178b96df901c69ef507824e7238ca1a5419e65c3b0c8c0635fe553d06534dbfe

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avira_es_sptl1_359962207-1678828437__pavwws.exe
Size

6.2MB
MD5

1653a381769ab363ac9af6ac26490fda
SHA1

2c4921cab32438cd549b6253b1539134c1df25fc
SHA256

178b96df901c69ef507824e7238ca1a5419e65c3b0c8c0635fe553d06534dbfe
SHA512

1ff5bcc97867f31daed0995d9734fc01d715261ec659c985d1df32c4201530170dffd9c7f602ca01cd0dee8ba334837723dca31922847840281aadface551497
SSDEEP

49152:77m0R1yvaOQ/b5HE0qXXpDYALLRENU9Qd+buk4HsM9fEJufpHxjCZdJdZcDrgDQr:XeQ/bpEnXWU9w6ZQBLHE9WbKYd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Avira.Spotlight.Bootstrapper.exeACSSignedIC.exe

pid process

2908 Avira.Spotlight.Bootstrapper.exe
3552 ACSSignedIC.exe

Loads dropped DLL 32 IoCs

Processes:

Avira.Spotlight.Bootstrapper.exe

pid	process
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe
2908	Avira.Spotlight.Bootstrapper.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1063

Processes:

Avira.Spotlight.Bootstrapper.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\MixpanelCommonProperties = "AAEAAAD/////AQAAAAAAAAAEAQAAAOIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuRGljdGlvbmFyeWAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAHVmVyc2lvbghDb21wYXJlcghIYXNoU2l6ZQ1LZXlWYWx1ZVBhaXJzAAMAAwiSAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkdlbmVyaWNFcXVhbGl0eUNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCOYBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dW10TAAAACQIAAAAlAAAACQMAAAAEAgAAAJIBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuR2VuZXJpY0VxdWFsaXR5Q29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0AAAAABwMAAAAAAQAAABMAAAAD5AFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5LZXlWYWx1ZVBhaXJgMltbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0E/P///+QBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuS2V5VmFsdWVQYWlyYDJbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAgAAAANrZXkFdmFsdWUBAgYFAAAAAyRvcwYGAAAAB1dpbmRvd3MB+f////z///8GCAAAAAskb3NfdmVyc2lvbgYJAAAACjEwLjAuMTkwNDEB9v////z///8GCwAAAAtPcyBMYW5ndWFnZQYMAAAABWVuLVVTAfP////8////Bg4AAAALT3MgUGxhdGZvcm0GDwAAAAN4NjQB8P////z///8GEQAAAAxzaGEyX3N1cHBvcnQIAQEB7v////z///8GEwAAABYuTkVUIEZyYW1ld29yayBWZXJzaW9uCRQAAAAB6/////z///8GFgAAAApQcm9jZXNzIElECAhcCwAAAen////8////BhgAAAASQ29tcGF0aWJpbGl0eSBNb2RlCRkAAAAB5v////z///8GGwAAAAthY3Nfc3VwcG9ydAgBAQHk/////P///wYdAAAADUV4cGVyaW1lbnRJZHMJHgAAAAHh/////P///wYgAAAAEEV4cGVyaW1lbnRHcm91cHMJIQAAAAHe/////P///wYjAAAAD0Rvd25sb2FkIFNvdXJjZQYkAAAABnBhdnd3cwHb/////P///wYmAAAACUJ1bmRsZSBJRAYnAAAABXNwdGwxAdj////8////BikAAAAUQm9vdHN0cmFwcGVyIFZlcnNpb24GKgAAAAgxLjAuNDEuNQHV/////P///wYsAAAABkFjdGlvbgYtAAAAB0luc3RhbGwB0v////z///8GLwAAAAdSdW5Nb2RlBjAAAAAHRGVmYXVsdAHP/////P///wYyAAAABlNpbGVudAgBAAHN/////P///wY0AAAAClNlc3Npb24gSUQGNQAAACA4M2NhODliNGNjNTU0NjIzOTE3OTNlZmFiZGYzOTQ5MQHK/////P///wY3AAAAElNwb3RsaWdodCBMYW5ndWFnZQY4AAAABWVzLUVTBBQAAAAOU3lzdGVtLlZlcnNpb24EAAAABl9NYWpvcgZfTWlub3IGX0J1aWxkCV9SZXZpc2lvbgAAAAAICAgIBAAAAAgAAAD//////////xEZAAAAAAAAABEeAAAAAQAAAAY5AAAACXNwb3RsaWdodBEhAAAAAQAAAAY6AAAAB2RlZmF1bHQL"	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Security\ConnectServices	Avira.Spotlight.Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper	Avira.Spotlight.Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\UpdateBridgeEnvironment	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	Avira.Spotlight.Bootstrapper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

912 schtasks.exe

pid	process
912	schtasks.exe

Modifies registry class 6 IoCs

Processes:

avira_es_sptl1_359962207-1678828437__pavwws.exeAvira.Spotlight.Bootstrapper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe	avira_es_sptl1_359962207-1678828437__pavwws.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0"	avira_es_sptl1_359962207-1678828437__pavwws.exe
Key created	\REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "3fac7a4cd22645d88967c6dbd1bdb0f7c433a146"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\SessionId = "83ca89b4cc55462391793efabdf39491"	Avira.Spotlight.Bootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\Action = "Install"	Avira.Spotlight.Bootstrapper.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Avira.Spotlight.Bootstrapper.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	Avira.Spotlight.Bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Avira.Spotlight.Bootstrapper.exe

description pid process

Token: SeDebugPrivilege 2908 Avira.Spotlight.Bootstrapper.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Avira.Spotlight.Bootstrapper.exe

pid process

2908 Avira.Spotlight.Bootstrapper.exe
2908 Avira.Spotlight.Bootstrapper.exe

description	pid	process
Token: SeDebugPrivilege	2908	Avira.Spotlight.Bootstrapper.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

avira_es_sptl1_359962207-1678828437__pavwws.exeAvira.Spotlight.Bootstrapper.exe

description	pid	process	target process
PID 4160 wrote to memory of 912	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	schtasks.exe
PID 4160 wrote to memory of 912	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	schtasks.exe
PID 4160 wrote to memory of 912	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	schtasks.exe
PID 4160 wrote to memory of 2908	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	Avira.Spotlight.Bootstrapper.exe
PID 4160 wrote to memory of 2908	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	Avira.Spotlight.Bootstrapper.exe
PID 4160 wrote to memory of 2908	4160	avira_es_sptl1_359962207-1678828437__pavwws.exe	Avira.Spotlight.Bootstrapper.exe
PID 2908 wrote to memory of 3552	2908	Avira.Spotlight.Bootstrapper.exe	ACSSignedIC.exe
PID 2908 wrote to memory of 3552	2908	Avira.Spotlight.Bootstrapper.exe	ACSSignedIC.exe
PID 2908 wrote to memory of 3552	2908	Avira.Spotlight.Bootstrapper.exe	ACSSignedIC.exe

C:\Users\Admin\AppData\Local\Temp\avira_es_sptl1_359962207-1678828437__pavwws.exe
"C:\Users\Admin\AppData\Local\Temp\avira_es_sptl1_359962207-1678828437__pavwws.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\.CR.3113\Avira.Spotlight.Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\.CR.3113\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.3113\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira_es_sptl1_359962207-1678828437__pavwws.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\.CR.3113\ACSSignedIC.exe
"C:\Users\Admin\AppData\Local\Temp\.CR.3113\ACSSignedIC.exe"
3⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.30088\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"
2⤵
- Creates scheduled task(s)
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Security Software Discovery

T1063

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.CR.30088\Avira_Security_Installation.xml
Filesize
1KB

MD5
5768c01ea149093a3557a986fc3ff1f2

SHA1
3c4e3168d15a7236edbde6ab8e5d8a84c4a6b733

SHA256
87b27aa56b4556ee81074c90b13c803504235b25f9acff84ca38ed124ecfe92f

SHA512
bb36d28af9ec001c7492e5c6cddd0f09e65bf01ed85579c0d7458fb41286ca2831678a6842edf89c28ad40035f1acbdf461222dd7feb24a57dfbff9e0f2bfc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\ACSSIGNEDIC.EXE
Filesize
202KB

