Edit tour

Windows Analysis Report
MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip

Overview

General Information

Sample Name:	MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip
Analysis ID:	1342832
MD5:	5e6ccbae7e98529febf929d16266987f
SHA1:	5f70c4d02eeb8c2ccfc1e55bb1c20561f4a99dd2
SHA256:	f5efe4bd130acb6905088afb7ebfa1ec3de6aa4f2bcd6cb6605abf4484956634
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Query firmware table information (likely to detect VMs)

Drops executable to a common third party application directory

Allocates memory in foreign processes

Writes many files with high entropy

Writes a notice file (html or txt) to demand a ransom

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Drops certificate files (DER)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Queries the installation date of Windows

Stores large binary data to the registry

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

query blbeacon for getting browser version

Downloads executable code via HTTP

Enables debug privileges

Drops files with a non-matching file extension (content does not match file extension)

Queries information about the installed CPU (vendor, model number etc)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64_ra

mozilla-firefox_qK5-VP1.exe (PID: 2068 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" MD5: E0CB873B4ABC6E0650EBFCF9B7A328FF)

mozilla-firefox_qK5-VP1.tmp (PID: 1344 cmdline: "C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$2038A,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" MD5: C2A9A21C0C0BD341958033EA11684FEA)

mozilla-firefox_qK5-VP1.exe (PID: 5448 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" /SPAWNWND=$20390 /NOTIFYWND=$2038A MD5: E0CB873B4ABC6E0650EBFCF9B7A328FF)

mozilla-firefox_qK5-VP1.tmp (PID: 6524 cmdline: "C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$D0078,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" /SPAWNWND=$20390 /NOTIFYWND=$2038A MD5: C2A9A21C0C0BD341958033EA11684FEA)

file_qK5-VP1.exe (PID: 6980 cmdline: "C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64 MD5: F709593FF1FB625B1D073724961F0956)

file_qK5-VP1.tmp (PID: 1840 cmdline: "C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp" /SL5="$203F8,1611420,832512,C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64 MD5: 1968CA694D9B1FB54EDF2A8380F1E0FE)

saBSI.exe (PID: 4172 cmdline: "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: BB7CF61C4E671FF05649BDA83B85FA3D)

installer.exe (PID: 1568 cmdline: "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: 58EB889F91B5133D5DB88612CA6E5887)

installer.exe (PID: 4108 cmdline: "C:\Program Files\McAfee\Temp2863637682\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: 38F970B5919FA4F8174F559A91003924)

avg_antivirus_free_setup.exe (PID: 4916 cmdline: "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 MD5: 26816AF65F2A3F1C61FB44C682510C97)

avg_antivirus_free_online_setup.exe (PID: 4744 cmdline: "C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 MD5: 3771842CBB051810EA827C3855934A32)

icarus.exe (PID: 6704 cmdline: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\icarus-info.xml /install /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 MD5: 00F3158AA3CAC845A8DDBCE86CF20560)

icarus.exe (PID: 6724 cmdline: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps MD5: 00F3158AA3CAC845A8DDBCE86CF20560)

icarus.exe (PID: 6356 cmdline: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av MD5: 00F3158AA3CAC845A8DDBCE86CF20560)

mozilla-firefox.exe (PID: 4400 cmdline: "C:\Users\user\Downloads\mozilla-firefox.exe" MD5: 8F4A7771AE6B62234B08572A6863CEDC)

setup-stub.exe (PID: 2224 cmdline: .\setup-stub.exe MD5: A30EDC877E77C0A5CE37D5F93BC949DE)

chrome.exe (PID: 6004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.fileplanet.com/windows MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,10801690335675068171,112558321772065651,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 15 Nov 2023 07:22:05 GMTContent-Type: application/octet-streamContent-Length: 398800Last-Modified: Wed, 19 Apr 2023 12:54:58 GMTConnection: keep-aliveETag: "643fe4a2-615d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6b 8d c8 e6 2f ec a6 b5 2f ec a6 b5 2f ec a6 b5 64 94 a5 b4 23 ec a6 b5 64 94 a3 b4 bd ec a6 b5 90 90 a2 b4 3d ec a6 b5 90 90 a5 b4 3a ec a6 b5 64 94 a2 b4 3a ec a6 b5 64 94 a7 b4 2c ec a6 b5 2f ec a7 b5 89 ec a6 b5 90 90 a3 b4 1f ec a6 b5 f8 91 ae b4 7d ec a6 b5 f8 91 59 b5 2e ec a6 b5 f8 91 a4 b4 2e ec a6 b5 52 69 63 68 2f ec a6 b5 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 92 e9 ff 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 23 00 c0 01 00 00 00 01 00 00 40 03 00 c0 0c 05 00 00 50 03 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 06 00 00 10 00 00 06 36 06 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 0b 06 00 88 00 00 00 00 10 05 00 4c fb 00 00 00 00 00 00 00 00 00 00 20 e5 05 00 b0 30 00 00 d4 0b 06 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 0e 05 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 4d 03 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 40 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 c0 01 00 00 50 03 00 00 c0 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 00 01 00 00 10 05 00 00 fc 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

