Malware Analysis Report

2025-06-15 19:49

Sample ID 240406-hnh4cada2x
Target VMM.zip
SHA256 5344ad88a5cd21e8c2b396d4c0ff00bf3bb2c09aee63c7eb6f72a86c1a5398f9
Tags
discovery lumma stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5344ad88a5cd21e8c2b396d4c0ff00bf3bb2c09aee63c7eb6f72a86c1a5398f9

Threat Level: Known bad

The file VMM.zip was found to be: Known bad.

Malicious Activity Summary

discovery lumma stealer

Lumma Stealer

Loads dropped DLL

Checks for any installed AV software in registry

Downloads MZ/PE file

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Modifies system certificate store

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-06 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater\enco.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Security\ConnectServices C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper\UpdateBridgeEnvironment C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper\MixpanelCommonProperties = "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" C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Security C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0" C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "29f2657c6f67487ea57f0689df844845422dd281" C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\SessionId = "375389ac99c54ca7baece84c8c43c1fe" C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\Action = "Install" C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updater\enco.exe

"C:\Users\Admin\AppData\Local\Temp\updater\enco.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.28129\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"

C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.19620\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=enco.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

MD5 dd1e66288a585847ab7ae22370077a68
SHA1 4758fc02c40fdb2c5ba46fca20e1fece3958d313
SHA256 6f603b1450d2d6c70d9670b04c1c12acd82289a64a3136c466d381ba961fd594
SHA512 d4b936adcb60a30e91d19f7adffe2367a4608392296e8608439494a28e35f9f6f9dd8d3c08a3abbb7c4b23120f3dcf3687429ef69f824cbb24c614a2c7970ec0

C:\Users\Admin\AppData\Local\Temp\.CR.28129\Avira_Security_Installation.xml

MD5 e09c9b75391418d9dfde9132d42d8707
SHA1 c6320f57e9b4fd19296f61a47c61bbfb09097cfa
SHA256 0b88a468fa58b21e21680de328ce0c55bef8cb36f60aa649321a904a35d983ec
SHA512 b6bfccd3c14a66c8d624fd3e797ebf9bd1a93a1fc746e8500e765c9aa6b10906cc1491f1f24dfab3f9bbdb2ed17c48f9ab7e3e3e07bf5a7e7e00c335ce9d2288

memory/2552-7-0x00000000003D0000-0x000000000055A000-memory.dmp

memory/2552-8-0x0000000074590000-0x0000000074C7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\DRYIOC.DLL

MD5 714e25424a8aaa63d7ca6ab89019da1b
SHA1 509b65ba6c41095b7f33d7c5c80f6d4fc7b18586
SHA256 61bbf93454a27b7c4b73a5735a546a544c46e8e85dda8d93994d4d79938b9dcc
SHA512 73fa85df955d2534bb03e17a798cbc3b6cb5499a8d3dba952a1fc8c7f9994a8001b355efc159d4353363ced880f23d00ebe8023d8d6401163ff8497bb582738f

memory/2552-11-0x0000000000200000-0x0000000000270000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

MD5 e965cabfd0878bb82062b32714b836a4
SHA1 5d3deaba03c40c32e68328ff9f04034fa174cce6
SHA256 54ab6e6a8b5db759592a66b56a5fa6bca1b78cb9dd99e73c331cadcf246893f6
SHA512 b5e0901faba3e30acc6675ffa62085e1cbed06efa786d5391ee070d5fd95dac113948879cd4b249b84ba3a0cb6f8d2388fd0a7728b453f0ffb0294a80abc7d68

memory/2552-14-0x0000000000350000-0x000000000037C000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

MD5 6ddc8fc93515e76d543ddb070b97cbb5
SHA1 fb44e0fbe50e76a9704305ff264ac0b4194750a7
SHA256 53ed9a31d6d646297cef5e518442c6de07afe595d8f64db18b3eadaa10eeccb8
SHA512 e372c3dc29489d69257b9c0c550fcba4548fdb41c3bc4ff2f81f0791a661acf53add161b4deff694f764ad7bf7cf66c515848cefbc4f4b55629abdbb9eaa82fd

memory/2552-20-0x00000000043C0000-0x000000000441C000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

MD5 7e25210ab468cd9ecb7b0cb89091a2e9
SHA1 fe17c651637c0e27ec8ee6a409a4ced5e76d4eec
SHA256 7a871e2a7d6814834893229e59874922983a0060b183d3a874d6e8e6906e164d
SHA512 a9e48675eb2f75ad07a8b9fefde4fe7393ac1d9d8b3ed513117b2a688875218ab0142f423b77dc8616e8a2f1673f35661627162f50e1489b316c60a1b59ba6d7

memory/2552-17-0x00000000042F0000-0x0000000004354000-memory.dmp

memory/2552-23-0x0000000000710000-0x0000000000726000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\DRYIOC.MEFATTRIBUTEDMODEL.DLL

MD5 d78c583cb692427a10527a014962ee01
SHA1 4bab8f272f8bc6183ef6f82b6747cdfeddf12d10
SHA256 0621244e268938b4bb1cc76bb2a1b0181ee5cf59005534d08f89eba79f900b05
SHA512 a3ff15876fc297149ceb693052a47ad6f361c9f0e860005aa59684d405657b23f3879f487b42ecb41883793b881275ce458cabddb5bbb5bcaeb2e01a9d4ff607

\Users\Admin\AppData\Local\Temp\.CR.19620\DRYIOCATTRIBUTES.DLL

MD5 894402ba3f2225a71c4747d9928c566a
SHA1 b6ad87444277e2f1ff58a3aedac91021512466ce
SHA256 52cbbd4703e4e4cdac01615fcc623acce13113960eb45965d28d636d827315f7
SHA512 683849be5b0b930a71698519b07bba5df02a6ed2de84b1482dc747e380e1b51b6b3df7d65ca181579915d6c2ad649bd1f6e60d0386350af377185534f3d93cb4

memory/2552-27-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2552-26-0x0000000000790000-0x000000000079C000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\PRODUCTLABEL.COMMON.DLL

MD5 86272e56e4749850707c3fb7c267e5ce
SHA1 25ed4b5e6a33722250c6698319ab12ec5ac1f6a1
SHA256 b28bd1a97a5b6da7fca999c25429975759d41db4725082337302a4de4c233ad9
SHA512 e6b36be5c81b4d22696565e3315dffb5386cb7d26f41084dc2f820bbcd6e036b470ce288529e78b0076364437148c5c5c42dba548a9901f02754aa6e77cc490a

memory/2552-30-0x0000000000A60000-0x0000000000A90000-memory.dmp

memory/2552-33-0x0000000000A60000-0x0000000000A90000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\PRODUCTLABEL.DLL

MD5 0bc5514ed84904412e594305f34b3ec1
SHA1 c70a893441363b13866def2a06670bead74f25d3
SHA256 b86a57a8c2bca3f0e617fc47a5aed5e0e4444cfa7614f44ed9dd4401d15a381b
SHA512 a9cb019bf6ebb68a4843b47b13872d8ffcda615334308f6d56431c3eace184ef8f945f1e3a66ac9afde2c88da1f570a0d1eb70d56a9b1bf3086eb2186610e464

memory/2552-36-0x00000000048C0000-0x000000000490E000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\MICROSOFT.WINDOWS.SHELL.DLL

MD5 fc28af3ae489397c01dfefa207d7eb04
SHA1 071de4a61de6e49fe4a4e9a974feffda0e371324
SHA256 a8d4bb9664c12a00e389638aa0351ee14fc3d373812dc2da07df39635179d984
SHA512 8f0fe83ff35eb60911786d64a2e3cde93d15f8596042912e5a0571cb51c4b4e621fc10af04df3c3ece9db421b106dfe835117b21b33096ca8e28038bdd063329

memory/2552-41-0x0000000004A20000-0x0000000004A4C000-memory.dmp

memory/2552-44-0x0000000004A50000-0x0000000004A86000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

MD5 7e1abdfc735b040bbe17aa1f1aeb4a16
SHA1 946834c5a5acd43badb866f5752fb13d9236dfab
SHA256 46a0c1c829e4b3cf521124c600b676b2437aaf5e34f30bb980def7be152a635a
SHA512 014ca9477f4c6d7920532b51d7dc0ff4450397c60b43237549c72aceb120946aff19f90bdfad145a284d10cb5c372e586588b4771f6db6e91b9126751526c948

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.COMMON.MIXPANEL.DLL

MD5 b99936185b1d2795ae0cda594f8c6da0
SHA1 dd3021a9f2bf588ff420571e0ef8d0ed0f4f76af
SHA256 0565243319c9bca86bd96ce75d2ddfb48fc7869eef0986134ba4627a49b3f0bb
SHA512 bc92f1b735139007e7ea04e8369af114e93850cc01ae270b826ba601a904eec2fe70a0826f36ff621dd9052388460ca59b464e53e4751c7788cbf3593379e1c9

memory/2552-47-0x0000000004360000-0x0000000004374000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

MD5 c4fd37101f93a28897549198019046ec
SHA1 f7ba115a2d225afa0c1220208203aeafc77e8797
SHA256 2d559a2ab503cd2722df043190d5ea5d06ada933420fb35939d32dec783e7375
SHA512 2271edb4c2b0ae287a1850de66569341eed105e8e49acec8c8512132dfa7cb74cbd8cc39fc1d54eda092c2bbcacc7f40e1214e8d6f42abbbfe2a11c190beba0a

memory/2552-50-0x0000000004870000-0x000000000487A000-memory.dmp

\Users\Admin\AppData\Local\Temp\.CR.19620\AVIRA.COMMON.GUARDS.DLL

MD5 5b851b4506d10f93b988b4ee8f313824
SHA1 213c4928a28e8fbf5dfc06cd5c5415301daf72e5
SHA256 28c9ea12476af9b90857564919ab813ba2468f2dd087e482777da9a8d1811fd4
SHA512 c8aa2b665c5baeb2e02bcbf86e63e91fd18761b2ac5943650c1824a971586023b01c71fd758157301d41595a50214e95aa0b42a45b9ae3562b5e1a56772077fc

memory/2552-53-0x0000000004AA0000-0x0000000004AA8000-memory.dmp

memory/2552-54-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

memory/2552-55-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

memory/2552-56-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2552-57-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2552-58-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/2552-59-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2552-60-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Data.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Data.exe

"C:\Users\Admin\AppData\Local\Temp\Data.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

112s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3236 -ip 3236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.185.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppConverter\NppConverter.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppConverter\NppConverter.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe

"C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 notepad-plus-plus.org udp
DE 91.108.103.239:443 notepad-plus-plus.org tcp
N/A 127.0.0.1:49188 N/A tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

118s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\updater\gup.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\updater\gup.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1984-1-0x00007FF980FB0000-0x00007FF9811A5000-memory.dmp

memory/1984-0-0x00007FF941030000-0x00007FF941040000-memory.dmp

memory/1984-2-0x00007FF980FB0000-0x00007FF9811A5000-memory.dmp

memory/1984-3-0x00007FF980FB0000-0x00007FF9811A5000-memory.dmp

memory/1984-4-0x00007FF97E770000-0x00007FF97EA39000-memory.dmp

memory/1984-5-0x00007FF941030000-0x00007FF941040000-memory.dmp

memory/1984-6-0x00007FF980FB0000-0x00007FF9811A5000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iepdf32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\indecorum.tiff

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\indecorum.tiff

Network

N/A

Files

memory/1284-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1284-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Config\nppPluginList.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Config\nppPluginList.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

133s

Max time network

129s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\updater\gup.xml"

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{694A0851-F3E2-11EE-825B-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418548292" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000159fbe51b46c3a214935e187ee3dd00bab188a9af1c9fec325f587b0002658eb000000000e8000000002000020000000fca514baadd0838bfc8d6419ededa9409cac7f782e10b23557ea88bcf00e950e20000000f8bf5939f00167181101c8191ae684e65e1122e7d103f7ceeaded2014b0a417c400000006d26cd998479567ac02e9096a3773896c9ddcd90f85eeb96c6e7b8675ee2f5cebbc96b4c06aa6f56b9911b6fabfb1cfa099431a85998c2a8c7fb163bb5c7b69c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0baee3def87da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2160 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1928 wrote to memory of 2160 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1928 wrote to memory of 2160 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1928 wrote to memory of 2160 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2160 wrote to memory of 2592 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2592 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2592 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2592 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2592 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2592 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2592 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2592 wrote to memory of 2504 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\updater\gup.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab46A2.tmp

C:\Users\Admin\AppData\Local\Temp\Cab4761.tmp

C:\Users\Admin\AppData\Local\Temp\Tar4776.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\updater\libcurl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\updater\libcurl.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:55

Platform

win7-20240319-en

Max time kernel

102s

Max time network

25s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VMM.zip

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1640 N/A C:\Users\Admin\Desktop\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1640 wrote to memory of 2020 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 2020 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2020 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VMM.zip

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\Desktop\Setup.exe

"C:\Users\Admin\Desktop\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 200

Network

N/A

Files

memory/1692-0-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1692-1-0x0000000072C10000-0x0000000072D84000-memory.dmp

memory/1692-2-0x00000000775C0000-0x0000000077769000-memory.dmp

memory/1692-6-0x0000000072C10000-0x0000000072D84000-memory.dmp

memory/1692-7-0x0000000072C10000-0x0000000072D84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3110720c

MD5 9515b07eb3a87b926aad8d9dd64aa454
SHA1 3ac6bd117e11a308be46eeb7f9f4637b8a482d5f
SHA256 59da866b0475686721a7533c8da1fdb3dfc5c90afc7c08772cad1dc1f358dad8
SHA512 10922f541e401b5a52cce8b4ce31524f595cae709154d71d8adc6453959b7187edfe0cd650693b08235788c875c63c39b51271338cf078272a91cd1eb9d1b037

memory/1692-9-0x0000000001170000-0x0000000001A46000-memory.dmp

memory/1640-11-0x0000000072C10000-0x0000000072D84000-memory.dmp

memory/1640-12-0x00000000775C0000-0x0000000077769000-memory.dmp

memory/1640-14-0x0000000072C10000-0x0000000072D84000-memory.dmp

memory/1640-15-0x0000000072C10000-0x0000000072D84000-memory.dmp

\Users\Admin\AppData\Local\Temp\RunDll.exe

MD5 726444379dbb621f5f117a2605425be1
SHA1 1700e8c51b39a8000bb41ee8b25940a6962c305b
SHA256 a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
SHA512 28f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267

memory/1640-20-0x0000000072C10000-0x0000000072D84000-memory.dmp

memory/2020-22-0x00000000775C0000-0x0000000077769000-memory.dmp

memory/2020-23-0x0000000000090000-0x00000000000DD000-memory.dmp

memory/2020-26-0x0000000000240000-0x00000000005DA000-memory.dmp

memory/2020-27-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2020-33-0x0000000000090000-0x00000000000DD000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppConverter\NppConverter.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppConverter\NppConverter.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\mimeTools\mimeTools.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\mimeTools\mimeTools.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater\enco.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Security\ConnectServices C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\UpdateBridgeEnvironment C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\MixpanelCommonProperties = [value omitted] C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Security C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\MixpanelCommonProperties = [value omitted] C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Security\ConnectServices C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Bootstrapper\UpdateBridgeEnvironment C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Security C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A

Downloads MZ/PE file

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0" C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\SessionId = "156c11dd7b7e4c7dbbb3758db42a5ac5" C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\Action = "Install" C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\telemetry = "7f387454138447a4acefe39905c4e88eca93fb63" C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe\NoStartPage = "0" C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\SessionId = "090c4dfff01546f3b6f79ea90913acac" C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}\Action = "Install" C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\updater\enco.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = (blob value removed as a duplicate) C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = (blob value removed as a duplicate) C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A

Both Blob values shown carry the same certificate: property 0x0b of the blob is the UTF-16 friendly name "Microsoft Identity Verification Root Certificate Authority 2020", property 0x03 is the SHA1 F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 that also names the key, and the second write only adds the MD5 hash properties (0x04 and 0x19). AuthRoot is the store that Windows' automatic root update fills when a chain is built to a root not yet cached locally, so on its own this hit is consistent with the installer verifying a Microsoft-signed component rather than planting a root; a write under the Root store, or a thumbprint that is not a Microsoft-program root, would be the finding to chase.
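
The Blob above is a CryptoAPI serialized certificate: a run of (PropId, 1, cbData, data) records, little-endian, in which property 0x20 holds the DER certificate and property 0x03 the SHA1 that also names the registry key. The Python below is an added example and not part of this report; its embedded sample is the first seven properties of the Blob from the table above (the 1488-byte certificate property 0x20 is left out of the sample for length, and the parser handles it the same way when it is present). Fed the full Blob it recomputes the SHA1 over the DER and compares it with the key name, which is the check to make before treating a "Modifies system certificate store" hit as a planted root.

```python
"""Decode a CryptoAPI serialized certificate, the format of the registry value
...\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob:
a run of properties, each DWORD PropId | DWORD 1 | DWORD cbData | data (little-endian)."""
from __future__ import annotations

import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h
PROP_NAMES = {0x03: "SHA1_HASH", 0x04: "MD5_HASH", 0x09: "ENHKEY_USAGE",
              0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER",
              0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH", 0x1D: "SUBJECT_NAME_MD5_HASH",
              0x20: "CERT", 0x62: "AUTH_ROOT_SHA256_HASH"}

# The key written in the report and the first seven properties of its Blob, copied from
# the table above.  The final property (0x20, the DER certificate) is omitted for length.
REPORT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
              r"\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2")
REPORT_BLOB_PREFIX_HEX = (
    "0f000000" "01000000" "30000000"
    "41ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd3"
    "34e97e81fd0e64815f851f914ade1a1e"
    "0b000000" "01000000" "80000000"
    "4d006900630072006f0073006f006600740020004900640065006e0074006900"
    "74007900200056006500720069006600690063006100740069006f006e002000"
    "52006f006f007400200043006500720074006900660069006300610074006500"
    "200041007500740068006f007200690074007900200032003000320030000000"
    "62000000" "01000000" "20000000"
    "5367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270"
    "09000000" "01000000" "16000000"
    "301406082b0601050507030306082b06010505070308"
    "14000000" "01000000" "14000000"
    "c87ed26a852a1bca1998040727cf50104f68a8a2"
    "1d000000" "01000000" "10000000"
    "e78921f81cea4d4105d2b5f4afae0c78"
    "03000000" "01000000" "14000000"
    "f40042e2e5f7e8ef8189fed15519aece42c3bfa2"
)


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Split a serialized certificate into {prop_id: raw bytes}; refuse malformed input."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError(f"malformed property {prop_id:#x} at offset {off - 12}")
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def build_property(prop_id: int, data: bytes) -> bytes:
    """Inverse of parse_blob for one property (handy for building test blobs)."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


def decode_oid(raw: bytes) -> str:
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_eku(der: bytes) -> list[str]:
    """SEQUENCE OF OBJECT IDENTIFIER with short-form lengths, all an EKU list needs."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    body = der[2:2 + der[1]]
    oids, i = [], 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        if tag != 0x06:
            raise ValueError(f"expected an OID tag, got {tag:#x}")
        oids.append(decode_oid(body[i + 2:i + 2 + length]))
        i += 2 + length
    return oids


def summarize(props: dict[int, bytes]) -> dict:
    out: dict = {"properties": [PROP_NAMES.get(p, f"prop_{p:#x}") for p in props]}
    if 0x0B in props:
        out["friendly_name"] = props[0x0B].decode("utf-16-le").rstrip("\x00")
    if 0x03 in props:
        out["sha1"] = props[0x03].hex().upper()
    if 0x62 in props:
        out["auth_root_sha256"] = props[0x62].hex()
    if 0x09 in props:
        out["eku"] = decode_eku(props[0x09])
    if 0x20 in props:  # recompute the thumbprint instead of trusting the stored one
        out["cert_sha1"] = hashlib.sha1(props[0x20]).hexdigest().upper()
        out["thumbprint_matches"] = out.get("sha1") == out["cert_sha1"]
    return out


def key_matches_thumbprint(key_path: str, props: dict[int, bytes]) -> bool:
    """The key name under ...\\Certificates\\ must equal the stored SHA1 property."""
    return key_path.rsplit("\\", 1)[-1].upper() == props.get(0x03, b"").hex().upper()
```

`summarize(parse_blob(bytes.fromhex(...)))` on the sample yields the friendly name, the SHA1 and the two EKU OIDs 1.3.6.1.5.5.7.3.3 (code signing) and 1.3.6.1.5.5.7.3.8 (time stamping); on a full Blob it also reports whether the DER's SHA1 agrees with the key name, so a blob whose stored hash does not match its certificate is caught rather than taken at face value.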

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\updater\enco.exe C:\Windows\SysWOW64\schtasks.exe (3 writes)
PID 3292 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\updater\enco.exe C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe (3 writes)
PID 3672 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\.CR.8708\ACSSignedIC.exe (3 writes)
PID 3672 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe (3 writes)
PID 1916 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe C:\Windows\SysWOW64\schtasks.exe (3 writes)
PID 1916 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe (3 writes)
PID 4996 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe C:\Users\Admin\AppData\Local\Temp\.CR.18989\ACSSignedIC.exe (3 writes)

Processes

C:\Users\Admin\AppData\Local\Temp\updater\enco.exe

"C:\Users\Admin\AppData\Local\Temp\updater\enco.exe"

C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.8708\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=enco.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.997\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"

C:\Users\Admin\AppData\Local\Temp\.CR.8708\ACSSignedIC.exe

"C:\Users\Admin\AppData\Local\Temp\.CR.8708\ACSSignedIC.exe"

C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe

"C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe" SelfUpdate=false AllowMultipleInstances=true

C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.18989\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=enco.exe SelfUpdate=false AllowMultipleInstances=true

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.16690\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"

C:\Users\Admin\AppData\Local\Temp\.CR.18989\ACSSignedIC.exe

"C:\Users\Admin\AppData\Local\Temp\.CR.18989\ACSSignedIC.exe"

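Every writer/target pair in the WriteProcessMemory table above is a parent writing into a process it has just launched, in the same order the Processes list shows: updater\enco.exe (3292) starts schtasks (316) and the first bootstrapper (3672); that bootstrapper starts ACSSignedIC.exe (2772) and a second enco.exe (1916), which repeats the cycle. The Python below is an added example, not part of this report; the rows and command lines are copied from the two tables above, and the reading of a write into a never-before-written process as a spawn is the editor's inference, so a target with two different writers is reported separately instead of being forced into the tree. It also pulls apart the two schtasks command lines, flagging /Create /Xml with a task definition staged under the user's Temp directory and the /F that replaces any existing task of that name. The command lines name C:\Windows\system32\schtasks.exe while the executed image is C:\Windows\SysWOW64\schtasks.exe: the parents are 32-bit processes and file-system redirection selected the WOW64 copy.

```python
"""Rebuild the process chain from the WriteProcessMemory rows and triage the schtasks
command lines from the Processes section of this report (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Distinct (writer pid, target pid, writer image, target image) rows of the
# "Suspicious use of WriteProcessMemory" table above; each appears three times there.
WPM_ROWS = [
    (3292, 316, TEMP + r"\updater\enco.exe", SCHTASKS),
    (3292, 3672, TEMP + r"\updater\enco.exe", TEMP + r"\.CR.8708\Avira.Spotlight.Bootstrapper.exe"),
    (3672, 2772, TEMP + r"\.CR.8708\Avira.Spotlight.Bootstrapper.exe", TEMP + r"\.CR.8708\ACSSignedIC.exe"),
    (3672, 1916, TEMP + r"\.CR.8708\Avira.Spotlight.Bootstrapper.exe",
     TEMP + r"\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe"),
    (1916, 624, TEMP + r"\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe", SCHTASKS),
    (1916, 4996, TEMP + r"\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe",
     TEMP + r"\.CR.18989\Avira.Spotlight.Bootstrapper.exe"),
    (4996, 3856, TEMP + r"\.CR.18989\Avira.Spotlight.Bootstrapper.exe", TEMP + r"\.CR.18989\ACSSignedIC.exe"),
]

# Command lines from the Processes section above: the two schtasks ones and two that are not.
COMMAND_LINES = [
    '"' + TEMP + r'\updater\enco.exe"',
    '"C:\\Windows\\system32\\schtasks.exe" /Create /Xml "' + TEMP
    + r'\.CR.997\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"',
    '"' + TEMP + r'\.CR.8708\ACSSignedIC.exe"',
    '"C:\\Windows\\system32\\schtasks.exe" /Create /Xml "' + TEMP
    + r'\.CR.16690\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"',
]


def build_tree(rows):
    """Parent/child map under the reading that a write into a process nobody has written
    to yet is the writer's own child (the CreateProcess-time write).  A target written
    by two different processes does not fit that reading and is returned in `injected`."""
    parent, children, image, injected = {}, defaultdict(list), {}, set()
    for writer, target, writer_img, target_img in rows:
        image.setdefault(writer, writer_img)
        image.setdefault(target, target_img)
        if target in parent:
            if parent[target] != writer:
                injected.add(target)
            continue
        parent[target] = writer
        children[writer].append(target)
    roots = [pid for pid in image if pid not in parent]
    return roots, dict(children), image, injected


def render_tree(roots, children, image, depth=0):
    """One indented line per process, depth-first in the order the rows were written."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{pid}  {image[pid]}")
        lines.extend(render_tree(children.get(pid, []), children, image, depth + 1))
    return lines


def _arg(cmd, flag):
    """Value of a /flag argument, quoted or bare; None if the flag is absent."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def parse_schtasks_create(cmd):
    """Return {task, xml, force} for a `schtasks /Create` command line, else None."""
    if not re.search(r'schtasks\.exe"?\s+/Create\b', cmd, re.IGNORECASE):
        return None
    return {"task": _arg(cmd, "TN"), "xml": _arg(cmd, "Xml"),
            "force": re.search(r"\s/F(?=\s|$)", cmd, re.IGNORECASE) is not None}


def triage_scheduled_tasks(cmd_lines, temp_dir=TEMP):
    """Flag /Create invocations whose task definition is staged in the user's Temp directory."""
    findings = []
    for cmd in cmd_lines:
        task = parse_schtasks_create(cmd)
        if task is None:
            continue
        reasons = []
        if task["xml"] and task["xml"].lower().startswith(temp_dir.lower() + "\\"):
            reasons.append("task XML staged under %TEMP%")
        if task["force"]:
            reasons.append("/F silently replaces an existing task of the same name")
        findings.append({**task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    roots, children, image, injected = build_tree(WPM_ROWS)
    print("\n".join(render_tree(roots, children, image)))
    print("targets with more than one writer:", sorted(injected) or "none")
    for finding in triage_scheduled_tasks(COMMAND_LINES):
        print(finding)
```

On the report's rows the tree has a single root (3292) and no multi-writer targets, and both schtasks invocations are flagged for the same two reasons with the same task name, Avira_Security_Installation, which is why the two `Avira_Security_Installation.xml` files listed under Files are the artefacts to pull for the task's trigger and action.
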
Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dispatch.avira-update.com udp
DE 3.64.134.99:443 dispatch.avira-update.com tcp
US 8.8.8.8:53 download.avira.com udp
GB 23.37.1.152:80 download.avira.com tcp
US 8.8.8.8:53 99.134.64.3.in-addr.arpa udp
US 8.8.8.8:53 152.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

MD5 dd1e66288a585847ab7ae22370077a68
SHA1 4758fc02c40fdb2c5ba46fca20e1fece3958d313
SHA256 6f603b1450d2d6c70d9670b04c1c12acd82289a64a3136c466d381ba961fd594
SHA512 d4b936adcb60a30e91d19f7adffe2367a4608392296e8608439494a28e35f9f6f9dd8d3c08a3abbb7c4b23120f3dcf3687429ef69f824cbb24c614a2c7970ec0

C:\Users\Admin\AppData\Local\Temp\.CR.997\Avira_Security_Installation.xml

MD5 9dadf1c0bbfd4ee1a8e18d5008b33412
SHA1 ce5ee4d14fac0fb725fae0a4f383af59403b408f
SHA256 26ca440b564d33d2942dca984dd4b7b6ace2ac5f4916b1736d2eb72a8070d8a0
SHA512 812ca49cc27d4c8a34cf7836a465c3d4d2d77eaf67da0a4070b6d5fc9cb2eafe44f9045c63ac5098b75ec8331fd306a907a1b77b13c48ccd1cf77cd109d65951

memory/3672-6-0x0000000000390000-0x000000000051A000-memory.dmp

memory/3672-7-0x0000000074310000-0x0000000074AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\DRYIOC.DLL

MD5 714e25424a8aaa63d7ca6ab89019da1b
SHA1 509b65ba6c41095b7f33d7c5c80f6d4fc7b18586
SHA256 61bbf93454a27b7c4b73a5735a546a544c46e8e85dda8d93994d4d79938b9dcc
SHA512 73fa85df955d2534bb03e17a798cbc3b6cb5499a8d3dba952a1fc8c7f9994a8001b355efc159d4353363ced880f23d00ebe8023d8d6401163ff8497bb582738f

memory/3672-10-0x0000000004F10000-0x0000000004F80000-memory.dmp

memory/3672-13-0x0000000005280000-0x00000000052AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

MD5 e965cabfd0878bb82062b32714b836a4
SHA1 5d3deaba03c40c32e68328ff9f04034fa174cce6
SHA256 54ab6e6a8b5db759592a66b56a5fa6bca1b78cb9dd99e73c331cadcf246893f6
SHA512 b5e0901faba3e30acc6675ffa62085e1cbed06efa786d5391ee070d5fd95dac113948879cd4b249b84ba3a0cb6f8d2388fd0a7728b453f0ffb0294a80abc7d68

memory/3672-19-0x0000000005390000-0x00000000053EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

MD5 7e25210ab468cd9ecb7b0cb89091a2e9
SHA1 fe17c651637c0e27ec8ee6a409a4ced5e76d4eec
SHA256 7a871e2a7d6814834893229e59874922983a0060b183d3a874d6e8e6906e164d
SHA512 a9e48675eb2f75ad07a8b9fefde4fe7393ac1d9d8b3ed513117b2a688875218ab0142f423b77dc8616e8a2f1673f35661627162f50e1489b316c60a1b59ba6d7

C:\Users\Admin\AppData\Local\Temp\.CR.8708\DRYIOC.MEFATTRIBUTEDMODEL.DLL

MD5 d78c583cb692427a10527a014962ee01
SHA1 4bab8f272f8bc6183ef6f82b6747cdfeddf12d10
SHA256 0621244e268938b4bb1cc76bb2a1b0181ee5cf59005534d08f89eba79f900b05
SHA512 a3ff15876fc297149ceb693052a47ad6f361c9f0e860005aa59684d405657b23f3879f487b42ecb41883793b881275ce458cabddb5bbb5bcaeb2e01a9d4ff607

memory/3672-22-0x00000000052D0000-0x00000000052E6000-memory.dmp

memory/3672-16-0x0000000005320000-0x0000000005384000-memory.dmp

memory/3672-26-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3672-25-0x00000000052F0000-0x00000000052FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\DRYIOCATTRIBUTES.DLL

MD5 894402ba3f2225a71c4747d9928c566a
SHA1 b6ad87444277e2f1ff58a3aedac91021512466ce
SHA256 52cbbd4703e4e4cdac01615fcc623acce13113960eb45965d28d636d827315f7
SHA512 683849be5b0b930a71698519b07bba5df02a6ed2de84b1482dc747e380e1b51b6b3df7d65ca181579915d6c2ad649bd1f6e60d0386350af377185534f3d93cb4

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

MD5 6ddc8fc93515e76d543ddb070b97cbb5
SHA1 fb44e0fbe50e76a9704305ff264ac0b4194750a7
SHA256 53ed9a31d6d646297cef5e518442c6de07afe595d8f64db18b3eadaa10eeccb8
SHA512 e372c3dc29489d69257b9c0c550fcba4548fdb41c3bc4ff2f81f0791a661acf53add161b4deff694f764ad7bf7cf66c515848cefbc4f4b55629abdbb9eaa82fd

C:\Users\Admin\AppData\Local\Temp\.CR.8708\PRODUCTLABEL.COMMON.DLL

MD5 86272e56e4749850707c3fb7c267e5ce
SHA1 25ed4b5e6a33722250c6698319ab12ec5ac1f6a1
SHA256 b28bd1a97a5b6da7fca999c25429975759d41db4725082337302a4de4c233ad9
SHA512 e6b36be5c81b4d22696565e3315dffb5386cb7d26f41084dc2f820bbcd6e036b470ce288529e78b0076364437148c5c5c42dba548a9901f02754aa6e77cc490a

memory/3672-29-0x0000000005420000-0x0000000005450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\PRODUCTLABEL.DLL

MD5 0bc5514ed84904412e594305f34b3ec1
SHA1 c70a893441363b13866def2a06670bead74f25d3
SHA256 b86a57a8c2bca3f0e617fc47a5aed5e0e4444cfa7614f44ed9dd4401d15a381b
SHA512 a9cb019bf6ebb68a4843b47b13872d8ffcda615334308f6d56431c3eace184ef8f945f1e3a66ac9afde2c88da1f570a0d1eb70d56a9b1bf3086eb2186610e464

memory/3672-34-0x00000000054A0000-0x00000000054EE000-memory.dmp

memory/3672-37-0x0000000005AA0000-0x0000000006044000-memory.dmp

memory/3672-40-0x0000000005530000-0x000000000555C000-memory.dmp

memory/3672-43-0x00000000055A0000-0x00000000055D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

MD5 7e1abdfc735b040bbe17aa1f1aeb4a16
SHA1 946834c5a5acd43badb866f5752fb13d9236dfab
SHA256 46a0c1c829e4b3cf521124c600b676b2437aaf5e34f30bb980def7be152a635a
SHA512 014ca9477f4c6d7920532b51d7dc0ff4450397c60b43237549c72aceb120946aff19f90bdfad145a284d10cb5c372e586588b4771f6db6e91b9126751526c948

C:\Users\Admin\AppData\Local\Temp\.CR.8708\MICROSOFT.WINDOWS.SHELL.DLL

MD5 fc28af3ae489397c01dfefa207d7eb04
SHA1 071de4a61de6e49fe4a4e9a974feffda0e371324
SHA256 a8d4bb9664c12a00e389638aa0351ee14fc3d373812dc2da07df39635179d984
SHA512 8f0fe83ff35eb60911786d64a2e3cde93d15f8596042912e5a0571cb51c4b4e621fc10af04df3c3ece9db421b106dfe835117b21b33096ca8e28038bdd063329

memory/3672-48-0x0000000005650000-0x0000000005662000-memory.dmp

memory/3672-47-0x0000000005600000-0x0000000005622000-memory.dmp

memory/3672-46-0x00000000055E0000-0x00000000055F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.COMMON.MIXPANEL.DLL

MD5 b99936185b1d2795ae0cda594f8c6da0
SHA1 dd3021a9f2bf588ff420571e0ef8d0ed0f4f76af
SHA256 0565243319c9bca86bd96ce75d2ddfb48fc7869eef0986134ba4627a49b3f0bb
SHA512 bc92f1b735139007e7ea04e8369af114e93850cc01ae270b826ba601a904eec2fe70a0826f36ff621dd9052388460ca59b464e53e4751c7788cbf3593379e1c9

memory/3672-51-0x0000000005780000-0x000000000578A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL

MD5 c4fd37101f93a28897549198019046ec
SHA1 f7ba115a2d225afa0c1220208203aeafc77e8797
SHA256 2d559a2ab503cd2722df043190d5ea5d06ada933420fb35939d32dec783e7375
SHA512 2271edb4c2b0ae287a1850de66569341eed105e8e49acec8c8512132dfa7cb74cbd8cc39fc1d54eda092c2bbcacc7f40e1214e8d6f42abbbfe2a11c190beba0a

memory/3672-54-0x0000000005960000-0x0000000005968000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.COMMON.GUARDS.DLL

MD5 5b851b4506d10f93b988b4ee8f313824
SHA1 213c4928a28e8fbf5dfc06cd5c5415301daf72e5
SHA256 28c9ea12476af9b90857564919ab813ba2468f2dd087e482777da9a8d1811fd4
SHA512 c8aa2b665c5baeb2e02bcbf86e63e91fd18761b2ac5943650c1824a971586023b01c71fd758157301d41595a50214e95aa0b42a45b9ae3562b5e1a56772077fc

C:\Users\Admin\AppData\Local\Temp\.CR.8708\ACSSIGNEDIC.EXE

MD5 8c4622622a1044250d32b3f75dff1308
SHA1 8eef39eda2043c3f2fb680b5ecba9dc399b70f10
SHA256 7fbac7f635533ed207d3479cb8a4e5e96fefae5c1ddbdd5f52780ce6c3ddc6c2
SHA512 a36ca64d20cfb8a9cf04c6d7565cf8f38922092850913d0ee062305fb755c6570693da32dd866c7c667d7e03b8a9656dc74637b9535ac6e26a156a200c3d02cc

memory/3672-56-0x00000000067A0000-0x00000000067F0000-memory.dmp

memory/3672-57-0x00000000067F0000-0x000000000682C000-memory.dmp

memory/3672-58-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3672-59-0x00000000072C0000-0x00000000072C8000-memory.dmp

memory/3672-60-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3672-62-0x00000000094A0000-0x00000000094AE000-memory.dmp

memory/3672-61-0x000000000A940000-0x000000000A978000-memory.dmp

memory/3672-65-0x000000000A980000-0x000000000A990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.8708\AVIRA.FILEDOWNLOADER.DLL

MD5 0030dd38523e6a2227534e2469561f53
SHA1 cd2ba1ac1fb71e5aff30ef57a899b245525e9860
SHA256 a8eb1f255ed57db70f8ef6892e9dbe2687fdfbbb16d0e8ff8797df898e12fa3e
SHA512 99308fd780a030bdc2306679248a5d4d8d00aa1557f217c1914504fa5f6834b222fceaede320aff6d232abb7d77086aef3283c38722fa390febb1bed088c4f1e

C:\Users\Admin\AppData\Local\Temp\bf47eb48-74f9-4920-bcab-2656c8c10556\enco.exe

MD5 cc6e9e404056010e5c9959a0a72f77de
SHA1 3e6178adcf3a6414b78443852f4a7092d760635d
SHA256 e2e67d0d9e2f6bd577911a81b261e4d5381d4461e01af8496830a97b55262cde
SHA512 b24c4ec0f8b8b2393def441743c781cb869ddde70abe23bdfe3b57e12295ba82c791f8ebad797d4fde44045cf21f018aed83e376f300c2ccd422f55367dad4c2

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE

MD5 7c68d940f5d3344a3b2a874b34260761
SHA1 9c84a7ddb1c5e888248ebd72b25822ea2e7c20d5
SHA256 9bcb9fa66f71a81bd9bcab842be3f485f0a1768a77cb28a1f34a5b367db48daa
SHA512 c044b9b3b5e06ee7f1aa47bdf634a3540eb45265791c828cfbe03fa3708af40a3c06977a40b57bd773dc19335668f04b7381f95ab86c435bbd3afae8a49e3f33

memory/4996-87-0x0000000000250000-0x00000000003E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\DRYIOC.DLL

MD5 15fe9c51056f1b56d147f3674d3f65c3
SHA1 202c6101ef20259a07f00c619a10fe4f954bb782
SHA256 3d312f14d5995fe1731497e8defa402cf36f48ca514e23f9d63d9e33e351ca2f
SHA512 6a58f0be22e1d21c0363cdf2da0b6a46750b3d1a58da727e3ca138fee2d22017a726a2ecab8a2a5a99b80a20000c4edf4a79ba053d7ad61288fdc0421cd469b3

memory/4996-92-0x0000000074310000-0x0000000074AC0000-memory.dmp

memory/4996-95-0x0000000004CE0000-0x0000000004D0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL

MD5 8d673df9e5fd8fb8ec671345af53c072
SHA1 cf7caf96666f6d72780665e8ee2773ad6d74a675
SHA256 2a889f1a7dd69178bd76e5db927e9f92c60a7ec0e0d04861322e4f633d61a28b
SHA512 5857d6443d025263f64a5ee88709e59a8e6d1d111b699287fe85f02b1d8b986ef78a200120cfc9cf385eb35c72b45d99b9fba81feca74f36e736cea7d4d6558d

memory/4996-98-0x00000000050A0000-0x000000000510C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL

MD5 64de70e5caf962d56b52c77726442380
SHA1 11a029c67e151b925232c53babf4694de0ee2b63
SHA256 4d481eb8cbe270c384fa4e5703e39a370f3d5c8e49c61855cea55d626229a3bf
SHA512 c5abe4cf002d9ecdc8fba8b790e8855b45d29cb9c0814a408fc143679d22a6a84dc677af5896c7b5fbe5929896f7a66d2110202571c5a2fee8428c06331417b1

memory/4996-104-0x0000000005050000-0x0000000005066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\DRYIOC.MEFATTRIBUTEDMODEL.DLL

MD5 dbe4da6a000aadaa9118568e36ade98e
SHA1 63b0f90bd1c72f208883d3749c9a90680fe2923d
SHA256 94b17590329073b981561a7e2e395ba013c06987c7b56ab2f77527bb632b8b5d
SHA512 146fd65c4c95af61ff8dd42c97f00f43951632a1135d27ca92b54b527d73beef8292ef51eeee6a2e66c6b1c196abfe4d5f91493a5ea28e802d3d4fa4b1ee8112

memory/4996-101-0x0000000005110000-0x0000000005170000-memory.dmp

memory/4996-107-0x0000000005080000-0x000000000508C000-memory.dmp

memory/4996-108-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4996-111-0x00000000051A0000-0x00000000051D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\PRODUCTLABEL.COMMON.DLL

MD5 2399f2f5d18a1b9375ce39e50353d4f5
SHA1 cc53df13011480bdc309a51266fd09c53708bf80
SHA256 f979debf1930d091833768e04193a5c437411e0a28aa93917000f05fe3bbd834
SHA512 1c71d9fbf32dc356f21c92bdd0c17c7d555ca72db412f2df25bdf7c1092f580c855bb51d72bbba77642a3d81b4e48a5f6436809f29b3eeda798715ac77e10660

memory/4996-116-0x0000000005220000-0x0000000005264000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\PRODUCTLABEL.DLL

MD5 7977fddab911bef04af6417a88a2b3e2
SHA1 4e1a4e0b8b65976f9efdd1eff5d11710b73a3390
SHA256 12383591ce3b642687e068efa9556f3ca827d427b415919e05a5ca385e734ee2
SHA512 2f594bb68a446bf41fb899c71b8f2a6a67db1b20917729f6dddadf7e1dac8765707476f2432a0f8a3c11b3db83d1746c385a724cd5595b472935796bb7be89c9

memory/4996-121-0x00000000052B0000-0x00000000052DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\MICROSOFT.WINDOWS.SHELL.DLL

MD5 fd153080fe5aa65a23d2fec5a1bf3919
SHA1 e97cdeb809a9b27490c8d45fc2332f347bad7055
SHA256 f68e7d787b5b2f63c7dc73bbf197cf95b0c0b9cf6acf9b49f8fb4862cbda76cc
SHA512 d306879bc911ab3732c53127949333c196eb8a64c1624b5207cdf5a89f360cae55782a1ad3d3895f88e67bbad752beebd537c7c742786d3353cd5de6e8ab7630

memory/4996-124-0x0000000005360000-0x0000000005396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.SPOTLIGHT.BOOTSTRAPPER.REACTIVE.DLL

MD5 1d5c5b5264ae7ed868eeb82e2be959de
SHA1 d89d2675d1062025a5aadfa5d7f7103504bd8830
SHA256 1d88207d2e39d5804788c645fe5c1e3f83cf9c9e1dff6405d824fe808e0ff517
SHA512 1d2af9ecd910e993950c89a1a8eae7c8cfe22404012e3ca5f35f8b52cc314b4a6f2b6c8f81254c2534d2b7bbca358fb16129f50f00a0df2934265e542db74e67

C:\Users\Admin\AppData\Local\Temp\.CR.18989\DRYIOCATTRIBUTES.DLL

MD5 561b5afeb747ebd5ef4fadeac8c6db95
SHA1 2e9faa0051ffa83df0930a83b770fe4e74c42795
SHA256 4468138ab065bdd64508edf745a784077f2c2b108dd8abefc2cda543578ce9f8
SHA512 f592e74156303014a43bd6a0053b87c21d22e95da611df5a1da52ab04b2f4eaca95f03f3d557ad70c47f9ed9a7f3a4fd770f3a4484a59796456f2c8702454189

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL

MD5 83b0855a3a88a1a5958dbd6bce119d7e
SHA1 a99da461cd9998d17addc8790585bf5a034badca
SHA256 5133a4ffa2acf3ca099b9e2968c0557e42842a6e9d078310ad2021e620202c57
SHA512 a846f3451ed7edef437f10789e8e899fd130e1f8e57f2885f62341c8efbc759b919b98210c6b8e0b8dd4412b1eab812ea67e7ff28f4c93c6811fa6780267e8e7

C:\Users\Admin\AppData\Local\Temp\.CR.16690\Avira_Security_Installation.xml

MD5 df0004001f930e646a887fd04569df46
SHA1 b1035bff22e2b42085f26495d00b4fdd4e6afb52
SHA256 a848d0513e151c27a1be8ab12897b3bee76ec94b16f0066b8e03967f5b14c561
SHA512 ac8ebb761ff8058cf4ac69bc1427b8ce5cbc5bbf7445019397902a06bbf18e465ca05a8ea73b4d5dc9ec8e0bc901eda58497c3005ddb55fc43f44af13a7ee891

memory/4996-126-0x0000000005310000-0x0000000005324000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.CR.18989\AVIRA.COMMON.MIXPANEL.DLL

MD5 2d3dbe2d0a1c9598c86b12b542ce8ff0
SHA1 af186460251a91c41fbe26172ce0d492350d7e58
SHA256 d9a96849098c4cb4aa1d8485a6f539597a561fa9562409b722690297b7aba185
SHA512 ca0bc6297d03b0332e8f9beceaea53b349939f2728ce82dbf2bd0dec18318e7a2436e6f2a99cadfc69576e446404e8fa2fbb6317909a0d39652c3aefec6e2c6e

memory/4996-90-0x0000000004BF0000-0x0000000004C60000-memory.dmp

memory/4996-127-0x0000000005300000-0x000000000530A000-memory.dmp

memory/4996-128-0x0000000005430000-0x0000000005438000-memory.dmp

memory/4996-129-0x0000000005570000-0x000000000557C000-memory.dmp

memory/4996-130-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4996-131-0x00000000067E0000-0x00000000067F0000-memory.dmp

memory/4996-132-0x0000000008C50000-0x0000000008CE2000-memory.dmp

memory/4996-133-0x0000000005350000-0x0000000005360000-memory.dmp

memory/3672-136-0x0000000074310000-0x0000000074AC0000-memory.dmp

memory/4996-141-0x0000000074310000-0x0000000074AC0000-memory.dmp

memory/4996-142-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4996-143-0x0000000005350000-0x0000000005360000-memory.dmp

memory/4996-144-0x0000000005350000-0x0000000005360000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

153s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\indecorum.tiff

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\indecorum.tiff

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Config\nppPluginList.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Config\nppPluginList.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppExport\NppExport.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppExport\NppExport.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

115s

Max time network

145s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VMM.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VMM.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Data.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Data.exe

"C:\Users\Admin\AppData\Local\Temp\Data.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\mimeTools\mimeTools.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\mimeTools\mimeTools.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.md\ = "md_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\README.md

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\updater\README.md

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\updater\README.md"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 41cb3f3f7ed63b30e53c7e81ddcfba1a
SHA1 28193b0713ad22f2fb255b12f5b44ceab44f07dd
SHA256 4900fc5e0b6a6e6990782e6d64599b5dd5e253375bc983da4f63662d7e6c2955
SHA512 06d5e363bda66da523b1aa4dfbfa59ef0afb48901afacc0daf922d6f7fa86018a95d7ae486794dce7547cd7df9c4314bf20ae9fac249fe587e8e1f83f86ae122

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240215-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2832 set thread context of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2832 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe
PID 2596 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe C:\Windows\SysWOW64\WerFault.exe
PID 1384 wrote to memory of 2596 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\RunDll.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 196

Network

N/A

Files

memory/2832-0-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2832-1-0x0000000072960000-0x0000000072AD4000-memory.dmp

memory/2832-2-0x00000000770C0000-0x0000000077269000-memory.dmp

memory/2832-6-0x0000000072960000-0x0000000072AD4000-memory.dmp

memory/2832-7-0x0000000072960000-0x0000000072AD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9717d2b2

MD5 c6749be44fda45f59400565e96a438c4
SHA1 aa38e13ce70d83c896eb3166b2deb424533cd702
SHA256 1b448489f265bcf01e9afe71cc26a1309de46d25ee2d8ee8938554ef7a6b65ff
SHA512 41278ca24b2401a0db17bc99e2c13e951a09b90369d17ddf193e070e2c0ab7205f136c4e5757261f85b2321ddf715e86d7ad0cb7687073ca348adee071e365cb

memory/1384-11-0x0000000072960000-0x0000000072AD4000-memory.dmp

memory/2832-9-0x0000000000BB0000-0x0000000001486000-memory.dmp

memory/1384-12-0x00000000770C0000-0x0000000077269000-memory.dmp

memory/1384-15-0x0000000072960000-0x0000000072AD4000-memory.dmp

memory/1384-14-0x0000000072960000-0x0000000072AD4000-memory.dmp

\Users\Admin\AppData\Local\Temp\RunDll.exe

MD5 726444379dbb621f5f117a2605425be1
SHA1 1700e8c51b39a8000bb41ee8b25940a6962c305b
SHA256 a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
SHA512 28f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267

memory/1384-20-0x0000000072960000-0x0000000072AD4000-memory.dmp

memory/2596-22-0x00000000770C0000-0x0000000077269000-memory.dmp

memory/2596-23-0x0000000000090000-0x00000000000DD000-memory.dmp

memory/2596-30-0x0000000000A60000-0x0000000000DFA000-memory.dmp

memory/2596-31-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2596-33-0x0000000000090000-0x00000000000DD000-memory.dmp

memory/2596-34-0x0000000000090000-0x00000000000DD000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppExport\NppExport.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\NppExport\NppExport.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\rubadub.odp" /ou ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\rubadub.odp" /ou ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/680-0-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-2-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-1-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-3-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-4-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-5-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-6-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-7-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-8-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-9-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-10-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-11-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-12-0x00007FFF18910000-0x00007FFF18920000-memory.dmp

memory/680-13-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-14-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-15-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-16-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-17-0x00007FFF18910000-0x00007FFF18920000-memory.dmp

memory/680-18-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-19-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-20-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-21-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-22-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

memory/680-44-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-45-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-46-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-47-0x00007FFF1AD10000-0x00007FFF1AD20000-memory.dmp

memory/680-48-0x00007FFF5AC90000-0x00007FFF5AE85000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\LICENSE

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240319-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 636 set thread context of 3616 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RunDll.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
GB 51.11.108.188:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 kitchenreviewbewrwsa.shop udp
US 172.67.189.176:443 kitchenreviewbewrwsa.shop tcp
US 8.8.8.8:53 birdpenallitysydw.shop udp
US 104.21.18.173:443 birdpenallitysydw.shop tcp
US 8.8.8.8:53 cinemaclinicttanwk.shop udp
US 104.21.63.97:443 cinemaclinicttanwk.shop tcp
US 8.8.8.8:53 176.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 disagreemenywyws.shop udp
US 104.21.89.249:443 disagreemenywyws.shop tcp
US 8.8.8.8:53 speedparticipatewo.shop udp
US 104.21.86.190:443 speedparticipatewo.shop tcp
US 8.8.8.8:53 173.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 249.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 fixturewordbakewos.shop udp
US 104.21.61.180:443 fixturewordbakewos.shop tcp
US 8.8.8.8:53 colorprioritytubbew.shop udp
US 172.67.139.138:443 colorprioritytubbew.shop tcp
US 8.8.8.8:53 abuselinenaidwjuew.shop udp
US 104.21.15.45:443 abuselinenaidwjuew.shop tcp
US 8.8.8.8:53 190.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 138.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 methodgreenglassdatw.shop udp
US 172.67.221.254:443 methodgreenglassdatw.shop tcp
US 8.8.8.8:53 45.15.21.104.in-addr.arpa udp
US 8.8.8.8:53 254.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp

Files

memory/636-0-0x0000000001B60000-0x0000000001B61000-memory.dmp

memory/636-1-0x0000000073080000-0x00000000731FB000-memory.dmp

memory/636-2-0x00007FFE59330000-0x00007FFE59525000-memory.dmp

memory/636-6-0x0000000073080000-0x00000000731FB000-memory.dmp

memory/636-7-0x0000000073080000-0x00000000731FB000-memory.dmp

memory/3616-9-0x0000000073080000-0x00000000731FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1a26d6e2

MD5 2afa1e9e48736a687ac1d81386e96954
SHA1 0635590a90d33bc15a38548bb4b566bd0bb450a9
SHA256 f340c791a9408118ac69c07bd71df107b57142e4a351b13ac84ccf7c51800e3e
SHA512 5365a5a00931796a8251eecc3be320c7a5bbab641cac38efa9a75d952ea70cc97251a74c85d966bc9633efb7ce178291361fdea788a0221c55780386529db340

memory/636-10-0x0000000000A40000-0x0000000001316000-memory.dmp

memory/3616-12-0x00007FFE59330000-0x00007FFE59525000-memory.dmp

memory/3616-14-0x0000000073080000-0x00000000731FB000-memory.dmp

memory/3616-15-0x0000000073080000-0x00000000731FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RunDll.exe

MD5 726444379dbb621f5f117a2605425be1
SHA1 1700e8c51b39a8000bb41ee8b25940a6962c305b
SHA256 a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
SHA512 28f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267

memory/208-19-0x00007FFE59330000-0x00007FFE59525000-memory.dmp

memory/208-20-0x0000000000C80000-0x0000000000CCD000-memory.dmp

memory/208-22-0x0000000000730000-0x0000000000ACA000-memory.dmp

memory/208-23-0x0000000000C80000-0x0000000000CCD000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win7-20240319-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\rubadub.odp"

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\rubadub.odp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2220-0-0x000000002D341000-0x000000002D342000-memory.dmp

memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2220-2-0x000000007287D000-0x0000000072888000-memory.dmp

memory/2220-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2220-6-0x000000007287D000-0x0000000072888000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe

"C:\Users\Admin\AppData\Local\Temp\updater\GUP.exe"

C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 notepad-plus-plus.org udp
DE 91.108.103.239:443 notepad-plus-plus.org tcp
N/A 127.0.0.1:64403 tcp
US 8.8.8.8:53 239.103.108.91.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
N/A 127.0.0.1:64410 tcp
N/A 127.0.0.1:64413 tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe

MD5 6f7e2e04a4e06254fd1454515eb0331d
SHA1 ba940c6b526da1ce127f43b835b4d8c9d5c4b59c
SHA256 5180a17f24df75ccc000cdc2904b14c865ccfd7521909bf06cc75189a65c3e2f
SHA512 b230bea0ea463a34c3f01c5714d2dbd8dc9023ac373e46f4ec821fabb876d977fe3f5814740e903650a3d604422fef12bd7bbab7e1b531d9688af8111b30d859

C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\InstallOptions.dll

MD5 d095b082b7c5ba4665d40d9c5042af6d
SHA1 2220277304af105ca6c56219f56f04e894b28d27
SHA256 b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
SHA512 61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\ioSpecial.ini

MD5 bf874b71933a47516bfeeb045c90b42b
SHA1 fa94e0fc3d7c3c38ba0b62d28fe4bf9ed98cc5dd
SHA256 01a9b42b23ce0be7164d4a6da8452cb2e2f60ea81c2dd6a6a0616f7760727054
SHA512 01d073dd3356225c53b5320bf07d94b6c88c0b484da1b220b0f0981a06898e242cc8c5a0a428cc4821d3a049122acc405a562d455762f5c4f1d100af0661a2ab
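
Most of the Network rows above are reverse (PTR) lookups of Microsoft and CDN addresses and loopback connections, traffic the sandbox VM produces whether or not the sample does anything, and the Files table is a flat list of paths and digests. The following added example (my code, not part of this report or of the sandbox's tooling) parses both tables as they appear on this page, separates that background noise from the forward lookups and connections attributable to GUP.exe and the installer it dropped, checks that every copied digest is well-formed before it can land in a blocklist, and flags files dropped under the ns*.tmp directory. The sample strings are copied from the behavioral22 tables; the noise classification and the NSIS temp-directory pattern are heuristics of mine, not something the report states.

```python
"""Triage of the flattened Network and Files tables of a sandbox report.
Added example, not part of this report or of the sandbox's own tooling;
the sample text is copied from the behavioral22 tables on this page."""
import re

# Constructed sample: nine rows of the behavioral22 Network table, verbatim.
NETWORK_TEXT = """Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 notepad-plus-plus.org udp
DE 91.108.103.239:443 notepad-plus-plus.org tcp
N/A 127.0.0.1:64403 tcp
US 8.8.8.8:53 239.103.108.91.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
"""

# Constructed sample: two entries of the behavioral22 Files table (SHA512 omitted).
FILES_TEXT = r"""C:\Users\Admin\AppData\Local\Temp\npp.8.6.5.Installer.exe

MD5 6f7e2e04a4e06254fd1454515eb0331d
SHA1 ba940c6b526da1ce127f43b835b4d8c9d5c4b59c
SHA256 5180a17f24df75ccc000cdc2904b14c865ccfd7521909bf06cc75189a65c3e2f

C:\Users\Admin\AppData\Local\Temp\nsu9F20.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
# Assumption (not from the report): NSIS installers unpack plugin DLLs into a
# %TEMP% directory named ns<letter><4 hex>.tmp, like nsu9F20.tmp in this report.
NSIS_TMP = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)

def parse_network(text):
    """Rows of the Network table as dicts; a three-token row has no domain."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        tok = line.split()
        if len(tok) == 3:  # e.g. the 127.0.0.1 loopback rows on this page
            tok.insert(2, "")
        country, dest, domain, proto = tok  # ValueError on any other shape
        ip, port = dest.rsplit(":", 1)  # IPv4 'ip:port' is all this page shows
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def classify(row):
    """Heuristic: PTR lookups and loopback are VM background noise; 'dns' is a
    forward lookup; 'external' is a real connection worth an IOC."""
    if row["domain"].endswith((".in-addr.arpa", ".ip6.arpa")):
        return "ptr"
    if row["ip"].startswith("127."):
        return "loopback"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"
    return "external"

def summarize_network(text):
    """Count the noise buckets and keep the rows an analyst actually wants to see."""
    out = {"ptr": 0, "loopback": 0, "dns": [], "external": []}
    for row in parse_network(text):
        kind = classify(row)
        if kind == "dns":
            out["dns"].append(row["domain"])
        elif kind == "external":
            out["external"].append((row["domain"], row["ip"], row["port"], row["proto"]))
        else:
            out[kind] += 1
    return out

def parse_files(text):
    """Map each dropped-file path to its digests; a non-hash line starts a new entry."""
    files, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        label, _, value = line.partition(" ")
        if label in HASH_LEN:
            files[current][label] = value.strip().lower()
        else:
            current = line.strip()
            files[current] = {}
    return files

def validate_hashes(hashes):
    """Labels whose digest has the wrong length or non-hex characters (truncated paste)."""
    return [k for k, v in hashes.items() if len(v) != HASH_LEN.get(k) or not HEX.match(v)]

def iocs(network_text, files_text):
    """De-duplicated IOC set from both tables; refuses malformed digests."""
    net, files = summarize_network(network_text), parse_files(files_text)
    for path, hashes in files.items():
        if bad := validate_hashes(hashes):
            raise ValueError(f"{path}: malformed {bad}")
    return {
        "domains": sorted({r[0] for r in net["external"]} | set(net["dns"])),
        "ips": sorted({r[1] for r in net["external"]}),
        "sha256": sorted(h["SHA256"] for h in files.values()),
        "nsis_plugin_files": sorted(p for p in files if NSIS_TMP.search(p)),
    }
```

Feed `iocs()` the copied table text of any behavioral run to get the same shape of output. Treat the result as a starting point rather than a verdict: for this process chain (GUP.exe, the Notepad++ updater, fetching npp.8.6.5.Installer.exe) the notepad-plus-plus.org and GitHub destinations are the download path one would expect, and the SHA256 of the installer should be compared with the vendor's published checksum before the file is called clean or malicious.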

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:56

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

166s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\updater\LICENSE

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-06 06:52

Reported

2024-04-06 06:57

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

189s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\updater\libcurl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\updater\libcurl.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A