e0168825be4779091fb1035747eac2b9f685600a7e84dfc7dc3929c3a8017b2e

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/windows-movie-maker_ih-8Ta1.exe
Size

2.4MB
MD5

d8ad93ef2790aa264ab569f5ba8a67cb
SHA1

67b01f6a855b6c5def8863b0d2ef157a44762a28
SHA256

94375dbac8e6dfd152a3c3b9e33d1c6fc18d5f86e2b486124cc4f67dbef68ce6
SHA512

5fdc98ed246ada2f1db0335fed19eb72b776bf7075ebd3e0c4d16cdc448e285a9e63141c487e3c96297b876313ccc7ed135689ece9223e3d0d9526169e6d0d95
SSDEEP

49152:nBuZrEUJje0NQq5rISAGFncaWt+ugsv6fhcUiVoX:BkLxNNC7e9Wt+ugsv6fhcsX

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WeatherZero\uninstall.exe	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZero.exe	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\wz.ico	WZSetup.exe

Executes dropped EXE 8 IoCs

pid	Process
2360	windows-movie-maker_ih-8Ta1.tmp
1416	avg_antivirus_free_setup.exe
1492	WZSetup.exe
2832	avg_antivirus_free_setup_x64.exe
716	WeatherZeroService.exe
1152	instup.exe
2536	WeatherZeroService.exe
1296	WeatherZeroService.exe

Loads dropped DLL 45 IoCs

pid	Process
2448	windows-movie-maker_ih-8Ta1.exe
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1416	avg_antivirus_free_setup.exe
1416	avg_antivirus_free_setup.exe
1492	WZSetup.exe
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
2832	avg_antivirus_free_setup_x64.exe
1152	instup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1492	WZSetup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe
1152	instup.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0005000000019645-382.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000019056-233.dat	nsis_installer_1
behavioral1/files/0x0006000000019056-233.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	windows-movie-maker_ih-8Ta1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows-movie-maker_ih-8Ta1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "92"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "71"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "64"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	windows-movie-maker_ih-8Ta1.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2360	windows-movie-maker_ih-8Ta1.tmp
2832	avg_antivirus_free_setup_x64.exe
2832	avg_antivirus_free_setup_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 32	2832	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	2832	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	1152	instup.exe
Token: 32	1152	instup.exe
Token: SeTcbPrivilege	1296	WeatherZeroService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2448 wrote to memory of 2360	2448	windows-movie-maker_ih-8Ta1.exe	31
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1416	2360	windows-movie-maker_ih-8Ta1.tmp	33
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 2360 wrote to memory of 1492	2360	windows-movie-maker_ih-8Ta1.tmp	34
PID 1416 wrote to memory of 2832	1416	avg_antivirus_free_setup.exe	36
PID 1416 wrote to memory of 2832	1416	avg_antivirus_free_setup.exe	36
PID 1416 wrote to memory of 2832	1416	avg_antivirus_free_setup.exe	36
PID 1416 wrote to memory of 2832	1416	avg_antivirus_free_setup.exe	36
PID 1492 wrote to memory of 716	1492	WZSetup.exe	37
PID 1492 wrote to memory of 716	1492	WZSetup.exe	37
PID 1492 wrote to memory of 716	1492	WZSetup.exe	37
PID 1492 wrote to memory of 716	1492	WZSetup.exe	37
PID 2832 wrote to memory of 1152	2832	avg_antivirus_free_setup_x64.exe	39
PID 2832 wrote to memory of 1152	2832	avg_antivirus_free_setup_x64.exe	39
PID 2832 wrote to memory of 1152	2832	avg_antivirus_free_setup_x64.exe	39
PID 1492 wrote to memory of 2536	1492	WZSetup.exe	40
PID 1492 wrote to memory of 2536	1492	WZSetup.exe	40
PID 1492 wrote to memory of 2536	1492	WZSetup.exe	40
PID 1492 wrote to memory of 2536	1492	WZSetup.exe	40