HTTP traffic detected: POST /cgi-bin/iavsevents.cgi HTTP/1.1Connection: Keep-AliveContent-Type: iavs4/statsUser-Agent: AVG Microstub/2.1Content-Length: 268Host: v7event.stats.avast.com

Source: unknown

DNS traffic detected: queries for: d2nko69k18f2wb.cloudfront.net

Source: global traffic

HTTP traffic detected: GET /US/mozilla-firefox.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: dl.jalecdn.com

Source: unknown	HTTPS traffic detected: 3.163.178.91:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.27.203.89:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.190.8.5:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.86.37.179:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.16:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.16:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.16:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.16:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.240.196.74:443 -> 192.168.2.16:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.240.196.74:443 -> 192.168.2.16:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.235.221.40:443 -> 192.168.2.16:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.235.221.40:443 -> 192.168.2.16:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.235.221.40:443 -> 192.168.2.16:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.188.206.57:443 -> 192.168.2.16:50014 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe entropy: 7.99261107729	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\35629e3b-c85e-4581-a75c-9aa7dbcac5d5 entropy: 7.99963634506	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\f7598da6-300b-4836-84a4-2e66e663877a entropy: 7.99986103887	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\b1a48d96-62d9-4a02-9e4e-df840d3f50e8 entropy: 7.99993035713	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\54887df2-d3ac-45fc-9c02-400e5761c668 entropy: 7.99994842041	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\cd423ba8-8e08-4b9d-bb30-e4dbda938cd2 entropy: 7.99857728039	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\setupui.cont entropy: 7.99946982031	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\b6c2f478-64f6-4ffb-a288-1ee9a291a6ff entropy: 7.99938086549	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\analyticsmanager.cab entropy: 7.99961438969	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\browserhost.cab entropy: 7.99953579752	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\browserplugin.cab entropy: 7.99922249191	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\downloadscan.cab entropy: 7.99976400125	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\eventmanager.cab entropy: 7.99956598882	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\logicmodule.cab entropy: 7.99960093777	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\lookupmanager.cab entropy: 7.99852985626	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\mfw-webadvisor.cab entropy: 7.99735105928	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\mfw.cab entropy: 7.99508058214	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\servicehost.cab entropy: 7.99608701279	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\settingmanager.cab entropy: 7.9994274548	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\taskmanager.cab entropy: 7.99954412419	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\uihost.cab entropy: 7.99651369261	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\uimanager.cab entropy: 7.99959504638	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\uninstaller.cab entropy: 7.99935092903	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\updater.cab entropy: 7.99930681513	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\wataskmanager.cab entropy: 7.99983539171	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\wssdep.cab entropy: 7.99865937314	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus_product.dll.lzma entropy: 7.99940731604	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus_rvrt.exe.lzma entropy: 7.99377130708	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus_product.dll.lzma entropy: 7.99989570564	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\aswOfferTool.exe.lzma entropy: 7.99980181862	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\ProgramData\AVG\Antivirus\gaming_mode\dnddetection.dat.ipending.0699c975 entropy: 7.9996461815	Jump to dropped file

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe

File dropped: C:\Program Files\McAfee\Temp2863637682\jslang\eula-en-US.txt -> encryption key for your account secure because without them you may lose access to your data. you are solely responsible and liable for any activity that occurs under your account, including by anyone who uses your account. if there is any unauthorized use or access to your account, you must let us know immediately. we are not responsible for any loss caused by unauthorized use of or access to your account; however, you may be liable for any losses we or others suffer because of the unauthorized use. we do not have access to master passwords and cannot recover your encrypted data if you forget the master password for any password management feature or product. we offer both free and premium versions of our password and identity management software, and the free versions limit the maximum number of unique accounts (such as a website or application login) that you can store. if you have downloaded a premium version of the software at no cost during a promotion, then when the promotional period ends you will not

Jump to dropped file

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe

File created: C:\Windows\system32\icarus_rvrt.exe

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp

Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe

Section loaded: sfc.dll

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe

File read: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$2038A,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" /SPAWNWND=$20390 /NOTIFYWND=$2038A
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$D0078,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" /SPAWNWND=$20390 /NOTIFYWND=$2038A
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe "C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp" /SL5="$203F8,1611420,832512,C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe "C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$2038A,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp" /SL5="$D0078,831488,831488,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe" /SPAWNWND=$20390 /NOTIFYWND=$2038A
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\Downloads\mozilla-firefox.exe "C:\Users\user\Downloads\mozilla-firefox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.fileplanet.com/windows
Source: C:\Users\user\Downloads\mozilla-firefox.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe .\setup-stub.exe
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,10801690335675068171,112558321772065651,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp "C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp" /SL5="$203F8,1611420,832512,C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe" /LANG=en /NA=Rh85hR64
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\Downloads\mozilla-firefox.exe "C:\Users\user\Downloads\mozilla-firefox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.fileplanet.com/windows
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\icarus-info.xml /install /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,10801690335675068171,112558321772065651,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Process created: C:\Program Files\McAfee\Temp2863637682\installer.exe "C:\Program Files\McAfee\Temp2863637682\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3
Source: C:\Users\user\Downloads\mozilla-firefox.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe .\setup-stub.exe
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Process created: C:\Program Files\McAfee\Temp2863637682\installer.exe "C:\Program Files\McAfee\Temp2863637682\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12
Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12
Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp

File created: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp

Source: classification engine

Classification label: mal84.rans.spyw.evad.winZIP@43/229@69/112

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Key opened: Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1f6554c2-d7a7-40d9-b3be-1de5d37df66d}Installer
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\3ab359ed30100228a64e9a58c74e8c4e
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0e71c6a0-3828-42ba-8e37-07180bcc1157}suy
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3ab359ed30100228a64e9a58c74e8c4e
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{0e71c6a0-3828-42ba-8e37-07180bcc1157}suy
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\75373c9551467e2da6e910632669e725
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\de5f6207c352f8b0cce60f84cc0d84cf
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{32B25EF2-80FD-4C66-97E1-0890D9E9F87B}
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{1f6554c2-d7a7-40d9-b3be-1de5d37df66d}Installer
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\95bab6178d88c1c69a998a8e0beeaa03

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe

File created: C:\Program Files\Mozilla Firefox\nsy855C.tmp

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe

File written: C:\ProgramData\AVG\Icarus\settings\proxy.ini

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Window detected: HYPERLINK "https://cassinilabs.com/privacy-policy/" End User License AgreementHYPERLINK "https://cassinilabs.com/privacy-policy/" Privacy PolicyThis will download Mozilla Firefox to your computer click "Next" to continue.Popular and widely used internet browser softwareWelcome to Mozilla Firefox Download Manager&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Window detected: HYPERLINK "https://cassinilabs.com/privacy-policy/" End User License AgreementHYPERLINK "https://cassinilabs.com/privacy-policy/" Privacy PolicyThis will download Mozilla Firefox to your computer click "Next" to continue.Popular and widely used internet browser softwareWelcome to Mozilla Firefox Download Manager&NextCancel

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip

Static file information: File size 1192377 > 1048576

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nsy855C.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nsy855C.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nso856D.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nso856E.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nso856E.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Directory created: C:\Program Files\Mozilla Firefox\nso856F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\analyticsmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\analyticstelemetry.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\balloon_safe_annotation.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\browserhost.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\browserplugin.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\downloadscan.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\eventmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\icon_complete.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\icon_failed.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\icon_laptop.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jquery-1.9.0.min.js
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\l10n.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\logicmodule.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\logicscripts.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\lookupmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\main_close_large.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mcafeecerts.xml
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mcafee_pc_install_icon.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mcafee_pc_install_icon2.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mfw-mwb.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mfw-nps.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mfw-webadvisor.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\mfw.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\resource.dll
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\resourcedll.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\servicehost.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\settingmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\taskmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\telemetry.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\uihost.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\uimanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\uninstaller.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\updater.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-common.css
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-core.js
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-install.css
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-install.html
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-ui-install.js
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa-utils.js
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wataskmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_install_check.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_install_check2.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_install_close.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_install_close2.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_install_error.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_logo.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wa_logo2.png
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\webadvisor.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\webadvisor.ico
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\wssdep.cab
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-cs-CZ.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-da-DK.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-de-DE.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-el-GR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-en-US.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-es-ES.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-es-MX.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fi-FI.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fr-CA.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fr-FR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-hr-HR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-hu-HU.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-it-IT.txt
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\Common Files\AVG
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus\avg-av
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\setup
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Overseer
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\setup\aswd2a3a6766f965e6a.tmp
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\setup\config.def.ipending.0699c975
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\BrowserCleanup.ini.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\TuneupSmartScan.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\dnd_helper.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\gaming_hook.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gaming_hook.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\dnd_helper.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\hns_tools.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswhook.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsdriver.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswidpm.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswidsagent.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswhook.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\background.png.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\background-loading.png.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\waikamd64.mst.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswShMin.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswPEShell.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswPEAntivirus.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswRegLib.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswPEBrowser.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\aswPECommander.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\wxbase315u_vc.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RescueDisk\wxmsw315u_core_vc.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\shred.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\snxhk.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\snxhk.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgSnx.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\asulaunch.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\aswClnTg.htm.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\aswClnTg.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\aswInfTg.htm.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\aswInfTg.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\Base.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\Boot.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\1033\uiLangRes.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgArDisk.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgArPot.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\BreachGuardSdk.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswProperty.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswPropertyAv.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\AavmRpch.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\ashShell.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\dll_loader.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswCmnOS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswCmnIS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswCmnBS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\firefox_pass.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswBrowser.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswAMSI.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\Boost.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\brotli.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\bsdiff.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\bzip2.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\c-ares.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\cef.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\Crypto++.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\cURL.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\Detours.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\dnscrypt-proxy.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\GSL.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\ICU.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\intel_asm.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\jansson.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\JsonCpp.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\lexbor.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\libevent.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\libPNG.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\libsodium.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\LUA.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\lzfse.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\LZMA.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\mbedTLS.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\mhook.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\nanopb.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\nghttp2.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\OpenSSL.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\PCRE.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\protobuf.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\pugixml.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\rapidjson.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\sqlite.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\unrar.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\vxWidgets.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\Xerces.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\xmlParser.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\xxHash.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\yara.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\zlib.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Licenses\EULA.txt.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswCmnBS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswCmnOS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswCmnIS.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashBase.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashServ.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswAv.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashShell.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashTask.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashQuick.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ashUpd.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswAux.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswDld.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\CommChannel.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\streamback.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ntp_time.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\sched.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswEngLdr.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswEngSrv.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswLog.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswProperty.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswPropertyAv.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswW8ntf.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\anen.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\perfstats.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\CommonRes.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswSqLt.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\VisthAux.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswChLic.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswIP.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswRvrt.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\log.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\burger_client.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\tasks_core.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\task_performance_logger.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\process_monitor.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\serialization.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_routing.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_routing_rpc.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_manager.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_manager_burger.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_manager_ga.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\event_manager_er.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\ffl2.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\browser_pass.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\vaarclient.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\module_lifetime.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\dll_loader.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\shepherdsync.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\fltlib_wrapper.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AVGSvc.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AavmRpch.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgBoot.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\wsc.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\firefox_pass.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswAMSI.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswBrowser.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\wsc_proxy.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\wsc_proxy.exe.manifest.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AvEmUpdate.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\SupportTool.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\nos.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswAvBootTimeScanShMin.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\mfc140u.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\mfcm140u.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\crts.cat.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-louserzation-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\concrt140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140_1.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140_2.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\ucrtbase.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\vccorlib140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\vcruntime140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avg.local_vc142.crt\vcruntime140_1.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-louserzation-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\API-MS-Win-core-xstate-l2-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\concrt140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_1.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_2.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\ucrtbase.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\vccorlib140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\avg.local_vc142.crt\vcruntime140.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\HTMLayout.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AvLaunch.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AVGUI.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AvConsent.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\jsbridge.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgKbd.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgNetHub.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\libssl-3-x64.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\libcrypto-3-x64.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\protobuf.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgRdr2.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgMonFlt.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgSP.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgRvrt.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgElam.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsh.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgbuniv.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswavdetection.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswcomm.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswdetallocator.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswntsqlite.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswpsic.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswremoval.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswsecapi.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswwinamapi.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgStm.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\RegSvr.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\aswRunDll.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\x86\AvDump.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswRunDll.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\RegSvr.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AvBugReport.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\AvDump.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\SetupInf.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\overseer.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\avgToolsSvc.exe.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\aswVmm.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\Inf\x64\avgVmm.sys.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\chrome_100_percent.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\chrome_200_percent.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\resources.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\icudtl.dat.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\am.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ar.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\bg.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\bn.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ca.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\cs.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\da.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\de.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\el.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\en-GB.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\en-US.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\es-419.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\es.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\et.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\fa.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\fi.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\fil.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\fr.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\gu.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\he.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\hi.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\hr.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\hu.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\id.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\it.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ja.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\kn.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ko.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\lt.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\lv.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ml.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\mr.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ms.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\nb.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\nl.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\pl.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\pt-BR.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\pt-PT.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ro.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ru.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\sk.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\sl.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\sr.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\sv.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\sw.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\ta.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\te.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\th.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\tr.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\uk.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\vi.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\zh-CN.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\locales\zh-TW.pak.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\swiftshader
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\swiftshader\libEGL.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\swiftshader\libGLESv2.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\chrome_elf.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\libcef.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\d3dcompiler_47.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\libEGL.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\libGLESv2.dll.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\snapshot_blob.bin.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\v8_context_snapshot.bin.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\about.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\antiRansomware.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\ask.ogg.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\browserDetection.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\browserDetectionWindow.html.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\browserExtensions.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\core.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\darkWebMonitor.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\dashboard.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\dataShredder.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\done.ogg.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\doNotDisturb.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\driverUpdater.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\feedbackForm.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\firewall.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\help.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\i18n.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\kin.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\libs.js.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-cs.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-da.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-de.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-en.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-en_GB.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-es_ES.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-fi.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-fr.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-hu.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-id.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-it.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-ja.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-ko.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-ms.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-nb.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-nl.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-pl.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-pt_BR.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-pt_PT.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-ru.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-sk.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-sr_CS.json.ipending.0699c975.lzma
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Directory created: C:\Program Files\AVG\Antivirus\gui_resources\default_av\locale-sv_SE.json.ipending.0699c975.lzma

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp

File written: C:\Users\user\Downloads\mozilla-firefox.exe

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\TuneupSmartScan.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\dnd_helper.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\gaming_hook.exe.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\gaming_hook.exe.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\dnd_helper.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\hns_tools.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\aswhook.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsdriver.sys.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\aswidpm.dll.ipending.0699c975	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UAC.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\dnd_helper.dll.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\CityHash.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\setupui.cont (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\dnd_helper.dll.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	File created: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\hns_tools.dll.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\InetBgDL.dll	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\gaming_hook.exe.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\resource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\botva2.dll	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\dump_process.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\installer.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\TuneupSmartScan.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\aswhook.dll.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\Helper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\is-O1UUD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus_product.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsdriver.sys.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\aswOfferTool.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Windows\System32\icarus_rvrt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File created: C:\Users\user\AppData\Local\Temp\nsd852C.tmp\WebBrowser.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\x86\gaming_hook.exe.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Program Files\AVG\Antivirus\aswidpm.dll.ipending.0699c975	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	File created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus_product.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	File created: (copy)	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus_mod.dll	Jump to dropped file
Source: C:\Users\user\Downloads\mozilla-firefox.exe	File created: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Jump to dropped file

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\setupui.cont (copy)	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus_product.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\aswOfferTool.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	File created: C:\Windows\System32\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	File created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus_product.dll	Jump to dropped file
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus_mod.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-cs-CZ.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-da-DK.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-de-DE.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-el-GR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-en-US.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-es-ES.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-es-MX.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fi-FI.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fr-CA.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-fr-FR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-hr-HR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-hu-HU.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-it-IT.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-ko-KR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-nb-NO.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-nl-NL.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-pl-PL.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-pt-BR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-pt-PT.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-ru-RU.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-sk-SK.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-sr-Latn-CS.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-sv-SE.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-tr-TR.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-zh-CN.txt
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	File created: C:\Program Files\McAfee\Temp2863637682\jslang\eula-zh-TW.txt

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\file_qK5-VP1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp TID: 7080	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp TID: 6952	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp TID: 6952	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp TID: 6680	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp TID: 7108	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe TID: 4732	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe TID: 3036	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe TID: 3480	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe TID: 3036	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\Antivirus\aswidpm.dll.ipending.0699c975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\Temp2863637682\resource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\botva2.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Memory allocated: 3D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Memory allocated: 47F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Memory allocated: 54B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Memory allocated: 5260000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Memory allocated: 51F0000 memory commit \| memory reserve \| memory write watch

Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12
Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12
Source: C:\Program Files\McAfee\Temp2863637682\installer.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select Architecture from Win32_processor where Architecture=5 or Architecture=12

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp FullSizeInformation
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	File Volume queried: C:\Program Files\Mozilla Firefox FullSizeInformation
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	File opened: C:\Users\user\AppData\Local

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Memory written: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe base: 20C75060000
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Memory written: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe base: 45A1B822D8

Allocates memory in foreign processes

Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe

Memory allocated: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe base: 20C75060000 protect: page read and write

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp "c:\users\user\appdata\local\temp\is-616ik.tmp\mozilla-firefox_qk5-vp1.tmp" /sl5="$d0078,831488,831488,c:\users\user\appdata\local\temp\temp1_mde_file_sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qk5-vp1.exe" /spawnwnd=$20390 /notifywnd=$2038a
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qK5-VP1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp "c:\users\user\appdata\local\temp\is-616ik.tmp\mozilla-firefox_qk5-vp1.tmp" /sl5="$d0078,831488,831488,c:\users\user\appdata\local\temp\temp1_mde_file_sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip\mozilla-firefox_qk5-vp1.exe" /spawnwnd=$20390 /notifywnd=$2038a
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe "c:\windows\temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3
Source: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe /icarus-info-path:c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\icarus-info.xml /install /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe c:\windows\temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe "c:\windows\temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pttvrlpuzzckt41o5wwkxvsl1qio7wvt8kwts0pbscyo5jmhu09aak2iqjparxmbpkyedrykg9h8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:c:\windows\temp\asw.bde788a01c0620e3

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Users\user\Downloads\mozilla-firefox.exe "C:\Users\user\Downloads\mozilla-firefox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.fileplanet.com/windows
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av-vps_slave_ep_ab8b7bb3-1f02-4903-a419-1d553e034ddd /slave:avg-av-vps
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	Process created: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /track-guid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3 /er_master:master_ep_738ca827-da74-4562-9ba1-e9f652c54ede /er_ui:ui_ep_6f29ae36-8495-4fed-b4d0-9942d8f28919 /er_slave:avg-av_slave_ep_8b7017fa-856f-4c37-a8f5-998cf2feee77 /slave:avg-av
Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTtVrLPUzzCKt41O5WwKXVSl1QIo7WVt8kWTS0pBScYo5jMhU09AAK2IqjParxmbPKyeDRYKg9H8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:40b3861a-5115-475b-998d-cf8c430d8b96 /edat_dir:C:\Windows\Temp\asw.bde788a01c0620e3

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\mainlogo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\WebAdvisor.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\AVG_AV.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\finish.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av-vps\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\event_manager.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\event_manager.log VolumeInformation
Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\avg-av\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\event_manager.log VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-3IJB9.tmp\mozilla-firefox_qK5-VP1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\compatibility.ini

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	11 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Data Encrypted for Impact	Acquire Infrastructure	1 Software
Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 DLL Side-Loading	LSASS Memory	44 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	1 Registry Run Keys / Startup Folder	211 Process Injection	133 Masquerading	Security Account Manager	22 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Modify Registry	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Traffic Duplication	14 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	14 Virtualization/Sandbox Evasion	LSA Secrets	14 Virtualization/Sandbox Evasion	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	100%	Avira	PUA/OfferCore.Gen
(copy)	29%	ReversingLabs	Win32.PUA.OfferCore
(copy)	25%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-A83TO.tmp\file_qK5-VP1.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\_isetup\_setup64.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\Helper.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\Helper.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\botva2.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\botva2.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	100%	Avira	PUA/OfferCore.Gen
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\is-O1UUD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\is-O1UUD.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\saBSI.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	100%	Avira	PUA/OfferCore.Gen
C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS03140D36\setup-stub.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7S36.tmp\prod0_extract\installer.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\CityHash.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\CityHash.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\InetBgDL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\InetBgDL.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\System.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UAC.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\UserInfo.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\WebBrowser.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd852C.tmp\WebBrowser.dll	0%	Virustotal		Browse
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\bug_report.exe	0%	ReversingLabs
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\bug_report.exe	0%	Virustotal		Browse
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\dump_process.exe	0%	ReversingLabs
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\dump_process.exe	0%	Virustotal		Browse
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	0%	ReversingLabs
C:\Windows\Temp\asw-5df2d909-5b4b-480a-bf74-871bd5941ba0\common\icarus.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	100%	Avira	PUA/OfferCore.Gen

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
dl.jalecdn.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://dl.jalecdn.com/US/mozilla-firefox.exe	0%	Avira URL Cloud	safe
http://dl.jalecdn.com/US/mozilla-firefox.exe	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.fileplanet.com	104.27.203.89	true	false		high
a.nel.cloudflare.com	35.190.80.1	true	false		high
accounts.google.com	172.217.14.205	true	false		high
secure.statcounter.com	104.20.219.77	true	false		high
c.statcounter.com	104.20.219.77	true	false		high
cmp.quantcast.com	108.138.94.40	true	false		high
nlb-home-mcafee-7e003388d1151bba.elb.us-west-2.amazonaws.com	44.240.196.74	true	false		high
d2nko69k18f2wb.cloudfront.net	3.163.178.91	true	false		high
dl.jalecdn.com	162.210.197.141	true	false	1%, Virustotal, Browse	unknown
mosaic-nova.apis.mcafee.com	54.190.8.5	true	false		high
analytics-prod-gcp.ff.avast.com	34.117.223.223	true	false		high
cdn.fileplanet.com	104.27.203.89	true	false		high
shepherd-gcp.ff.avast.com	34.160.176.28	true	false		high
www.google.com	142.251.33.100	true	false		high
clients.l.google.com	142.250.217.110	true	false		high
d1i3c1dyhuowa7.cloudfront.net	99.86.37.179	true	false		high
d23sp3kzv1t6m5.cloudfront.net	18.65.229.6	true	false		high
clients1.google.com	unknown	unknown	false		high
analytics.apis.mcafee.com	unknown	unknown	false		high
shepherd.ff.avast.com	unknown	unknown	false		high
sadownload.mcafee.com	unknown	unknown	false		high
v7event.stats.avast.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
home.mcafee.com	unknown	unknown	false		high
product-details.mozilla.org	unknown	unknown	false		high
cmp.inmobi.com	unknown	unknown	false		high
analytics.avcdn.net	unknown	unknown	false		high
honzik.avcdn.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.fileplanet.com/windows	false		high
about:blank	false		low
http://dl.jalecdn.com/US/mozilla-firefox.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.14.205	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.33.110	unknown	United States	15169	GOOGLEUS	false
142.251.211.234	unknown	United States	15169	GOOGLEUS	false
142.251.211.238	unknown	United States	15169	GOOGLEUS	false
108.138.94.40	cmp.quantcast.com	United States	16509	AMAZON-02US	false
23.192.209.23	unknown	United States	16625	AKAMAI-ASUS	false
99.86.37.179	d1i3c1dyhuowa7.cloudfront.net	United States	16509	AMAZON-02US	false
104.20.218.77	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.215.227	unknown	United States	15169	GOOGLEUS	false
18.65.229.6	d23sp3kzv1t6m5.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
104.86.183.41	unknown	United States	20940	AKAMAI-ASN1EU	false
104.27.203.89	www.fileplanet.com	United States	13335	CLOUDFLARENETUS	false
142.251.33.100	www.google.com	United States	15169	GOOGLEUS	false
52.84.162.68	unknown	United States	16509	AMAZON-02US	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
54.190.8.5	mosaic-nova.apis.mcafee.com	United States	16509	AMAZON-02US	false
34.160.176.28	shepherd-gcp.ff.avast.com	United States	2686	ATGS-MMD-ASUS	false
162.210.197.141	dl.jalecdn.com	United States	30633	LEASEWEB-USA-WDCUS	false
34.117.223.223	analytics-prod-gcp.ff.avast.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.217.110	clients.l.google.com	United States	15169	GOOGLEUS	false
104.86.183.33	unknown	United States	20940	AKAMAI-ASN1EU	false
142.251.33.72	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.20.219.77	secure.statcounter.com	United States	13335	CLOUDFLARENETUS	false
142.251.33.74	unknown	United States	15169	GOOGLEUS	false
142.251.33.99	unknown	United States	15169	GOOGLEUS	false
104.18.20.226	unknown	United States	13335	CLOUDFLARENETUS	false
3.163.178.91	d2nko69k18f2wb.cloudfront.net	United States	16509	AMAZON-02US	false
104.27.204.89	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1342832
Start date and time:	2023-11-15 08:20:51 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip
Detection:	MAL
Classification:	mal84.rans.spyw.evad.winZIP@43/229@69/112
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe
Excluded IPs from analysis (whitelisted): 142.251.33.110, 23.192.209.23, 104.86.183.41, 104.86.183.33, 142.251.33.99, 52.84.162.68, 52.84.162.20, 52.84.162.70, 52.84.162.16, 34.104.35.123, 142.250.217.110, 52.13.240.171, 44.240.42.210, 18.236.60.85, 142.251.211.238, 142.251.33.74, 142.250.217.74, 142.250.217.106, 172.217.14.234, 142.250.69.202, 142.251.215.234, 142.251.211.234, 172.217.14.202, 142.251.33.106, 142.251.33.72, 104.18.20.226, 104.18.21.226
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	Avira: detection malicious, Label: PUA/OfferCore.Gen
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	Avira: detection malicious, Label: PUA/OfferCore.Gen
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	Avira: detection malicious, Label: PUA/OfferCore.Gen
Source: C:\Users\user\AppData\Local\Temp\is-O8FHU.tmp\is-EOSUU.tmp	Avira: detection malicious, Label: PUA/OfferCore.Gen

Source: (copy)	ReversingLabs: Detection: 29%
Source: (copy)	Virustotal: Detection: 25%			Perma Link

Source: https://www.fileplanet.com/windows	HTTP Parser: No favicon
Source: https://www.fileplanet.com/windows	HTTP Parser: No favicon

Process:	C:\Users\user\AppData\Local\Temp\is-616IK.tmp\mozilla-firefox_qK5-VP1.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2541680
Entropy (8bit):	7.670383335074764
Encrypted:	false
SSDEEP:
MD5:	F709593FF1FB625B1D073724961F0956
SHA1:	90DDD0F3E846AD6C858A264578AB5055412ED5FD
SHA-256:	EDDE07449DFE986670DD3F7DE55293E2A3AE2509F8C118791D419B6139E59876
SHA-512:	C0F70072E1C8FCA793CD4876EA83952DBBD9E953B99C6D1621070A5DCCB8B3D30CB3C9B69F577C4CA77A1E77F7E672F3E54CFF525F017A3C4BC284D00CD0DF1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 25%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................R...^.......^.......p....@.................................h.'...@......@...................@....... .......p..............x.&..-...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................

Process:	C:\Users\user\Downloads\mozilla-firefox.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	249
Entropy (8bit):	4.459801270300294
Encrypted:	false
SSDEEP:
MD5:	005F1777D0861CBD64BD38E14729B6DE
SHA1:	BFC3878265A157297BE4E7A0AB7DB76973A89D6C
SHA-256:	F42504379A353FC779B0DC7D552539A0219A4C17949824D1F352F84232EAC537
SHA-512:	0815A984E412DDADF18F32895364881A65EB1321C243DFE5E0B3E4F36479A692D15CCF8F85A4713100CBAE900E7C05BACA2868A752651BEC0562DEC22F762FBF
Malicious:	false
Reputation:	low
Preview:	campaign%3D%2528not%2Bset%2529%26content%3D%2528not%2Bset%2529%26dltoken%3D1951e78d-224a-4b85-892b-94732047a07e%26experiment%3D%2528not%2Bset%2529%26medium%3D%2528direct%2529%26source%3D%2528other%2529%26ua%3Dchrome%26variation%3D%2528not%2Bset%2529

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 15 06:22:18 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9753662704052664
Encrypted:	false
SSDEEP:
MD5:	1404D54FED72058BFADBCFF182096792
SHA1:	923FEB79EEB87F4B2690F109006DEBA0338B1230
SHA-256:	03201DBDFA80638D7ABEDA854EFC0591AA9153C14A1A1AB871D45902CE76E7B1
SHA-512:	ACF72E076F873AF89197BB683D4D9A6E3615263C24C3FD3502A536FDB153B202827314F0AF6F61B3C24867AC31451AECD1FC09A90E50D93C80AE8C0A021F2F9A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...._.w....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IoW.:....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VoW.:....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VoW.:....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VoW.:..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VoW.:...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Windows\Temp\asw.bde788a01c0620e3\avg_antivirus_free_online_setup.exe
File Type:	ASCII text, with very long lines (2194), with CRLF line terminators
Category:	dropped
Size (bytes):	18271
Entropy (8bit):	5.645258877192454
Encrypted:	false
SSDEEP:
MD5:	40E291A25D7EBE5AB93ED33947A6DA45
SHA1:	1E5790FFC68A8FC699D5204EB12996F27CB16F33
SHA-256:	1D5E26D0BBC8486E987F53CC5E6BAE5CABC5EF470C3949246C4AB4467C3ECE0A
SHA-512:	67B2CBDBD34BF37A61FBB436E4582270C75F965D12AA5C662DF868EFF743EF6054D68D059EDAAB28D8B06F6CD9A25BA064DDE31A227ED88FAE575D0C9C04EB6E
Malicious:	false
Reputation:	low
Preview:	[RemoteAccessShield.Setting]..BruteForceMaxAttemptsPerDay=60..BruteForceMaxAttemptsPerHour=40..BruteForceMaxAttemptsPerMinute=30..BruteForceMaxAttemptsPerTenSeconds=12..[Settings.UserInterface]..ShellExtensionFileName=0..[WebmailSignature]..GmailEnabled=0..MaxRequestSize=16384..OutlookEnabled=0..YahooEnabled=0..[WebShield.NXRedirect]..Redirect=0..[Offers.GoogleChrome]..DefaultState=0..ShowInComplete=0..ShowInIntro=2..ShowInPaidBusiness=0..ShowInPaidConsumer=0..ShowInPost=1..UseTryOffer=1..[Settings.{D93EF81A-B92F-27FE-AF54-9278EA8BF910}.const]..ScanAreas=*RTK-SUPERQUICK;QuickStartup;QuickMemory..[AntiTrack]..Enabled=0..[FileSystemShield.FileSystem]..EngineLdrModuleFlags=0..[Fmwlite]..License_check_interval=16..[PerfReporting]..AvastProcessesWprCaptureInterval=0..[Components]..ais_cmp_fw=2..ais_shl_spm=3..[GrimeFighter]..info2_licensed_period=3600..info2_unlicensed_period=3600..LicensedClean=1..UseGF1License=1..[StreamFilter.HttpPlugin]..ATisON=0..DohMode=3..Pinning=0..[OPM]..def_base=e

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.999842772173318
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip
File size:	1'192'377 bytes
MD5:	5e6ccbae7e98529febf929d16266987f
SHA1:	5f70c4d02eeb8c2ccfc1e55bb1c20561f4a99dd2
SHA256:	f5efe4bd130acb6905088afb7ebfa1ec3de6aa4f2bcd6cb6605abf4484956634
SHA512:	11be48bb104885b29efd6e688da292121f3669b069b019a133d89e54cd41d1021cafbea6aebe5e2978b8ebcef10542f81e5dd85014afd1376d1461742326fcbf
SSDEEP:	24576:IOG34t/380sE2UvB6jrbuS41iD1smRXemlDmV/mCHchOSl61jt:JEUp6juS41csp+DMuCHcgSl61p
TLSH:	C3453380BD861944D7876FD3CC6E85FC55A65BC263EF3D65B1266CA40047E382EBC2B8
File Content Preview:	PK........;{nW5..1.0........$.mozilla-firefox_qK5-VP1.exe.. ..........Y,......Y,......Y,............Z..B...x'..0~........,<..........R.i.Nm!....~^...I.l.l44..GI..rc).$Uz!..]L.HMMpa.,3u. .8.eo..mp/Bc`Y._.O...=.e[[.ZV..2.}6....5..:jNfS.&....3..r..5.._-.q..F

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

(copy)

C:\Program Files\AVG\Antivirus\BrowserCleanup.ini.ipending.0699c975

C:\Program Files\AVG\Antivirus\Inf\x64\avgbidsdriver.sys.ipending.0699c975

C:\Program Files\AVG\Antivirus\TuneupSmartScan.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\aswidpm.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\dnd_helper.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\gaming_hook.exe.ipending.0699c975

C:\Program Files\AVG\Antivirus\hns_tools.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\setup\aswd2a3a6766f965e6a.tmp (copy)

C:\Program Files\AVG\Antivirus\setup\config.def.ipending.0699c975

C:\Program Files\AVG\Antivirus\x86\aswhook.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\x86\dnd_helper.dll.ipending.0699c975

C:\Program Files\AVG\Antivirus\x86\gaming_hook.exe.ipending.0699c975

C:\Program Files\McAfee\Temp2863637682\analyticsmanager.cab

C:\Program Files\McAfee\Temp2863637682\analyticstelemetry.cab

C:\Program Files\McAfee\Temp2863637682\balloon_safe_annotation.png

C:\Program Files\McAfee\Temp2863637682\browserhost.cab

C:\Program Files\McAfee\Temp2863637682\browserplugin.cab

C:\Program Files\McAfee\Temp2863637682\downloadscan.cab

C:\Program Files\McAfee\Temp2863637682\eventmanager.cab

C:\Program Files\McAfee\Temp2863637682\icon_complete.png

C:\Program Files\McAfee\Temp2863637682\icon_failed.png

C:\Program Files\McAfee\Temp2863637682\icon_laptop.png

C:\Program Files\McAfee\Temp2863637682\installer.exe

C:\Program Files\McAfee\Temp2863637682\jquery-1.9.0.min.js

C:\Program Files\McAfee\Temp2863637682\jslang\eula-cs-CZ.txt

C:\Program Files\McAfee\Temp2863637682\jslang\eula-da-DK.txt

Windows Analysis Report
MDE_File_Sample_bacdeece4458ac1ee50cb505bd775588c4616b45.zip

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre