96ebd508ede2db1fa82e8f59e51821412cf7b4508b51066a4ead7a0f5433a3fe

Analysis

max time kernel
340s
max time network
355s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

APInstaller.exe
Size

958KB
MD5

3a3cff2c609b42980921e9736c0c4f02
SHA1

184971c2a9c3de826c80b2ade179ceba16076f24
SHA256

96ebd508ede2db1fa82e8f59e51821412cf7b4508b51066a4ead7a0f5433a3fe
SHA512

e08d8475d03998d8bc533804075e156eacdbaf343f1134199c890384b8ba5b79d99bdf9ddd4383ca9a52312d1d68c48da7366f361c2d40ec0a215f4ef575c998
SSDEEP

24576:/hgpKilNP+NOrvZykE/2Q8+No73poqHQEJqLYfeF:/hnilMNGykE/2Q1o73poqHQmqLgm

Score

8^/10

discovery execution persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DRIVERS\SET1B53.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\SET1F2D.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET1F2D.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET25F3.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET25F3.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\Trufos.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\SET1B53.tmp	RunDLL32.Exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\bddci.sys	RunDLL32.Exe
File opened for modification	C:\Windows\system32\DRIVERS\gzflt.sys	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\Trufos.sys	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\gzflt.sys	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	APInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Adaware-Privacy.exe

Executes dropped EXE 64 IoCs

pid	Process
1804	AP-Assistant-Service.exe
5012	DCIService.exe
1964	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2420	FeatureServiceInstaller.exe
4836	AP-Feature-Privacy-Service.exe
5740	adawarewebinstaller.exe
5748	ISBEW64.exe
2132	ISBEW64.exe
4576	ISBEW64.exe
5080	ISBEW64.exe
5420	ISBEW64.exe
5960	ISBEW64.exe
3880	ISBEW64.exe
6072	ISBEW64.exe
2724	ISBEW64.exe
5840	ISBEW64.exe
3588	ISBEW64.exe
5960	ISBEW64.exe
5180	ISBEW64.exe
828	ISBEW64.exe
5748	ISBEW64.exe
2132	ISBEW64.exe
6124	ISBEW64.exe
5420	ISBEW64.exe
1568	ISBEW64.exe
5672	ISBEW64.exe
3324	ISBEW64.exe
3540	ISBEW64.exe
2776	ISBEW64.exe
3324	ISBEW64.exe
5280	ISBEW64.exe
3448	ISBEW64.exe
5080	ISBEW64.exe
5420	ISBEW64.exe
1400	ISBEW64.exe
6124	ISBEW64.exe
1580	ISBEW64.exe
3448	ISBEW64.exe
3308	ISBEW64.exe
5280	ISBEW64.exe
3588	ISBEW64.exe
5352	ISBEW64.exe
5860	ISBEW64.exe
5280	ISBEW64.exe
6052	ISBEW64.exe
5420	ISBEW64.exe
5668	ISBEW64.exe
6012	ISBEW64.exe
4512	ISBEW64.exe
3540	ISBEW64.exe
6320	ISBEW64.exe
6356	ISBEW64.exe
6396	ISBEW64.exe
6428	ISBEW64.exe
6460	ISBEW64.exe
6532	ISBEW64.exe
6580	ISBEW64.exe
6624	ISBEW64.exe
6656	ISBEW64.exe
6688	ISBEW64.exe
6720	ISBEW64.exe
5916	Adaware_PC_Cleaner_Installer.exe
6308	Adaware_PC_Cleaner_Installer.exe

Loads dropped DLL 64 IoCs

pid	Process
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
5012	DCIService.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adaware Privacy = "C:\\Program Files (x86)\\Adaware\\Adaware Privacy\\Application\\Adaware-Privacy.exe --minimize "	Adaware-Privacy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adaware Privacy = "C:\\Program Files (x86)\\Adaware\\Adaware Privacy\\Application\\Adaware-Privacy.exe --minimize "	Adaware-Privacy.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
331	5976	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	adawarewebinstaller.exe
File opened (read-only)	\??\K:	adawarewebinstaller.exe
File opened (read-only)	\??\Q:	adawarewebinstaller.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	adawarewebinstaller.exe
File opened (read-only)	\??\N:	adawarewebinstaller.exe
File opened (read-only)	\??\O:	adawarewebinstaller.exe
File opened (read-only)	\??\T:	adawarewebinstaller.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	adawarewebinstaller.exe
File opened (read-only)	\??\E:	adawarewebinstaller.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	adawarewebinstaller.exe
File opened (read-only)	\??\U:	adawarewebinstaller.exe
File opened (read-only)	\??\X:	adawarewebinstaller.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	adawarewebinstaller.exe
File opened (read-only)	\??\R:	adawarewebinstaller.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	adawarewebinstaller.exe
File opened (read-only)	\??\L:	adawarewebinstaller.exe
File opened (read-only)	\??\W:	adawarewebinstaller.exe
File opened (read-only)	\??\Z:	adawarewebinstaller.exe
File opened (read-only)	\??\Y:	adawarewebinstaller.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	adawarewebinstaller.exe
File opened (read-only)	\??\J:	adawarewebinstaller.exe
File opened (read-only)	\??\S:	adawarewebinstaller.exe
File opened (read-only)	\??\V:	adawarewebinstaller.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-crt-conio-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\rpc.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\vccorlib140.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-crt-process-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bridge_start.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\pop3.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\smtp.dll	APInstaller.exe
File created	C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\bdnc.client_id	msiexec.exe
File created	C:\Program Files (x86)\Adaware PC Cleaner\is-B8V8T.tmp	adawarecleaner.tmp
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Service.exe.config	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bddci_install_boot.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-namedpipe-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware PC Cleaner\is-2ADIU.tmp	adawarecleaner.tmp
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-handle-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-crt-string-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bddci_install.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-processthreads-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddci_stop.cmd	APInstaller.exe
File created	C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\bdsmartdb.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.chm	adawarecleaner.tmp
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-namedpipe-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bddci_start.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bdnc.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-handle-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\smb.dll	APInstaller.exe
File created	C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\bdnc.dll	msiexec.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\privacy_clr.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\System.Data.SQLite.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-crt-private-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-rtlsupport-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-timezone-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-util-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware PC Cleaner\is-55T4A.tmp	adawarecleaner.tmp
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\sav.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-file-l2-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bridge_install.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\rpc.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Privacy-Service.exe.config	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bddci.cat	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddci.inf	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\ucrtbase.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-file-l2-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-crt-multibyte-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bittorrent.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe.config	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\ja-JP\Adaware-Privacy.resources.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bddci_stop.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\bridge_install.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-crt-conio-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bdnc.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-console-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\WebFilteringSimple.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-WCF.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Helpers.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-debug-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-errorhandling-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-string-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bridge_stop.cmd	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-file-l1-2-0.dll	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\Win32\api-ms-win-core-interlocked-l1-1-0.dll	APInstaller.exe
File created	C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\scan.dll	msiexec.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Privacy-WCF.dll.config	APInstaller.exe
File created	C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\api-ms-win-core-processthreads-l1-1-1.dll	APInstaller.exe
File created	C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\trufos.cat	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1924.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CF7C3426-3507-4069-9147-412539F8652E}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Fonts\is-LRS5C.tmp	adawarecleaner.tmp
File created	C:\Windows\Fonts\is-CH24P.tmp	adawarecleaner.tmp
File created	C:\Windows\Installer\e5b12aa.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CF7C3426-3507-4069-9147-412539F8652E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1606.tmp	msiexec.exe
File created	C:\Windows\Installer\{CF7C3426-3507-4069-9147-412539F8652E}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI224E.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b12ae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b12aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CDE.tmp	msiexec.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI149E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CBF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3386.tmp	msiexec.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	rundll32.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4004	sc.exe
2720	sc.exe
2200	sc.exe
1956	sc.exe
4828	sc.exe
2788	sc.exe
4112	sc.exe
1556	sc.exe
1224	sc.exe
2444	sc.exe
2872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AdawarePCCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AdawarePCCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AdawarePCCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AdawarePCCleaner.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623246229455415"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AP-Assistant-Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AP-Assistant-Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AP-Assistant-Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AP-Assistant-Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AP-Assistant-Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy\shell	APInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Elevation\IconReference = "@C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe,-501"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\Version = "1.0"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2\antimalware_files_x64 = "Antimalware"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\LocalServer32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy\ = "URL:AdawarePrivacy Protocol"	APInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Programmable	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy\shell\open\command\ = "C:\\Program Files (x86)\\Adaware\\Adaware Privacy\\Application\\Adaware-Privacy.exe %1"	APInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2\real_time_protection_files_x64 = "RealTimeProtection"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy	APInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2\RealTimeProtection	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\LocalServer32\ = "\"C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe\""	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\FLAGS\ = "0"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{8AD862D2-E31E-4812-A89F-8906D0BF9F84}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\PackageCode = "5F67D9B473D331443A48BDC65F38ED9D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1518E1C4743F7304DA4AB1E7DA2A42B2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\0	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ = "IInstaller"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy\shell\open	APInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Version	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ = "IInstaller"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\HELPDIR\ = "C:\\ProgramData\\Adaware PC Cleaner\\Installation"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\PackageName = "AntimalwareEngine.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\adaware\\adaware antivirus\\msi_cache\\5c28e533-824e-400d-8355-19804895c602\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\Version = "1.0"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Version\ = "1.0"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2\Antimalware	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6243C7FC7053960419741452938F56E2\SourceList\Net\1 = "C:\\ProgramData\\adaware\\adaware antivirus\\msi_cache\\5c28e533-824e-400d-8355-19804895c602\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6243C7FC7053960419741452938F56E2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Elevation	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\FLAGS	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\0\win32\ = "C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe"	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdawarePrivacy\shell\open\command	APInstaller.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Adaware-Privacy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	adawarewebinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	adawarewebinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	Adaware-Privacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Adaware-Privacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Adaware-Privacy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	Adaware-Privacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Adaware-Privacy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Adaware-Privacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Adaware-Privacy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Adaware-Privacy.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\adawarewebinstaller.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Adaware_PC_Cleaner_Installer.exe:Zone.Identifier	firefox.exe
File created	C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe\:Zone.Identifier:$DATA	Adaware_PC_Cleaner_Installer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1088	APInstaller.exe
1088	APInstaller.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1804	AP-Assistant-Service.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
1964	Adaware-Privacy.exe
4836	AP-Feature-Privacy-Service.exe
4836	AP-Feature-Privacy-Service.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
5740	adawarewebinstaller.exe
5740	adawarewebinstaller.exe
5740	adawarewebinstaller.exe
5740	adawarewebinstaller.exe
5976	msiexec.exe
5976	msiexec.exe
5916	Adaware_PC_Cleaner_Installer.exe
5916	Adaware_PC_Cleaner_Installer.exe
6416	adawarecleaner.tmp
6416	adawarecleaner.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	APInstaller.exe
Token: SeDebugPrivilege	1804	AP-Assistant-Service.exe
Token: SeAssignPrimaryTokenPrivilege	1804	AP-Assistant-Service.exe
Token: SeIncreaseQuotaPrivilege	1804	AP-Assistant-Service.exe
Token: SeSecurityPrivilege	1804	AP-Assistant-Service.exe
Token: SeTakeOwnershipPrivilege	1804	AP-Assistant-Service.exe
Token: SeLoadDriverPrivilege	1804	AP-Assistant-Service.exe
Token: SeSystemtimePrivilege	1804	AP-Assistant-Service.exe
Token: SeBackupPrivilege	1804	AP-Assistant-Service.exe
Token: SeRestorePrivilege	1804	AP-Assistant-Service.exe
Token: SeShutdownPrivilege	1804	AP-Assistant-Service.exe
Token: SeSystemEnvironmentPrivilege	1804	AP-Assistant-Service.exe
Token: SeUndockPrivilege	1804	AP-Assistant-Service.exe
Token: SeManageVolumePrivilege	1804	AP-Assistant-Service.exe
Token: SeDebugPrivilege	1964	Adaware-Privacy.exe
Token: SeDebugPrivilege	2224	Adaware-Privacy.exe
Token: SeDebugPrivilege	2420	FeatureServiceInstaller.exe
Token: SeDebugPrivilege	4836	AP-Feature-Privacy-Service.exe
Token: SeDebugPrivilege	1384	firefox.exe
Token: SeDebugPrivilege	1384	firefox.exe
Token: SeSecurityPrivilege	5976	msiexec.exe
Token: SeCreateTokenPrivilege	5740	adawarewebinstaller.exe
Token: SeAssignPrimaryTokenPrivilege	5740	adawarewebinstaller.exe
Token: SeLockMemoryPrivilege	5740	adawarewebinstaller.exe
Token: SeIncreaseQuotaPrivilege	5740	adawarewebinstaller.exe
Token: SeMachineAccountPrivilege	5740	adawarewebinstaller.exe
Token: SeTcbPrivilege	5740	adawarewebinstaller.exe
Token: SeSecurityPrivilege	5740	adawarewebinstaller.exe
Token: SeTakeOwnershipPrivilege	5740	adawarewebinstaller.exe
Token: SeLoadDriverPrivilege	5740	adawarewebinstaller.exe
Token: SeSystemProfilePrivilege	5740	adawarewebinstaller.exe
Token: SeSystemtimePrivilege	5740	adawarewebinstaller.exe
Token: SeProfSingleProcessPrivilege	5740	adawarewebinstaller.exe
Token: SeIncBasePriorityPrivilege	5740	adawarewebinstaller.exe
Token: SeCreatePagefilePrivilege	5740	adawarewebinstaller.exe
Token: SeCreatePermanentPrivilege	5740	adawarewebinstaller.exe
Token: SeBackupPrivilege	5740	adawarewebinstaller.exe
Token: SeRestorePrivilege	5740	adawarewebinstaller.exe
Token: SeShutdownPrivilege	5740	adawarewebinstaller.exe
Token: SeDebugPrivilege	5740	adawarewebinstaller.exe
Token: SeAuditPrivilege	5740	adawarewebinstaller.exe
Token: SeSystemEnvironmentPrivilege	5740	adawarewebinstaller.exe
Token: SeChangeNotifyPrivilege	5740	adawarewebinstaller.exe
Token: SeRemoteShutdownPrivilege	5740	adawarewebinstaller.exe
Token: SeUndockPrivilege	5740	adawarewebinstaller.exe
Token: SeSyncAgentPrivilege	5740	adawarewebinstaller.exe
Token: SeEnableDelegationPrivilege	5740	adawarewebinstaller.exe
Token: SeManageVolumePrivilege	5740	adawarewebinstaller.exe
Token: SeImpersonatePrivilege	5740	adawarewebinstaller.exe
Token: SeCreateGlobalPrivilege	5740	adawarewebinstaller.exe
Token: SeBackupPrivilege	5428	vssvc.exe
Token: SeRestorePrivilege	5428	vssvc.exe
Token: SeAuditPrivilege	5428	vssvc.exe
Token: SeBackupPrivilege	5976	msiexec.exe
Token: SeRestorePrivilege	5976	msiexec.exe
Token: SeCreateTokenPrivilege	5740	adawarewebinstaller.exe
Token: SeAssignPrimaryTokenPrivilege	5740	adawarewebinstaller.exe
Token: SeLockMemoryPrivilege	5740	adawarewebinstaller.exe
Token: SeIncreaseQuotaPrivilege	5740	adawarewebinstaller.exe
Token: SeMachineAccountPrivilege	5740	adawarewebinstaller.exe
Token: SeTcbPrivilege	5740	adawarewebinstaller.exe
Token: SeSecurityPrivilege	5740	adawarewebinstaller.exe
Token: SeTakeOwnershipPrivilege	5740	adawarewebinstaller.exe
Token: SeLoadDriverPrivilege	5740	adawarewebinstaller.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1088	APInstaller.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
2224	Adaware-Privacy.exe
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe
6416	adawarecleaner.tmp