C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\is-NITO9.tmp\windows-movie-maker_ih-8Ta1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NITO9.tmp\windows-movie-maker_ih-8Ta1.tmp" /SL5="$70152,1583351,832512,C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod0_extract\avg_antivirus_free_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fcXHC9qkFRccV2lo29TGAzdWrUXUQp8J8u1d1okioa9mUwGAkzpoFeCeZU2yVx4dgSwW9cOd
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\Temp\asw.cc2b17a2167ad986\avg_antivirus_free_setup_x64.exe
      "C:\Windows\Temp\asw.cc2b17a2167ad986\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:92pTu5fcXHC9qkFRccV2lo29TGAzdWrUXUQp8J8u1d1okioa9mUwGAkzpoFeCeZU2yVx4dgSwW9cOd /cookie:mmm_irs_ppi_902_451_o /ga_clientid:4201c4c5-b9e8-4da9-9294-4aec774e4df1 /edat_dir:C:\Windows\Temp\asw.cc2b17a2167ad986
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\Temp\asw.83172945198ff68f\instup.exe
        
        "C:\Windows\Temp\asw.83172945198ff68f\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.83172945198ff68f /edition:15 /prod:ais /stub_context:6a61762a-951c-4ee2-b84f-f3474b56f2a3:11128544 /guid:10d88aa9-a25b-4ab6-af61-d8036842825a /ga_clientid:4201c4c5-b9e8-4da9-9294-4aec774e4df1 /no_delayed_installation /silent /ws /psh:92pTu5fcXHC9qkFRccV2lo29TGAzdWrUXUQp8J8u1d1okioa9mUwGAkzpoFeCeZU2yVx4dgSwW9cOd /cookie:mmm_irs_ppi_902_451_o /ga_clientid:4201c4c5-b9e8-4da9-9294-4aec774e4df1 /edat_dir:C:\Windows\Temp\asw.cc2b17a2167ad986
        5⤵
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
- - C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod1_extract\WZSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:716
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2536

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
5KB

MD5
c869cf8e700025febdb52012eddb2a10

SHA1
28d7a1ee9ae12aaa642b1b05e74642abaa685613

SHA256
0daae08ec45ab0cb025f83e584096473d11e4866efa120dc385230ea74f26a55

SHA512
dcd3dc8adb9b2b64cc2909cf6efcaa17a19331447c02729b6f60c110cb5317f3327fcc32b3e1e23775bb160d0c07f76f2dca6db4dcd5a2d2f3f3e59d47afe5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb123bbc0bc40b95925a5f35c71a6282

SHA1
4f1de6f90cd52e488e16e3cde901c0b5b85f1426

SHA256
1ca8db48707fb3cfa414df49e2699a7519767aa995a3a7253146430ffa600013

SHA512
b9aa2d5762a672d047704c76af0f8d8e707d3ccf71cdb58f4dbe9126160ab309aa7dd1276af0847da755cf7871b50415b535b6f5df74d6f77a26bebc2dbe5c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3acae2e35a5a1b28057c53282731a84

SHA1
817f7c36a67762a4ebb1f55eef681980815f8edf

SHA256
0656d5c169db5fcbe14028dc5b29d1e00860cbd9c6000005245c25f3312f5932

SHA512
bed48cb37875c1dab790f2f3c1a9f542e74a18bb4f1c8e96baf85c2b066e28b0db24ce2399082eb2ebd095024d18f25e9a21b097895edfcf2cd52d53370982e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar302.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\AVG_AV.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\loader.gif

Filesize
10KB

MD5
12d7fd91a06cee2d0e76abe0485036ee

SHA1
2bf1f86cc5f66401876d4e0e68af8181da9366ac

SHA256
a6192b9a3fa5db9917aef72d651b7ad8fd8ccb9b53f3ad99d7c46701d00c78cb

SHA512
17ab033d3518bd6d567f7185a3f1185410669062d5ec0a0b046a3a9e8a82ee8f8adb90b806542c5892fc1c01dd3397ea485ebc86e4d398f754c40daf3c333edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\mainlogo.png