MD5
8c4622622a1044250d32b3f75dff1308

SHA1
8eef39eda2043c3f2fb680b5ecba9dc399b70f10

SHA256
7fbac7f635533ed207d3479cb8a4e5e96fefae5c1ddbdd5f52780ce6c3ddc6c2

SHA512
a36ca64d20cfb8a9cf04c6d7565cf8f38922092850913d0ee062305fb755c6570693da32dd866c7c667d7e03b8a9656dc74637b9535ac6e26a156a200c3d02cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.COMMON.GUARDS.DLL
Filesize
17KB

MD5
5b851b4506d10f93b988b4ee8f313824

SHA1
213c4928a28e8fbf5dfc06cd5c5415301daf72e5

SHA256
28c9ea12476af9b90857564919ab813ba2468f2dd087e482777da9a8d1811fd4

SHA512
c8aa2b665c5baeb2e02bcbf86e63e91fd18761b2ac5943650c1824a971586023b01c71fd758157301d41595a50214e95aa0b42a45b9ae3562b5e1a56772077fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.COMMON.GUARDS.DLL
Filesize
17KB

MD5
5b851b4506d10f93b988b4ee8f313824

SHA1
213c4928a28e8fbf5dfc06cd5c5415301daf72e5

SHA256
28c9ea12476af9b90857564919ab813ba2468f2dd087e482777da9a8d1811fd4

SHA512
c8aa2b665c5baeb2e02bcbf86e63e91fd18761b2ac5943650c1824a971586023b01c71fd758157301d41595a50214e95aa0b42a45b9ae3562b5e1a56772077fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.COMMON.MIXPANEL.DLL
Filesize
67KB

MD5
b99936185b1d2795ae0cda594f8c6da0

SHA1
dd3021a9f2bf588ff420571e0ef8d0ed0f4f76af

SHA256
0565243319c9bca86bd96ce75d2ddfb48fc7869eef0986134ba4627a49b3f0bb

SHA512
bc92f1b735139007e7ea04e8369af114e93850cc01ae270b826ba601a904eec2fe70a0826f36ff621dd9052388460ca59b464e53e4751c7788cbf3593379e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.COMMON.MIXPANEL.DLL
Filesize
67KB

MD5
b99936185b1d2795ae0cda594f8c6da0

SHA1
dd3021a9f2bf588ff420571e0ef8d0ed0f4f76af

SHA256
0565243319c9bca86bd96ce75d2ddfb48fc7869eef0986134ba4627a49b3f0bb

SHA512
bc92f1b735139007e7ea04e8369af114e93850cc01ae270b826ba601a904eec2fe70a0826f36ff621dd9052388460ca59b464e53e4751c7788cbf3593379e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL
Filesize
382KB

MD5
29dc8609f3cc1836297e481444b32a52

SHA1
7becb42555660aacc684ed255a91b1877d60d15c

SHA256
2a8f0e76c3ab176ea94a88ac6a36adcf68abfdd297bf596dd0392cf2a707aed0

SHA512
6fa8a1eafc84f9249d37d4070174967840ad31eb85bc28963cc0839bfa8e355311db9fb38237b410574452a090925ec2e4b0e70973ae54ebceabcee703be2f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL
Filesize
382KB

MD5
29dc8609f3cc1836297e481444b32a52

SHA1
7becb42555660aacc684ed255a91b1877d60d15c

SHA256
2a8f0e76c3ab176ea94a88ac6a36adcf68abfdd297bf596dd0392cf2a707aed0

SHA512
6fa8a1eafc84f9249d37d4070174967840ad31eb85bc28963cc0839bfa8e355311db9fb38237b410574452a090925ec2e4b0e70973ae54ebceabcee703be2f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL
Filesize
358KB

MD5
b3d386d685c2ebf31dd286245ea97f8f

SHA1
f3d3b975c0c9af041aa13ef7c041c1d04549a30e

SHA256
fe18b119eac17228f87d509f3c135be7ffbf594e372556c79ab7c431ff4706f3

SHA512
36efdf588dc382cda3d36532f6ed785c7e9cff976070de3b024e1eb4ae80147f598826f539ea49d9251148fc97398896ea4ffa0e65c5ed9da246558e135fab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL
Filesize
358KB