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2224	Adaware-Privacy.exe
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe
5740	adawarewebinstaller.exe
5740	adawarewebinstaller.exe
1384	firefox.exe
1384	firefox.exe
1384	firefox.exe
5916	Adaware_PC_Cleaner_Installer.exe
6308	Adaware_PC_Cleaner_Installer.exe
5916	Adaware_PC_Cleaner_Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	100
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	100
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	100
PID 1088 wrote to memory of 4112	1088	APInstaller.exe	102
PID 1088 wrote to memory of 4112	1088	APInstaller.exe	102
PID 1088 wrote to memory of 4112	1088	APInstaller.exe	102
PID 1088 wrote to memory of 4004	1088	APInstaller.exe	104
PID 1088 wrote to memory of 4004	1088	APInstaller.exe	104
PID 1088 wrote to memory of 4004	1088	APInstaller.exe	104
PID 1088 wrote to memory of 1556	1088	APInstaller.exe	106
PID 1088 wrote to memory of 1556	1088	APInstaller.exe	106
PID 1088 wrote to memory of 1556	1088	APInstaller.exe	106
PID 1804 wrote to memory of 5012	1804	AP-Assistant-Service.exe	109
PID 1804 wrote to memory of 5012	1804	AP-Assistant-Service.exe	109
PID 1804 wrote to memory of 5012	1804	AP-Assistant-Service.exe	109
PID 5012 wrote to memory of 752	5012	cmd.exe	111
PID 5012 wrote to memory of 752	5012	cmd.exe	111
PID 5012 wrote to memory of 752	5012	cmd.exe	111
PID 1088 wrote to memory of 1648	1088	APInstaller.exe	112
PID 1088 wrote to memory of 1648	1088	APInstaller.exe	112
PID 1088 wrote to memory of 1648	1088	APInstaller.exe	112
PID 1648 wrote to memory of 2232	1648	RunDLL32.Exe	113
PID 1648 wrote to memory of 2232	1648	RunDLL32.Exe	113
PID 1648 wrote to memory of 2232	1648	RunDLL32.Exe	113
PID 2232 wrote to memory of 3108	2232	runonce.exe	114
PID 2232 wrote to memory of 3108	2232	runonce.exe	114
PID 2232 wrote to memory of 3108	2232	runonce.exe	114
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	116
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	116
PID 1088 wrote to memory of 2788	1088	APInstaller.exe	116
PID 2788 wrote to memory of 4588	2788	net.exe	118
PID 2788 wrote to memory of 4588	2788	net.exe	118
PID 2788 wrote to memory of 4588	2788	net.exe	118
PID 1088 wrote to memory of 1224	1088	APInstaller.exe	119
PID 1088 wrote to memory of 1224	1088	APInstaller.exe	119
PID 1088 wrote to memory of 1224	1088	APInstaller.exe	119
PID 1088 wrote to memory of 2720	1088	APInstaller.exe	122
PID 1088 wrote to memory of 2720	1088	APInstaller.exe	122
PID 1088 wrote to memory of 2720	1088	APInstaller.exe	122
PID 1088 wrote to memory of 5056	1088	APInstaller.exe	124
PID 1088 wrote to memory of 5056	1088	APInstaller.exe	124
PID 1088 wrote to memory of 5056	1088	APInstaller.exe	124
PID 5056 wrote to memory of 2444	5056	cmd.exe	126
PID 5056 wrote to memory of 2444	5056	cmd.exe	126
PID 5056 wrote to memory of 2444	5056	cmd.exe	126
PID 1088 wrote to memory of 4092	1088	APInstaller.exe	128
PID 1088 wrote to memory of 4092	1088	APInstaller.exe	128
PID 1088 wrote to memory of 4092	1088	APInstaller.exe	128
PID 4092 wrote to memory of 4004	4092	cmd.exe	130
PID 4092 wrote to memory of 4004	4092	cmd.exe	130
PID 4092 wrote to memory of 4004	4092	cmd.exe	130
PID 1088 wrote to memory of 1964	1088	APInstaller.exe	131
PID 1088 wrote to memory of 1964	1088	APInstaller.exe	131
PID 1088 wrote to memory of 1964	1088	APInstaller.exe	131
PID 1088 wrote to memory of 2224	1088	APInstaller.exe	133
PID 1088 wrote to memory of 2224	1088	APInstaller.exe	133
PID 1088 wrote to memory of 2224	1088	APInstaller.exe	133
PID 2224 wrote to memory of 2420	2224	Adaware-Privacy.exe	134
PID 2224 wrote to memory of 2420	2224	Adaware-Privacy.exe	134
PID 2420 wrote to memory of 2200	2420	FeatureServiceInstaller.exe	135
PID 2420 wrote to memory of 2200	2420	FeatureServiceInstaller.exe	135
PID 2420 wrote to memory of 1956	2420	FeatureServiceInstaller.exe	137
PID 2420 wrote to memory of 1956	2420	FeatureServiceInstaller.exe	137
PID 2420 wrote to memory of 4828	2420	FeatureServiceInstaller.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\APInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\APInstaller.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" Create "APAssistantService" binPath= "C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Service.exe" DisplayName= "AP Assistant" start= auto
  2⤵
  - Launches sc.exe
  PID:2788
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" failure APAssistantService reset= 30 actions= restart/60000
  2⤵
  - Launches sc.exe
  PID:4112
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" description "APAssistantService" "Adaware Privacy Internet security service"
  2⤵
  - Launches sc.exe
  PID:4004
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start APAssistantService
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\SysWOW64\RunDLL32.Exe
  "C:\Windows\SysWOW64\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddci.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:3108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\SysWOW64\net.exe" start bddci
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start bddci
    3⤵
    PID:4588
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
  2⤵
  - Launches sc.exe
  PID:1224
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" description "DCIService" "Webprotection Bridge service"
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bridge_start.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\sc.exe
    sc start DCIService
    3⤵
    - Launches sc.exe
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:8006/ user=Everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\netsh.exe
    netsh http add urlacl url=http://+:8006/ user=Everyone
    3⤵
    PID:4004
- C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe
  "C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe
  "C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe" --afterinstall
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files (x86)\Adaware\Adaware Privacy\Application\FeatureServiceInstaller.exe
    "C:\Program Files (x86)\Adaware\Adaware Privacy\Application\FeatureServiceInstaller.exe" --privacy --version=2.2.4.514 --eventConfigPath="C:\Users\Admin\AppData\Roaming\Adaware\Adaware Privacy\Options\EventMetadata.txt"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" Create "APPrivacyService" binPath= "C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Privacy-Service.exe" DisplayName= "AP Privacy Service" start= auto
      4⤵
      Launches sc.exe
      PID:2200
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" failure "APVPNService" reset= 30 actions = restart / 60000
      4⤵
      Launches sc.exe
      PID:1956
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" description "APPrivacyService" "AP Privacy Windows Service"
      4⤵
      Launches sc.exe
      PID:4828
  - - C:\Windows\SYSTEM32\sc.exe
      "sc.exe" start "APPrivacyService"
      4⤵
      Launches sc.exe
      PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
1⤵
PID:4756

C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Service.exe
"C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Service.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:8006/ user=Everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\netsh.exe
    netsh http add urlacl url=http://+:8006/ user=Everyone
    3⤵
    PID:752

C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\DCIService.exe
"C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\DCIService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5012

C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Privacy-Service.exe
"C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Feature-Privacy-Service.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutUndo.vbe"
1⤵
PID:3512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4732
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.0.778594741\1000454858" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {435618f6-6fd2-4987-866e-2db0d151c7d4} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 1896 1edc790da58 gpu
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.1.1063368113\704782007" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ccd659b-cbc5-408f-9357-4a15bc96f8a4} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 2464 1edbaa8a558 socket
    3⤵
    - Checks processor information in registry
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.2.1181383791\1467140478" -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 3024 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2609604-cc8f-4b78-9fb9-c94511ce5895} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 2840 1edca0e5b58 tab
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.3.1373917991\874673746" -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {545f77ba-8a3e-43cb-9b24-8068bd4ec435} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 3968 1edbaa7ae58 tab
    3⤵
    PID:1476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.4.1499075533\714393557" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25d03a28-79ce-46b0-aa39-4d9ab629059e} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5284 1edbaa7ca58 tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.5.1742726663\562361043" -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f4fa7b-52b1-451d-8f84-4ba4e5285d8c} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5340 1edcc634158 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.6.1964326539\1479160769" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5552 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edcb60ff-1168-45bc-b161-ff55d57d4b98} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5536 1edcc634d58 tab
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.7.2147136703\1325890814" -childID 6 -isForBrowser -prefsHandle 5928 -prefMapHandle 5920 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac269a9-d623-4e82-8179-40e4946c01c9} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5932 1edccc4f358 tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.8.1039631986\1634862319" -childID 7 -isForBrowser -prefsHandle 5260 -prefMapHandle 5280 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b77e9ab-be04-4d86-b475-79b6ca328d1b} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5172 1edccf87e58 tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.9.315662919\76061065" -childID 8 -isForBrowser -prefsHandle 5328 -prefMapHandle 5496 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d0f40a-5c2b-47d5-801d-8692df7f6675} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5504 1edcc4b3458 tab
    3⤵
    PID:6116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.10.470959277\2000455510" -childID 9 -isForBrowser -prefsHandle 5704 -prefMapHandle 5692 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c3cdd03-f989-4955-ab5c-9169eb6b3291} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5332 1edce77b558 tab
    3⤵
    PID:5164
- - C:\Users\Admin\Downloads\adawarewebinstaller.exe
    "C:\Users\Admin\Downloads\adawarewebinstaller.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.11.2045297914\1789032868" -childID 10 -isForBrowser -prefsHandle 5572 -prefMapHandle 9912 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fa752a9-57d4-4770-8ecb-b8e1dadba12d} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 4600 1edce0b5b58 tab
    3⤵
    PID:6588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1384.12.1229848088\1603413166" -childID 11 -isForBrowser -prefsHandle 5268 -prefMapHandle 5872 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 992 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {218ba315-85c8-4da5-95ea-c88d9734490a} 1384 "\\.\pipe\gecko-crash-server-pipe.1384" 5364 1edd09b2d58 tab
    3⤵
    PID:6960
- - C:\Users\Admin\Downloads\Adaware_PC_Cleaner_Installer.exe
    "C:\Users\Admin\Downloads\Adaware_PC_Cleaner_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5916
  - - C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe
      "C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:6308
  - - C:\Users\Admin\AppData\Local\Temp\6887fcc1-f5cb-4356-8f28-b10d4bc0f139\adawarecleaner.exe
      C:\Users\Admin\AppData\Local\Temp\6887fcc1-f5cb-4356-8f28-b10d4bc0f139\adawarecleaner.exe /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /ALLUSERS /DIR="C:\Program Files (x86)\Adaware PC Cleaner"
      4⤵
      PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\is-LH3NH.tmp\adawarecleaner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LH3NH.tmp\adawarecleaner.tmp" /SL5="$30368,5104624,831488,C:\Users\Admin\AppData\Local\Temp\6887fcc1-f5cb-4356-8f28-b10d4bc0f139\adawarecleaner.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART /ALLUSERS /DIR="C:\Program Files (x86)\Adaware PC Cleaner"
        5⤵
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:6416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5976
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7C6A04EC5B94545638B93138507D27B5
  2⤵
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7AB4939-AAFD-45E6-83AF-D535D7EF13F6}
    3⤵
    - Executes dropped EXE
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CE1DE12-2F39-412B-AD78-453C06CA15F0}
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8ED0A41-83E0-4C4D-8590-78ED8BE8054A}
    3⤵
    - Executes dropped EXE
    PID:4576
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09C548CC-A5B8-46EA-AC6A-F539104C55F0}
    3⤵
    - Executes dropped EXE
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4FAD06F7-817E-4A66-A733-8C9E5D23E54E}
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CB89F9E-1E53-44D8-997C-1C0FFAC8BD6E}
    3⤵
    - Executes dropped EXE
    PID:5960
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3EA3608F-2D76-4B77-B160-9482CD0A9D9A}
    3⤵
    - Executes dropped EXE
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E10A519E-3F08-4091-8AEF-0BBCED9B901F}
    3⤵
    - Executes dropped EXE
    PID:6072
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{17C7C4EE-D2FD-4D88-9697-B1F65FECF083}
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7ED774C7-74B2-4F53-8035-D60D1F5C845C}
    3⤵
    - Executes dropped EXE
    PID:5840
- - C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7546B40-2774-40FA-9AE6-9735396D0AE0}
    3⤵
    - Executes dropped EXE
    PID:3588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 19B1CC3D519D7992080EC480CE463B0C E Global\MSI0000
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D67CC8BF-AC54-4CC6-85D9-6803881BE69F}
    3⤵
    - Executes dropped EXE
    PID:5960
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62B163A0-98A2-4762-975F-804855BC52BE}
    3⤵
    - Executes dropped EXE
    PID:5180
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6ED12EC0-A08D-490F-89FD-8FC4D16183EA}
    3⤵
    - Executes dropped EXE
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EC70ECAC-A65B-4006-9423-4801E66B7350}
    3⤵
    - Executes dropped EXE
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ED9721F4-6A40-46F7-887F-D447C05EC9D3}
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A1258CD-A303-43D7-A9B5-2775567C5CAE}
    3⤵
    - Executes dropped EXE
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECDDC808-E75F-4EC1-9952-CC5104B5E408}
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0E289E7-03E4-436A-B273-8CBBF58C7525}
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A82D87DD-0734-435E-B4A9-4409984EC403}
    3⤵
    - Executes dropped EXE
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBDBC943-6844-494E-BBBE-E651E3ADE3D9}
    3⤵
    - Executes dropped EXE
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7EFD6D72-0FAA-4D22-9AA8-CC41B553A760}
    3⤵
    - Executes dropped EXE
    PID:3540
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\gzflt.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:3808
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:6112
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:628
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F4858C35-F428-4237-98A6-3EB097205601}
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{38C44247-2B17-4F12-B69C-24D737753215}
    3⤵
    - Executes dropped EXE
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18A2F83F-3968-45E8-8CE1-0B8FBB6CBEFC}
    3⤵
    - Executes dropped EXE
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06376CDF-B88C-4DBC-80E4-B756E37F155A}
    3⤵
    - Executes dropped EXE
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{206C8B89-E645-431C-8808-EDE0BE64058A}
    3⤵
    - Executes dropped EXE
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F20A47FC-8264-4863-894D-3CB9FEB01A97}
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7F043C8-B2F3-43AF-AB1F-EECD6B3AA61E}
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EED709DF-AE5E-4595-AA98-70339F3AE8E0}
    3⤵
    - Executes dropped EXE
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5AF5747-2922-4479-BA25-47D0621C248C}
    3⤵
    - Executes dropped EXE
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{52B84228-28FA-4C69-BB02-AF6D1503E635}
    3⤵
    - Executes dropped EXE
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4934B74C-9EF4-46F5-BFED-58CD2DC9C384}
    3⤵
    - Executes dropped EXE
    PID:3308
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\trufos.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:2132
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:5780
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3448
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E7EBF02-C7B9-442F-8421-6E947DE3A54C}
    3⤵
    - Executes dropped EXE
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A964C3B5-C51B-4722-834B-9DE3A032EB0E}
    3⤵
    - Executes dropped EXE
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BABBE256-3905-4F53-8B63-83990A355054}
    3⤵
    - Executes dropped EXE
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E4D9E3A-30AA-4BCD-8399-1F92475FE24B}
    3⤵
    - Executes dropped EXE
    PID:5860
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{282B1AD5-32EF-4834-B660-4FD864F98073}
    3⤵
    - Executes dropped EXE
    PID:5280
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4ACF0EA8-BBBD-430A-803F-E30149964ACB}
    3⤵
    - Executes dropped EXE
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5F3149F9-FB9D-421C-9359-EDD340525FA2}
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D85348A-D9FC-49CD-9739-409B3AEDE8AB}
    3⤵
    - Executes dropped EXE
    PID:5668
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CDAC5F82-CA73-4A61-92DC-17371C99F61A}
    3⤵
    - Executes dropped EXE
    PID:6012
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B02ED4F-17BA-4765-9793-67480CFE2759}
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{58B0E49C-8460-4633-9EE3-F8E3FA707214}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D099942D-731B-41A7-810B-A5E3A4D4CAC3}
    3⤵
    - Executes dropped EXE
    PID:3540
- - C:\Windows\system32\fltmc.exe
    C:\Windows\system32\fltmc.exe unload trufos
    3⤵
    PID:3588
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\trufos.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:5180
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:5352
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:6180
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A9CF20-0FD0-4A10-B2CC-807EE408D2F1}
    3⤵
    - Executes dropped EXE
    PID:6320
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BC46284-7945-448D-A769-5188BE92172A}
    3⤵
    - Executes dropped EXE
    PID:6356
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B140E1AF-41EF-4EA5-BE96-0994C5DCBD84}
    3⤵
    - Executes dropped EXE
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF0FA41A-5E8A-4703-8D7E-B54E6C16DBF8}
    3⤵
    - Executes dropped EXE
    PID:6428
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E70BDF2-6E8A-4F26-B778-5060AF5B5AFC}
    3⤵
    - Executes dropped EXE
    PID:6460
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A56B52DF-DBB1-4D36-ABA7-C83399DCE830}
    3⤵
    - Executes dropped EXE
    PID:6532
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{52278C58-FAE4-4824-A3D0-876653D1EB1B}
    3⤵
    - Executes dropped EXE
    PID:6580
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DF902FE8-9CF1-4C81-A62D-C370C4DC1E15}
    3⤵
    - Executes dropped EXE
    PID:6624
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7D57455-24A6-48B0-98D1-F705318E3894}
    3⤵
    - Executes dropped EXE
    PID:6656
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5240703-2910-4EA8-8C9F-B1258BE9E1BC}
    3⤵
    - Executes dropped EXE
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{F5601E0B-5D95-4F1D-A00A-2B4A2A1E2E17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2ACB5B8F-932D-43B3-B290-6DD5DE8A4038}
    3⤵
    - Executes dropped EXE
    PID:6720
- - C:\Windows\system32\fltmc.exe
    C:\Windows\system32\fltmc.exe unload gzflt
    3⤵
    PID:6768
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Program Files\adaware\adaware antivirus\Antimalware Engine\3.1.289.0\gzflt.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:6816
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:6852
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:6892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paygw.adaware.com/redirect/install/adaware%20pc%20cleaner/?lang=en&version=7.2.0.1&configId=5DF5A805-079A-42BE-85E2-53E93727B3AC&uid=1019613&key1=default&mkey1=adaware.com/free-pc-cleaner&mkey4=1df56694-98ee-4123-b1ae-838781250fff&mkey7=direct&cmp=adaw_all_a_all_a_a_pccleaner&wid=8066&ref=adaware.com/free-pc-cleaner&key2=default&qti=4a39d5f1-52f8-1623-0532-5eb43698ccd0_2024-06-08&mkey6=4a39d5f1-52f8-1623-0532-5eb43698ccd0_2024-06-08&gtm=gtm-ts85dt8&visitorid=1df56694-98ee-4123-b1ae-838781250fff&culture=en&mkey2=C09F8781-7D74-483F-B750-5DEB6AF0D263&mkey8=2024-06-08&guid=C09F8781-7D74-483F-B750-5DEB6AF0D263&eventTime=2024-06-08T12:50:17
1⤵
PID:7060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4140,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:1
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4144,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:1
1⤵
PID:2284

