878e20bb218b4c97bebb9d3026d4b185c85337ee7795af24639ba79792bc58c8f6ed16acc1e3cb840b452b16e3cef9756

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
df66726c21287d3194bc2823c8b39051

SHA1
40d8f982fecbe78d46afaa12bc421474122a9549

SHA256
f11c8daba1f070cdb7328c57cd22666de7e784c3318322fb34d1a2026944be8d

SHA512
5ec560d5dbd72a257bfc8372376da8727b30bd5e01afe51f28c4c0a670aae374f915b888343e47e7817b6f3006df0166f29124e41b32ed3a9efc299734a7d5fa

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
c05a32431758b9154329a022507f18b4

SHA1
f1339d6a92c117adb8ff752d09cfa1b138a7b534

SHA256
eb61d21fa1408a7300cb20939be53b8fa6050dc1e2bf7bf749e9f69fbefea311

SHA512
a91f1a29ef6b316c253430b982507075047025a5c08eb297b63544a7839ac45ecc41f5737c80664a8863ebd2daf21e293c3e369613f9f423a98af741c68aef78

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
565534aa402aa4fbf495b19a224114af

SHA1
e5a96bc68932ab34bb292114ae86e9f46c7e2f28

SHA256
c1ed73de87987e29610f8bf9781388c7ee497b9e53d52e4f8b396eeb8937cd33

SHA512
e6e5b7399d401d4f7bbae5fbf2aca62921133603e361ae8aa8430b9b187f2bef855d5ac13467f8a6f4500e7cd97e7e4e700024c54c65560f527e000dd667fbb8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
cec38b8587697fb3756c87d824a3fa6b

SHA1
38db26fbe8a91d0ddb2ae357ccfc6b6fe6e92b32

SHA256
464a7799eb7c05d28f775294953fc64d6f3978ef652bf3f0f4c7c3bd422690e8

SHA512
e111b175d221a64346c8ef1f4364c94948640afa14395ef50a55e3d3722559c4726bdf60245e77fd4e7ad853c1ce0ee9f1107ffa188fbbfa0e5895b48c9e1a05

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
cdf6f06c7583803765ffb9201bcf8d5e

SHA1
2af217ece211611ba5c6250c8a6d07359cb0bf32

SHA256
37e32cda3a4dac0155613350135dbdbfac1c8e5d7a10ef7f5717dcffb8b4f9ca

SHA512
494ef11db2ab7ff792a24cd89eb53055428a638dd917b6b7f0483bce6d10f57760f6d8786cb4f925bd86db0c656e18a9cf73680bbb6845498f3b82a83014ca51

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
979c55df3e9b16ff0fa594fde20f5c2d

SHA1
ef9e5da9e37e43e66c80593790582c9c0bfb3b6c

SHA256
1174b225b078e6f0986de0a59f0818d3a3df623b163b437be5f32182225ce170

SHA512
709a2efda4ddbd8eb75e91c0ade70563a6dca2d273fa2fd4f3cbd794990498505df0e97b18be28a3ca0de98e3fff5575ed04e540774579e7c86c4d4a9bebff81

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
505cdec7acfeaee40351af218e1eef00

SHA1
79e5ddb99ab4aa02c43b25a6d57e87c4eca1afb5

SHA256
385a5cbc42b93b73f19d1d965382b9953c42bd171f077f6872d365f2cab84c40

SHA512
fb043a69fd04fd0c68747048866697c287014308cfce3b69d6d3a3cf9f56895bd92687df3cce9c6afb81cb076748d1f1645b914145eb438d0d5722791726b89a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
106e9315d74407a2552a0c9364dfd2f9

SHA1
88724d934580924d1297819f97d2bd1e7fec6b00

SHA256
b99d7895c41c4c2918b3f768e4af16172c7f09207cdbd3f2a91770c73637cce9

SHA512
5267c782a25297239185738f18437e9ccbf3b690d9a421c2f9ea2960f0c9183a486c352c3080433fd6931a44154be322ed21c63d68776eb549913d515a765f85

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
020abd9fd7b99a54a210a125c5469bc8