MD5
b3d386d685c2ebf31dd286245ea97f8f

SHA1
f3d3b975c0c9af041aa13ef7c041c1d04549a30e

SHA256
fe18b119eac17228f87d509f3c135be7ffbf594e372556c79ab7c431ff4706f3

SHA512
36efdf588dc382cda3d36532f6ed785c7e9cff976070de3b024e1eb4ae80147f598826f539ea49d9251148fc97398896ea4ffa0e65c5ed9da246558e135fab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE
Filesize
1.5MB

MD5
7156b78847eecfe0dcb70f99fb86c77c

SHA1
40319b6c11e201815b26ab1ec7da18cb42ed9a5f

SHA256
c6802d1ec81b72fb12b72ca8a2acaf1e19f760950c7dac7d8ce05acd5e326a27

SHA512
85f7711bd6b3aa58e6c3ebb67447d47fccdcf8d7caf5948a5cfcd4f52eec679ca96fb73f2961f82ad4afad82d64dcf64ddc8cb4f41ff31915511a7dc27a58258

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL
Filesize
167KB

MD5
c23c96dcbbdea269b9a6a31188f871c5

SHA1
cf3db12d0aadda85220aff9e96b9086b8e68989a

SHA256
7fde6bd77b725d6877ddffca2e9f022e54cb5a5c308705f0be836ac308396c02

SHA512
c2bb76e09c5dd54b6a6fb8b6473db624f166b1b7cfb6a26e8eca931f0e51c515787275d7247820b752d9ffd666885b1f922ce83bb53a022326795a13b2ae242b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL
Filesize
167KB

MD5
c23c96dcbbdea269b9a6a31188f871c5

SHA1
cf3db12d0aadda85220aff9e96b9086b8e68989a

SHA256
7fde6bd77b725d6877ddffca2e9f022e54cb5a5c308705f0be836ac308396c02

SHA512
c2bb76e09c5dd54b6a6fb8b6473db624f166b1b7cfb6a26e8eca931f0e51c515787275d7247820b752d9ffd666885b1f922ce83bb53a022326795a13b2ae242b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL
Filesize
205KB

MD5
44cca8ad4b61868ceb7ef0252807adbc

SHA1
66904e9b50cede9e4a90265c77cb5571d812c6b9

SHA256
6b68f68a2062a7e428f62f27ea4356ce450a4f7b2d6ef3ca0a0ccb207205598f

SHA512
6277c357c7390fd5ce45ae691ba4af8c365d6c4d8a7a2b7c82af9f3b9452d0a5414dbc9103633a1d0c5bfff9ce8acdb38c5ffda477f0dcabaef16235e8613fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL
Filesize
205KB

MD5
44cca8ad4b61868ceb7ef0252807adbc

SHA1
66904e9b50cede9e4a90265c77cb5571d812c6b9

SHA256
6b68f68a2062a7e428f62f27ea4356ce450a4f7b2d6ef3ca0a0ccb207205598f

SHA512
6277c357c7390fd5ce45ae691ba4af8c365d6c4d8a7a2b7c82af9f3b9452d0a5414dbc9103633a1d0c5bfff9ce8acdb38c5ffda477f0dcabaef16235e8613fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOC.DLL
Filesize
440KB

MD5
714e25424a8aaa63d7ca6ab89019da1b

SHA1
509b65ba6c41095b7f33d7c5c80f6d4fc7b18586

SHA256
61bbf93454a27b7c4b73a5735a546a544c46e8e85dda8d93994d4d79938b9dcc

SHA512
73fa85df955d2534bb03e17a798cbc3b6cb5499a8d3dba952a1fc8c7f9994a8001b355efc159d4353363ced880f23d00ebe8023d8d6401163ff8497bb582738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOC.DLL
Filesize
440KB

MD5
714e25424a8aaa63d7ca6ab89019da1b

SHA1
509b65ba6c41095b7f33d7c5c80f6d4fc7b18586

SHA256
61bbf93454a27b7c4b73a5735a546a544c46e8e85dda8d93994d4d79938b9dcc

SHA512
73fa85df955d2534bb03e17a798cbc3b6cb5499a8d3dba952a1fc8c7f9994a8001b355efc159d4353363ced880f23d00ebe8023d8d6401163ff8497bb582738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOC.MEFATTRIBUTEDMODEL.DLL
Filesize
70KB

MD5
d78c583cb692427a10527a014962ee01

SHA1
4bab8f272f8bc6183ef6f82b6747cdfeddf12d10

SHA256
0621244e268938b4bb1cc76bb2a1b0181ee5cf59005534d08f89eba79f900b05

SHA512
a3ff15876fc297149ceb693052a47ad6f361c9f0e860005aa59684d405657b23f3879f487b42ecb41883793b881275ce458cabddb5bbb5bcaeb2e01a9d4ff607

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOC.MEFATTRIBUTEDMODEL.DLL
Filesize
70KB

MD5
d78c583cb692427a10527a014962ee01

SHA1
4bab8f272f8bc6183ef6f82b6747cdfeddf12d10

SHA256
0621244e268938b4bb1cc76bb2a1b0181ee5cf59005534d08f89eba79f900b05

SHA512
a3ff15876fc297149ceb693052a47ad6f361c9f0e860005aa59684d405657b23f3879f487b42ecb41883793b881275ce458cabddb5bbb5bcaeb2e01a9d4ff607

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOCATTRIBUTES.DLL
Filesize
32KB

MD5
894402ba3f2225a71c4747d9928c566a

SHA1
b6ad87444277e2f1ff58a3aedac91021512466ce

SHA256
52cbbd4703e4e4cdac01615fcc623acce13113960eb45965d28d636d827315f7

SHA512
683849be5b0b930a71698519b07bba5df02a6ed2de84b1482dc747e380e1b51b6b3df7d65ca181579915d6c2ad649bd1f6e60d0386350af377185534f3d93cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\DRYIOCATTRIBUTES.DLL
Filesize
32KB

MD5
894402ba3f2225a71c4747d9928c566a

SHA1
b6ad87444277e2f1ff58a3aedac91021512466ce

SHA256
52cbbd4703e4e4cdac01615fcc623acce13113960eb45965d28d636d827315f7

SHA512
683849be5b0b930a71698519b07bba5df02a6ed2de84b1482dc747e380e1b51b6b3df7d65ca181579915d6c2ad649bd1f6e60d0386350af377185534f3d93cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL
Filesize
34KB

MD5
d2a5cba61102ffb5fb74215561fd8d49

SHA1
d0303a778673702c720256e54bc9fa650fb2414e

SHA256
abd98575f5fa1e9c02e8ec29cfee3ab805a0b7c5a5d1d1b8d9049e942a3a6471

SHA512
70749480e62a8b4f50322db8658aec4c35e7e8312c5aa3fd5462fa8290381464dfe6864ee37fdc39067e71f18f79467ab080d0069e4a228292a4a1eb09d91029

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL
Filesize
34KB

MD5
d2a5cba61102ffb5fb74215561fd8d49

SHA1
d0303a778673702c720256e54bc9fa650fb2414e

SHA256
abd98575f5fa1e9c02e8ec29cfee3ab805a0b7c5a5d1d1b8d9049e942a3a6471

SHA512
70749480e62a8b4f50322db8658aec4c35e7e8312c5aa3fd5462fa8290381464dfe6864ee37fdc39067e71f18f79467ab080d0069e4a228292a4a1eb09d91029

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\ES-ES\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL
Filesize
24KB

MD5
f5f4177552f3109b6b6431245d94f9f1

SHA1
344d6be4a724bfadcebc3393be5c3137967cda3c

SHA256
86f1b4926df5f72869cc394ecfd0720f61db6032a25e03536a7d1468841f613e

SHA512
cc78db23a1a01fa4783eeac2daa5d5c04133221774c7bcd7843e1c6b5466c668b11ce9a35c66b831b0f7942ad81ede3465956a32758fdad0420e21c477e6cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\ES-ES\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL
Filesize
24KB

MD5
f5f4177552f3109b6b6431245d94f9f1

SHA1
344d6be4a724bfadcebc3393be5c3137967cda3c

SHA256
86f1b4926df5f72869cc394ecfd0720f61db6032a25e03536a7d1468841f613e

SHA512
cc78db23a1a01fa4783eeac2daa5d5c04133221774c7bcd7843e1c6b5466c668b11ce9a35c66b831b0f7942ad81ede3465956a32758fdad0420e21c477e6cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\MICROSOFT.WINDOWS.SHELL.DLL
Filesize
162KB

MD5
fc28af3ae489397c01dfefa207d7eb04

SHA1
071de4a61de6e49fe4a4e9a974feffda0e371324

SHA256
a8d4bb9664c12a00e389638aa0351ee14fc3d373812dc2da07df39635179d984

SHA512
8f0fe83ff35eb60911786d64a2e3cde93d15f8596042912e5a0571cb51c4b4e621fc10af04df3c3ece9db421b106dfe835117b21b33096ca8e28038bdd063329

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\MICROSOFT.WINDOWS.SHELL.DLL
Filesize
162KB

MD5
fc28af3ae489397c01dfefa207d7eb04

SHA1
071de4a61de6e49fe4a4e9a974feffda0e371324

SHA256
a8d4bb9664c12a00e389638aa0351ee14fc3d373812dc2da07df39635179d984

SHA512
8f0fe83ff35eb60911786d64a2e3cde93d15f8596042912e5a0571cb51c4b4e621fc10af04df3c3ece9db421b106dfe835117b21b33096ca8e28038bdd063329

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.COMMON.DLL
Filesize
180KB

MD5
8f8d5d83598aca25fef268fe71d7b6d5

SHA1
04bc7349952926167cd622096551e1697f3fa477

SHA256
55e3d72fd102bba01a525f486ee36ad22bc3630dc1cc327ff34c7f0311f3bd21

SHA512
ca5a474bb7acb207b018f99d4caae6c154d8f0262c9e108990ec851d63fc21cc245545611a0182eab23925431bb2d4506b79a11238a520cfa6d72e4531628dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.COMMON.DLL
Filesize
180KB

MD5
8f8d5d83598aca25fef268fe71d7b6d5

SHA1
04bc7349952926167cd622096551e1697f3fa477

SHA256
55e3d72fd102bba01a525f486ee36ad22bc3630dc1cc327ff34c7f0311f3bd21

SHA512
ca5a474bb7acb207b018f99d4caae6c154d8f0262c9e108990ec851d63fc21cc245545611a0182eab23925431bb2d4506b79a11238a520cfa6d72e4531628dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.COMMON.DLL
Filesize
180KB

MD5
8f8d5d83598aca25fef268fe71d7b6d5

SHA1
04bc7349952926167cd622096551e1697f3fa477

SHA256
55e3d72fd102bba01a525f486ee36ad22bc3630dc1cc327ff34c7f0311f3bd21

SHA512
ca5a474bb7acb207b018f99d4caae6c154d8f0262c9e108990ec851d63fc21cc245545611a0182eab23925431bb2d4506b79a11238a520cfa6d72e4531628dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.COMMON.DLL
Filesize
180KB

MD5
8f8d5d83598aca25fef268fe71d7b6d5

SHA1
04bc7349952926167cd622096551e1697f3fa477

SHA256
55e3d72fd102bba01a525f486ee36ad22bc3630dc1cc327ff34c7f0311f3bd21

SHA512
ca5a474bb7acb207b018f99d4caae6c154d8f0262c9e108990ec851d63fc21cc245545611a0182eab23925431bb2d4506b79a11238a520cfa6d72e4531628dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.DLL
Filesize
248KB

MD5
83c3afe9a54ef573c4cf7ca0147773af

SHA1
346e622d93fe7ab53fb914517fc5e0a9cd8cb49c

SHA256
db6cde609752ba82de25f1867313bb58ff52a9547b5029a4d0d31ff425dd16fa

SHA512
b54ac40945cf1b4b37b899560241d8431696de3e91bf5d59522c2af739da4e714b394a31e6aecad428ea3b42e264c8e0db79c0b1d29d280a118a8de102c4e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.DLL
Filesize
248KB

MD5
83c3afe9a54ef573c4cf7ca0147773af

SHA1
346e622d93fe7ab53fb914517fc5e0a9cd8cb49c

SHA256
db6cde609752ba82de25f1867313bb58ff52a9547b5029a4d0d31ff425dd16fa

SHA512
b54ac40945cf1b4b37b899560241d8431696de3e91bf5d59522c2af739da4e714b394a31e6aecad428ea3b42e264c8e0db79c0b1d29d280a118a8de102c4e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.DLL
Filesize
248KB

MD5
83c3afe9a54ef573c4cf7ca0147773af

SHA1
346e622d93fe7ab53fb914517fc5e0a9cd8cb49c

SHA256
db6cde609752ba82de25f1867313bb58ff52a9547b5029a4d0d31ff425dd16fa

SHA512
b54ac40945cf1b4b37b899560241d8431696de3e91bf5d59522c2af739da4e714b394a31e6aecad428ea3b42e264c8e0db79c0b1d29d280a118a8de102c4e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\.CR.3113\PRODUCTLABEL.DLL
Filesize
248KB

MD5
83c3afe9a54ef573c4cf7ca0147773af

SHA1
346e622d93fe7ab53fb914517fc5e0a9cd8cb49c

SHA256
db6cde609752ba82de25f1867313bb58ff52a9547b5029a4d0d31ff425dd16fa

SHA512
b54ac40945cf1b4b37b899560241d8431696de3e91bf5d59522c2af739da4e714b394a31e6aecad428ea3b42e264c8e0db79c0b1d29d280a118a8de102c4e400

Download Submit
memory/2908-168-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2908-187-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2908-175-0x0000000005C70000-0x0000000005CA6000-memory.dmp

Filesize
216KB

Download
memory/2908-154-0x0000000005860000-0x0000000005876000-memory.dmp

Filesize
88KB

Download
memory/2908-151-0x0000000005920000-0x000000000597C000-memory.dmp

Filesize
368KB

Download
memory/2908-178-0x0000000005CB0000-0x0000000005CC4000-memory.dmp

Filesize
80KB

Download
memory/2908-148-0x00000000058B0000-0x0000000005912000-memory.dmp

Filesize
392KB

Download
memory/2908-179-0x0000000005CD0000-0x0000000005CF2000-memory.dmp

Filesize
136KB

Download
memory/2908-180-0x0000000005D20000-0x0000000005D32000-memory.dmp

Filesize
72KB

Download
memory/2908-183-0x0000000005E50000-0x0000000005E5A000-memory.dmp

Filesize
40KB

Download
memory/2908-169-0x0000000006170000-0x0000000006714000-memory.dmp

Filesize
5.6MB

Download
memory/2908-165-0x0000000005B70000-0x0000000005BB2000-memory.dmp

Filesize
264KB

Download
memory/2908-145-0x0000000005810000-0x000000000583C000-memory.dmp

Filesize
176KB

Download
memory/2908-142-0x0000000005460000-0x00000000054D0000-memory.dmp

Filesize
448KB

Download
memory/2908-186-0x0000000006010000-0x0000000006018000-memory.dmp

Filesize
32KB

Download
memory/2908-172-0x0000000005C00000-0x0000000005C2C000-memory.dmp

Filesize
176KB

Download
memory/2908-139-0x0000000000A80000-0x0000000000C08000-memory.dmp

Filesize
1.5MB

Download
memory/2908-189-0x0000000006E70000-0x0000000006EC0000-memory.dmp

Filesize
320KB

Download
memory/2908-190-0x0000000006EC0000-0x0000000006EFC000-memory.dmp

Filesize
240KB

Download
memory/2908-191-0x0000000006E40000-0x0000000006E60000-memory.dmp

Filesize
128KB

Download
memory/2908-160-0x00000000059B0000-0x00000000059E0000-memory.dmp

Filesize
192KB

Download
memory/2908-157-0x0000000005880000-0x000000000588C000-memory.dmp

Filesize
48KB

Download
memory/2908-194-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/2908-195-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/2908-196-0x0000000009970000-0x0000000009990000-memory.dmp

Filesize
128KB

Download
memory/2908-197-0x0000000009B10000-0x0000000009B48000-memory.dmp

Filesize
224KB

Download
memory/2908-198-0x0000000009AF0000-0x0000000009AFE000-memory.dmp

Filesize
56KB

Download
memory/2908-199-0x000000000ACB0000-0x000000000AD42000-memory.dmp

Filesize
584KB

Download
memory/2908-200-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2908-201-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2908-202-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2908-203-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download