C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.exe
"C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.exe"
1⤵
- Checks processor information in registry
PID:7164
- C:\Windows\SysWOW64\fsutil.exe
  behavior query DisableDeleteNotify
  2⤵
  PID:8548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=3956,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
1⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5372,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
1⤵
PID:6180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5380,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
1⤵
PID:5168

C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.exe
"C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.exe"
1⤵
- Checks processor information in registry
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6044,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1
1⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:8
1⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffdcbddceb8,0x7ffdcbddcec4,0x7ffdcbddced0
  2⤵
  PID:6844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3112,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=3116 /prefetch:2
  2⤵
  PID:6852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:3
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4220,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4220,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=560,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4228,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:7112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4020,i,18051104651637779043,17266681444633516795,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:6448

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:5284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3432
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:3076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.0.1855190832\1839334364" -parentBuildID 20230214051806 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 22477 -prefMapSize 235208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2805c747-0705-4c9e-a3fd-199e5b55433d} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 1792 27878629f58 gpu
    3⤵
    PID:4584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.1.1041585468\1254202825" -parentBuildID 20230214051806 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 22477 -prefMapSize 235208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2efc422d-db7e-45e2-8cdf-c74f44250f7a} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 2320 2786bc89c58 socket
    3⤵
    PID:4328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.2.112541676\1288875714" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 1088 -prefsLen 22873 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44375321-8a5f-4355-8c4e-17e7e8774eb5} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 2876 2787c434258 tab
    3⤵
    PID:5944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.3.598145428\463144621" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4d7307-0407-4587-aabf-dfa661c3a299} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 3668 2786bc7ab58 tab
    3⤵
    PID:2784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.4.1539181156\985174839" -childID 3 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 28415 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61cb4d92-40f9-4e4f-84de-4a18f76a1729} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 4212 2787e1ba358 tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.5.641716323\1627209416" -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5300 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e6e397c-6790-4ae0-ac5e-38fc51c599fe} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 5336 2787d195058 tab
    3⤵
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.6.1218201291\460859845" -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9804d0ff-2cf5-46d1-8d43-556879231df9} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 5632 2787e1b9758 tab
    3⤵
    PID:4824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.7.620463265\948999821" -childID 6 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d987d54f-677e-482d-8daa-57dc9493f38a} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 5776 27882133b58 tab
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.8.489299712\319663034" -childID 7 -isForBrowser -prefsHandle 5992 -prefMapHandle 6000 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ac215d-f1ef-475d-ae57-027741d15123} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 5980 27882133258 tab
    3⤵
    PID:2720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.9.1511717591\1587011503" -childID 8 -isForBrowser -prefsHandle 5168 -prefMapHandle 5160 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eb1f6b5-f14a-4647-b7e1-9af307174f27} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 6204 27882416858 tab
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.10.783529750\382000769" -childID 9 -isForBrowser -prefsHandle 6400 -prefMapHandle 6396 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43514f9-e444-4b9e-8a44-876b331b5a68} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 6316 278824f7c58 tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.11.1863089267\295849" -childID 10 -isForBrowser -prefsHandle 10480 -prefMapHandle 10484 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4376dd2d-9495-4625-9bd0-8722f17c2d34} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 10468 2787ed77458 tab
    3⤵
    PID:5484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.12.1409496308\626819456" -childID 11 -isForBrowser -prefsHandle 10324 -prefMapHandle 10468 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {901e162c-f7c2-44f4-8102-3602d69c6be2} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 10336 2787ed77158 tab
    3⤵
    PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3076.13.822352537\1843126671" -childID 12 -isForBrowser -prefsHandle 6252 -prefMapHandle 5788 -prefsLen 28339 -prefMapSize 235208 -jsInitHandle 1144 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5059ff48-49e0-472c-a652-3acfef8bc9f5} 3076 "\\.\pipe\gecko-crash-server-pipe.3076" 6264 278824f6758 tab
    3⤵
    PID:3944
- - C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe
    "C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe"
    3⤵
    PID:6868
- - C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe
    "C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe"
    3⤵
    PID:3556

C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe
"C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe"
1⤵
PID:3992
- C:\Windows\Temp\asw.199cb456ab5fdcf8\avg_antivirus_free_online_setup.exe
  "C:\Windows\Temp\asw.199cb456ab5fdcf8\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_012_999_a8f_m:dlid_FREEGSR /ga_clientid:92a315c1-175e-4f4d-a5cd-61782ce2f24d /edat_dir:C:\Windows\Temp\asw.199cb456ab5fdcf8
  2⤵
  PID:5168
- - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\common\icarus.exe
    C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\icarus-info.xml /install /cookie:mmm_bav_012_999_a8f_m:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.199cb456ab5fdcf8 /track-guid:92a315c1-175e-4f4d-a5cd-61782ce2f24d /sssid:5168
    3⤵
    PID:4108
  - - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\common\icarus_ui.exe
      C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\common\icarus_ui.exe /cookie:mmm_bav_012_999_a8f_m:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.199cb456ab5fdcf8 /track-guid:92a315c1-175e-4f4d-a5cd-61782ce2f24d /sssid:5168 /er_master:master_ep_3ff42533-6a4f-44e7-bb71-3c8310e10d65 /er_ui:ui_ep_a73754a6-c848-4070-9163-ca494e99b23d
      4⤵
      PID:2284
  - - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\icarus.exe
      C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\icarus.exe /cookie:mmm_bav_012_999_a8f_m:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.199cb456ab5fdcf8 /track-guid:92a315c1-175e-4f4d-a5cd-61782ce2f24d /sssid:5168 /er_master:master_ep_3ff42533-6a4f-44e7-bb71-3c8310e10d65 /er_ui:ui_ep_a73754a6-c848-4070-9163-ca494e99b23d /er_slave:avg-av_slave_ep_7d683a2e-9fb7-469b-86ba-7e8862cf6239 /slave:avg-av
      4⤵
      PID:440
    - - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\aswOfferTool.exe
        
        "C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
        5⤵
        
        PID:1016
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
        6⤵
        
        PID:2740
    - - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\aswOfferTool.exe
        
        "C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        
        PID:5140
  - - C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av-vps\icarus.exe
      C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av-vps\icarus.exe /cookie:mmm_bav_012_999_a8f_m:dlid_FREEGSR /edat_dir:C:\Windows\Temp\asw.199cb456ab5fdcf8 /track-guid:92a315c1-175e-4f4d-a5cd-61782ce2f24d /sssid:5168 /er_master:master_ep_3ff42533-6a4f-44e7-bb71-3c8310e10d65 /er_ui:ui_ep_a73754a6-c848-4070-9163-ca494e99b23d /er_slave:avg-av-vps_slave_ep_28d97233-932a-4a54-bea1-a9c20dc5821f /slave:avg-av-vps
      4⤵
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adaware\ADAWAR~1\Service\x64\bddci.sys

Filesize
781KB

MD5
2a241af18d9f0466aff6cd77c1561f9b

SHA1
2c6bfc8e583ed026fdf9ec01265d99e22d39305a

SHA256
528804013487cdb1da617e512d1de68060602887bcc8a7822bdb1346a2995ffd

SHA512
6779667bb57c87fdbf4dee57682e7851b5ad5bea39deb09fcb596ae48eb571317749ff59e825f91bd57527dab7477deac5b24bdbd86471844fad36876c08dd28

Download Submit
C:\Program Files (x86)\Adaware PC Cleaner\AdawarePCCleaner.exe

Filesize
7.2MB

MD5
e0e9514a72f7a3171553d0d11648e254

SHA1
3c92c8b996d9987bc6a4acff25c122b375d4d2f1

SHA256
13048b07f63898013c8d5cf9523219a4feb889c018c7d4235343ef5d63f73a48

SHA512
0863fd111dbaf7fba98b6d8dfcfd5ea640083776090598dc001f898a4e9a41e6988ba6552b5a210ee755e5c666f01e8c4b02d77f53827522b999c8950c84cfa3

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Logger.dll

Filesize
17KB

MD5
19f2a2c37f2bda08523a54d751f7cb08

SHA1
b90594864b3b76f95769fb08381ec78140e2f86d

SHA256
bb88fec287570083e4f6705ab83729a07d82561e99d859af4ea8700e2609fe98

SHA512
c0d1f63044085de6b4b9c4b6abbaa7ae405664efcc74384226a5918da7d9fdaf6d60102d7ad55dd40b03588a030dac79344871462c561de70934c4d2ebfdf691

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Service.exe

Filesize
23KB

MD5
38f800c7a73d77e860b6adc43c876b26

SHA1
87f84995e1c810262c5f58884c1fe690b6ebc05d

SHA256
7966b4df2f0858791faaddbcd15aff885388e24648cfe00406cac3308dc14aa4

SHA512
1f92acf2d8be15e1ff95476e03acb7fa0dc174de99ba228febac279e7c826b8b38d76d5f317fa4269ac204b0823ffff85eaab1083f3c74ec52b79ea3d61528e7

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-Service.exe.config

Filesize
2KB

MD5
cbeec8a9ebf7699a8397267eee275c14

SHA1
b9ec7e44228130a04cffa1c762c009cb752e19dc

SHA256
66760efc78241f693ae3bb20f26db7f5889c038778de89b4c9742651a8f69d24

SHA512
e46dd71d200bf3d8462746145cc9c3c981d58ae49962745e966b4fd7a1a999534502c29604273b7118900ecc4ec792748fe14498468c0c8477a94f143e15f082

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Assistant-WCF.dll

Filesize
48KB

MD5
1f980a45b78ffbde40f8fa5c280098fe

SHA1
fc334b4c5edeb407ca90973a2dd2f6eaa3cfefa5

SHA256
26a9ac821b619906710039483d8fae3caa3ebde8c7b407c11bde5b9af58283c1

SHA512
3632d4b07364c7c92cb7c65c8332fcdd8dcfbaff773cfb5e5d331ec948e07cb1826b77eb15fded43290ab498e6b212b2bf5f38c26b93802ba0930a5673850649

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Business-Browser.dll

Filesize
98KB

MD5
e487f4021caaa4cc0e39460dd25b0f7b

SHA1
bc7ae9af475cd58d71b1c105cd8e9aa342f4ec22

SHA256
976d2cf8e1208ad08c920e30d98f5d3b9b8c0555284b59acf33f4a085aee3a76

SHA512
ffb8857a7c608014138f6a8098f409a18621f208e0c424748a0bf2ec3b967aa72db4a2867ea5513da4477c5fb1b31faba4d71197456894133d840bac8abafc6a

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Constants.dll

Filesize
33KB

MD5
a83999bf6119c8f1e33ef796e5299cd1

SHA1
8ad1f7baa4b936fbce5ab2b3eb3f27fac40f14c9

SHA256
6b7d46d70e1a85c14800dd8c014ead24499e81306f583683eeea64ee9416f0fa

SHA512
4b57d126fc172b9c63d3db0070931d012682221c9debf00cda4da134156f73f09abda9d8ec9817bbc739cd92a4309cc98fd259f5911d2e7fb1585fc1ac670096

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Helpers.dll

Filesize
53KB

MD5
d6d1880ae13e863bbbabd0e4e30eba32

SHA1
0c9df00ab5e8b606c4752fe6f2e2f6c94991abc3

SHA256
2eca3a5894b9ef0b70d5e9fd1f01ee9773539794955f6180cd9d6bdd820f51d5

SHA512
b26dcc5edd7540a577fefd68992d9f6b9eb336c929859fdcf6663830b0c53e00fc2d4c8167a2a9a46275a3e867d9924666c7e51d65667995ce80b7b5e46a095c

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\AP-Utils.dll

Filesize
107KB

MD5
790ba02ac6c645d6012e2a780f934a2d

SHA1
4c517f8cabf78364fd92c7eb5d02a06e5f45778d

SHA256
2d5630e9e74279f8d4a7a83c4f5329c72c3da06b4d0bed2b56814c92227759b7

SHA512
d5dd5c87e4322977981add5127f17ab0c81feb42ced40cf12274cc9b4866e7ec388abdab56bb353b01bd90e1efdd1a6b7649304508df70a10d5a94c469445511

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe

Filesize
4.5MB

MD5
5205d373fb5520a53b82e8b2def0479f

SHA1
e87fa3273368e60fab93f635a2695172e5504ee3

SHA256
a0fd3d69df8afa5a4e7f48fc4e884e19a9d9c606dff3595f619f005f57613180

SHA512
87a972de5140fb95f1ccf88a129e6500df3ae5293feacad9400dff91a67f0537fcc6083368f28fccc03952a0f9a7bf9b42062f21bcfc23a2f334d3c3e34ad505

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\Adaware-Privacy.exe.config

Filesize
4KB

MD5
9c6b7626100bdb0f18d135159bf0fc3c

SHA1
d4c49bfb6820fdcb70679673694188634cbb72e7

SHA256
ca5e025c98a1a894d5d7c6c543b47fef41289c595dcf6dccf1c86b7cc0c007bd

SHA512
e78c586bf42650f44e0c95b3e9b353ee5948cc1acb609f23b0930d8827a1eaca82915df77e38fa4a53754ceab68a62b92d53667ee15293d42e774370953ace9a

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Application\log4net.dll

Filesize
276KB

MD5
40c6cc1de81e822d3acf61a24268ba14

SHA1
a67c8c6aaa34134baf82d1ae343f01db79f4ac2b

SHA256
231e6f6db2e50e36e0388d4ef35c3a97e8ca66778a78faa7bdeae1f13e6796a1

SHA512
8198a1408bbd18d832bd17b870a04693c0192337207c5dc285f3ae99479bae8288ca18bb00cd23e658935dd2ac7af21a3e13a3e2d9dc8bcd733d8154a1de122a

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\DCIService.exe

Filesize
3.2MB

MD5
e7693f1dac7e029c9617ffd1ddef207f

SHA1
0a1d28a18d7e21a87c1c51126f5bb0fb7b44eb6c

SHA256
a280854f1f400f39a7757c861f281f905f717ddb0f480f4ca45d97e2f768cba0

SHA512
1fa815a34468408defd6d831e0f4c9dfb35f3e26b345393b4f54c2c174beb8139d839e71f20e8f78384e5b827d848e893324b5b2e640161ddbc007af5605aff2

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddci.inf

Filesize
4KB

MD5
e8b58a307f96dc9ce1eb2729f86e13b0

SHA1
5cee60f070930dc971e4d35d48e30364f623aad2

SHA256
2c9a7118ef74c3b168663c8ec6f3a7b27653896e193129ed0bc5e9aa55a0afbb

SHA512
7cd9fe7bcc8c8ec1466acc1adc7ab8c9ab6bdaf7c7c27dcc6c0cb43bab741f2519a88647ce43f74d7e9caf4ae39ae172dc639ed1b2027b9e8f15f35353613d91

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddci_core.dll

Filesize
1.5MB

MD5
13efc649989e224c8346c52ae3cc9a93

SHA1
bf907fee6fce0745601219f3faa89bc2c08434b0

SHA256
f994e407e9f78d521f335f25b7a4217fdcc4a5e6dc050fdf90d7870fda1e0ef7

SHA512
7c6f65858e3803ab9abe075c2e257e322594b875bd6001be5a6c6bde0ab271844ccd7f869394666a2ce9b535abb46e0332697d2c19836f886241881a60697ce0

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bddcihttp.dll

Filesize
2.6MB

MD5
53f6774df73cc44d29f354aecbdef948

SHA1
894158c553f39f8000c858c84ad772714e215d75

SHA256
d1130318e699b81f1918f468a8b49c9be7b8b4293c1078da4a17dac6ad999ec6

SHA512
5151804071c371fe2458c2fc67441441b01602a529582bed48b0e0226e051f933981dce1f84e3ac0f2ebe608b463fe1e9c226d058edd3bf6c5b35be9e8a9e234

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bittorrent.dll

Filesize
106KB

MD5
74d7799c00c804296c0f1b99324b513f

SHA1
527380e0e44c9fd8ca5f73d103e8e9f56eb13142

SHA256
66c0b9d01afab9db8f87164c747dc6bdd05ffae25092ab4627a8a47857118ab0

SHA512
3140d32d4199cc246fddb292400ec31bcc098e18349d9991828fc1462f7cd6aa3a0666037e569511b37b1cb6baf34c94be2fdc70a9685125a72fdd44e427cdac

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\bridge_start.cmd

Filesize
49B

MD5
95e8c6cd0a911f1ab4969c06b8cf77a2

SHA1
be1b1f8abd0420f59ecab7bcf8120cdc2ce34195

SHA256
de795f6d8591577054813bee79e7c5b4ee13360039d29aa73971c6b985d26ebd

SHA512
e5eefaf761be7bf3cea207e22e98398093fa0a9d3b459af7df22bfbf07755816737a7b8b261acf01aec8b10b5d8f0d90132a4ecdd83c242b2cde883039fac1ff

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\ftp.dll

Filesize
121KB

MD5
b7c081f03a50c391f5b22a0ee16b8a1e

SHA1
2fa63728dddb2e25f69adf0e02cbd75d053a9965

SHA256
42ccb6c597d0952042c3d3fdc0027634c3e9d118706a286277a32a7f6af6bd30

SHA512
8590e537d7df9523f934cd4bb18c7515d89e74fc8b3e8e35ce70b368c9a99659bf59dedb020fb470cf8577248f607ed271d52107015cdffc8a0a9f7e8ac2880b

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\http.dll

Filesize
189KB

MD5
c0d7a16ba0340ffaeadedb5fd82f6984

SHA1
63ac374a7322e4ecb9b8fed7e67ffcf01b71fc75

SHA256
e07a6f752e45e3240c95cbb890b22a154b1cca571c17fb57f11ef0b86108a7bb

SHA512
3e50f009b7a43d2fb58f28f0eaab4555d9fc68ed72af970f6a6bd875dab30b5ad32300e95ac570ddf0d925499e709457ea8757033580493f4bbae14a20d06c42

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\lsa.dll

Filesize
106KB

MD5
f89b978400b6c035f975efc6ab7303a8

SHA1
173f9f2bc814b19870c7b98057c948b0292340f9

SHA256
ca621b67c0aa1fe669c99abc0ee1a52807321f5be4092bad7c49d4291c194b7c

SHA512
d0fc9d302ee3b8be6c65ccb2a2d387a1a914ed9a453ce0cad6734f2c9d59a0ea8694e39b81382ee7b6f6c61b96db81f7ad1c227727b65a5a61c0471a35c39e33

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\msvcp140.dll

Filesize
576KB

MD5
e74caf5d94aa08d046a44ed6ed84a3c5

SHA1
ed9f696fa0902a7c16b257da9b22fb605b72b12e

SHA256
3dedef76c87db736c005d06a8e0d084204b836af361a6bd2ee4651d9c45675e8

SHA512
d3128587bc8d62e4d53f8b5f95eb687bc117a6d5678c08dc6b59b72ea9178a7fd6ae8faa9094d21977c406739d6c38a440134c1c1f6f9a44809e80d162723254

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\pop3.dll

Filesize
108KB

MD5
4617113b1fa666e743f899d3781483d8

SHA1
0a1dadb7051c5a5ed9d108f78f83ac2b21419a84

SHA256
30af0cec58983ef5ccf2b30f074faad6ac348cd5fc88461c0b06977839a2c651

SHA512
92d0cd9e51de702a04bc2948e2966219b16c1bef93dadddccf801c58c2da1dd22ac5b9651583868957098959beeca2cfdd7465edece1120e364935ff65184675

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\rpc.dll

Filesize
107KB

MD5
fd8770a4368acd38c18ccb0298dcf587

SHA1
867772d872b84988bd7e9ea2271e470dd443874e

SHA256
e039a7e9bdecaf697bd73a47da557e5582fbffacc53f9a185790299156c85584

SHA512
e1123fa8cf304d082324cfaa5534ea34103226242cef1d6e1640bd2b343d19ae3bcec2302c3a6167c57f8196415190d86050fb55e2e6ba0d90aef189d5ca18c7

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\sav.dll

Filesize
726KB

MD5
47b40a1348a6eda7087a6241858ef9e1

SHA1
ca8ce0ba789baafc75b593fd8a98d4cf8afa4956

SHA256
cd83b1612c2823488ea267e88fe91a2aedf6b278bafdd39ff673bed3add39d6b

SHA512
dd43a1a08e0dd9386c0c4aa47c2e1a71a6ccd07dec1d70129c43845c5c32ec038efb617bec35320a467bbac77bad6abefd176c747b2a9113190d3e98d1b50130

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\smb.dll

Filesize
192KB

MD5
b4a0352a49d7661e64693765707a0a1a

SHA1
888f7e14cc08ef0ff4f6557bc8ec3a4ac36d18f3

SHA256
4295bbc2ce2ccb68b17df07b2364ef90b3bb802fc2f44c710b13c1477f424caa

SHA512
8647121a5cfc25fb7ff46308cebe3c261927bac40d2fafe89c01945346993e31ff6b0369e2a686f9f4a16cc61b74c887ed670f30a1a21252e04cd1ba781bb712

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\smtp.dll

Filesize
121KB

MD5
2b8265dfa5b53b61e875f7a83dde8680

SHA1
fa3c87c02750700ac0d20d21b88a90b8122be8e1

SHA256
748bac0cddaa20c4967f6f495db6b58f88fb675790c2039e211e42468afbe2eb

SHA512
9011bc9b204db910f7a06f89928986f03df234df39309b183b3fe226677eb0c435f0b8c3efaad9689a5fa44bee034ec99b7af2c6fc3a2056bc0a4c0d4d9d5de2

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\ssl.dll

Filesize
178KB

MD5
9592f5912b31b62193656497e67a2d9b

SHA1
b8a92656880a7016edcba43b1e206d83fe3847e0

SHA256
5978dd53996bc3856d01010e4ddc41215dc9d7fe046961feabec419972ce94bd

SHA512
ffab48be1db5cc30f61d88b3bc02e2ea30c8dcd44bfe9bed786bb7cd699dac8c456c1d390925c9a9ff2994a54cf98eee0e76984eba318792ec9838db1954b98d

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Program Files (x86)\Adaware\Adaware Privacy\Service\x64\vcruntime140_1.dll

Filesize
43KB

MD5
21ae0d0cfe9ab13f266ad7cd683296be

SHA1
f13878738f2932c56e07aa3c6325e4e19d64ae9f

SHA256
7b8f70dd3bdae110e61823d1ca6fd8955a5617119f5405cdd6b14cad3656dfc7

SHA512
6b2c7ce0fe32faffb68510bf8ae1b61af79b2d8a2d1b633ceba3a8e6a668a4f5179bb836c550ecac495b0fc413df5fe706cd6f42e93eb082a6c68e770339a77c

Download Submit
C:\Program Files\AVG\Antivirus\AvEmUpdate.exe

Filesize
64KB

MD5
3979953a6242be291f5c7b7f7b23f48c

SHA1
667d127119b70c520b4008bb5f4671022f65505c

SHA256
3905b3da70294b59bc6bec12c5027243c4e6a2e7e5c5ec2dd712b48d34de9948

SHA512
f9cea4329a4a015a504dec0c58b63032cd96766edbef605b27449b5145636096fb7bb429ed40709ceb0282637c4ac25485192df60e27decab4b87e5824590409

Download Submit
C:\Program Files\AVG\Antivirus\Inf\x64\avgMonFlt.sys

Filesize
64KB

MD5
74bc24dd41b9a7cd19c97f6ef3a94f34

SHA1
c5cda918ffbd4792bf00fbe78431706ea1c89005

SHA256
4270c3f2d4617efd707292988e89f9b1a484faa897a83096e95f4a31de5d4661

SHA512
dbb88739c315bb3656c9da89dc61741675a193359436d83d8a7e3b1f3c50f6360a8d67861b03102df5c0c6e78d316e085ebd07b683f1d498794ab5336f7d245e

Download Submit
C:\Program Files\AVG\Antivirus\Licenses\intel_asm.txt

Filesize
1KB

MD5
4cddb654fe704264c203b4d9c7c832c0

SHA1
9d236e8f305b4bc8c486de24549a706a3957c210

SHA256
634788199f33637e3cc36c61e5272f72ccbdab87be0c07eaaaf487c5f4f1ce82

SHA512
1933696744c8a95bc6c82ef0d19e99f1d4291f6e0aaf8570e45bd74065ec076ea9b3e4b030ebc8df52903f4f98aef6a9727d3370834efb9187e4ce24ab9a0180

Download Submit
C:\Program Files\AVG\Antivirus\RescueDisk\waikamd64.mst

Filesize
3KB

MD5
ec82d1081d31554e75d7e72b30d31d78

SHA1
ff5615640cda8cec9fb0ad3fb8a4e441bcc8e398

SHA256
0823905ce46355fe514ed547d5c639af39b2b3d28a5bcabd1846997c7a4208b7

SHA512
2f36323db92f1c1d4e3b8f18f8258830a6200bc7061eaaeadcd0a655e30276592376fa4c4f706f497d5fcd00a1e5c5649e20407d3860910a184ccbe4b36547b9

Download Submit
C:\Program Files\AVG\Antivirus\SupportTool.exe

Filesize
372KB

MD5
62adbb3b0f6a0882acc589878cdc7577

SHA1
b809af0673b4fc2f729184719ffab57245d0ca85

SHA256
5281df5119a29c148ada09d2d92aa0e7f021d24aa5d75451e8be5725daee2ee0

SHA512
73012930a6e2129d741f2a2de8167806a332f40a5662ddc4f08805ad5813fd05333c7ca5edbe5fa5d5f875de161bc072bc1e1571df1120a045470ec3d882a93b

Download Submit
C:\Program Files\AVG\Antivirus\aswAvBootTimeScanShMin.exe

Filesize
499KB

MD5
ab2cf54e88cd99212efe74ce7c6ff8d2

SHA1
33a12b8ddb52213e6eb820c6289882a2516ee146

SHA256
bb2ec03307951d8392e13bc036f085c13af286d4515d22dcab3163e7f1bdedc2

SHA512
e488d9f531c706a3589d20f653f7839ad8150af24ceb7c1335d7a528fb26f2b1b7fde2336b76a0ef1769f58eea8e8c51be6103242d9961ec9ed01cb6115067c8

Download Submit
C:\Program Files\AVG\Antivirus\aswpsic.dll

Filesize
62KB

MD5
14476f299954d2358ba792b662c2480e

SHA1
2a5e461e30132417f73aff3588668072c2728f44

SHA256
6b257f37c0d04ee8679c7bb5d78e31c155dae829e1e15077e0466d196e2df32f

SHA512
55e7daa67c21957e856bdbd69ff971a71f73dcdb777c4b5303aabedc89f40027dce62483757e6984c7687aa25dac6f16f11334bcabc015899026ab8991852819

Download Submit
C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-fi.json.ipending.313ec7aa

Filesize
380KB

MD5
3c30f0ee768e10347544d81b2c98c320

SHA1
2e10a0feb4e97e52a4f516c3c3c9e17246452d39

SHA256
88355500c807d4e7b872f028467c2bc296f585b304a38f5767a26add7bd0bd06

SHA512
b701d1071e3b574e263b0d3e7b8695be8221c2356c3d2605a37b787da9c5fc1208e5d5f70c6fefe3d40c970bab407a945811ed504160b42d3e636aeed1478921

Download Submit
C:\Program Files\AVG\Antivirus\libwavmodapi.dll

Filesize
516KB

MD5
d147e097abaab5a473993564e15f43c8

SHA1
337687c4a9940a89292f31be4ff5331e97f7f454

SHA256
b7b2f84c60addc947b398d8073c655525243dec98ef2cf8ced4829be56045141

SHA512
5b80c3edece1241aad46dc83f93a6bf1ec5a2ca299fa21ac3f23c2552bfb3c3a5a35caca27a24f2b1c5772a5b969859118273663f00997f28b0efb701815ddad

Download Submit
C:\Program Files\AVG\Antivirus\locales\cs.pak

Filesize
278KB

MD5
c35f6471ed5a9e7ef8570034717fc28a

SHA1
1271695d339b3d49c861b96fa790d5a634e3ccbf

SHA256
7665f4d55ff8cc3e9e1d5e94a75acdcd26603c12a5c681dbfa506e826b6381d0

SHA512
cdb2cbb932ec895b9c368101046ed2a8dda2e1914663fc8ec5765f8922c33253618c01c5293bec1cba1eeabecbdba9346bf04bb524e37cddafe705a9486dc9e1

Download Submit
C:\Program Files\AVG\Antivirus\locales\hu.pak

Filesize
336KB

MD5
ae54cf32c7e5bc9b75615225c5faffea

SHA1
25c6ecee303925f6a273a8d0818a79ff80a74298

SHA256
12949111bf85a2236f071a294a508d99c90587a97b9ba7f61dc8d70e36f5761b

SHA512
eb12669cef9fe09d8f53094aa5df2ac71c8ea334be474a2dacb5f2e8ab56bb56bbb188aac10509873fb7dd3ebb6278d69a050a700cef6388a5caa22736813932

Download Submit
C:\Program Files\AVG\Antivirus\locales\ja.pak

Filesize
380KB

MD5
017796cec4dcae8064f6303f2e3174ac

SHA1
1709c22b0a24a74b690deb61dace383484c08bc4

SHA256
8b8407ca872711857c1efe032f0c71df17fbe8d82107a09953e812a20497e582

SHA512
e469f0a63bc649126e0a191dd17c1f5db6e1bbde4b4cec63fe4dfe7c821ff5f1919980ba5bd4962095c0f8c4698ac659693b6ecf1a5feb2832936bc3c47a3af5

Download Submit
C:\Program Files\AVG\Antivirus\locales\ko.pak

Filesize
319KB

MD5
d324469bd2d6e373ab875328c95322ee

SHA1
8c4d3d7e0bb3df9d4028a49b64182d016b47443f

SHA256
549b190c3722d4774cc7a8a2730f858dba66f063840469799adb449184056f9b

SHA512
10a2e751d95422fbc24f5618edac8589d033f19106ee500c83830fb839d639d30f25f2b49ee017767325dfdf833a6e1f9eaaf0c1081c1d339233dfeda9876ae8

Download Submit
C:\Program Files\AVG\Antivirus\locales\lt.pak

Filesize
336KB

MD5
96406518a17835d2c08ea09f6a4f5269

SHA1
63f2b8ac41adabfc0f58bde2ea02af3ea830cee4

SHA256
336b6bfe35680a19b02d583f332df5d0f5dc6fa5729c2910fb1aa6659e6aaab6

SHA512
342a9d97fa6747b52e462e302cc865e8ee6018aa65ac3d517d4625cd31cef68412e4df9d28ac10e39ed73801342455635ab99a6e167bf7527ac7acd62bab733b

Download Submit
C:\Program Files\AVG\Antivirus\locales\mr.pak

Filesize
183KB

MD5
c67caf1cd4a713803cfd072468656a55

SHA1
881b5ede35a92314941bbbb1432db1a75d0d1f3c

SHA256
1a40a6fa63f363c32e46a7ac1e217de510a9c35c90ad5bb016b5daccab0df763

SHA512
1886120a0a2b9b19e292bdf154d7621e66cce40f55b354baacb0e0398a5e5670d9fa00bdb4659810c137d274c72146b4bd123119041a40bacb2cec80e8bd6e6c

Download Submit
C:\Program Files\AVG\Antivirus\locales\nb.pak

Filesize
288KB

MD5
4795132dc7086e139a2af75a69fa4f63

SHA1
e8acbd586ccb9ca0686c7cbf90f0be5cda48228a

SHA256
8ef002c7ef1d7207b5b41038f16fef198d2343c0539f14090960d6f1295d8c7a

SHA512
466f4a0eb01d2f8d8359016fba96189f152fddcf5c041b05a62c5a7b14b3d93b3f2a4c7eba7e292eb8acacb65afa68b9e9adf4843ef78c410f3d5296656911de

Download Submit
C:\Program Files\AVG\Antivirus\locales\pl.pak

Filesize
325KB

MD5
419e3f381b0e0f080ec230a9f1b80e66

SHA1
c279ff058f3f3ef086715ea2206f24cf7aa75818

SHA256
a5fdcd13f711d4665d1960f512f1bd229dbbacb24c86bbb3773a905e2dd24b33

SHA512
d7896ce61b64ae92f5af2774f3a996516d24e89d7cc6f84429cbf3f70aa3d87404fca8c6d242b5a088bdc1a7a73e229628ca7dbec81d6976734632cb5291e9b7

Download Submit
C:\Program Files\AVG\Antivirus\locales\pt-BR.pak

Filesize
309KB

MD5
3a4f9d62b91bc0eeab11f0865d4be286

SHA1
c56a98f46b9f0ef8c5180d176cfb7773a05ce941

SHA256
3051442a3e905dfdfb8f17f49d12a3722c511faf9aba0fc86d577dac90e3b654

SHA512
39a81774c90476e4e8ab80b0784a8923c698040f51cd6acd08a50b5d2f90a7a22242296ca5793ce39ccc93120df3f40eb2abaf6317ffed8aebb986ff28946081

Download Submit
C:\Program Files\AVG\Antivirus\locales\pt-PT.pak

Filesize
183KB

MD5
7d2b8be0201514d645f38c1e66d8e640

SHA1
b70f16472d4597bfc1e0c590a6f3d1b60c0075b2

SHA256
22690dad8cac796b8d93ce86112815b9c44204da4e448d49aaaf1e858a5bc3b0

SHA512
e25b185f733d09b224634f297e60948e8ef932ca44384d478be3cbc0cc0f7a2748589352327219e630db7b99061f6379a6e2670740e25d9a6f156bda805c1da7

Download Submit
C:\Program Files\AVG\Antivirus\locales\ro.pak

Filesize
163KB

MD5
48719caf5d5c49e63c0b5cc07a82ccfa

SHA1
60ecb262139e51f02423f311dfe72af2633d4c39

SHA256
8cffc8805063f9a45adec983ce3d0b766f45180a258fe304adf00ee4e053b63a

SHA512
aecd67fe0b27e9e601f8563cfcea0f3beedebfd6e1fd86eaac10298121e0f7cc94d9c4b4459b46023db55e376a78bb07df9904969b66132f9ed25e68fba27f88

Download Submit
C:\Program Files\AVG\Antivirus\setup\config.def

Filesize
20KB

MD5
934e4c0db2900855ec6b7bada158d464

SHA1
095811d2cc7924bf2b4c0d88537de9eaca106eb3

SHA256
b419fe15dd54882a70e9c1ff902467d2e1abfa8565a9cfd0770481ff0ac84e10

SHA512
0d7a0c5a0c545e6dc35d14ec16486f146e89145c2ac7126780012723ebb57d968b46208c6fd379f1d01ca3af188afb68e5a4fd74c351f40134f40630c50ef7a8

Download Submit
C:\Program Files\AVG\Antivirus\shred.exe

Filesize
320KB

MD5
1aa48c879af5c8d63729c570d093054e

SHA1
617778ab0eea431903ee3346bf50e0a4c1fe32c0

SHA256
b577aaedd4ff942a33523847e8f17c0baebb127a7014e852899a0818d895349e

SHA512
07cab721770d289199e490e1c2bf360f539386ade48eef4b1180a659c334cf31b63c107e5b1514eea1e86a52d1cb25fe605cd5e9b714ebabc8fd46293ea2389c

Download Submit
C:\Program Files\AVG\Antivirus\su_common.dll

Filesize
244KB

MD5
f3203e6510be60dd8b46c5b37ec635bf

SHA1
e26175af807d07cb93cf89d586848579718d8c4a

SHA256
70ce03a7674ba8b2ce55df27a5a10bb0a8d22f3752053a757fcf74d87e7e0ed5

SHA512
fdc96dd8f1b90d0765acd746717a6d1e0cc3f4924cc498bf2e2e6a42bb58c7fbf4f8efda8b436978c8e610f1df78e910fba1462a6b20ce6600e9fd6eb5206ba2

Download Submit
C:\Program Files\AVG\Antivirus\su_controller.dll.ipending.313ec7aa

Filesize
452KB

MD5
477f6281701903041064f43dedcdd6e8

SHA1
754c85d79da5dc6af1dd6635bf9b893a08eb1159

SHA256
55b4e1916c8f42b7349ed85a5b4aeea591cb9d0a423957f3c80e333b1f6ff3fc

SHA512
9bfc38b0794497a83e36e1e5c4daca8d1c882df4192e27013c1225973d48fe226f9305151d1c26079118473a31ef4214d41cf87e07647d02bc0ea9f8e476b2f7

Download Submit
C:\Program Files\AVG\Antivirus\x86\ashShell.dll

Filesize
268KB

MD5
1494e4344b98f755be073faca531c223

SHA1
51ab271441da3ac4e3b878c20709e41a5e645efd

SHA256
25f9353a8268a227cb52d4410466da1fa40e9bd6d35b6277ffb95805ac8a7aa4

SHA512
7d1a3f8732866a6b4f170f43a9bef67b071ded236cbe250e27bd694e21ebbcbce6712ec906e2c48ed508b19f8d96da53448348431f2ebe0af0cf05327c8ffc83

Download Submit
C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll

Filesize
65KB

MD5
3b07abbe272e9b9e2989e2d6a400fa53

SHA1
f925e5e58377dcdc13b6d80ff22c775e2334e372

SHA256
a170d9851a1427066d1fd61c32a9ae4b9545aa926be55da7e7d94275be281dc8

SHA512
14762c984aa6736b1330b1f0b296622fc1ce3ac79108c0bfee793a51131deacd09b494e8c851c6e437a84871a864dd65389657df8b2256f931e3c60a61fade8b

Download Submit
C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
18KB

MD5
85444893a6553a4dd26150a68fd373d8

SHA1
ad9b46da45366f13a22173b06e22a45a211e99ec

SHA256
65f2a93490c845833541de1376d5bb65e6e864a1a9232f58f86a7a84408508c9

SHA512
ad56f71d0dc6d2dc5dd46eaa00247bd209403014648fb9c8f98937fc8e36fc85c0107365d2f6ba4f6d530f340278e0205d94bafebc78d10201e71dbb5d4c36d6

Download Submit
C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
841e4ff9bb531b52218392db1d7cfbe4

SHA1
5607c2a987436195f1e241a0b29e8fb1f734102f

SHA256
4da31e582dc47d46132cc73ad34d5b87dddd2338495ceb2772f7e103a9a32ebc

SHA512
93232073d95870043994c752318f9b319db508fff452e4aa0b8e42e66d13623803be4537e1798dd05177b7427175d989c8e49a379fd932297e161d461bae268b

Download Submit
C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_atomic_wait.dll

Filesize
45KB

MD5
cc556ffc1ee06111ba305967b089779b

SHA1
9b515a2f8e7dcf570f040b19a64b36166e17d93f

SHA256
be242784fa947e505ab9d79a23d7ae96e5979af03bc51297ae840517942f8675

SHA512
51fdf6c92ac6cc06b04092a0b1f9d391ed36d8ce0b2b123fff9d228875bd91b55dc218615f757f06f34c11d2527344f21c7db48a7b0502685bf6f77650d240a2

Download Submit
C:\ProgramData\AVG\Antivirus\fw\rules.xml.ipending.313ec7aa

Filesize
34KB

MD5
2fc4e6e0dc7816f855189f4018d1c935

SHA1
141f4aaa087369ea2b872e21b292f44afa611e71

SHA256
5aa5a5d5a9061a50c93893f88ca06a53d78550640c417759a44341a11be915be

SHA512
6f3b2ffc4260ab36b1e02206c9cddcbb8d9520619436157947179031b18585c0ccc57fced9860198fbbd74e8781c84b23d5f0b38b5dcffcbab731e1a60cfbede

Download Submit
C:\ProgramData\AVG\Icarus\avg-av\icarus.ini

Filesize
166B

MD5
c043a3beb23cc43cb3e9acae2ad9d8b4

SHA1
f8a300a14643d9d2ef708839d882fa8fae274f73

SHA256
3df024f72a0bcdd90a7c140591e224492481eb7f32a940bfb9af1cdb6472af9e

SHA512
e5baa81e296b7f06360ed20d9484a137ca49c0505d2c94947b978b09b277f13184e540098e21daad0a72d8ddd831a57d6ac0e67c0aa860d87a051b55c3c9fff2

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Logs\AdawarePrivacy\adaware-privacy.log

Filesize
4KB

MD5
7127ff6e741e6466c2cb4aabe00f80ed

SHA1
d1628cec29cc033989c6823212c61ca508db33b4

SHA256
7ff217ab0e3d32bf9d96c3f9983289bc408b72f6dc9d939d5f6a1119b63f9cf1

SHA512
1d4c06c3db92bd9d1339ef3d798e04bd9bb9d877e16d73777852c270c798456066ae672134f06d309d6daee17dd65e6b1a390b6d736dcf8b38025a4490b527d7

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Options\ActiveFeatures.zip

Filesize
377B

MD5
27e59cd04dbef582087fc13ffa9ffa42

SHA1
d5cbc4c8f831c06a5bdb1efc2dfce3bce8ca3f55

SHA256
a05f40fdba2129cd7f91c71fb76f7960ef6cc2c511b007df2b2d896063c40add

SHA512
ab97693a128f61fa92563f4d52078d159e46403603038615ffa5d7fe4cdcd1c110d04179349610a45aa252ba005a82c6f599f9daab593813305421a4f1f8ab83

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Options\ActiveFeatures.zip

Filesize
377B

MD5
45b2d1a73e14b344d5c8e5bc3c906a37

SHA1
bd4efefbfb8a34e868b93426c33281e658ec7057

SHA256
c16d5521ce9b6ffec8c550a1d036c7c55d9dd67f42b5447710c4c86f7dafaadc

SHA512
9015bc90c889a460c0053c04f33aab1a14869859f862373ec3c364fff0bd85859d6cc965af91b5fdd2089828e20693b00ad9b972bfd86c416576342503dea0fb

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Options\AppSettings.txt

Filesize
297B

MD5
6c0379994214a0aa56bba11ebdcc4821

SHA1
4cd353f215c3242f620330d57ef602300bc0bd45

SHA256
d71617647ee56a89433b83ebef1f8e2b791ba45fda68766c879ad379108d1531

SHA512
ed6c5ea83d33f3d5883329b98e7dc2dfc294993cd51146148d867787ea74db8c899e641953001598d83bdf9317668fa5fcb90bd11ef99bd6261481cf51926f16

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Options\statistic.db

Filesize
16KB

MD5
a54b80cab57ab049df325bf3d1ac2703

SHA1
88678057be1b5f77f8f93254afc11a09c67a571a

SHA256
e412db66d4df0ec45e4cacbbece1c3011cc8e85b4f18b5cb4a31179b3630e0e8

SHA512
27f99a13a4bb4abae986a32712b6f4a8d8da79c94d9cd13cc3ef01e615f0f9c6dbfd8c4174792d65f107ea2a9e5621e5652e91868e96bcc278182302815152dd

Download Submit
C:\ProgramData\Adaware\Adaware Privacy\Options\statistic.db

Filesize
40KB

MD5
771d570201ec6a328c55d0639c3762ff

SHA1
9e6175a22241cf8e8601b927408c205e361292b5

SHA256
78cbdf671b7de172ce369da5a0c2aff238707d88b4fe5ce102c265039e40f7cb

SHA512
877250a97eff43b8771043dba92f7694650355087874861d863cfad908a0c2d282a66f5b2d5f551f2bb48453c15fd638e4de87cf266c8bfbd9bfd2a414dbe05d

Download Submit
C:\ProgramData\Adaware\adaware antivirus\Options\lang

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\ProgramData\Adaware\adaware antivirus\Options\params.xml

Filesize
856B

MD5
d8fb979dd07428b3f03f0365ed38674e

SHA1
254b3cf971ba462085a677bff0f28e9c6225174c

SHA256
8f3e8fa43945f0c904080b766e99ee7a08b5ed8e9823456682b1675fc33d9a8b

SHA512
b0237659a85545f1e9e8fec788110328e03a3cd6eefbeee8a173c1c2775ed4b9b35569b731ada73730971320f88d252c545a7df04d345172c94bf65bb1379825

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\0tmfoka1.newcfg

Filesize
2KB

MD5
0e32fe4ffc5271b77e5c10eae3f2747f

SHA1
fbce896710d2fac9e557239b4d79530404154d65

SHA256
7e50df3795e6013d957bc64299b1e07f26a2778813bcbbbf142ae95d19cdd313

SHA512
dadf76e502185ae0e855d703452bd1b18fa3c73c2fac0f70187626c2ba49d0b5d672c486750c004fc344e0a11096bfead43deaab3b2ba30939ed47aa45e3cdee

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\32mxr0fh.newcfg

Filesize
2KB

MD5
d1ec5186e6d2de9b6e6ed61740c6b369

SHA1
db0fa8a3d2f45e8b062428876928f2f11ea970a8

SHA256
968d661008ceb2e2482cae61a9e68221f844f26e4351fd0ecb1a8ff363dad85d

SHA512
1811145a46f960ad94b1164d7d108195f5ff9260df8c2c82985aeae5201d5542626c55b81e19ae09b741f6a797d0ee0971bfb0cb82ee1c6074357ebfe00d392f

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\5lh5ufhq.newcfg

Filesize
2KB

MD5
a77ec5859ec6aeaca6dfe683343c1c24

SHA1
9f6a20ce493e3ea21e453f68d3a53fc1c416e9ce

SHA256
5b5068f621e70ddbfba7f09e521c40c0b5ae3b8a7f23db2fabf89731ae2aff2d

SHA512
740928b91abbba42c6ce520dfa4d02f77b467eff9d2ca265752ddbfc17ff0a05dc594e414dc1057c17705e74f96e081e7e8f5021287551f95f097b84414665b2

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\bywvusd3.newcfg

Filesize
1KB

MD5
8cb57a1070070d1b8ba624113ad341d6

SHA1
dc8f077d3fe98faa9b75decec5a1f9bd3ca7f95f

SHA256
c8d8bc4ac56bd53b7e3c9bdcdc986afa23622693d39887acf526ba164dee1ec6

SHA512
eb90f89ba2792ce2551229eefe383c3efdc4966bf694d84ad7aee7e0aae333de9353003950294052e5436d341dca509afa2af1931f454607b775801c1dadab4d

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\cftohq4a.newcfg

Filesize
1KB

MD5
38277ba4f9770aeea585906f74684232

SHA1
3bbf3e37ffdcae082f195b41c3c6a5083c1d9010

SHA256
02a85f8a5d65ca65653f1dcf5d98a492ae1c5b961dc94334fe28bb7fffc0b10a

SHA512
dfced852a890cb5e4c942f3bbff876b6f7d3671ca7034dd7bce6e5029f3f653e673cfd2612df40cbda040ad3a947f808a98602eaea0082a55ec429c4f2aebf5a

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\jte2ukxw.newcfg

Filesize
1KB

MD5
9e64a728a6cb3fc7bcdec0adb0beaa5b

SHA1
74ffee0f6d285dce9f7e868ccc49fc50c1c6679b

SHA256
5af15b012008beecec88822e8b539b57dca7b275174ffd7b78c63aa5f965ddb7

SHA512
4f7306d951cebeaf6f79688a9301278362135eeb2767cde5cebdbf010d2df70cc75cc4cdb089e67c577213762a1aa97d34de3650203e06ff94b17f054fa57afb

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\qmpre0m4.newcfg

Filesize
2KB

MD5
a98faabcedf6d3bbfa15987c9d8cf785

SHA1
5d3b93c9c651b08dea5797c59176db5d957a5855

SHA256
e7ce4e0d42062290b60e346e345b4c7f09b6f2f393f8c9042de14255c06b08e6

SHA512
41fbf2ee47ee6d902c8a0255d1c44c4aa5091f6b5fa2a8558439964d078d65a759ba70dab522a035009370474dfd88795870fb121d4e647e3c4102a5c5bca8c3

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\qrstsl1r.newcfg

Filesize
2KB

MD5
33fdaa1f02663eb76a16fca8c7763f84

SHA1
aed9235b2a4f1bd977e313f683858409e2cf47fe

SHA256
ce54519b2ac4e80c0b361fbcf4f63c4e47dbab96ebad46a47015185844d6f6fe

SHA512
efbe8b85af30488163362a135af94f68b717e5491bab806f5dbe41c8ac75ff2fe954dd08a023999381ee73f46d293fcd5f42ae22067e6446531d02998ededa83

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
804B

MD5
cf7630a3d1f139d8702a3417445c09c1

SHA1
7157398379029088b1ba75249086073808e40ba9

SHA256
f4184d9c7df70376da387dab3e9d2eb0db973fdf01f0961d5c78cbce8c64ee23

SHA512
c6a3df1f699c4e4e5570114279086ad70d75638fe6a2eb1ffbc605bb34a5aef79c1a74a6ce3c5ea297ef5bdf4c90dccab648ba394929bead86f728324f856ce5

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
936B

MD5
57f394284cf344b3df56a71c33813d8f

SHA1
f03d2a4b4b19feeb2be3b642115a3bb69bb2ee6d

SHA256
b28d377dd704de7d2914855f89e7887d5743eb8005f1a75722312892b3c405db

SHA512
2266458231e18bac79100efb0c5e2ec74b7cb16fb333e5bec9859a8cf635040223f6de96263140f6b1a3b2ace7da2fcd5f5afd771f4db2a8c91521e214939be0

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
2KB

MD5
33277c3356b2881126582cfaf092dbec

SHA1
e5fa4c6225d773ffb4cc85fec7fca67c29dcf123

SHA256
1e0974e8845ea6547d94975279b4f6bccef2ae449e27fd6704bedc5ad6027a75

SHA512
d2527b5a55a1f708281b2a6e50e67a9fdc3219568726bc7f0160daa2280f9f6dcd0bece5da53fe05eda8b776c7c50f9ffc183d31d2ad6f643922b839a9dd3bb4

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
1KB

MD5
dad708bbaccafb5e0067b55141b75b81

SHA1
2a14ab0af7cbb395acdf48368b78c54829226776

SHA256
333d54e1a096cdebb021ac290c12b92b1fa024fc42d85dcb4a3766e0b4100a2d

SHA512
7c9abfcfc02e582afb0cfb784b2f8c5ba480156f8bd57df848900a4bdad4f7c356c1616c0d678c56753f1603dba45cf84f1844b387b8e5178c19573566889e62

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
1KB

MD5
7133deae2fbacf5fb782c363784e55c4

SHA1
79f5de52aae1c3dfc908370b57088c2e18a97d61

SHA256
0f5da92f9df54828e5dad6d503e892196f998faae94dade06e47e4f15bdddaa6

SHA512
c8d402b3a9a3a742a141ee84b7870b75100ed8b495d1eb6c643ae79047d84e0e59a481f9b96dc61a8fbdc042f5584d12fc3163f699e4f683332b65b32bdf3266

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\user.config

Filesize
2KB

MD5
809d652bec939c99314c22a6917cf9c2

SHA1
a8c518c7fc31a2f9a055646b9b6800696617bfd0

SHA256
d10885f75fccccc376c0eb72c6483d3c766e324f490e9677cd1f55eda97c501d

SHA512
9e6d0073c8a41e46abba1fc7e1659a446d172af5339fee63a11e90248db628fc3a02291e8a88084f7f67ad292202e49eb871058cf1c76a297abc5dba1cc5103f

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\xg3msmzs.newcfg

Filesize
1KB

MD5
bd8aa6733363e0756c1630c3f70fba89

SHA1
8a1b6ca2670cbace1304e6ad862f60946403b10f

SHA256
cd08a8faab9c8972cb6eda9e266db9360de4451130219431f62a5d9b72d9ed6a

SHA512
2a51d8f7fab64dcc962049a546012ce6cc0236434e2b3b9ffd0c1f0fb823f4654ef4c910e79a7034797e1f75d4f6ee619450a7638862a108d071d90095ccad67

Download Submit
C:\Users\Admin\AppData\Local\Adaware\Adaware-Privacy.exe_Url_reyj5o4jfrpl4db3gsdcoojszcmtsm35\1.0.0.0\yg1hfb3m.newcfg

Filesize
1KB

MD5
cbe831d12e722d5509a2330da31f124d

SHA1
0d3ee892b98627e1b5372bd8d3e199c3f46702c5

SHA256
7398eda1e0362bbbff641d82a032f21281c644d0188776357d62578934c4a8f2

SHA512
19db408aba8097d477f83ea36898992cbd6f2eea38e80e45c1dc8de12e834d823a383b9b9a2138efc17cb7106d269616230f83a0af8daec483e09a4e8293634b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6f5b85d7dc5e3bb347b358f3735bcda8

SHA1
882253a8bc4f6927751d92c04246507adc08d400

SHA256
8276437c35a9cc5b6c26eb6da8561ebb0ea35ef63cfdd8a586899384700299d1

SHA512
8bdea02408dd0d6dbe67130cde4c2f3d5b243aace24869b7331e856fae049d580ec9c51eafdf1ca08b53d24c344d6b153f20ae0f5fe5013f3cd0a3855be9c7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
daad5e6d2c399add7488566b7694b10f

SHA1
0777edbbafeb3e1e1262a5edb94390155700a1b9

SHA256
f19d3c9d6c2aba9966b5722f0638243ce15ec202787a8901d27c659910f96a5c

SHA512
842d3a83e265696eb99da71c47704586595f1f005867c8976ca5e1619d75010e80164f7f4a749145ab57e761da589c6e743b088b2ced88907cdcc080c9fe3074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
e014b244f5411594a2189a76bc30f6f9

SHA1
75cfa99b00c0880114fe1e4b6750b8fe9be44153

SHA256
ba8e16d673413f5abca7360da43c87933892eb09c38ecf5c8dadbea0bd14cd23

SHA512
03d407e0533feea9b0cab575d693ca36411897f7e55c660f5cc75ae40badc00d9490b8c80dde20545c839d8cc5c057695fd01905cd91c443ee94b0679ae4ea9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
67KB

MD5
397da936b22903ba894a41058375fc6c

SHA1
a9d4563e20782cbf3f5c06685d8bb9b07d690e7c

SHA256
629bc472038e0778deac3fc5c71b0105adfe916dd85ebe01c115782f1c8a7cc8

SHA512
4b878e343e3e980e92ed68ea08d2683be01323f18758ce5c313813e03a911011dc95cbbe86990acd15b0db6d6ccadd70df660d24cbd639988d781337d038deaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
67KB

MD5
a7f0923cdbf9765dccee24f7a3fd2051

SHA1
9a0105a3c24e6c5fd5819df43b18e5edf956c8f7

SHA256
0eae5878a7e322efc88120255f661806632bb5609bbc1e3c6b17789c7badb7f8

SHA512
17ec307e210eb7addbcdcbef37bc15b4f794ab31dafddd9f7be005a9d6d10e8c1f5c64f8c68a3f6facebbd6a06fb573a5d4211d37c8f2cc506a5466daabf42b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
19d99f24e07ed5f621201ce09c7c5c09

SHA1
9407629a4859cb48710861636c75c56067a31990

SHA256
557002943ba076953a8777a840fb8fd5b298d9c7bd788969dbfb7139e6d5d378

SHA512
a50008350802765dca595c2f6f56537a456b06d74c7a84f3f9a8ee30ade3cf12be79aa69922f62843376a0f6d40269b4b26a0784136a510da3c8f0ff02429db7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\10903

Filesize
7KB

MD5
05f2ab796026acf5a35b155dff5ab632

SHA1
54ee551e9e4a10df2fb21f156f3db5f8a7fcb194

SHA256
814adaaecbc6851d5d6aa11060c000a3bfff6708c2159c89f659fc8b349dcfa1

SHA512
b55024be03d6e4ba0b18ea5deb3b9b72c584f6ca04da585a8816240b42f7521edf9d2ff7da82d43c5e1129734aaf5d571d8dbc54d382c2742ca86bbeab3cfe27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\1258

Filesize
16KB

MD5
e457aa5921e09b124068181fb64071ce

SHA1
c5c58d431f0b2ef84746c60c306b3acfa3b8185e

SHA256
39606ddada19af7de0ec8eb32886cec6469f2f22430db165b87c2ca1947a7af0

SHA512
0b8c6bc7c89eef9b34c40837471743b06537fcf8e385f393a3367e034158b417df94fd563ea0a07a4b10c476526e2c7caec0e5421d167bda8fbe8e03b61f56c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\13376

Filesize
16KB

MD5
d1c5b65b22b7b5566c8cc688ff164eb7

SHA1
6790b2ec4ba9d49fbf2ca3817ccad2fc927e2956

SHA256
124ea132540f5a8f611376ff16e03f761746a0523d28703365f8e9555dc143bb

SHA512
cc7f56f0016c2c7ae5189aa4c7c9cca809ef139a86f17ebbc5640fc805cc75843addc6cdd8c151c3fce53a444775ded06ecf13ad902aec33e2490141ffe33016

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\14320

Filesize
16KB

MD5
bb222a1eca84b36a4bb9506f94bf5929

SHA1
5dc3a78b21d4bfbdadc41f9353d5c9d012985346

SHA256
f701cac32279421757e4dd8b6ee58e56c5158fcf10e471dc10588c127b4fb087

SHA512
4f75686d47b09d896ca16b7bdf16c7d733a87349e8bd7c6f7aae2f592e8b77752d99180a914554b6fff5a93e0946d2d0a320eb3e1ffbe2f2cab03c698feecdb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\1538

Filesize
7KB

MD5
18b7c869e676a17d4c199b98c34afd71

SHA1
35919dfceff1b04adcce14227533d1b395c13270

SHA256
c3dd8933145dcf45acbbe2f18b9b2a4ee99c1143455ba51b5b4fe37ee2369a59

SHA512
c9c34d3c1691396e35925d1bbbc0bd7e47028bee97b8630e351922040f2a531a5e50ddc91df2405ae99e56721b37bc58297b3e35db2d89e292b421432b97a957

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\20244

Filesize
15KB

MD5
30992446decf78e8651045d34aba12d2

SHA1
215db00759e5af4ea37f11a28ad8f2781935b6c1

SHA256
5363bf5318848bb42584d760b7f3e1a21383aa04cb24d1eae31cbc60e04834f2

SHA512
e22782be51df68358786d29afc2a7710051dd066ccbb7fe3e87057cd508064177004562ad550ef425092f322ac967afe7dc24d48b58cdddf3f4de2bdf7142536

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\20356

Filesize
21KB

MD5
2f0866d2a9956bff405aaef28f7ab0e3

SHA1
637b9393e2240ce6fcf2197f68deb7cec847f598

SHA256
86a9d3c4a23c1df9c9028b5b1895800e3284ba4829824727738b3703b30f9d3d

SHA512
54f679b38558a131e90f7ccd301355dbec785b3bba5770897154c978e2300920c841ec17aebe6d5c61ebdba4d276560ec871742518c5c0b5a715e1577cef6cb9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\25355

Filesize
7KB

MD5
4fb050056b645411cbc21be95e129e4c

SHA1
f9983f2fca182d116d870b24997d8c022ea6d297

SHA256
a0518dcdd814e97d820732d3df3b4a0011fb74ed0838e7685f0c7fccfc08144c

SHA512
98ee7ea1a84151b2e22fa849ca467ce34b95afaae5da2fffaa2d39af46d8549ba1428cc4c4d40e2d593346cba9510ae0f0fda8bdccfc92fdf70df661ce680ace

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\26163

Filesize
6KB

MD5
df0324606bdbdfd2f446dad1f117a33c

SHA1
c3408d3cedfc4ad721497f0a8dbeb2caadf30912

SHA256
207d98da49b511de95758d41dd43c1ca621daa4e17bb9d6e1a2059e4d6d56f87

SHA512
67d9abebc566f4eda674cb102818d4c78a9da20e2c729c12d6df842c2bd21c25bd10bdf7150b775cf76146b85ecf49cf53a06efa7ad172b774da3ae30b6468bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\26438

Filesize
16KB

MD5
a1d8b56dcfbec99a449753388f3dec8f

SHA1
f3648253fad9126838bbab33e95d5123bc33be03

SHA256
7db7034e3634c9adada788cc1c41a14f7f4f864a8a57fb45202cda0531f6c2fb

SHA512
22d4beb9b9525ff3b404f526b181662e05cf0c093f9f2c3d9dddb831b1bf4cbf21219cbfd602e8b58a2ccbb19fb833320dc28b5f0afd9f577cb5562b113de6a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\29216

Filesize
11KB

MD5
6f41e9f099fc1e7f889c9eda1a4ce0e1

SHA1
699a3734293361ad0a98291224713c5b6b83b4bb

SHA256
86c97c362a11959cf580c77c34117a0674d5b7172c3804c1b144e32af9b9ed69

SHA512
a7d3163682f2c97a941995ca5f1c95983fa001504aeaae6fecd6202585502e5737602959a73937f77fa9498025c43492ed65dcfc13e91d2bbb0d4bbfb11002ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\29936

Filesize
11KB

MD5
438a378c579319902dd88691f3035275

SHA1
2d9b7bc8674dccf3adfe9597ecc5bf882ef5a1bb

SHA256
822f3d5ee7a00b2f0e26bc9a9ac998deeed56aa3385fbd657d4282b7fefc3b74

SHA512
74fa7e3bac9c9bdbbbf16b3ef95447adbd0aed0044001b6c86d112888fc574d19a318b851e371ea4ae116e941eabab0a7ba0601195e3ce630c5e3989aa047be3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\32402

Filesize
7KB

MD5
fe2c808e21856802c75b891cc20321a3

SHA1
ea65ecef6bdbe52d7921742a89a419f551419ee6

SHA256
9c2a0daa248f140d8883d4c278bc4e798fa0adc716e23b6da642404bdc62e142

SHA512
29d6e30195c1dfa511ccb03432819601d363ad233ee39ad66ee206e7b5385143ea89cac0355cc54a75943525e44776723595d2091be795ce68f4fdd4f456e78e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\4343

Filesize
16KB

MD5
8e18cf00fea5da8035d456b01b66cf65

SHA1
d1e03d278482298ed62a1abef619dba2a1171076

SHA256
ec4e8cebe92fa046cb1054a621cbb5101f331e5e3a342b0cb6fbbb6bb2305c3a

SHA512
7c23e2e774d1d21bd437d69d3f20e69c6efe9e9eee1f093d4a67426d5f7ee4ba7a2522aa9eecede142619b3276ff92a463f734d87da62b2009957b9315d6ba0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\8845

Filesize
16KB

MD5
c528c0e9dec5432388e53413927e44e0

SHA1
c18dcb5e329a847c74c4f4a9360d74c16aa92e94

SHA256
cd6d9426bf2cf7f1eb49a36eae11068c195cc2e1da126ca6c903faca93d3eb1c

SHA512
2e068787cacf0cde03af51eeafad7ebe40d6fd1dbd589589497aae19935e3d7426175259351725f6f2d53d06a1e770641b8e55051e8822f50eb80b4e54baeb56

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\18C000894AEC86AEFCABFED078C3EF9400ACA47E

Filesize
150KB

MD5
90d538eb1ead5c2f39b7821ad57b3adf

SHA1
0ce04ad3203da199dc5e6d7e643d9b9774aa75b9

SHA256
45331ea7be0f21eee1f91da9885c8c0fed32ac019f1cec2a4a5456c71b2d4373

SHA512
5176addfaacd2cedccc51abf118de702bfadda1f9985c0aa66e5f16bc33c22c386013cb0c8bf4c7a5caf521f52514d59670fc2ddbaba870568bc5b5f40611907

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\4E3C3BF56893AE81BBA6B6ACD628627DC9D2E5F7

Filesize
4.8MB

MD5
1b3d3f199d241874bd9acba63e8939b9

SHA1
b3bce39fc9472bafdfca40b5b10f28d81749a1a9

SHA256
61cf9dc7cb483dc474c445aa3a9bf939d97157c66f1cf86dd805ef899afa9476

SHA512
b5d4c05f71f7f430d648446fcca93b1c1c09e02d29edfdce35b4302d777c5e0fa00f3800a668e875a51c28c3b462374635e895140f7abb1ec9e0ff300b51fbc2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
33KB

MD5
43c3dc3acba9a7f758d8d205b68929d1

SHA1
d7dea1dd63539173b0c6146040eee9da40376028

SHA256
a9fce470aef180f7bb35cf934da9fe92a47f8b8ecebf8cb9b2ed6250faf01ea7

SHA512
5465cbc4aed02f004063454dc30fc10e5e4b8ee7c4de86c88d6c5c0157891aa4382381146fa900f695e9e517bc9233bef37da5b699849af35e8a4eede4a94756

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\C55A36E5F2E60051C6B822CB91BF483EBD6FB0EF

Filesize
962KB

MD5
b2bca90d0daa813223a99165707e317e

SHA1
4c3729b63e9cbee2fbc0996275afe892e6e2516d

SHA256
1f1b8ac01410b6eb8a9cdd238a5f7e97c075dfe7f58a2eb5dba17944db80fa7e

SHA512
535f5a41847a5c215368d201598619939c86656a7bbbfcd64cf87c8ca60e0a96c2fb1f679254e975231db1bd2337a1fc127fa32b5ff7a03766ab5b769481136c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\F59E6E16B56600A9C29B6520A5717AAEC59BE32A

Filesize
15KB

MD5
31cf3e345ce7051267b19573d8a16744

SHA1
b7d258f69333c024cf20a429fd2bf1979d0de165

SHA256
e9fdebe3a4daa06899617fb8b2c7be5c66fb6199db84486fcf5be5f0d339e2c0

SHA512
01bc6d729264c8775fd2a613b70933afa02ff61d214ad287320e584787a9e16e7dc469e8dd755f5e1ad9a6f3c44cdc6b0dee24aefedab988cc9f3a14eed49967

Download Submit
C:\Users\Admin\AppData\Local\Temp\706ec860-83ad-4892-bb0b-a93220095c90\setupdata.dll

Filesize
68KB

MD5
739292ca2fd90ae2ca7d0166768ab474

SHA1
00ede30da96244c86b94ec05bfc547ce2147e7bb

SHA256
c8692cf959c1491709a83bf94e3eb005678109fca6f4d58eaefcab9c4ccbac11

SHA512
5ba2f3b8b885eaf9163180d69e334abe75f6e2f3742b5d32a481f363404521ac28be9fe66ac1fadfcd1c1517b9c82ec0a93b5e00a774a9cf16914e6b56e72f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
168f03c5c241049561d93853fa2304dc

SHA1
ee086aa5bc60436a75015003cb2dd27ae57620ff

SHA256
374d172fa5910a136fd3adba14744e6f740efc9dd62e34f870ea5698e349f60e

SHA512
169897b850ad3fa154452c34b87813f31723914110bf41e711c614e18b9850d036a2083cf908286a406d45db1c4a51f3b320792672b3287cfca08e756b5ee179

Download Submit
C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

Filesize
72B

MD5
59886cf47b41b72d8f8954afdb5f9ea1

SHA1
304f8a1003b1dfe6b4d375bea0a774264cee02dc

SHA256
efbbc5607c68fced09babf8afef5c7d43fc1d7e9d6a47c43a01dee4a83cb040f

SHA512
d95ab142f756349acad469d0e75aaceba0d9a445e06aeef75d15b67a3664e494cf451c585a59394fe68a27a140e680622dc8780d7e58871a86beaa17ed4c637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\IsConfig.ini

Filesize
398B

MD5
28e31cd3ea06f28d13ff507a5cc54162

SHA1
4e050f713fa6b43a0ab5140a76de25c2eee0d515

SHA256
fb506a274f7b257e60d449f86a4feea24a2922f7b38ed430d9480d2ad17b3dfa

SHA512
11501a399cc186922a7420a02bcd0d7c901778fefe036078c5bb3ca50e48df2f01770825690a9102583e1f6eeb770c7c753c779831ceafa32b9c92b74ae630aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\String1033.txt

Filesize
170KB

MD5
84453933d67fe226dd1cfd92cc06bf07

SHA1
60e8a1f68f6c6b96d61857529495afaf2c69f43e

SHA256
9685e975fefd424187daf70d6fb2d8ae9b5d1625b3830d8e2faa17dd8cde2da1

SHA512
b633d0a09222231d8ca0e84e40a72f82ef432e1f748ba7a269dc583a49dd5cf144c37391b7cadc06fd3a9de443f7c95650b9206986a2dd2642d115baecdb6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{411BEEF7-8C16-49F3-8E54-D02AB1B7139E}\setup.inx

Filesize
261KB

MD5
f6acd6ba4a3315272ae52547cfe3226f

SHA1
b2ef243b42544058614404b0836547689813b278

SHA256
1e49a0ee276cc66a6808d9fd112ebc15679afb0d7dedfb1396408ce221031645

SHA512
79b9ed241732b9e44d00cc68f48dcb820675cfe5188dc89c0d34a029859298e8ae88cf9adbc93d5f6b0b86daf8651c1ccaead485b64488027c1a8242fab5ea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\ISRT.dll

Filesize
262KB

MD5
5ecda0a54c4d9babcdb177d54f2e733d

SHA1
e98aa5abf7cc44b50fe6ca7c6b110bb04541fe5b

SHA256
e0926d6cbb4b4bbe673eec59325646ae8f2702e87584bf31dee28c385f45a32c

SHA512
45cb28462f6114765fcf831e2ae4ffc5fee1f59746e9e749106b7cf00b7967a788e5591da2a4e0a6e3ae52d60395d1d66be6112026709c33261c4ca839211616

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4CD3D268-560C-4CAF-968E-CF46D8E33B70}\_isres_0x0409.dll

Filesize
540KB

MD5
d1bb47446802afd706f2babed529db80

SHA1
47919e77e8868ac2df4fd7342ca0d0a72766f680

SHA256
b674d17a6cd5f472328f0f3620c5df73b3e40fbdf8e0435082bc5585d44d85b5

SHA512
dd551bb14d8a44a8713a6fe7758caa6632e085881cb9631e6cd5a61d21e2a87095d14e67fcb1fca29c748621bee2080381375a459ba362d6bb27156cdf5426d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{827470A4-5C3E-4BDB-AFEB-1E2F5EEE4E46}\ISBEW64.exe

Filesize
148KB

MD5
962b85d5bc8945d80b4839e47efe8fdd

SHA1
3291792ee90594baa9083ef544779d6b550d3fec

SHA256
1b220c5a2f74162d7162ba241ad6c594aaf009cc1329429dcf2112e10477e2b5

SHA512
6a2c104a45cb9f11e9a6e2ba2674c03a8b1102ad2be25f1df3bde6af4933db475a6537b54a8d4086867a655f4067980b99dc4844230f7d2727af45dcf5a794ff

Download Submit
C:\Users\Admin\AppData\Roaming\Adaware\Adaware Privacy\Options\CData.txt

Filesize
208B

MD5
bf1b706495aa4b9ca06cf6048d293740

SHA1
a6fd28c94281a7b76657392c3286e8ffb7e3e18b

SHA256
3b81d743fdc6fc100ed45216263fe90cdac2c10af2d4adfdc931fad352324447

SHA512
d975e5b55ddb76006cd53f74ce94913b2bd9c354cf3fd1785e1727839f6ebe027fbf4a61d087c28604c07fde2dce18b056f5c25fa91e4e8b9704cff7893113fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\crashes\store.json.mozlz4.tmp

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
7KB

MD5
c90e6e23d71f179eebf0b90e0e71ebd9

SHA1
504314e0f13d3db056517bfb42691bd6efd9ca50

SHA256
6c26578314523768afc4abc631d64b4aff850bf78c3e10b2dc316f956af5efc4

SHA512
f662352f3cac2d12b42dd547d8053f992ea8324476b3f66a3b133ebb3a058daf56359d9c15e155c893a58114d023a8092a7ad67677b88e2fe019493ff9de2aac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
7KB

MD5
e5d33c5d712fde1a7e981ff184c8c5eb

SHA1
03d46b17246950874f946bca89ceea991ad925a1

SHA256
43643b0662b76d0c5004780b47c8e7023be27591bcf7b9dd2eae4e6a32ce1afa

SHA512
2067b409aa475cc67316a4243afe25bab83505b42e9b483cd8c8bc58248d664da60f713dc6b56691159d651e7f68db4983dd7a597a2618bb09f2d8c8d234b52e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
7KB

MD5
1fe42ca8ce751a3759897ec8b561122b

SHA1
9968300bfe113635c68b548f7b7b531bac76195e

SHA256
68fd513c40f2fa9dfbfc763b34707bb489beea8981b22f5546f57905984adb07

SHA512
c9d71ad3ef6e6b4d122dee8e1ffa02ab533cafc276a667b0ae2a796b50f21d930c9da94992c34e63638d24ce78e078fc538112c8f1e5aa36e1dd220ae98e43b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
7KB

MD5
766b0e16e0d0c8e3d8336fc3b3353919

SHA1
038469e7f3705534aecbca09ac8c3378cbfe67bb

SHA256
c581ec4496166b4837ac805dcbf44ed499ea33f345e2ae2c6005e16dd4398676

SHA512
0ba819153c03d4dfa79568d7ece7a00345a8cdffaabebc7c52ebed90ac704859260a9ac26cf63b20046b732a171d758df5ca6014f28e8031fa8e3709a0d5929c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
6KB

MD5
2129da43ab2f1ec4ab6eaea4b8a00f08

SHA1
7a92d1d7ad843184e83911367a8c4c66fe35adb9

SHA256
4ba7dd5497694e8ad1d26fbd1564d6f3e3bfae4a4809b17b661d759206dfdcf7

SHA512
24f1e8fe3c4edf124a881324e86baed963d62d8b753c4705491c4d1fe877757132da617fd271be957fddfbc28a6b51047f161de17e2e77843624d00c4305f46f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

Filesize
7KB

MD5
2f29d95f635caa3e5f1bf137fbef6b65

SHA1
383244c9ebed632182b910b8013c42c332405d7f

SHA256
cf8d3ef0a75543a80eb2fad2b5428d03f6abc7beb7a2faa971a2a9eb11a71d2c

SHA512
191df01a68dd99541447400c45e41a93291b82ec7852498b24873a000fc6e29208bb62f307e0e436ab6b4b862336e181423ef34282c2a6045320213d256c8c56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

Filesize
7KB

MD5
73ab2bc4368cc81ff4b9f6d12402aedf

SHA1
133edb4bf0713d689867bbd6db91eb38b4d40ec5

SHA256
182697aa5da126812d368b70b15e909c7112cc8bfa108e8404b1f3fcd43b20cb

SHA512
6c16d82f1c9863f83b8813e4606024a0b7993b823ad253661b5cb2267ae2fe9cb1c75091d8364271c08b0a2ae67e24f88f74fe8c9b420b158f03ed6668a65e07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

Filesize
6KB

MD5
68068c78ac7500ad8c725e3e5646c0ab

SHA1
400cc8e0572275d75dc6759f0f71b241e4af3f77

SHA256
d6bf68b8480a52227df5780d09837a255a4e1f962130a40e1a1e94810e3e54a3

SHA512
6c05fa2608d6e3aed3be27cf6908f0816257f851475fe09c1d87098321598f000a2e864bcb9ee061270f21d4f80cffa084ac465ff615e594e21b90bcb72b7843

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
066ae93becf58c3de6f910e97f499ced

SHA1
3a3df48df576437ccea2340025b0289b678fb105

SHA256
9e219f37144ad1d26eef57b894d36bc36d84b31c10431915437066f8b4f48c8f

SHA512
44a88f133fb7056b69f67bf462bdbb7437be2fa529738aabfe8840c47bd7d38560e09a455e833a2fd0b98bb52687301920f48aed6fd65a970cf6cc449f31e34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c354c25b91c3d1fa7f0ccbb444ab5efa

SHA1
40c1d3bea1c1dbcc1e1d17733817cd86c033a757

SHA256
8314afd16b9b50e5919b581eb4f7b06788bb360381ba680d3557a7f8d3848978

SHA512
d17e793d57e5ff93c14e7e4b41ca229f8804b7ee8805e7644c3604b647cb3e5b97beb36dfa8d564ab3ca77f7d422e5686f41803166e083167f667eaaca57ea58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
45387a83d71e8ef0cd405e49595b5792

SHA1
f34bc84be7819dc63b6abc9884fdfeca775532b8

SHA256
299be6ec6a242b6763c9fb2310a51b3515e7635c00aac36b9b516c3dd769a0d9

SHA512
f74d5f53130a752471afb727de58e291c117f38efe9ca88180cc47fa68da7025a2d620b7b5e3182fec11c0cfc158102953fa0a7f30bc53ba222e67f8676da19c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
74ba68fa310284b5c288c657221662a4

SHA1
376f4998aeae9d41bc10b556c622f70cec902a63

SHA256
051b4d62d3b1cfc93659a06a56ec9befc0eba28207832062a24ab5d3d543aa59

SHA512
6a9f37a66819d7f15c63df9e3942e121d97fbe56f3b75ae593a60224ae604f1adae77c5c2b1c3f504f4b08f43d2b18cbca1ccf29f90c9f215a2aacfe1ffbf8e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
700697a3045269aaea9979eded506905

SHA1
b7813be5f4b9be391d99545ae812a1a8c972b238

SHA256
af22e39faa9d85b19f25fe88eb0b5bbf3b971ce700fe8ff77c0ff6024e0eec7c

SHA512
735728d15740dfeb383a07c61690d22d524730cd2d3ca5987dee50c910eca550b232abf2a808710ef7a8fd548ed09b6870e1f56cdecfda8460eddb40be5178be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
67bbbea21af0a0f403372ad845219d60

SHA1
85f9c99e448f5db0c8246c422dd7f9d593f60385

SHA256
2f40893594a22039343dbf9bf121e923d682a2c8c079158e8ea68633f8e4e321

SHA512
dfd10e161453bf41565757f762bc159de74a9154445ee028b1c5bd986d96d3f5ce5e8d4a6eca6d84f41b4f28d5ef79c42c725e239c805da3ee73357019852ad9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a5c7a11910102fa69cd115209ed8386a

SHA1
bf1ced07cf3c96b7d44b825e2f0db4ddbbab7608

SHA256
44782f5de906957e2dd2205fe8d185b96b043fec6aa84d43db188e9aee3a3bb4

SHA512
eda0b814856f5de8f63180410de53338983af9429b9091e6aac25e9dfab51143560435a98040a04399f090ed6435d85a3c882446bebcaa03910bb67dab347f46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
9c51f1f0e36e648dcddbae9d67b6e4c7

SHA1
5651f0f4832671f19aa622e8d216234b26fc070b

SHA256
0a4dea7b350d0690c146c3d18e60b22fee8d73ff57f3c9f88d65e774eb8bb8da

SHA512
6f87dc8a37bd634945a74175b40945f97b77843f4bcd79ef9d46b1b79fc71977c76156527f0ebd85e8c7c6c5f35ec0c19da7d8fe0e4b316dd9c84ce3f071d5f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
a34e2937fbd9896c2b29150d8f1adfb9

SHA1
182048fad1a230f8741be77767561fb4340612a3

SHA256
a148f169810bfb529449444c41af9cd5cb9c66a34f3cfb43822e0830fc6b97dd

SHA512
b68d0cf02320a0620151b9122950e72ff74230422bfd9eb2735f0829ee611f5fd48005a81c4d378a90810255e5cad8a5542d6f3777c873c4d2c4185fcd793f15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
7319a8c42da109c3b4b6495ab956fff0

SHA1
413c000d23d21f14b6afbdfed12285aa379e0a1b

SHA256
c5667ddbbf78242fe0950de30d2b2566ae5ebdc7b894097795eec2d960e69c06

SHA512
a331063257cd209a28eac9c0c35903d7cd03eb9b874815e44c052d79784a0500fffcdb068ab4d40fdc79d93402025d2ed1daa7455d5fac32b84676ca8082f039

Download Submit
C:\Users\Admin\Downloads\Adaware_PC_Cleaner_Installer.KGXxEx2-.exe.part

Filesize
5KB

MD5
65b454b2d3504b222ba9376645c5262d

SHA1
0677dc49b96e7b517e831eef8f6bfc3d51e62a3c

SHA256
684df2137278df9b8ebadc4090251500d20189aa2eb0874fb3e345fc88d9f664

SHA512
aa03ce3271fafa890a46958e22b3f2ad654a7a921172a03dc10f75b59329118ef521686e37755d27710d81c08fbd47bed7f652c7c01df311625c6a0dc5a7f8d6

Download Submit
C:\Users\Admin\Downloads\adawarewebinstaller.Z7dYlJyE.exe.part

Filesize
31KB

MD5
d7b67b94c87dfbe72fbdcbc04e3ea523

SHA1
76b090013843f8c1df62415288ab5c63e1ff1c20

SHA256
0580dc5a6a1255934cb70887d0f738e50c6b6726fdda862f7a328ab5347af532

SHA512
b707f86d874d6a52bae12b8c84ebffada0c11698b2132b7d5f8ec97b5c3b11c45aca597f10aca2270b4c36b1cfbde62857c2c2e6af9ef8e66cebc69cd6b0a9ca

Download Submit
C:\Users\Admin\Downloads\avg_antivirus_free_setup.exe

Filesize
229KB

MD5
d3a0789194bd2d445b25873e6309abe5

SHA1
aba149b636e6734704bc1316317273d5bfd288fb

SHA256
231821d1051df1260259815727d01219564f5c42dd5c29a608d96321482be8ee

SHA512
b53dd2bdc33f633d87cb11901841706c58f1eada8f5d23ba708d77e3c6908e78bdd261785f865a4abf02055457a647fecb86934d62bf8fa7bdb9a4b4f031757d

Download Submit
C:\Users\Public\Documents\aswOfferTool.exe

Filesize
2.3MB

MD5
14ab1b335b1b9a39a7c3038626ef9d3d

SHA1
96608c4427861b524cea46ec47bd5185ea10815a

SHA256
90364dd980f0c7a8b126d5fb65c7788921e13aba273ad8fb296b5eba59778f12

SHA512
913188939451702639f34299145e4a1719ce5ee416aa9ef13fbdec868185a9b6ccbedd4b0fbc8212f72035b757780c368e6f7d44b93dfb46e3577be1c16ab1d5

Download Submit
C:\Windows\Installer\MSI224E.tmp

Filesize
1.3MB

MD5
4a3968e49d9121021f785b24dd56941e

SHA1
3362e71cbd51ec26a72b3956c59ff6411de4698d

SHA256
f7fb7b09cb507e17d7fc5308b49faf620b8856f9d3f75b4abb52aade9d70b0ca

SHA512
42d5bb6c45849cd65f78b89a2d54f9051d2a4e71d2a8be13c9de0699e669055a9175d1030ee1bccce3b0346d1b637ca7457f328813800a0a31f63b5d497ec5d0

Download Submit
C:\Windows\System32\icarus_rvrt.exe

Filesize
49KB

MD5
97f5d0caaa1988c95bf38385d2cf260e

SHA1
255099f6e976837a0c3eb43a57599789a6330e85

SHA256
73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd1f7dd9e034339

SHA512
ad099c25868c12246ed3d4ee54cef4df49d5276a5696ca72efa64869367e262a57c8ff1fb947ad2f70caef1d618849dbab2ec6161c25758d9f96733a7534b18f

Download Submit
C:\Windows\Temp\OLD3044.tmp

Filesize
618KB

MD5
20a44cefdb57111d6b965d1de83c0d9e

SHA1
735f7f0f44a8775daae3cb77f243bf5b5f6b8e02

SHA256
f3c7f5c2edb2ea668dd615aa60820afa50ddcb30bd4ac32fd5684f59b985b00c

SHA512
d3b9b6373972d32ea378bd470ece30785d760bb206e505bb1f4cbb92e12db6c2de7e3d8127d972b5cf183646b8fb9f66c363326f549592af7a966310ea8d294c

Download Submit
C:\Windows\Temp\OLD368D.tmp

Filesize
172KB

MD5
563979be86330766b6af0f10a94dc3ab

SHA1
346178b66f22ab9b2d387382064ad3be05b0aa56

SHA256
b6e680e580e43e4fddfa5a5894e4075a57c7e4375c9395eb1c49590df37d8929

SHA512
0c96bca8387827fdf76df66fc2b6d761bf052b00e144ec4ddf2085819567b837d7b62f41d952138a90ee8aac23d6a25b7dd12c16bc0c078bddd36b006a848801

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av-vps\bug_report.exe

Filesize
4.8MB

MD5
51d5604dd0a85f5fa6586980e64d0785

SHA1
cfc31d787dbf01e039971365a9c7a1b6affa1132

SHA256
0bc7930fe347a5a4a0ad244f60122a4635baf0695ca30c9ac8df923f540013e6

SHA512
247490f99e7f8343c00223c1cb2a596ed12584f76c0c3fff24d14859651dacc11ef5ecaa5785af063ee62965b6c8bc535e12d1b78fa43c2bb3f8b133b5af0bda

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av-vps\dump_process.exe

Filesize
3.4MB

MD5
21d84898683d48daa44ed5a2f0f3591b

SHA1
d1a3d3755d2facb545e69578459f64bb7ddc736b

SHA256
c109510846192f6f93efb0955a784c302b07858c98a8548e861209b353a31e71

SHA512
5bb4a5e0039059f32ef77aa4d45a7661801f539fe341fd1ed667da5ca8b20dad6d5ca405260084f780af4b2ff8db93c3598f859fe9d5d88cbeeb7d9f6dd0d117

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av-vps\icarus.exe

Filesize
7.7MB

MD5
392d142e6b814f42079d5ed9011758f4

SHA1
4111eb5a27f84c26f1a95cc8d577e5b3743dfebf

SHA256
dfefb27fc9a96a2a7aab2059067d670178ede0f926215464d61c298e8e3f895f

SHA512
11678c9857ced88d947779b10089a91abc1e80a43f6518289c4fea88353241767406a59a6e682bf300344a7a5aab34126b373aff33fad04d0fee4a78db01b58d

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\icarus_ui.exe

Filesize
11.7MB

MD5
93ac5443af08533a675113b0227705c0

SHA1
cecc66d306ec3a4cfbe93abf51472385aa157795

SHA256
3342f6600ce7e3a7f88d041ad8f4a27fe8f06dc549c371d28eb202e4ec7e8064

SHA512
9de0fd990e88ec37655b7968623823c9cef7aa2444573d8f7863cb77d6b55622e41197612421a19f08f60b65bd59f8d656556d6254b16ed8fcfed0613ca73071

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\product-def.xml

Filesize
1.3MB

MD5
bb399f3eb4cb55dc8f2467c1625535c6

SHA1
3b47ad5966bab7ad26b263e14a38c7792b9ee349

SHA256
10bd70200dc8414774e02c8751d7f35e5d8ee80657db4c2efc54369e1da59d2f

SHA512
7294a989592fae569f1066451f6dd7fd36c52ad20d956d6be20cf69e070ed812fdc9b6dd506c74b54d9fb35a31c5382b8353ca814207dd69b98f7963da7e6717

Download Submit
C:\Windows\Temp\asw-22f6a839-8dff-4fc8-b52b-b40c4e4da9bc\avg-av\setupui.cont

Filesize
381KB

MD5
a55572f37fe1652b92e09b1f2a0d43bd

SHA1
4d1ffb01d15c8482607a8fcec2a4bcd905448946

SHA256
79f91b261fede95ab25c4a2ed1d118221552a33ba3e13c9746b1f3200bdfc4ef

SHA512
1da2fcfa34b72dc64e00f5907d59f68e23be20794884cccb838a41b6023683471dfcb1b0b5bf4695958879aa2e80e8f92385d1b081acde4d4c5002c8a1a468c6

Download Submit
memory/1088-8-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/1088-1-0x0000000000170000-0x0000000000262000-memory.dmp

Filesize
968KB

Download
memory/1088-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/1088-1179-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-269-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-270-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-9-0x0000000004BF0000-0x0000000004BF8000-memory.dmp

Filesize
32KB

Download
memory/1088-13-0x0000000008580000-0x0000000008588000-memory.dmp

Filesize
32KB

Download
memory/1088-14-0x0000000006C90000-0x0000000006CC8000-memory.dmp

Filesize
224KB

Download
memory/1088-268-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/1088-12-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-15-0x0000000006C60000-0x0000000006C6E000-memory.dmp

Filesize
56KB

Download
memory/1088-16-0x000000000B5A0000-0x000000000B5C2000-memory.dmp

Filesize
136KB

Download
memory/1088-11-0x0000000006B50000-0x0000000006B58000-memory.dmp

Filesize
32KB

Download
memory/1088-7-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/1088-6-0x0000000005620000-0x00000000056D0000-memory.dmp

Filesize
704KB

Download
memory/1088-10-0x0000000006B10000-0x0000000006B38000-memory.dmp

Filesize
160KB

Download
memory/1088-19-0x000000000AAB0000-0x000000000AAE4000-memory.dmp

Filesize
208KB

Download
memory/1088-3-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/1088-4-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1464-1948-0x0000000003610000-0x0000000003699000-memory.dmp

Filesize
548KB

Download
memory/1464-1945-0x00000000034E0000-0x0000000003587000-memory.dmp

Filesize
668KB

Download
memory/1464-1944-0x00000000034E0000-0x0000000003587000-memory.dmp

Filesize
668KB

Download
memory/1464-1930-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1804-248-0x00000000043B0000-0x00000000043F6000-memory.dmp

Filesize
280KB

Download
memory/1804-251-0x0000000004E80000-0x0000000005498000-memory.dmp

Filesize
6.1MB

Download
memory/1804-257-0x0000000005520000-0x000000000555C000-memory.dmp

Filesize
240KB

Download
memory/1804-261-0x0000000005F50000-0x000000000601E000-memory.dmp

Filesize
824KB

Download
memory/1804-244-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/1804-271-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1804-258-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/1804-249-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1804-256-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/1804-255-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/1804-260-0x0000000004950000-0x00000000049A0000-memory.dmp

Filesize
320KB

Download
memory/1804-240-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1804-259-0x0000000005E40000-0x0000000005F4A000-memory.dmp

Filesize
1.0MB

Download
memory/1804-250-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1964-328-0x0000000005310000-0x000000000532E000-memory.dmp

Filesize
120KB

Download
memory/1964-381-0x0000000007190000-0x0000000007208000-memory.dmp

Filesize
480KB

Download
memory/1964-336-0x0000000005350000-0x000000000536C000-memory.dmp

Filesize
112KB

Download
memory/1964-332-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1964-340-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/1964-366-0x00000000068C0000-0x0000000006926000-memory.dmp

Filesize
408KB

Download
memory/1964-392-0x00000000072E0000-0x0000000007314000-memory.dmp

Filesize
208KB

Download
memory/1964-337-0x0000000005390000-0x00000000053A4000-memory.dmp

Filesize
80KB

Download
memory/1964-395-0x0000000008250000-0x00000000082C6000-memory.dmp

Filesize
472KB

Download
memory/1964-396-0x00000000082D0000-0x00000000082EE000-memory.dmp

Filesize
120KB

Download
memory/1964-368-0x0000000006970000-0x0000000006991000-memory.dmp

Filesize
132KB

Download
memory/1964-437-0x0000000008BB0000-0x0000000008BC0000-memory.dmp

Filesize
64KB

Download
memory/1964-367-0x00000000069B0000-0x00000000069EC000-memory.dmp

Filesize
240KB

Download
memory/1964-324-0x0000000004EF0000-0x0000000004EFC000-memory.dmp

Filesize
48KB

Download
memory/1964-318-0x0000000000270000-0x00000000006EE000-memory.dmp

Filesize
4.5MB

Download
memory/2224-904-0x0000000008390000-0x0000000008398000-memory.dmp

Filesize
32KB

Download
memory/2224-518-0x0000000006470000-0x0000000006491000-memory.dmp

Filesize
132KB

Download
memory/2224-783-0x0000000008BA0000-0x0000000008BF6000-memory.dmp

Filesize
344KB

Download
memory/2224-866-0x0000000010A40000-0x0000000010FE4000-memory.dmp

Filesize
5.6MB

Download
memory/2224-784-0x0000000008DD0000-0x0000000008DDE000-memory.dmp

Filesize
56KB

Download
memory/2224-864-0x00000000103F0000-0x0000000010482000-memory.dmp

Filesize
584KB

Download
memory/2224-918-0x00000000083A0000-0x00000000083B0000-memory.dmp

Filesize
64KB

Download
memory/2224-749-0x00000000089C0000-0x00000000089CE000-memory.dmp

Filesize
56KB

Download
memory/2224-750-0x0000000008AB0000-0x0000000008AD4000-memory.dmp

Filesize
144KB

Download
memory/2420-999-0x000000001B8B0000-0x000000001B8F6000-memory.dmp

Filesize
280KB

Download
memory/2420-1009-0x0000000002F80000-0x0000000002FB4000-memory.dmp

Filesize
208KB

Download
memory/2420-998-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/4836-1020-0x00000000034D0000-0x00000000034DA000-memory.dmp

Filesize
40KB

Download
memory/4836-1019-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/5744-2150-0x0000000003360000-0x00000000033E9000-memory.dmp

Filesize
548KB

Download
memory/5744-2153-0x0000000003140000-0x00000000031E7000-memory.dmp

Filesize
668KB

Download
memory/5744-1989-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/5744-2012-0x00000000032A0000-0x0000000003347000-memory.dmp

Filesize
668KB

Download
memory/5744-2009-0x0000000003470000-0x00000000034F9000-memory.dmp

Filesize
548KB

Download
memory/5744-2031-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/5744-2045-0x00000000030D0000-0x0000000003177000-memory.dmp

Filesize
668KB

Download
memory/5744-2046-0x00000000030D0000-0x0000000003177000-memory.dmp

Filesize
668KB

Download
memory/5744-2049-0x00000000032A0000-0x0000000003329000-memory.dmp

Filesize
548KB

Download
memory/5744-2095-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/5744-2109-0x0000000002F50000-0x0000000002FF7000-memory.dmp

Filesize
668KB

Download
memory/5744-2136-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/5784-3044-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-3240-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-3848-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-3538-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-2680-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/5784-3241-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/5784-2679-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-3106-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-2709-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/5784-2843-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/6016-2459-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/6016-2543-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/6416-2542-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/7164-3846-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/7164-2678-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/7164-3443-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/7164-2677-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads