a3dc5beed75942744a94a6af9c9b5ae4e9a8f0ed89f6ffe2f0b1813750e978bc

Analysis

max time kernel
139s
max time network
144s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
27/05/2023, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinaeroTweaker-1.52.0.0-setup.exe
Size

4.2MB
MD5

55958ff4b2b659c497edaf6d7b0083c8
SHA1

a3e334aafb41f01a82fb42699326a1196718fd01
SHA256

a3dc5beed75942744a94a6af9c9b5ae4e9a8f0ed89f6ffe2f0b1813750e978bc
SHA512

04eb265f79443fe86fc9d4179f3c2a9f5f74f9371fb4b182460fb62a866fe84d4c2ff7ec2f9f5fc12fa50f1486c448405bb749e1cd4873cb2accb3b8bcb25244
SSDEEP

98304:nkLPYJiYX937JzMSnvwonczVPTLyJ96x9jkCBnQX5FHin1KTooE:cgIigSnvxnIVHyre9gynMFa1KXE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1620	WinaeroTweaker-1.52.0.0-setup.tmp
1828	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
656	WinaeroTweakerHelper.exe

Loads dropped DLL 4 IoCs

pid	Process
1716	WinaeroTweaker-1.52.0.0-setup.exe
1620	WinaeroTweaker-1.52.0.0-setup.tmp
1620	WinaeroTweaker-1.52.0.0-setup.tmp
1620	WinaeroTweaker-1.52.0.0-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Winaero Tweaker\is-OSSE7.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-NN9CG.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-96VJM.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\no_tab_explorer.exe	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-AO03N.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-7UKIN.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-09HRO.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\Elevator.exe	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-0NHTG.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-CCQ22.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-2PFEN.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroControls.dll	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe	WinaeroTweaker-1.52.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-LMM8V.tmp	WinaeroTweaker-1.52.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-H5I0N.tmp	WinaeroTweaker-1.52.0.0-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinaeroTweaker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinaeroTweaker.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1780	taskkill.exe
656	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8741bc8dccc4e4c87e8259e277e798400000000020000000000106600000001000020000000ec5a214e2a388e0a771d847d6f6c8f52ce51db223b0b0c2d936563542c6f4834000000000e80000000020000200000001fd3018ca5768b04e0b1b18498e7acf2f92e28fd4006d381a661e9ceb090782b20000000ef68427cca0b93b5d0c6a666683db1b71795e59dea26a3e5c7991d670053311d400000001d81348073b351d686d51c3038b60d0dbac239e806ad79af6488e4e84ea8268a4514d49793f3046e3430edb1a9005022615bb4124a5b9f5f7f38ae44388c2b52	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8741bc8dccc4e4c87e8259e277e798400000000020000000000106600000001000020000000de3efc00b23c6490c3d3bdeb5f14839991d835339705b20e29f0f9b9df93f5e9000000000e8000000002000020000000b6edd45a7191fb364c0610b615f97d8b574654e1bf61237adba5efd8e4431d0c900000004eef430edf1831d9353ae6e138b13e34594522f53c40f6d6290dfdffdfd0fd25f73e89895805acb2b8a2317c6d68953429c269fa767d0bd9ce8af0a35d2d92e59d2f3b8e8cec7287727ca46b3bbfbe83fd5fca09b35777d059fb42f23f851e8f983038edb4185ece0cb0856915d59c5985d71651a84a3e982de763e3e074f31f9290d667236c5d6c1c111b71de0009ab400000005e621bb2dc232483ce68a789b5d75946db62c820f797f0d765f0daf9aba001e1b3732de76b7013f9de9655ae318cb64feda29aa97262cfc1d57621d70bef2c43	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503c830cc390d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391974473"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{325AEAE1-FCB6-11ED-95EE-4E1956A5016B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1620	WinaeroTweaker-1.52.0.0-setup.tmp
1620	WinaeroTweaker-1.52.0.0-setup.tmp
1828	WinaeroTweaker.exe
1828	WinaeroTweaker.exe
1828	WinaeroTweaker.exe
1828	WinaeroTweaker.exe
1828	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe
1136	WinaeroTweaker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: 33	716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	716	AUDIODG.EXE
Token: 33	716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	716	AUDIODG.EXE
Token: SeDebugPrivilege	1828	WinaeroTweaker.exe