SHA1
5b7bbc5f0487e5955b8b891b728c89404afcd19d

SHA256
16fe6a115d5f75503b0c683099c0ba8330a93d2c6f51171ee1ceef9496a8a917

SHA512
fbe9b6b53c5a28e6ff4f15080fc1789b652808ec196de36f89dba117d5acd48242cd3c27280687c1305f10b92b6637fc79c7716c9f885a15d1c3149ca7661e67

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
b714a4ec7603291a98f2c07cf993f611

SHA1
fb8a9623475ed4ef0fd00b16ba43372c5d842829

SHA256
2a4eb6299914ccca3945ee44014428dc871f8557ea1dbefc23cc5fb58d90b211

SHA512
724052a19161224ec553d52a48aefdf4d56a64fd56f87da684e0fa92832fa699101dcfd71f50df4da3f5162fa628957e138e5e2b085d1a022b3c94190957e481

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
de30ccdce58d87af22c121229e1d034e

SHA1
0a1e42dee0cb30e70aeccdbd69f295c1d38a82fc

SHA256
f2a37ea5b5d3c738dfe71dc638ff21a14fba664980b0086d638b8c7eedbf5cfc

SHA512
8e10ceb08adbc9d04da644a79c77c56a321c7d1d62b9bfc2b480d5963d73dcd6e997ab602cba04945e769c19689b24043c0682bd6619672a9809757155104b56

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUD1F.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
b38fc02921f9cab6df148550631f5d71

SHA1
b6465b3c4ad3518ac1e0368fb00123e60b5de8e3

SHA256
0eafe6e62f849843a0b85f70733e68cb2e31521198508499c39429438f4754d2

SHA512
905fbf837d237c8317b1904967c5637f330345e6b5898ee02791dd46deaa7897e8ee2dab17183a12f3d02e5ff5616b83ab4141d91e5de2f2497ad3c9303f13b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.COMMON.GUARDS.DLL

Filesize
17KB

MD5
3b01bd8e5db865776ff79571cdb580a2

SHA1
2eab636247c2edcfc0000e24c7bf8c8c1e6de6fd

SHA256
2a4022204e2d7710ffe041b863fed86fc0f00a2a6039b9960c371b21407b6c18

SHA512
139a95cd640948df703134d8de5541d170e422a643a272685f3ffafbaaf3e7cfb2396c554398a725eb4635e3e5f2ab2f675e7118eb8271b6cb9de9ede3741dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.COMMON.GUARDS.DLL

Filesize
17KB

MD5
3b01bd8e5db865776ff79571cdb580a2

SHA1
2eab636247c2edcfc0000e24c7bf8c8c1e6de6fd

SHA256
2a4022204e2d7710ffe041b863fed86fc0f00a2a6039b9960c371b21407b6c18

SHA512
139a95cd640948df703134d8de5541d170e422a643a272685f3ffafbaaf3e7cfb2396c554398a725eb4635e3e5f2ab2f675e7118eb8271b6cb9de9ede3741dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.COMMON.MIXPANEL.DLL

Filesize
64KB

MD5
49e0e8f437c146e630e8d7c878f874a7

SHA1
736cf402467778122c51d63103f913ea511f1927

SHA256
9ef6813ded99f6d6f264bac6131de6a84d641ecd5bd6741c875754169cff3e96

SHA512
ccc9e64760f69f8648d080a9ed3f34dcb1b76846825f2b85f56bb308d120125ec4b2af50c8835a071fa26c1eff6b7d1f65d0005433079e4172eb398eae0c5f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.COMMON.MIXPANEL.DLL

Filesize
64KB

MD5
49e0e8f437c146e630e8d7c878f874a7

SHA1
736cf402467778122c51d63103f913ea511f1927

SHA256
9ef6813ded99f6d6f264bac6131de6a84d641ecd5bd6741c875754169cff3e96

SHA512
ccc9e64760f69f8648d080a9ed3f34dcb1b76846825f2b85f56bb308d120125ec4b2af50c8835a071fa26c1eff6b7d1f65d0005433079e4172eb398eae0c5f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.FILEDOWNLOADER.DLL

Filesize
48KB

MD5
21c33c040d27ce5f18f3bde3e4aa931f

SHA1
ba037b37142ec45145b37b07b85ef8877a3ee4fa

SHA256
ca3be70bbb91acbb866d326ca29768c5c8422c06842da2029cb58d6c1a28a144

SHA512
7cce6860aafe3a25ac1051695c0a7e31ed239c3a2b028a7faddc21f791f8e5c912b175ceaeabf8f018f5835178d56ad07ad48255dcbe0899cdedeb98d5880032

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.FILEDOWNLOADER.DLL

Filesize
48KB

MD5
21c33c040d27ce5f18f3bde3e4aa931f

SHA1
ba037b37142ec45145b37b07b85ef8877a3ee4fa

SHA256
ca3be70bbb91acbb866d326ca29768c5c8422c06842da2029cb58d6c1a28a144

SHA512
7cce6860aafe3a25ac1051695c0a7e31ed239c3a2b028a7faddc21f791f8e5c912b175ceaeabf8f018f5835178d56ad07ad48255dcbe0899cdedeb98d5880032

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

Filesize
362KB

MD5
77059ad7cd80d2f5126ae7190752acac

SHA1
0b8124ada148c3473c1e7bd86d82d7fa7cb7809e

SHA256
229aa8d3833d5d44392f774e4d00b399d3b88a6e165913cda0784d06a82fdcd5

SHA512
1414fc9878c94c6b986f4cce249833133420832e9c62c066fb56de45b76c20968c40f287720a2df83eb6d19116ee9bd997de92588902d5e87024f1d870922a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

Filesize
362KB

MD5
77059ad7cd80d2f5126ae7190752acac

SHA1
0b8124ada148c3473c1e7bd86d82d7fa7cb7809e

SHA256
229aa8d3833d5d44392f774e4d00b399d3b88a6e165913cda0784d06a82fdcd5

SHA512
1414fc9878c94c6b986f4cce249833133420832e9c62c066fb56de45b76c20968c40f287720a2df83eb6d19116ee9bd997de92588902d5e87024f1d870922a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

Filesize
345KB

MD5
3b2a564303c77fd8b4a6ee1e99d2d540

SHA1
f8311b77e7ce5385b69e2e4841b130ab8b65fdcf

SHA256
571f6098818e39b9276474549e3b8d91e0a4b70a21d7fca1fc1007f76f855401

SHA512
6062f9433273000b3186c90873d4f8c5b8cf7b9e883d29e359a957cef1aaa3d41814ad4002f3091f33f2408edebf71f895c858400391518ed341e0c35b2d7c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

Filesize
345KB

MD5
3b2a564303c77fd8b4a6ee1e99d2d540

SHA1
f8311b77e7ce5385b69e2e4841b130ab8b65fdcf

SHA256
571f6098818e39b9276474549e3b8d91e0a4b70a21d7fca1fc1007f76f855401

SHA512
6062f9433273000b3186c90873d4f8c5b8cf7b9e883d29e359a957cef1aaa3d41814ad4002f3091f33f2408edebf71f895c858400391518ed341e0c35b2d7c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

Filesize
1.5MB

MD5
ca52e4a0309eb40c2dcd4244a9b2aeaa

SHA1
b859913460456af225e02aeb062d07c90e0f1708

SHA256
e19bf508ad716254f506fa6a65256bcea1312174de344a5d5be5434fe6d2afa7

SHA512
c5185d2b78ca54ce1aa0b69c9095d2b0990edf48cf3f5cd8e785a26e0fade1974df992d7969e23596158dcb44f3ddbbf6b6153169f0c71d47ee0b29991d2be71

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

Filesize
166KB

MD5
51de5cd119bc830206de93ee96444a88

SHA1
0b590ade2e7cda07140f2b0f6aa05a9627922b31

SHA256
4f4b0f11acf7edb61f6f8ed26d03a9691e2e51c9aa3b53438ef30689abc2c1be

SHA512
3bc36446e1bd8e337dd65d73167079d9d8931fcc86337c67af0cfbdd061884219a9a13e719a4cec1684321080081b76ccb64c55a676192ebbe66d11b93c22cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

Filesize
166KB

MD5
51de5cd119bc830206de93ee96444a88

SHA1
0b590ade2e7cda07140f2b0f6aa05a9627922b31

SHA256
4f4b0f11acf7edb61f6f8ed26d03a9691e2e51c9aa3b53438ef30689abc2c1be

SHA512
3bc36446e1bd8e337dd65d73167079d9d8931fcc86337c67af0cfbdd061884219a9a13e719a4cec1684321080081b76ccb64c55a676192ebbe66d11b93c22cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

Filesize
205KB

MD5
225311ccba1fa5842ce1353875ccc572

SHA1
989723cc8e2b0317fbff4401f877320790513df2

SHA256
7a5470a20a27d9df5589d24c30eb41621dd2ff96bf13bba67d64be6514f3f1ac

SHA512
8613f6e725fc6b425fa2cd3dbcb0699e13ba2ebabab91d8d4df40235819fa0fd3c93ca81c267c62c3595b85b7e7b780aee1aec761a44561cf081a1ee9736126c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

Filesize
205KB

MD5
225311ccba1fa5842ce1353875ccc572

SHA1
989723cc8e2b0317fbff4401f877320790513df2

SHA256
7a5470a20a27d9df5589d24c30eb41621dd2ff96bf13bba67d64be6514f3f1ac

SHA512
8613f6e725fc6b425fa2cd3dbcb0699e13ba2ebabab91d8d4df40235819fa0fd3c93ca81c267c62c3595b85b7e7b780aee1aec761a44561cf081a1ee9736126c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOC.DLL

Filesize
438KB

MD5
2178d7eca6ab43ced708ca20a6722a68

SHA1
937536b753b5a4404ed312d0e9a778c67433e771

SHA256
78939516bcac09c1f71e7e33d9a5df07ca6ec4fdd390bc164d20edf01371d5af

SHA512
8f19cac88cb3b1e34cc4b2d5a1429caaf1a9538a23f368cc718d2ef7762bcda3abfbfe4c012c659525fab2fdbb09cb0757ea7557bf3e36fb6bd8f8ec4923bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOC.DLL

Filesize
438KB

MD5
2178d7eca6ab43ced708ca20a6722a68

SHA1
937536b753b5a4404ed312d0e9a778c67433e771

SHA256
78939516bcac09c1f71e7e33d9a5df07ca6ec4fdd390bc164d20edf01371d5af

SHA512
8f19cac88cb3b1e34cc4b2d5a1429caaf1a9538a23f368cc718d2ef7762bcda3abfbfe4c012c659525fab2fdbb09cb0757ea7557bf3e36fb6bd8f8ec4923bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOC.MEFATTRIBUTEDMODEL.DLL

Filesize
69KB

MD5
3aa463876fbdc1d6eea8a195c33ca8d4

SHA1
041df6a3d73ed18c7357e6e6087de0f6b08e7d3d

SHA256
52c2b170499fc6264c4757f3fe8c8ab056aa64caca818fd6b0ec7f55aa611e1b

SHA512
66897b16866b3ba8cb3fcfd5c2f3f41b88b6cddc21ed44ba0a1cb8ee928ccb3e84d14cec868ba683a3295d8fb41668bb6cd1d3e2d3d86cc7d3f83c0c552c5721

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOC.MEFATTRIBUTEDMODEL.DLL

Filesize
69KB

MD5
3aa463876fbdc1d6eea8a195c33ca8d4

SHA1
041df6a3d73ed18c7357e6e6087de0f6b08e7d3d

SHA256
52c2b170499fc6264c4757f3fe8c8ab056aa64caca818fd6b0ec7f55aa611e1b

SHA512
66897b16866b3ba8cb3fcfd5c2f3f41b88b6cddc21ed44ba0a1cb8ee928ccb3e84d14cec868ba683a3295d8fb41668bb6cd1d3e2d3d86cc7d3f83c0c552c5721

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOCATTRIBUTES.DLL

Filesize
32KB

MD5
76629f898346e0e1462655bfe6a28821

SHA1
a5591a4fb8d153256ce0ef02e0225df04c7b289a

SHA256
125f3cb6d9cd6c0fa087d6a8343e983d340d5dada2dbfe05e6bf2288f12a8f12

SHA512
238577f9560018eafb2735e51120d4ac04ddd4e51b9e64471af9da563e58cc3c012ea72f57f0f1fd5bbc668cfb2b256b171c7a965a7968da5603def94d2a3998

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\DRYIOCATTRIBUTES.DLL

Filesize
32KB

MD5
76629f898346e0e1462655bfe6a28821

SHA1
a5591a4fb8d153256ce0ef02e0225df04c7b289a

SHA256
125f3cb6d9cd6c0fa087d6a8343e983d340d5dada2dbfe05e6bf2288f12a8f12

SHA512
238577f9560018eafb2735e51120d4ac04ddd4e51b9e64471af9da563e58cc3c012ea72f57f0f1fd5bbc668cfb2b256b171c7a965a7968da5603def94d2a3998

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
33KB

MD5
befd3d540eb998f3b522074a361ed9b0

SHA1
6c4b5654b322a786e0b2f5cb71a4b6063f16ca79

SHA256
e78e3e9b41983f65c4f60ba9dfaec1ddcc17b9fb7a14e105f738c8d22dcd3b2c

SHA512
a387f7dcdecfc3ec254bfa180480a74306787671c080c8b7cee079baa199e7630741d694c56a236701272d5e14dcd1dfcbaea535e669262366a7f8fd812e9b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
33KB

MD5
befd3d540eb998f3b522074a361ed9b0

SHA1
6c4b5654b322a786e0b2f5cb71a4b6063f16ca79

SHA256
e78e3e9b41983f65c4f60ba9dfaec1ddcc17b9fb7a14e105f738c8d22dcd3b2c

SHA512
a387f7dcdecfc3ec254bfa180480a74306787671c080c8b7cee079baa199e7630741d694c56a236701272d5e14dcd1dfcbaea535e669262366a7f8fd812e9b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\FR-FR\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
26KB

MD5
75026ba5797590d534fdcc8c8bba10f7

SHA1
fbbe359336c8d4a78b8392644c688f8b5ec7d0d4

SHA256
14af68fe1032037b62633b363ae7bc1b7c1dfce49a82da5229153796e7e02dea

SHA512
cdf2f84a103f09d83c748547ab23d74b9348899bd58e0252a834d31fad490f5bf7bfef72cb43fcae8566bc2f5a427e4c20a2edfc183a94add7f42c7370e12ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\FR-FR\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

Filesize
26KB

MD5
75026ba5797590d534fdcc8c8bba10f7

SHA1
fbbe359336c8d4a78b8392644c688f8b5ec7d0d4

SHA256
14af68fe1032037b62633b363ae7bc1b7c1dfce49a82da5229153796e7e02dea

SHA512
cdf2f84a103f09d83c748547ab23d74b9348899bd58e0252a834d31fad490f5bf7bfef72cb43fcae8566bc2f5a427e4c20a2edfc183a94add7f42c7370e12ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\MICROSOFT.WINDOWS.SHELL.DLL

Filesize
160KB

MD5
e30f3664d10ed36454e2e60b9a7b7517

SHA1
a9887ab8ed02bfa3540354004dd859ff35d71a0f

SHA256
32217df3aebb45f4db96b5c50b4005c6498670b0d1267161c748ab5d69f355e9

SHA512
b76a049e544eaf974dc20f6a69e3e6c6c0c57a6da50b86ce24899459fd5768ecc41dbf866a34fa190e5608bef85edf29c3334e44cdbedd79c3c719631ea55bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\MICROSOFT.WINDOWS.SHELL.DLL

Filesize
160KB

MD5
e30f3664d10ed36454e2e60b9a7b7517

SHA1
a9887ab8ed02bfa3540354004dd859ff35d71a0f

SHA256
32217df3aebb45f4db96b5c50b4005c6498670b0d1267161c748ab5d69f355e9

SHA512
b76a049e544eaf974dc20f6a69e3e6c6c0c57a6da50b86ce24899459fd5768ecc41dbf866a34fa190e5608bef85edf29c3334e44cdbedd79c3c719631ea55bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.COMMON.DLL

Filesize
181KB

MD5
b28dd515c279756dafa231c563f4b2fb

SHA1
59529e1afafb0edac6c75e99b050c249ea8e6c3e

SHA256
72b0d3316204164ea6ee60e0af5a9ae4c6f0522df8647bcd0067dc82c60fed45

SHA512
09f77e931d7eb2c883efc4a4b5352d7dd1d6e3b95363c05049fe07c4e3153b01b64d3ff4893545b5897f1a337431350501cfea990362c1d88657cfbbfe710b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.COMMON.DLL

Filesize
181KB

MD5
b28dd515c279756dafa231c563f4b2fb

SHA1
59529e1afafb0edac6c75e99b050c249ea8e6c3e

SHA256
72b0d3316204164ea6ee60e0af5a9ae4c6f0522df8647bcd0067dc82c60fed45

SHA512
09f77e931d7eb2c883efc4a4b5352d7dd1d6e3b95363c05049fe07c4e3153b01b64d3ff4893545b5897f1a337431350501cfea990362c1d88657cfbbfe710b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.COMMON.DLL

Filesize
181KB

MD5
b28dd515c279756dafa231c563f4b2fb

SHA1
59529e1afafb0edac6c75e99b050c249ea8e6c3e

SHA256
72b0d3316204164ea6ee60e0af5a9ae4c6f0522df8647bcd0067dc82c60fed45

SHA512
09f77e931d7eb2c883efc4a4b5352d7dd1d6e3b95363c05049fe07c4e3153b01b64d3ff4893545b5897f1a337431350501cfea990362c1d88657cfbbfe710b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.COMMON.DLL

Filesize
181KB

MD5
b28dd515c279756dafa231c563f4b2fb

SHA1
59529e1afafb0edac6c75e99b050c249ea8e6c3e

SHA256
72b0d3316204164ea6ee60e0af5a9ae4c6f0522df8647bcd0067dc82c60fed45

SHA512
09f77e931d7eb2c883efc4a4b5352d7dd1d6e3b95363c05049fe07c4e3153b01b64d3ff4893545b5897f1a337431350501cfea990362c1d88657cfbbfe710b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.DLL

Filesize
247KB

MD5
03686671b9a9c4a1e36e2a4bef4f0bc4

SHA1
65985b29c6ce04ca1684a2758f9d19eb7a40b48c

SHA256
73c49d192c1b64f6aa80bb65403227dfc69d02d6f8d542998892370d0307e9d7

SHA512
7b0cb6482ccf9dafdb1d849d91ee6d37bcae9661146030ee8a862018ea24e22955dafefdd22b06aa7d13009ead94100e6b32c7bfc3df383c6e8e148ed064f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.DLL

Filesize
247KB

MD5
03686671b9a9c4a1e36e2a4bef4f0bc4

SHA1
65985b29c6ce04ca1684a2758f9d19eb7a40b48c

SHA256
73c49d192c1b64f6aa80bb65403227dfc69d02d6f8d542998892370d0307e9d7

SHA512
7b0cb6482ccf9dafdb1d849d91ee6d37bcae9661146030ee8a862018ea24e22955dafefdd22b06aa7d13009ead94100e6b32c7bfc3df383c6e8e148ed064f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.DLL

Filesize
247KB

MD5
03686671b9a9c4a1e36e2a4bef4f0bc4

SHA1
65985b29c6ce04ca1684a2758f9d19eb7a40b48c

SHA256
73c49d192c1b64f6aa80bb65403227dfc69d02d6f8d542998892370d0307e9d7

SHA512
7b0cb6482ccf9dafdb1d849d91ee6d37bcae9661146030ee8a862018ea24e22955dafefdd22b06aa7d13009ead94100e6b32c7bfc3df383c6e8e148ed064f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\PRODUCTLABEL.DLL

Filesize
247KB

MD5
03686671b9a9c4a1e36e2a4bef4f0bc4

SHA1
65985b29c6ce04ca1684a2758f9d19eb7a40b48c

SHA256
73c49d192c1b64f6aa80bb65403227dfc69d02d6f8d542998892370d0307e9d7

SHA512
7b0cb6482ccf9dafdb1d849d91ee6d37bcae9661146030ee8a862018ea24e22955dafefdd22b06aa7d13009ead94100e6b32c7bfc3df383c6e8e148ed064f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\ed20f33c-def5-44b5-a713-70e57d9bdf1a\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
cf7f5cdb6443fef5c5e14351dfa52a61

SHA1
50b9178f04c1102938afa4badb5f03cfc0f8a9b9

SHA256
69a70d81c56c0fedf43d7a07ee0f8ad006383ec06733748ac83b0401bf937ddb

SHA512
0cdba91499cc421da6d330954a9e3211765ebc2c48034a93b5b084e5b2c7de93ca96af025f2e5e91054d113e4c7f8c0bec3a8c94269565ce7181ea165a57c3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16065\ed20f33c-def5-44b5-a713-70e57d9bdf1a\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
cf7f5cdb6443fef5c5e14351dfa52a61

SHA1
50b9178f04c1102938afa4badb5f03cfc0f8a9b9

SHA256
69a70d81c56c0fedf43d7a07ee0f8ad006383ec06733748ac83b0401bf937ddb

SHA512
0cdba91499cc421da6d330954a9e3211765ebc2c48034a93b5b084e5b2c7de93ca96af025f2e5e91054d113e4c7f8c0bec3a8c94269565ce7181ea165a57c3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.16072\Avira_Security_Installation.xml

Filesize
1KB

MD5
89d377234e7ec82778659eb37c4e1f14

SHA1
302644d1756ccb15af13caa34372e451e2af9b16

SHA256
658f6ee60ef6ecf47245cddfc98cc4f33f60d977a76051cf63fec35a1f005df2

SHA512
d1bfdd86191d208bd66fb2d265518b8c93ae06c06c1d41bcf7eed3eae9345ff0bd65b5832642da156a7226c3181ba792a2f007373e023cad3f37589c5ee7caba

Download Submit
memory/464-292-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/464-285-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/912-260-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/912-257-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/972-268-0x0000000005720000-0x000000000576A000-memory.dmp

Filesize
296KB

Download
memory/972-267-0x00000000055A0000-0x0000000005614000-memory.dmp

Filesize
464KB

Download
memory/972-265-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/972-266-0x0000000005490000-0x00000000054B8000-memory.dmp

Filesize
160KB

Download
memory/1152-182-0x0000000005A60000-0x0000000005A68000-memory.dmp

Filesize
32KB

Download
memory/1152-184-0x0000000005BC0000-0x0000000005BFC000-memory.dmp

Filesize
240KB

Download
memory/1152-139-0x0000000005110000-0x0000000005180000-memory.dmp

Filesize
448KB

Download
memory/1152-159-0x0000000005660000-0x00000000056A2000-memory.dmp

Filesize
264KB

Download
memory/1152-195-0x000000000AD10000-0x000000000AD20000-memory.dmp

Filesize
64KB

Download
memory/1152-192-0x000000000AD20000-0x000000000AD86000-memory.dmp

Filesize
408KB

Download
memory/1152-191-0x000000000A3D0000-0x000000000A462000-memory.dmp

Filesize
584KB

Download
memory/1152-190-0x000000000A170000-0x000000000A17E000-memory.dmp

Filesize
56KB

Download
memory/1152-189-0x000000000A190000-0x000000000A1C8000-memory.dmp

Filesize
224KB

Download
memory/1152-136-0x00000000005F0000-0x0000000000776000-memory.dmp

Filesize
1.5MB

Download
memory/1152-165-0x00000000056E0000-0x000000000570C000-memory.dmp

Filesize
176KB

Download
memory/1152-188-0x0000000006C90000-0x0000000006C98000-memory.dmp

Filesize
32KB

Download
memory/1152-174-0x0000000005750000-0x0000000005764000-memory.dmp

Filesize
80KB

Download
memory/1152-187-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/1152-142-0x00000000054C0000-0x00000000054EC000-memory.dmp

Filesize
176KB

Download
memory/1152-183-0x0000000005B70000-0x0000000005BC0000-memory.dmp

Filesize
320KB

Download
memory/1152-154-0x00000000055E0000-0x0000000005610000-memory.dmp

Filesize
192KB

Download
memory/1152-171-0x00000000057E0000-0x0000000005816000-memory.dmp

Filesize
216KB

Download
memory/1152-179-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/1152-176-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/1152-175-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/1152-168-0x0000000005780000-0x00000000057DA000-memory.dmp

Filesize
360KB

Download
memory/1152-151-0x0000000005500000-0x000000000550C000-memory.dmp

Filesize
48KB

Download
memory/1152-148-0x0000000005510000-0x0000000005526000-memory.dmp

Filesize
88KB

Download
memory/1152-162-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/1152-145-0x0000000005550000-0x00000000055AE000-memory.dmp

Filesize
376KB

Download
memory/1708-306-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/1708-282-0x0000000000340000-0x000000000039A000-memory.dmp

Filesize
360KB

Download
memory/1708-296-0x0000000005140000-0x000000000514E000-memory.dmp

Filesize
56KB

Download
memory/1708-298-0x0000000005180000-0x000000000518C000-memory.dmp

Filesize
48KB

Download
memory/1708-289-0x00000000050C0000-0x00000000050D8000-memory.dmp

Filesize
96KB

Download
memory/1708-288-0x0000000005090000-0x00000000050BA000-memory.dmp

Filesize
168KB

Download
memory/1708-303-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

Filesize
40KB

Download
memory/1708-304-0x0000000006D80000-0x0000000006DD4000-memory.dmp

Filesize
336KB

Download
memory/1708-291-0x0000000005110000-0x000000000513A000-memory.dmp

Filesize
168KB

Download
memory/1708-305-0x0000000006DE0000-0x0000000006E0E000-memory.dmp

Filesize
184KB

Download
memory/1708-307-0x0000000006E50000-0x0000000006E86000-memory.dmp

Filesize
216KB

Download
memory/1708-308-0x0000000006D30000-0x0000000006D38000-memory.dmp

Filesize
32KB

Download
memory/2528-315-0x0000000005120000-0x00000000055C6000-memory.dmp

Filesize
4.6MB

Download
memory/3400-316-0x0000000003200000-0x0000000003259000-memory.dmp

Filesize
356KB

Download
memory/3400-335-0x00000000021F1000-0x00000000021F7000-memory.dmp

Filesize
24KB

Download
memory/3400-334-0x00000000021F0000-0x00000000021FB000-memory.dmp

Filesize
44KB

Download
memory/3576-251-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/3660-238-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3660-241-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3660-248-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3780-271-0x000001F79B440000-0x000001F79B468000-memory.dmp

Filesize
160KB

Download
memory/3780-274-0x00007FF8F7E60000-0x00007FF8F8921000-memory.dmp

Filesize
10.8MB

Download
memory/3780-273-0x000001F7B76C0000-0x000001F7B770A000-memory.dmp

Filesize
296KB

Download
memory/3780-272-0x000001F7B6AB0000-0x000001F7B6B24000-memory.dmp

Filesize
464KB

Download
memory/3780-270-0x000001F79B090000-0x000001F79B0A0000-memory.dmp

Filesize
64KB

Download
memory/4180-279-0x00000000019E0000-0x00000000019F2000-memory.dmp

Filesize
72KB

Download
memory/4180-277-0x0000000000FD0000-0x0000000001024000-memory.dmp

Filesize
336KB

Download
memory/4180-280-0x00000000059B0000-0x0000000005A00000-memory.dmp

Filesize
320KB

Download
memory/4520-261-0x0000000004110000-0x00000000045B6000-memory.dmp

Filesize
4.6MB

Download
memory/4520-262-0x0000000007790000-0x00000000078B2000-memory.dmp

Filesize
1.1MB

Download
memory/4832-300-0x0000000006B00000-0x0000000006B3C000-memory.dmp

Filesize
240KB

Download
memory/4832-295-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/4832-385-0x00000000074D0000-0x0000000007976000-memory.dmp

Filesize
4.6MB

Download
memory/4832-287-0x0000000005200000-0x0000000005222000-memory.dmp

Filesize
136KB

Download
memory/4832-301-0x0000000006F50000-0x0000000006F5C000-memory.dmp

Filesize
48KB

Download
memory/4832-297-0x0000000005480000-0x000000000548E000-memory.dmp

Filesize
56KB

Download
memory/4832-299-0x0000000005610000-0x0000000005674000-memory.dmp

Filesize
400KB

Download
memory/4832-290-0x0000000005380000-0x0000000005388000-memory.dmp

Filesize
32KB

Download
memory/4832-293-0x0000000005500000-0x0000000005598000-memory.dmp

Filesize
608KB

Download
memory/5012-255-0x00000000006B0000-0x00000000006DE000-memory.dmp

Filesize
184KB

Download
memory/5024-338-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download