Filesize
12KB

MD5
dd90682ef1b7d5890c8c5a3d3d65d3f0

SHA1
1297970e3d54afa50cb787ca76e211623f88a383

SHA256
42fea3730803d445b175774bd62a89112df551424e04755b0b8a5238153a6f77

SHA512
f828389557f4ea065c26cb18e47f8161ebabc8a5b824560531602adaa0c5c6c66b79ab3c932b933038d98316bdb6dcf2ffbb85ecb331ab94b7de63f28e58c3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod0.zip

Filesize
122KB

MD5
56b0d3e1b154ae65682c167d25ec94a6

SHA1
44439842b756c6ff14df658befccb7a294a8ea88

SHA256
434bfc9e005a7c8ee249b62f176979f1b4cde69484db1683ea07a63e6c1e93de

SHA512
6f7211546c6360d4be8c3bb38f1e5b1b4a136aa1e15ec5ae57c9670215680b27ff336c4947bd6d736115fa4dedea10aacf558b6988196f583b324b50d4eca172

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod0_extract\avg_antivirus_free_setup.exe

Filesize
229KB

MD5
26816af65f2a3f1c61fb44c682510c97

SHA1
6ca3fe45b3ccd41b25d02179b6529faedef7884a

SHA256
2025c8c2acc5537366e84809cb112589ddc9e16630a81c301d24c887e2d25f45

SHA512
2426e54f598e3a4a6d2242ab668ce593d8947f5ddb36aded7356be99134cbc2f37323e1d36db95703a629ef712fab65f1285d9f9433b1e1af0123fd1773d0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod1.zip

Filesize
5.9MB

MD5
7cc0288a2a8bbe014f9e344f3068c8f1

SHA1
eb47d401ae30a308dd66bdcafde06cdd35e25c94

SHA256
200e9bc4fcf2c6682ddc8c7f172a0d02befecd25ca882f66c6abc868a54b8975

SHA512
869f0a01ef0bcbbfc501c1786e14bffeaa2daaa00210c312874fc67a724c77ef61394bb5854b9a02af654cd045c4d39ae30d73f1b4ec8aa9e531dfeea1714476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\prod1_extract\WZSetup.exe

Filesize
6.0MB

MD5
3c17f28cc001f6652377d3b5deec10f0

SHA1
eeb13cf47836ff0a0d5cc380618f33e7818f9d75

SHA256
fa352552306b80f3f897f8f21d8579ae642c97d12298e113ae1adc03902c69b8

SHA512
240b31f29d439c09a56d3bf8d4a3ea14f75c2286e209e7df3f4ff301bfa3ad8228d7bebe01acea6f2f702a0ba7ecdb5583b97372725c77ef497e749740f644b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszE300.tmp\WeatherZeroNSISPlugin.dll

Filesize
695KB

MD5
2eaf88651d6de968bf14ec9db52fd3b5

SHA1
1c37626526572fdb6378aa4bedbf7b941886a9a1

SHA256
070190292df544da87f84dc8cf8ecc0a0337085a3fe744fa60ce00a6879b6146

SHA512
15754a8f097f9c8d7bda65fb881720af5e4c4db1e35f555563b9bafe6426a6a0e50953a47f628fe3dc0f461e48abbf77db7c997902ff483cf33396d0d8e2cd17

Download Submit
C:\Users\Admin\Downloads\windows-movie-maker.exe

Filesize
1.2MB

MD5
8423b539d6dcecf2d710c210f01d6c6a

SHA1
24bcef46ea3ed47158c72a753f6b1b6005468879

SHA256
7d9c68b11e45a763facc7577a51c8c00b7fb654b9ba044deb223e7140a2efe50

SHA512
4db21d0f283e3539c649f6eda114f48a5aaddf32b483bdccfeb5d00859c58b94d4153ea4bce92f39cd26d6042cd3ceccebc74e3ae2a8482eeb975459f9684b02

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\Instup.dll

Filesize
21.7MB

MD5
28c9db78d385f048d1308543aa0b6dc8

SHA1
b94e6adf0a9be060cb8164e74335602e3d931f88

SHA256
09d3c5a849005005a6c0b4f905e78ef25c917ba832aecd7a17ca0588f3bb4e96

SHA512
5a3fa72e40cc98e8236f018d68a6091246c6ce0452fcfab4c4d8528b82d00a51597d2b6c260f73ca1f6b6e70ff50d341f9e775a5525e332d78759e2a26d0ee6d