Token: SeDebugPrivilege	1136	WinaeroTweaker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	WinaeroTweaker-1.52.0.0-setup.tmp
972	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
972	iexplore.exe
972	iexplore.exe
756	IEXPLORE.EXE
756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1716 wrote to memory of 1620	1716	WinaeroTweaker-1.52.0.0-setup.exe	28
PID 1620 wrote to memory of 1904	1620	WinaeroTweaker-1.52.0.0-setup.tmp	29
PID 1620 wrote to memory of 1904	1620	WinaeroTweaker-1.52.0.0-setup.tmp	29
PID 1620 wrote to memory of 1904	1620	WinaeroTweaker-1.52.0.0-setup.tmp	29
PID 1620 wrote to memory of 1904	1620	WinaeroTweaker-1.52.0.0-setup.tmp	29
PID 1620 wrote to memory of 1764	1620	WinaeroTweaker-1.52.0.0-setup.tmp	30
PID 1620 wrote to memory of 1764	1620	WinaeroTweaker-1.52.0.0-setup.tmp	30
PID 1620 wrote to memory of 1764	1620	WinaeroTweaker-1.52.0.0-setup.tmp	30
PID 1620 wrote to memory of 1764	1620	WinaeroTweaker-1.52.0.0-setup.tmp	30
PID 1904 wrote to memory of 1780	1904	cmd.exe	33
PID 1904 wrote to memory of 1780	1904	cmd.exe	33
PID 1904 wrote to memory of 1780	1904	cmd.exe	33
PID 1904 wrote to memory of 1780	1904	cmd.exe	33
PID 1764 wrote to memory of 656	1764	cmd.exe	34
PID 1764 wrote to memory of 656	1764	cmd.exe	34
PID 1764 wrote to memory of 656	1764	cmd.exe	34
PID 1764 wrote to memory of 656	1764	cmd.exe	34
PID 1620 wrote to memory of 1828	1620	WinaeroTweaker-1.52.0.0-setup.tmp	42
PID 1620 wrote to memory of 1828	1620	WinaeroTweaker-1.52.0.0-setup.tmp	42
PID 1620 wrote to memory of 1828	1620	WinaeroTweaker-1.52.0.0-setup.tmp	42
PID 1620 wrote to memory of 1828	1620	WinaeroTweaker-1.52.0.0-setup.tmp	42
PID 1620 wrote to memory of 972	1620	WinaeroTweaker-1.52.0.0-setup.tmp	43
PID 1620 wrote to memory of 972	1620	WinaeroTweaker-1.52.0.0-setup.tmp	43
PID 1620 wrote to memory of 972	1620	WinaeroTweaker-1.52.0.0-setup.tmp	43
PID 1620 wrote to memory of 972	1620	WinaeroTweaker-1.52.0.0-setup.tmp	43
PID 972 wrote to memory of 756	972	iexplore.exe	45
PID 972 wrote to memory of 756	972	iexplore.exe	45
PID 972 wrote to memory of 756	972	iexplore.exe	45
PID 972 wrote to memory of 756	972	iexplore.exe	45
PID 1828 wrote to memory of 1136	1828	WinaeroTweaker.exe	47
PID 1828 wrote to memory of 1136	1828	WinaeroTweaker.exe	47
PID 1828 wrote to memory of 1136	1828	WinaeroTweaker.exe	47
PID 1136 wrote to memory of 656	1136	WinaeroTweaker.exe	48
PID 1136 wrote to memory of 656	1136	WinaeroTweaker.exe	48
PID 1136 wrote to memory of 656	1136	WinaeroTweaker.exe	48
PID 1136 wrote to memory of 656	1136	WinaeroTweaker.exe	48

C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.52.0.0-setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.52.0.0-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\is-42EBG.tmp\WinaeroTweaker-1.52.0.0-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-42EBG.tmp\WinaeroTweaker-1.52.0.0-setup.tmp" /SL5="$B0130,3496735,832000,C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.52.0.0-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweaker.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweakerhelper.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:656
- - C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
    "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
      "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe" -profile="C:\Users\Admin" -sid="S-1-5-21-1563773381-2037468142-1146002597-1000"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe
        
        "C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe" -
        5⤵
        Executes dropped EXE
        
        PID:656
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://winaero.com/?utm_source=software&utm_medium=in-app&utm_campaign=winaerotweaker&utm_content=setupcheckbox
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:756

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Winaero Tweaker\WinaeroControls.dll

Filesize
164KB

MD5
8422c68b244093478201c8fc9de79d51

SHA1
75f171cf2fe0b57dfe6436ee201c7c46d10b4196

SHA256
8a883d291d762e3f6357bf2a3e921888f59aecd62485d6b25a248aa379922b54

SHA512
d96f4d251e1354d9fd34ce4e134caf98c4482e76783cc83121913be2aa901ad1376d51819526d75f0036f087530b6fda5a0370211666a4d8cc1301cb00457255

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe

Filesize
330KB

MD5
8e0aec38406afacff9487529add32c74

SHA1
4a7973910178147b217107db30610bf3416f2745

SHA256
c789872a6141e19f9cb71abb8260c8303a2ac48dfd86f36912a4649800a78d39

SHA512
a29bac662446c238c787635654a1787471c484c5887cca5838361c232dca1d32220b50f36fe918b39db7d6f1976f0584332386340e96a7f85e2d71123014e62c

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe

Filesize
330KB

MD5
8e0aec38406afacff9487529add32c74

SHA1
4a7973910178147b217107db30610bf3416f2745

SHA256
c789872a6141e19f9cb71abb8260c8303a2ac48dfd86f36912a4649800a78d39

SHA512
a29bac662446c238c787635654a1787471c484c5887cca5838361c232dca1d32220b50f36fe918b39db7d6f1976f0584332386340e96a7f85e2d71123014e62c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f369c8c077b5d8eb2c118b972f475fc

SHA1
a36939c99a23b4459a93c2c25302e2bfc586588c

SHA256
379376ffbff3b97b4ebacad809351d7a9c3117bbb86f2640a062c2a3f74f28dc

SHA512
c3adb325044186dd817db32782d406ecf052f7f8ececd150913221ba84651793822329e8f0ae02d84594db0d2d720ce3408489e761cef87544c7e979f1e5fc4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28c541d814ea0cbb260ae0bbb2818ca0

SHA1
3b5f571f7ab171fe2eaf51fa14f4a7dfff758722

SHA256
1a866c3fd49cd1efe86392437d9b206a461c4d0c99bfe4fa586b60fbed4d0526

SHA512
74dffbcd33603298f50bb41697e96f418ae5de5886e54ccff9a0afdb7744e4406fecd37cd8eff46f2c35d53802714fa8c669b7164b0b7a6161d9e837b792c3dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9f3000b0f6cedd9019a9b6ffb5041e8

SHA1
511ce1c4b3b7b87c7e2ddd3e8017d1fdea065b0f

SHA256
0884523c64faf8e679e6850a5d5c7ae74036eea690ede6f28b2e18520262a10d

SHA512
8d5212bbd14c1d4f8bc6a562a351108b557732e1ae209e2cc9c74c3e397b7ec94cdb2d73a3a80f7a18cfe95c247f022f3a1521ca6135ba6b341e3c4539414674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba321b7ccc427dbded3d52da7a88b959

SHA1
112e5caf016d73aac7268ccf5cd92f1b8e0a2a20

SHA256
1682053095de55217888c1eb8f5108a6872c85198e7a97e2cb6d91db50cabe2d

SHA512
a8481bac4bb3bedac69735c1fcdf3bd0f821328c36d1713ce0f39f513c6066ec84e582acc78685250a3d9d350b1230829f2949e95d8646a32eda3343c35e7bfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b6885b88265d321c2cf902973485cc7

SHA1
e776eb7075df6c0936a5262b0805596d675a698b

SHA256
3519954c2e437a167e1ac2853284bc85564882f6e54d12611855b0295f5c979f

SHA512
8a18a4fc6d8c3ce073562c443324969ea5c7c8749593e36bd9136ce330cd08e94e19fdb341990d4a029367184bf1e807ab48ccacac6e28bfa7f359c1bc51ead5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22570f5288ee60b37d5687751475c405

SHA1
a64c9a1f0b1436fadb1d79d29e84476ba4fc7b19

SHA256
6fe6a052e4a908d35f6ae8fda0db2cf73d3d7a7338e2fa9d61328833e68947f4

SHA512
84bc448f7c5f7c8d9c4dd423cd0a855d08e0099bb955ce9e8abd9b5ce59af25e5ccd7489e1b53a55dfe89bec20e35e4bd9df530b0d5bb7a48c5e641644609bc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c1300ec18cb935c2425849ca7c11394

SHA1
436175ffca925ca1f4d490dd390f5433b9516d91

SHA256
7cb2bb8e62676230f1e126c99765521b3d0ee9e79256a2c004212dd47641cedd

SHA512
ea423f56cd65039adbca477ac6a8a5b6d85b2e6772f6f1a80ba5b51c7c48a6ed6d344d098db6721a2e7f477582a60d7b92edd7336cf2e238db402020f82c42e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fb78e1c03d6667d3a4caab798f69fc9

SHA1
6d85c619d69bb6593529eeeebdc97374853e9f68

SHA256
ed37459f17b960bbc50b6dc65275e6568536a51e013804aaa52a9ac14534c975

SHA512
fc3594133a5fbc8f01535e6a319d01a81ac3d84c1d84fc8753feeac1db10c01de653c9472d8eaab54e288f8a6defdecc1685c59b6151146fe3431284e436326f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b53878721aa5c8aa0fef2ac227ecb20c

SHA1
7e9418fd281c46c5aee1f4d747a21af55c10396a

SHA256
d96b375d45cedd42ffe1a07f785a95666450c548fc8a881887a2b0a6277a8d31

SHA512
2de7134a38f8d56d1e3ff10dec0c84054af13b95498d4ae71dbe1520df2d03ce545a8bec4513b858ae8268d6a94232fefa49939a53e33b031e2ea1397079d58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7581.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab793B.tmp

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-42EBG.tmp\WinaeroTweaker-1.52.0.0-setup.tmp

Filesize
3.0MB

MD5
0b2bdbef5747d9dea1ed038c7c5d5f83

SHA1
b9bea8a7fdc64ca51cf0bb120555c8ad41f1dbc7

SHA256
d33c33c287813591ef3d16855663cb06934e850d6fa0338e4e5601cf8d6b3af3

SHA512
86919fde39ac178626dba8afcb3e725a6c29c3bb921106d75863e699ace42ff2121f6b6d64bbeed969e200aeb5bbc233fd03bfd87856313e66f706b3f769854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-42EBG.tmp\WinaeroTweaker-1.52.0.0-setup.tmp

Filesize
3.0MB

MD5
0b2bdbef5747d9dea1ed038c7c5d5f83

SHA1
b9bea8a7fdc64ca51cf0bb120555c8ad41f1dbc7

SHA256
d33c33c287813591ef3d16855663cb06934e850d6fa0338e4e5601cf8d6b3af3

SHA512
86919fde39ac178626dba8afcb3e725a6c29c3bb921106d75863e699ace42ff2121f6b6d64bbeed969e200aeb5bbc233fd03bfd87856313e66f706b3f769854a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M42293YF.txt

Filesize
599B

MD5
97f835c2b2a59d2cbba54a554ba61043

SHA1
cb0b196193778948270a7b95db7e77a2a26e10c6

SHA256
79abb4fe613fbd6db5c3724e8e178c6065de14231521c63a81e12fabf87abe13

SHA512
b70cc75de75002e5fc05e0047fcf7d88245927afdb624647fa3d51a039eba0c27e0670baf2f2cebc4f48c26b08ac1c6fb9b5dfce80b437b5efc9df5eaa4f5e99

Download Submit
\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
3.2MB

MD5
8e2e1335e3366c846eb6ea37fb574873

SHA1
49db57f12b10f918fd77dbd31e92f29e19760ed1

SHA256
4e6d30d911f25e08cf8deb41638ed89f2dc1e7bad639ee4a329757e3a7fad7b6

SHA512
78c71eb3a3e768c2942e199ccad9e9f6647507a40c0fc02917cd2124c21f2ba474bcedf664a4fc1f1b45d47be9fafaaf5d72538410ec401439176f08452185f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-42EBG.tmp\WinaeroTweaker-1.52.0.0-setup.tmp

Filesize
3.0MB

MD5
0b2bdbef5747d9dea1ed038c7c5d5f83

SHA1
b9bea8a7fdc64ca51cf0bb120555c8ad41f1dbc7

SHA256
d33c33c287813591ef3d16855663cb06934e850d6fa0338e4e5601cf8d6b3af3

SHA512
86919fde39ac178626dba8afcb3e725a6c29c3bb921106d75863e699ace42ff2121f6b6d64bbeed969e200aeb5bbc233fd03bfd87856313e66f706b3f769854a

Download Submit
\Users\Admin\AppData\Local\Temp\is-N949J.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1136-137-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1136-138-0x000000001B210000-0x000000001B290000-memory.dmp

Filesize
512KB

Download
memory/1136-141-0x000000001B210000-0x000000001B290000-memory.dmp

Filesize
512KB

Download
memory/1620-70-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/1620-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-67-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/1620-127-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/1620-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1620-108-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/1716-128-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1716-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1716-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1828-129-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/1828-122-0x0000000001210000-0x0000000001540000-memory.dmp

Filesize
3.2MB

Download
memory/1828-124-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/1828-130-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/1828-131-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download