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\Instup.exe

Filesize
3.7MB

MD5
9ff8fadc76f9bf63f91362e07ce45608

SHA1
f3214a70eff7c29deb29219692e673b2df0ecbea

SHA256
3cb90d4f86a49a9290ea0417179182bc2c8e0f7d8dab2de180db3dd1146d80c3

SHA512
716ad876b6704801d50e015dfdbd81edde17e47eb9c28d3af53ad0feed4d28be185d026f8a64e3ed735fec1d2659e1b59cd5976bb156b0df826c8f13247ecc3b

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\New_15020c62\asw0ccfb9130a8ab243.tmp

Filesize
4.5MB

MD5
bbb61ad0f20d3fe17a5227c13f09e82d

SHA1
01700413fc5470aa0ba29aa1a962d7a719a92a82

SHA256
39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e

SHA512
c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\New_15020c62\asw956551a41bb4a819.tmp

Filesize
3.1MB

MD5
c545527e69a46359a4a45f58794a0fe5

SHA1
e233e5837bfe5d1429300fb33f12f5b54689781b

SHA256
8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9

SHA512
754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\New_15020c62\aswb4142f2f7145dd59.tmp

Filesize
831KB

MD5
ce4d45d0b684f591d5a83fdbd99bd306

SHA1
e89637b905c37033950afadaca2161bd5b09fb5e

SHA256
907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7

SHA512
af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\New_15020c62\aswe8c87a259b01223a.tmp

Filesize
907KB

MD5
43dc9e69f1e9db4059cf49a5e825cfda

SHA1
519298f8a681b41d2d70db2670cc7543f1ee6da4

SHA256
98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d

SHA512
d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\New_15020c62\aswe9e92cf5307001a8.tmp

Filesize
15.8MB

MD5
5a42ea3b0ede7f8381db00287af28ac4

SHA1
f95340b37ee137b60729803223b3c2ebd65a6df6

SHA256
b4caded48386a72cc2d6484ac0aa36e5a18ee6785d366a9f6267324e5d3a8a8f

SHA512
3ca8b4996c041fb76d9de7b5368f5bf6d289ad26c3dc2a5468ce32c104f82d8bf4f15720c806c3f61a33e8e9fe71c7771d50f8a21fa2db4c104be54267252838

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\asw6d837cae0a933d16.ini

Filesize
666B

MD5
a99a6a456b47a3c256acef6086442554

SHA1
88053453f6a4ed8f0c8132a2782ce3592f9fac19

SHA256
a8d6400ad3ac438944f6963201ca74b06ab4fdb088fe9169cb1a4d1833a4c9c6

SHA512
93bf56fd6f9152a459e6adf5652f1205c575b0feac3491f7e65144620e5982dd2e466c46cf213917839058535e040245931109159eb3901c334e8786b74fd836

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\config.def

Filesize
18KB

MD5
4b347d5388b66a283210d558b16b1442

SHA1
458d2b2b47894a0ae5f54276e8d4ed264cd73bc7

SHA256
8e5a4c7af575d57a658894a3599a1f373cb145fe770bcec5df87374ae34bc5d1

SHA512
dc8745f7534ea80044883715f8fc4b9a94b03c3b609593f6b5a3873978af97c074bde5aab4031dccfa0f333da9144a869bb218cb83d89a9d4d4ea5a54ea52d42

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\config.def

Filesize
19KB

MD5
63c4997d559bc2b3bdf45236bc418164

SHA1
240803190280a0f2ba79082065a216df499f6b92

SHA256
a7b7d1f37192c5e2c2ad66b5e96b79d9010c5ba2c0163c2ffbe12f10ee3dd735

SHA512
e0579b6f51ca0369f9e11c808ed7f1e9131e3fde133851ea9e2b30089c624f522bfddf60b6fb8bbea3ded05ce8811be2fa574f1151561e475919d246f52bd657

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\part-setup_ais-15020c62.vpx

Filesize
5KB

MD5
d5b798d8816b252e7d718195dfeb8a8c

SHA1
860c5807fd491aeeb12d661d8cf2ecca4ca1639b

SHA256
75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

SHA512
16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\prod-pgm.vpx

Filesize
572B

MD5
999754d694d00b2319ebc83bad47ad55

SHA1
1f4a09d7506648b5f257dc3bf5fbe6629d85d1ba

SHA256
a44174fe5fae6797f814c6b0f34a7a40967247abea3f8ac3c2e053d75778402d

SHA512
5f035e60b0f58d988af62b3c245a5bbb2c364df3e65255f37743fddf5d357ba5515eb4bdb1bf95e922dbc994f031da6e84ed26b3ee884863efd5d4854547b59d

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\prod-vps.vpx

Filesize
343B

MD5
c3f29a734e383ec053cbed7569a6d9a2

SHA1
5b07d18fd0aa113399ea59d092a54a60ed1b9080

SHA256
222d3a2e50840f889b8a01d0d3570a0523604bba549051352a668b405f6d809b

SHA512
c11731dce8670da15a6028c64d9778e05b4bedc0bf8f02f4ab6ba7d84148cb83934df0ac7d7163e7fb10612b5800640e68a3338c0a70c84c5dfdb577b2c9ea60

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\servers.def

Filesize
27KB

MD5
6685e1a7edfaf040ce933daaa271b33f

SHA1
b1bfca6f357cc75b10d2b59f228da51097c02d15

SHA256
842b0d709b81589d1ee5f24f421e531f512e46bc0b770b97afd2774a45ec7a97

SHA512
4f958804cbd1ff13b29a5539400ba3263d03e434d59365727997f7dd9bf5f6f61a6fa77d869eeb0f3b33b3f1f7fa76bd1ee5c26b055d2446640ba761507c72e2

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\servers.def.vpx

Filesize
1KB

MD5
68fa59ad1f9f4f9c9bb28b865e09518c

SHA1
5264ddce5171dbb3d8639fc3b2796d2043f0714d

SHA256
6f9fffe858e1631105c8432f785acdde98cf61b9ab657a9f3b6a21daf37f9230

SHA512
07e0d192119656867797a4f55836975a0dcf01bf7de096569e72c34b1ae2efdfcd1622ade600b3f46c5579cc84517adc694a6e6a5d283396b7d9dcf6d261162f

Download Submit
C:\Windows\Temp\asw.83172945198ff68f\uat64.vpx

Filesize
12KB

MD5
859c080245a39c701981f84287e0ee92

SHA1
59bd07b9a4d04aa88861263240cb2695e0ffa5d7

SHA256
7d13e1c324f8d2335943f3416c73acfd7f197c3ce53981bf4c26cf822797f91d

SHA512
2c23a3758ad830c6191e20ab4aec4cad42ebad1cfc309efc6fc48f4733de2278cf8c26f4d6e7cf378218ccbcc327e4d3b6c0357219934d7074b4a393e9a68eae

Download Submit
C:\Windows\Temp\asw.cc2b17a2167ad986\ecoo.edat

Filesize
21B

MD5
3f44a3c655ac2a5c3ab32849ecb95672

SHA1
93211445dcf90bb3200abe3902c2a10fe2baa8e4

SHA256
51516a61a1e25124173def4ef68a6b8babedc28ca143f9eee3e729ebdc1ef31f

SHA512
d3f95262cf3e910dd707dfeef8d2e9db44db76b2a13092d238d0145c822d87a529ca58ccbb24995dfcf6dad1ffc8ced6d50948bb550760cd03049598c6943bc0

Download Submit
\Program Files (x86)\WeatherZero\WeatherZeroService.exe

Filesize
3.2MB

MD5
2b149ba4c21c66d34f19214d5a8d3067

SHA1
8e02148b86e4b0999e090667ef9b926a19b5ca7d

SHA256
95f0e021c978ddd88e2218a7467579255a5ae9552af2508c4243a4adec52d2b8

SHA512
c626f89bc01fdb659f4ee2cf86ba978f04e4bf0dec2624170c83c21d5ad29e20335566b1f7545d9badc4e47ca2ea90535c4cb08b4afa3457b72a5801053706d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-NITO9.tmp\windows-movie-maker_ih-8Ta1.tmp

Filesize
3.1MB

MD5
52263ba53784a017b4c47b092643dd24

SHA1
f12942694efc30db81b938702af1ebc5b8d68415

SHA256
30848b34a4fba4a601332f90a6f4327ef3c1c9f943dc35c764ee3aeaba412600

SHA512
754f8f18090297ee5815b48aa745feed2b54cd6fb555645a607ea42400b6149e4556be6403b927e848e595c07377585355e173ad7f52795112029ee4f6923e40

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q8RFB.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
\Users\Admin\AppData\Local\Temp\nszE300.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Windows\Temp\asw.83172945198ff68f\New_15020c62\asw241becb2db821305.tmp

Filesize
15KB

MD5
e38cc92cd980a55d811316ac62883e14

SHA1
fa83737abe11ee825c3da6843cc4d8e3b459729a

SHA256
be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87

SHA512
1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

Download Submit
\Windows\Temp\asw.83172945198ff68f\New_15020c62\aswcbdd8203f9b1cfb2.tmp

Filesize
3.8MB

MD5
0b830444a6ef848fb85bfbb173bb6076

SHA1
27964cc1673ddb68ca3da8018f0e13e9a141605e

SHA256
63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f

SHA512
31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

Download Submit
\Windows\Temp\asw.83172945198ff68f\New_15020c62\aswe9e92cf5307001a8.tmp

Filesize
15.1MB

MD5
38e42a7a589092324bb5df8c514d7064

SHA1
c8f2fa3c900df51c3555fec9f3703402d9ffdd58

SHA256
94fdff96bdda95f7432c9e77c1162bfd0239f874b87de46f1e25d8db698a74e4

SHA512
8432ed22dfcc7943c9f889d6378e0a9c2b0e2f9a23e0a1ee63c92102a2c4e88c89150a87dd9768dce0dcd42256f5e8b1f0e65deaf4a776f6c8a3dc413c4c7857

Download Submit
\Windows\Temp\asw.83172945198ff68f\uat64.dll

Filesize
23KB

MD5
d4cb0514285ec27a18ac6e74159fb695

SHA1
3b5d445c2162c3723ae73e3bf6cf3acf37019d5e

SHA256
8f204d870ec74423be8c7f05b9822392eb9f675c676ac8646e944645a5e9aa0f

SHA512
25ce4398012d86eed44a66cd96cd3790df05c44d8480b4ee5c702ef5e005950cace265ea2a65fe5fc25a49d93f1a5eaabd28b6fc350428baccbc141bd69b2988

Download Submit
\Windows\Temp\asw.cc2b17a2167ad986\avg_antivirus_free_setup_x64.exe

Filesize
10.6MB

MD5
64b8e930e0e649a7b8302380a2fa6dd0

SHA1
3390e6f86293032053d0d712a613b8e3608b237c

SHA256
f30810d4be51461cda07872416d2cb9bd14ef555cc4f5d859a48abce1727de16

SHA512
5b2ae05de9366bb8665220dc337ef678f2f611375ab94689ceb417f4fe869ea9a1045ba8ed1df0498c56c991ce020a9d28de0504c4f07cbab19efde22c547710

Download Submit
memory/2360-143-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-140-0x00000000079C0000-0x0000000007B00000-memory.dmp

Filesize
1.2MB

Download
memory/2360-148-0x00000000079C0000-0x0000000007B00000-memory.dmp

Filesize
1.2MB

Download
memory/2360-243-0x00000000079C0000-0x0000000007B00000-memory.dmp

Filesize
1.2MB

Download
memory/2360-150-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-142-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-385-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-228-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-152-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-168-0x00000000079C0000-0x0000000007B00000-memory.dmp

Filesize
1.2MB

Download
memory/2360-170-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2448-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2448-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2448-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download