Edit tour

Windows Analysis Report
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Overview

General Information

Sample name:	Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Analysis ID:	1483744
MD5:	f3f16a12cdaf4e3fe51bece5dff8970f
SHA1:	e4bb36e12d8f566617f940c32764870e052a89b7
SHA256:	f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	35
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Submitted sample is a known malware sample

Contains functionality to infect the boot sector

Found direct / indirect Syscall (likely to bypass EDR)

Found stalling execution ending in API Sleep call

Installs new ROOT certificates

Modifies the windows firewall

Query firmware table information (likely to detect VMs)

Sigma detected: Dot net compiler compiles file from suspicious location

Uses netsh to modify the Windows network and firewall settings

Writes many files with high entropy

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates or modifies windows services

Creates processes with suspicious names

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w7x64

Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe (PID: 2836 cmdline: "C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe" MD5: F3F16A12CDAF4E3FE51BECE5DFF8970F)

Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp (PID: 2580 cmdline: "C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp" /SL5="$10302,13566766,780800,C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe" MD5: 67BCDCA0E7E60025269D8C14094BADCE)

avg_antivirus_free_setup.exe (PID: 1992 cmdline: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl MD5: 26816AF65F2A3F1C61FB44C682510C97)

avg_antivirus_free_online_setup.exe (PID: 3448 cmdline: "C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be MD5: 678507E1459F47A4D77AACE80D42D52D)

icarus.exe (PID: 3668 cmdline: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400 MD5: 0CD5718F7F5F8529FE4FF773DEF52DAC)

WZSetup.exe (PID: 2596 cmdline: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123 MD5: 3C17F28CC001F6652377D3B5DEEC10F0)

WeatherZeroService.exe (PID: 2904 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install MD5: 2B149BA4C21C66D34F19214D5A8D3067)

WeatherZeroService.exe (PID: 1076 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent MD5: 2B149BA4C21C66D34F19214D5A8D3067)

avg_tuneup_online_setup.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe" /silent /delayUIStart:120 MD5: F3B23C42A4CF4CA9F0C48F93B121CB41)

icarus.exe (PID: 2700 cmdline: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml /install /silent /delayUIStart:120 MD5: 97856AB19BE2842F985C899CCDE7E312)

icarus.exe (PID: 1724 cmdline: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayUIStart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu MD5: 97856AB19BE2842F985C899CCDE7E312)

netsh.exe (PID: 2728 cmdline: "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE MD5: 784A50A6A09C25F011C3143DDD68E729)

qbittorrent.exe (PID: 3488 cmdline: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe" magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712 MD5: 22A34900ADA67EAD7E634EB693BD3095)

WeatherZeroService.exe (PID: 3032 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" MD5: 2B149BA4C21C66D34F19214D5A8D3067)

WeatherZero.exe (PID: 748 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54 MD5: 7DC1C6AB3BF2DD1C825914F7F6F31B45)

csc.exe (PID: 3168 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline" MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 3272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4C9.tmp" "c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp" MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

PresentationFontCache.exe (PID: 3304 cmdline: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe MD5: A8B7F3818AB65695E3A0BB3279F6DCE6)

svchost.exe (PID: 3544 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

WerFault.exe (PID: 3572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468 MD5: 5FEAB868CAEDBBD1B7A145CA8261E4AA)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
17.0.WeatherZero.exe.1f0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, QueryName: ip-api.com

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, ProcessId: 748, TargetFilename: C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe, ProcessId: 2596, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 404, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3544, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, ParentCommandLine: "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54, ParentImage: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, ParentProcessId: 748, ParentProcessName: WeatherZero.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline", ProcessId: 3168, ProcessName: csc.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 146.185.153.16

Timestamp:	2024-07-29T00:54:09.852207+0200
SID:	2803305
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M1 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:52:47.496764+0200
SID:	2053280
Source Port:	49168
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:52:51.895802+0200
SID:	2053283
Source Port:	49171
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:54:41.673697+0200
SID:	2053283
Source Port:	49342
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.108

Timestamp:	2024-07-29T00:52:50.640668+0200
SID:	2053283
Source Port:	49170
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 146.185.153.16

Timestamp:	2024-07-29T00:54:08.635419+0200
SID:	2803305
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:53:01.237664+0200
SID:	2053283
Source Port:	49178
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

GPL SHELLCODE x86 NOOP - Source IP: 184.30.25.22 - Destination IP: 192.168.2.22

Timestamp:	2024-07-29T00:54:33.429128+0200
SID:	2100648
Source Port:	443
Destination Port:	49313
Protocol:	TCP
Classtype:	Executable code was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 146.185.153.16

Timestamp:	2024-07-29T00:55:28.857930+0200
SID:	2803305
Source Port:	49480
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:53:35.072943+0200
SID:	2053283
Source Port:	49194
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:53:05.628798+0200
SID:	2053283
Source Port:	49181
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:52:59.901883+0200
SID:	2053283
Source Port:	49177
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:52:58.574487+0200
SID:	2053283
Source Port:	49176
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:52:57.086537+0200
SID:	2053283
Source Port:	49174
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 146.185.153.16

Timestamp:	2024-07-29T00:55:27.692235+0200
SID:	2803305
Source Port:	49480
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.22 - Destination IP: 146.185.153.16

Timestamp:	2024-07-29T00:55:30.043553+0200
SID:	2803305
Source Port:	49480
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.130

Timestamp:	2024-07-29T00:53:02.783274+0200
SID:	2053283
Source Port:	49179
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:52:49.169369+0200
SID:	2053283
Source Port:	49169
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.141

Timestamp:	2024-07-29T00:52:55.465931+0200
SID:	2053283
Source Port:	49173
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.107

Timestamp:	2024-07-29T00:53:31.647052+0200
SID:	2053283
Source Port:	49190
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 65.9.23.108

Timestamp:	2024-07-29T00:53:29.697413+0200
SID:	2053283
Source Port:	49186
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Virustotal: Detection: 22%			Perma Link
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	ReversingLabs: Detection: 29%

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DCB0E0 CryptDestroyHash,CryptDestroyHash,	3_2_00DCB0E0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC82F0 CryptDestroyHash,	3_2_00DC82F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC9250 CryptGenRandom,GetLastError,__CxxThrowException@8,	3_2_00DC9250
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC8DC0 lstrcatA,CryptAcquireContextA,CryptReleaseContext,GetLastError,__CxxThrowException@8,CryptReleaseContext,	3_2_00DC8DC0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC9020 CryptCreateHash,CryptDestroyHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,	3_2_00DC9020
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC8260 CryptDestroyHash,	3_2_00DC8260
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC9340 CryptGetHashParam,CryptGetHashParam,GetLastError,__CxxThrowException@8,GetLastError,__CxxThrowException@8,	3_2_00DC9340
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC94D0 CryptHashData,GetLastError,__CxxThrowException@8,	3_2_00DC94D0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC9450 CryptCreateHash,CryptDestroyHash,GetLastError,__CxxThrowException@8,	3_2_00DC9450
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC8EF0 CryptReleaseContext,	3_2_00DC8EF0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DE2660 CryptReleaseContext,	3_2_00DE2660
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011781F0 CryptProtectData,GetLastError,CryptUnprotectData,GetLastError,GetLastError,	6_2_011781F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01140810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	6_2_01140810
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C37370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GlobalMemoryStatusEx,GetDiskFreeSpaceExW,GetSystemTimes,QueryPerformanceCounter,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	16_2_000007FEF6C37370

Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_81d802e5-2

Compliance

Uses 32bit PE files

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.108:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.108:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49193 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49195 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49206 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49328 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49336 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49342 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49401 version: TLS 1.1

Creates a directory in C:\Program Files

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus\avg-tu
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ro.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ru.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sk.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sv.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sw.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ta.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\te.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\th.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\tr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\uk.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\vi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\zh-CN.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\zh-TW.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_100_percent.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_200_percent.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\v8_context_snapshot.bin.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\icudtl.dat.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\snapshot_blob.bin.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libcef.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_elf.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\d3dcompiler_47.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libEGL.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libGLESv2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\resources.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\eula
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\eula\en-us.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\readme.txt.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\licenses
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\licenses\3rdparty.txt.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup\config.def.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup\servers.def.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnBS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnIS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnOS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswProperty.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswSqLt.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_routing.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_routing_rpc.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\log.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_manager.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_manager_burger.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\burger_client.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\tasks_core.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\dll_loader.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\module_lifetime.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\commchannel.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswIP.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\serialization.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\perfstats.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\nos.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\ntp_time.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libcrypto-3-x64.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\protobuf.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\swhealthex2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\asulaunch.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\autoreactivator.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\AvBugReport.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avDump.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\gf2hlp.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\pdfix.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\servicecmd.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\TuneupSvc.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaheap.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwalocal.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaapi.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaresource.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwautils.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwavmodapi.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_adapter.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_common.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_controller.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_worker.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\wa_3rd_party_host_64.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\avg.brand.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\index.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\offline.htm.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\Overlay.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\SvgInline.svg.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\vnext.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\app-bundle.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\vendor-bundle.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\css
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\css\index.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\cs.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\da.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\de.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\en.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\es-ES.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\es.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\fi.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\fr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\hu.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\id.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\it.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ja.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ko.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ms.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\nb.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\nl.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pl.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt-BR.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt-PT.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ru.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sk.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sv.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\tr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh-CN.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh-TW.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons\sprite.svg.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons\sprite.symbol.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\Kin.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\licensing.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\licensing.js.map.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\NitroAuth.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\NitroMenu.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\polyfill.min.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-dark.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-flags.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font-one.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-omni.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-one.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-light.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-omni.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite-light.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\TuneupUI.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\SupportTool.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30

PE / OLE file has a valid certificate

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.22:49403 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: icarus.exe, 00000010.00000003.645223142.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: icarus.exe, 00000010.00000003.554810296.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: icarus.exe, 00000010.00000003.581407235.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_threads.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.658108190.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: icarus.exe, 00000010.00000003.623485918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: icarus.exe, 00000010.00000003.560262551.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: icarus.exe, 00000010.00000003.637196830.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.630945228.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.550227376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: icarus.exe, 00000010.00000003.578175744.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.568380322.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb source: avg_antivirus_free_setup.exe, 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp, avg_antivirus_free_setup.exe, 00000003.00000000.464690367.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: icarus.exe, 00000010.00000003.602293785.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: icarus.exe, 00000010.00000003.656050960.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_threads.amd64.pdb source: icarus.exe, 00000010.00000003.658108190.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: icarus.exe, 00000010.00000003.639234376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.637196830.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: icarus.exe, 00000010.00000003.539814740.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.545275918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: icarus.exe, 00000010.00000003.562545177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: icarus.exe, 00000010.00000003.647469722.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.540005101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.651614177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: icarus.exe, 00000010.00000003.600052254.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.626175999.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.639234376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.604552209.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: icarus.exe, 00000010.00000003.545275918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: icarus.exe, 00000010.00000003.558030356.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.611563984.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: icarus.exe, 00000010.00000003.547922183.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.560262551.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\System.pdb source: WeatherZero.exe, 00000011.00000002.768174796.000000000688A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: icarus.exe, 00000010.00000003.632946971.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: icarus.exe, 00000010.00000003.540005101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_tu.pdb source: icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.764331274.000007FEF6CAB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.570651063.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: icarus.exe, 00000010.00000003.542465092.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: icarus.exe, 00000010.00000003.653880116.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: icarus.exe, 00000010.00000003.609506682.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.619287233.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.591165681.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: icarus.exe, 00000010.00000003.552577889.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.623485918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.614138294.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.609506682.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: icarus.exe, 00000010.00000003.595591569.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: icarus.exe, 00000010.00000003.570651063.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: avg_tuneup_online_setup.exe, 00000006.00000000.474219823.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: icarus.exe, 00000010.00000003.617206870.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.562545177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: icarus.exe, 00000010.00000003.593454396.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.588848336.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.537808772.0000000004D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: icarus.exe, 00000010.00000003.606705365.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.617206870.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: icarus.exe, 00000010.00000003.568380322.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: icarus.exe, 00000010.00000003.591165681.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: icarus.exe, 00000010.00000003.643295101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\vccorlib140.amd64.pdb source: icarus.exe, 00000010.00000003.575554023.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdb source: icarus.exe, 00000010.00000003.597791512.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: icarus.exe, 00000010.00000003.550227376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.542465092.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdbK source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.647469722.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: icarus.exe, 00000010.00000003.572869716.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: icarus.exe, 00000010.00000003.628643472.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.653880116.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb: source: avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: icarus.exe, 00000010.00000003.586562933.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: icarus.exe, 00000010.00000003.537808772.0000000004D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.602293785.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.641302550.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.547922183.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: icarus.exe, 00000010.00000003.621404345.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.539814740.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: icarus.exe, 00000010.00000003.626175999.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: icarus.exe, 00000010.00000003.611563984.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.632946971.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.578175744.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.593454396.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: icarus.exe, 00000010.00000003.566102420.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.586562933.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.649502615.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.621404345.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: icarus.exe, 00000010.00000003.581407235.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.597791512.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.628643472.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.572869716.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.656050960.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.566102420.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\vccorlib140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.575554023.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.558030356.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: icarus.exe, 00000010.00000003.630945228.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: icarus.exe, 00000010.00000003.584240153.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.554810296.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.600052254.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: icarus.exe, 00000010.00000003.649502615.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: icarus.exe, 00000010.00000003.635056930.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_rvrt.pdb source: icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: icarus.exe, 00000010.00000003.641302550.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.606705365.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.643295101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: icarus.exe, 00000010.00000003.588848336.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: icarus.exe, 00000010.00000003.651614177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: icarus.exe, 00000010.00000003.619287233.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: icarus.exe, 00000010.00000003.604552209.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: icarus.exe, 00000010.00000003.614138294.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.595591569.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.645223142.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: icarus.exe, 00000010.00000003.552577889.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.584240153.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.635056930.00000000048F0000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DDA4B5 FindFirstFileExW,	3_2_00DDA4B5
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405A19
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_004065CE FindFirstFileA,FindClose,	4_2_004065CE
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_004027AA FindFirstFileA,	4_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0113C2C0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,	6_2_0113C2C0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01164F10 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_01164F10
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01139D40 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,	6_2_01139D40
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C310B0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,FindClose,	16_2_000007FEF6C310B0

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 17.0.WeatherZero.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.160.176.28 34.160.176.28
Source: Joe Sandbox View	IP Address: 34.117.223.223 34.117.223.223

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

May check the online IP address of the machine

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 127Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 289Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 384Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 378Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 375Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 380Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 372Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 407Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 371Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 363Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 361Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 397Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 380Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 384Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070ebUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 359Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Host: ip-api.comConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.108:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.108:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49193 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49195 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49206 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49328 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49336 version: TLS 1.1
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49342 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49401 version: TLS 1.1

Source: global traffic	HTTP traffic detected: GET /f/AVG_AV/images/1509/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/images/969/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/AVG_TuneUp/images/1543/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/AVG_AV/files/1319/avg.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/AVG_TuneUp/files/1543/Fixed_Build/avg_tuneup_online_setup.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /?p_age=0&p_bld=mmm_irs_ppi_907_959_m&p_cpua=x64&p_icar=1&p_lng=en&p_midex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3&p_ost=0&p_osv=6.1&p_pro=111&p_prod=avg-tu&p_ram=8191&p_vbd=16424&p_vep=24&p_ves=1&p_vre=9662&repoid=release& HTTP/1.1Host: shepherd.avcdn.netUser-Agent: libcurl/8.6.0-DEV Schannel zlib/1.3.1 c-ares/1.25.0 nghttp2/1.48.0Accept: /Accept-Encoding: deflate, gzip
Source: global traffic	HTTP traffic detected: GET /?p_age=0&p_bld=mmm_irs_ppi_902_451_o&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3&p_ost=0&p_osv=6.1&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9311&p_vep=24&p_ves=7&p_vre=1966&repoid=release& HTTP/1.1Host: shepherd.avcdn.netUser-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0Accept: /Accept-Encoding: deflate, gzip
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org
Source: global traffic	HTTP traffic detected: GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1Host: api.openweathermap.org

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: d3ben4sjdmrs9v.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: honzik.avcdn.net
Source: global traffic	DNS traffic detected: DNS query: v7event.stats.avast.com
Source: global traffic	DNS traffic detected: DNS query: analytics.avcdn.net
Source: global traffic	DNS traffic detected: DNS query: localweatherfree.com
Source: global traffic	DNS traffic detected: DNS query: shepherd.avcdn.net
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.openweathermap.org

Source: unknown

HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 127Host: d3ben4sjdmrs9v.cloudfront.net

Source: avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.480980287.0000000007EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625275573.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767558037.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.481074288.0000000007ECE000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002C6000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.use
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4Code
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: avg_antivirus_free_setup.exe, 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp, avg_antivirus_free_setup.exe, 00000003.00000000.464690367.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://https://:allow_fallback/installer.exe
Source: WZSetup.exe, WZSetup.exe, 00000004.00000002.601034182.0000000003A81000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000000.468976681.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, WZSetup.exe, 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WZSetup.exe, 00000004.00000002.601034182.0000000003A81000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000000.468976681.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, WZSetup.exe, 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002C6000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625275573.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767558037.0000000007ED2000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.481074288.0000000007ECE000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.480980287.0000000007EEF000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761483255.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761305889.000000000018D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://sche4B004B0rosoft.com/SMI/2005/WindowsSetti
Source: avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://v7event.stats.avast.com/cgi-bin/iavsevents.cgiX
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.avast.com0/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.479845229.0000000007EF3000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.00000000004FE000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000738C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/collectVc
Source: avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDELETEPUTCONNECTTRACECOPYLOCKMKCOLMOVEPROPFINDPROPPATCHSEARCHUNLOCKBI
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://:///diffs//universe/.cgtt:http://.lzma/defs/
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/15https://shepherd.avcdn.nethonzik.avcdn.netPRODProcessi
Source: icarus.exe, 0000000F.00000002.763140956.0000000003BC9000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519663457.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.0000000000404000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25
Source: icarus.exe, 0000000F.00000002.763140956.0000000003BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25N
Source: icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25f
Source: avg_tuneup_online_setup.exe, 00000006.00000000.474219823.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25installSending
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25track-sub-idsplashtoasternagshelliconreleaselock-versi
Source: icarus.exe, 0000000F.00000003.519809089.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762519630.0000000002313000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521870091.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.avcdn.net/v4/receive/json/25~
Source: icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.750730782.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.675483685.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.688473885.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.703706256.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/entry?template=Safety
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=am
Source: icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=am&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ar
Source: icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ar&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=bg
Source: icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=bg&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.668085994.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=bn
Source: icarus.exe, 00000010.00000003.668085994.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=bn&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=caS
Source: icarus.exe, 00000010.00000003.673050245.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=cs&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.673050245.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=csZkratka
Source: icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=de&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=deVerkn
Source: icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=el
Source: icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.686095244.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity
Source: icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en-GBShortcut
Source: icarus.exe, 00000010.00000003.686095244.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enShortcut
Source: icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=esSe
Source: icarus.exe, 00000010.00000003.693418802.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.693418802.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=etOtsetee
Source: icarus.exe, 00000010.00000003.695985469.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fa
Source: icarus.exe, 00000010.00000003.695985469.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fa&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fiPikan
Source: icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=fil&category=theme81https://myactivity.google.com/myactivity/?
Source: icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=filInalis
Source: icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=gu
Source: icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=gu&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=he
Source: icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=he&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hi
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hrPre
Source: icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=hu&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=huBillenty
Source: icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=idPintasan
Source: icarus.exe, 00000010.00000003.725660865.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.725660865.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=itScorciatoia
Source: icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ja
Source: icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=kn
Source: icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=kn&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.733297584.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ko
Source: icarus.exe, 00000010.00000003.733297584.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ko&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.735850770.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.735850770.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ltSpartusis
Source: icarus.exe, 00000010.00000003.738213957.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.738213957.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=lvSa
Source: icarus.exe, 00000010.00000003.740784742.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ml
Source: icarus.exe, 00000010.00000003.740784742.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=mr
Source: icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.745789288.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.745789288.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=msPintasan
Source: icarus.exe, 00000010.00000003.750730782.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=nlSnelkoppeling
Source: icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=noSnarveien
Source: icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u
Source: icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=plSkr
Source: icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity
Source: icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BRAtalho
Source: icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-PT&category=theme81https://myactivity.google.com/myactivity
Source: icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-PTAtalho
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxcontinueterminatetimeout-elapseddelayworking-dirreboo
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.0000000000565000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001EB3000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.765916615.0000000007526000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766625644.0000000007635000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://control.kochava.com/v1/cpi/click?campaign_id=kohotspot-shield-2oo5a3058127822662&network_id=
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.0000000000565000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001EB3000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.765916615.0000000007526000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.0000000007260000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.0000000000565000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001EB3000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.765916615.0000000007526000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766625644.000000000760A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_AV/files/1319/avg.zip
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_AV/images/1509/EN.pngig
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F57000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_TuneUp/files/1543/Fixed_Build/avg_tuneup_online_setup.zi
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_TuneUp/images/1543/EN.png
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000387000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F6D000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipllC
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WeatherZero/images/969/EN.png
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/f/WeatherZero/images/969/EN.pngj
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.0000000000565000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000726C000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001EB3000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.765916615.0000000007526000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/o
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364249850.0000000001E50000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.761815462.0000000000565000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001FDA000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.367875798.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001EB3000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.765916615.0000000007526000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766625644.000000000764E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3ben4sjdmrs9v.cloudfront.net/zbd
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hns-legacy.sb.avast.com
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eula
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eulal/l
Source: avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/defs/avg-tu/release.xml.lzma
Source: avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exe
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/univ
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/039c/7d2b/e3ad/039c7d2be3adfad5b5622e73c92baf26305c08a1c93d68e0aa9
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/03ff/db03/6329/03ffdb036329a25beacf905d62611a13e3dfdda6cbd2d13af83
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/0438/bce0/0767/0438bce007674706ef0c13e9569a9c15a3c555dc69e719762d5
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/04d1/ea6f/fecf/04d1ea6ffecf8a972b4502877e3ece01b3332bd4e1e37276721
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/05a9/8b8d/c3b6/05a98b8dc3b6d5e3a224e17c144d873c3b84c6e704fd2b8dd65
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/06c5/90f1/b0b7/06c590f1b0b774a698133bc3a2636f9ab47b173a448fd01fe3f
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/08d8/11ff/57ef/08d811ff57efe50d9f365c76ec29e095474e0679e06bb4d0d4d
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/0be9/d91a/9dcc/0be9d91a9dcc5f3291697173f4ddf238ccb757c636bae1be16e
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/0ced/53f1/ac2a/0ced53f1ac2adc9525047d2c2a7592300dc48a5f52ad8b740ce
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/0e19/5a8d/013a/0e195a8d013a329a06df877a4569a3ec772f112ad29295f086c
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/0f54/3cf1/8ae5/0f543cf18ae5738c07081aa478914d143de3083896d6ec3d4a2
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1294/9111/bf85/12949111bf85a2236f071a294a508d99c90587a97b9ba7f61dc
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/137c/9569/1965/137c9569196502447db2a66b6431a556c88755f0ace956a806e
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1380/162e/4e38/1380162e4e38bb4d25be467e8a02420988036f7fc84d27f8968
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/13f6/7a42/aaaf/13f67a42aaafb7c1f6dadf60387b2769c8344299607b074870d
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1677/63cb/fa30/167763cbfa301f2ab7fada0d0a5b30f6571fb2b81a24d97b0c1
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/171c/006e/970e/171c006e970eb027d9f389c34fd5a508b7b10e756ee41b0cb66
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1742/9698/f20f/17429698f20f23090b16206bd12cb0ca0ba85a56c14e2dd2482
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1743/02c9/df05/174302c9df05f8f1c00c8d693594bfcedf11edb33bb2318a686
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1785/90c5/a7fc/178590c5a7fcf0d41d93724de8aa04f4bad7b9cec119a54a411
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1b00/87bb/b82d/1b0087bbb82d37048f2e3e67b981407de8a2aec642d263c4d6e
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1edf/013e/8900/1edf013e890072987b8957b77baecc37140bc01581e5de6b020
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/1ffb/04ba/6986/1ffb04ba6986f4a25f5191da50939cfe48d1581388148b7f64d
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/20d7/b576/daa4/20d7b576daa4bc3619df988004de4952315a1b855b0c51fc022
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2158/8e3e/4313/21588e3e43134224e3c571f7fe6d7cc790323142129aba3a242
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/21fa/942a/5f4f/21fa942a5f4f26996396f0d84807b6f8c01afd5809e2da33487
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2204/bb34/550d/2204bb34550d9d66fe7d4d0f1fe1bc2d25a61dc4ce323bddae5
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/233f/abe3/c589/233fabe3c5899101a12f8e1b55da2421c4b60c648e370f7364c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2375/2a37/2251/23752a372251b782f35f6fca4a17dc260159eca4620ddb610f5
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2418/a772/d39e/2418a772d39e45fbea52182965a901364ddcd5459a920c8dcb5
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/241f/3e52/86b2/241f3e5286b25864081f50edb93c4693bf001f04d7c7b98f5c4
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2432/f7f6/c297/2432f7f6c29745cff9af2feb01335ac30ec0068e92052a8e3b1
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/245d/48bf/ce5c/245d48bfce5cf6e9c5093e995d6ab5988e2401d32530fd6863b
Source: avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2569/a72d/3a55/2569a72d3a55ea7ad690d708907245c221664c5c88cadbc19e1
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2645/7724/f343/26457724f3431e3383ac833cbd990834dda8e5e76b961ff931d
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/27ba/ebb2/7c34/27baebb27c345e367f27b2ea8eb5895c2dadadea282a0fa94a1
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2a1d/bb21/1b19/2a1dbb211b19bad193f05168a92279c78d7a35d054136debae5
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2c55/7f6a/21db/2c557f6a21db6c99af6184637b5efb57e44b40fae892230a43e
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2c9a/8f8d/47b4/2c9a8f8d47b49d04a82e8e689ae9f6552482b1861eb8398f373
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2e23/b534/41ba/2e23b53441ba6b0779b222c120d44eb9a156d55cc3648f76216
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/2f9c/dd96/5650/2f9cdd965650440cebaf2349140a7dde9b587829b7753de8cd0
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3051/442a/3e90/3051442a3e905dfdfb8f17f49d12a3722c511faf9aba0fc86d5
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/32e3/ef7e/ecb1/32e3ef7eecb194ae922e54f69109325891090dca90e2226f9db
Source: icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/336b/6bfe/3568/336b6bfe35680a19b02d583f332df5d0f5dc6fa5729c2910fb1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/341f/513c/074c/341f513c074c65cb657b4f40466eb063403078ae565340bbdd4
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/352b/cc0b/ebb9/352bcc0bebb9eec1b41c99ef2f2b953be15835e4b1d1d9437c2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3638/25ad/b27d/363825adb27d5a5bd249fe58460a977077f823e50dac7509e12
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/36f4/1a34/6ed0/36f41a346ed07708ce12d54e5a4c4612f49a375155d1655a23c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/372e/f659/3019/372ef65930199da89896452fd1ef236afd690429d3b7a7d17af
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/37de/e8b7/f925/37dee8b7f9251258d2be3aa006fcb5473d4adff044d087b6f14
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/390c/c2c9/18fe/390cc2c918fe5a4d764659f3a2e952e8f4e3042907f7ccd0ce6
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3a14/537c/a4e6/3a14537ca4e6f39d47cb8cda0fc81e2970eb3a112cb64c5ac4d
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3c29/339b/c247/3c29339bc247023d8bbe702780df818e728c8372a3417bb3a9f
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762437964.0000000002D27000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3cda/1098/0a23/3cda10980a23de97163a2c06b31829cca1ec3da63b0bb0a2461
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3e11/6ffe/2f55/3e116ffe2f55faa2c2b96aee4da637e6424cb48bab27d9f94a9
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3e19/9808/86a6/3e19980886a66ca92ea762b86ab44fac8e71fb16fbf4dd13864
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3f2e/5a65/ebf8/3f2e5a65ebf8938ff4e9676b12573b23c72501761f1bff4d5ae
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/3f6c/aa86/2fc1/3f6caa862fc1bc66230b24ea4d88d31f40303d0cfa1f5584ab0
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/411a/729d/9288/411a729d9288a62780c32d6bf5f4cf0fd8d221ff341ce79c2ec
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4161/709c/ff78/4161709cff780400d4964d10613191e22fc7cb2905e7503bcfc
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4314/b037/4ed6/4314b0374ed6018ce9bed89112801a9bdf9d9f9c1b55bffa15c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4413/6fa3/55b3/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4443/3466/2bfe/444334662bfeb9dae550a03653548d74c16ca7c3422e0df6a7c
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537671175.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4496/31a3/f5fa/449631a3f5fadef72acc2c2f84765208d0ca014ec1fe93fb9ad
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/44cd/f8d9/53ff/44cdf8d953ff2e52b40056d9e564047868b4341643737aa6a2f
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/44eb/de7f/2681/44ebde7f2681c0b8518e55ca242261b24f326994f089a4ef6c0
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/459a/55f0/6d23/459a55f06d23b6f913e3992e635847e6fb87175dbe48a0c5a02
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/49d8/c891/2087/49d8c891208721e90033878933141c0106712f82d4b52497886
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4a24/4eea/4596/4a244eea4596ebde0f9094cc6dfeeb5abb3c4385225bb0630ef
Source: avg_tuneup_online_setup.exe, 00000006.00000003.516339663.00000000003DB000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.00000000003DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4baf/b54c/d863/4bafb54cd8637586dbfe316ea6e7f9f50010ff021f813128490
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4dbd/e72e/cf65/4dbde72ecf65ac84b6c01251d37c425c4cedc00e3cd9cd40c0b
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4ea0/2b68/3513/4ea02b683513a157e21824b1c1e9ebb782d22f14209b67961f9
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/4f05/ebf6/61c6/4f05ebf661c65b1c9abcd5ab9641780ae3b082c25cbd3b44304
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/522e/7a2e/1f7d/522e7a2e1f7d8e49b5632759cb5dae269578edc522689bdbcb2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/53af/ac76/a712/53afac76a7124a132a7c11261f3b6ba8d6a5466e7e8f683c8d1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/53ea/070a/f084/53ea070af084fe7967d52f51ec412972c0bb732686816c45526
Source: icarus.exe, 00000010.00000002.763106730.00000000044FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/549b/190c/3722/549b190c3722d4774cc7a8a2730f858dba66f063840469799ad
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/564f/66a0/78ff/564f66a078ff6e186c23983a233193e81e2c68df11933c16454
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5662/0353/61e3/5662035361e37f6c5e4a5a19de134df2ec20bd4c0f1be803203
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/58d9/a9b2/442c/58d9a9b2442c10140db98ba705e8c7b7b9ac5a2c030d3286a66
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5917/3f78/6dd1/59173f786dd1f3802f7ab26fd339aac4099dc10c6cb54a6a922
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5955/1466/831d/59551466831d1f99a090e9a0208e036cc704ba1143bdf2c9319
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/59a0/ad87/f4aa/59a0ad87f4aa0bbfc2d1462ca7d5e760e2f6f2911c6c31f0fd4
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5b68/63c0/1f7e/5b6863c01f7e3e843890a0b8deca14a1d883303b0303352005f
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5b8f/0683/0a22/5b8f06830a229865590f1cd767fb4eee53fc432652710e678d7
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5b96/001b/5c22/5b96001b5c227efa9e7e16a8d0cbe54fce402b30a8c59175e89
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5c28/d981/ffaa/5c28d981ffaaa929b0c7b273b6ed01d35d7bd1fcb5dad36a520
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5cbc/4bdf/c8ae/5cbc4bdfc8ae2b5e9d2ecd8370dc50123b9e6a7870ae6e0ea4c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5cd1/90d5/4495/5cd190d544956818f6a382b47eae08cb17c80002beefbf0e670
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5e48/c99d/d631/5e48c99dd6318b017686bde507cdcb9d6ecf25f4f78f345845b
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5eac/a86a/3792/5eaca86a3792d40db18e7d1ce39683471bed1e8b169d7161018
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5f51/066f/a370/5f51066fa370765762f4ba53f7862fab079e9d77dfa71c446f2
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5fe2/5816/8978/5fe258168978f52d2b3c6f063c7a7c381a70ac06e128ababe66
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/5fef/05d0/2e5c/5fef05d02e5c971e8d3f6b5584720ebeed7c7e6e5214320f09c
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6070/ffb5/e20e/6070ffb5e20ed032d460d323df981d369fa68045fab130fd100
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/60dc/a5a6/c69a/60dca5a6c69a13a6a63a2dd508c44802b950c25f8504adee278
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/60e0/f753/3dd1/60e0f7533dd163da804ac5445f2a80fbda26bc58ce26d8d2de7
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/61f4/fd60/db04/61f4fd60db04c3e0ec2cf35426863c2463254f9a738fd3c58bd
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6615/bd59/f075/6615bd59f0759e6af09309b8344c0e7f0c2dc2bec55beaa0afd
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6646/8ec7/4062/66468ec740624dc5ca9988e2aea145bbe915333db3327653f13
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/66f9/1072/1f44/66f910721f4477ea238603e5c14c858d1e26fc2ceaab3b48294
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6706/2dee/2093/67062dee20934c4d297aaf1dd96d97a7bee8bca5c9e3cf3c6a1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6ba0/a830/266e/6ba0a830266e0ceb14ac21b69091829f3799615969702124fb7
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6d78/64b4/185c/6d7864b4185c9ecf88c116aff35223eee67161d9b95eeb4eeab
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6e0b/6b0d/9e14/6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff61
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6eac/1b86/5eab/6eac1b865eab76398b25e532065cd1adbfb6933f88b90aff699
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/6fc5/51cf/bcaa/6fc551cfbcaa0f90ed24dd09fa117e9fb3b6755a3fc0251d33c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7007/0d44/c9e5/70070d44c9e5ec62c57b574837423f849ed363c0167e8019afd
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/70ea/0038/1aa8/70ea00381aa8ae93ce9f64ae29ad3de0263ee5991861120c8df
Source: icarus.exe, 0000000F.00000003.521853749.00000000023D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/73ee/5495/78de/73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7498/5d60/9359/74985d6093599400f89059340fbf2bbfd2b8c246a2650bd77e1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7519/6a8d/a0ff/75196a8da0ff755dcc03ef474a0ab81873fe4281d23efc518cd
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/75e1/fa41/330e/75e1fa41330e6e999c7d956d51b28bf854e5f3d6b1936f415bc
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7652/d063/f163/7652d063f1630e33228809834f71e6e2ffec75c472ec66b6ed7
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/79fa/0f06/8f09/79fa0f068f09ed239a8e0c3f1da0b35fa1f86622f9fa47721e1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7b55/56c0/6bc7/7b5556c06bc747b81202b271b527a7d777c1ad76cc53a3fe3d0
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7bef/0f11/011c/7bef0f11011c0563e927789bc82b44bad51c44a7607db3aed5f
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7d3d/8833/2d47/7d3d88332d4744c9b6be81e2ba8d42ced7657ce7879a26f5b8a
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7d5e/351b/5b57/7d5e351b5b57a91079f7671702f7994b4c331658e3691ecfc5e
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7da6/cf5a/72f6/7da6cf5a72f68aa3f9f254657f55fcaf31ee5b2936886a4e082
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/7f04/7181/c386/7f047181c386fceb204184cf02d1ad1859e5293db04122c5c65
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/80ab/358c/fdaf/80ab358cfdafe9533005571d832377a08e5df4801a6f61be7ae
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8586/2323/a312/85862323a3128490a2c1be66a36480f7eb73a2294d62ef4ff38
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8858/1d49/e6c8/88581d49e6c83ef74fe4aeed438c0380f321d9eaf3b8ef210d3
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8875/816a/3809/8875816a3809753c04acd961244608e9a47127523c1d5e50cdd
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/890d/bb72/c4c3/890dbb72c4c35266bd658c663c1242cfa3b50cf51e2873e986b
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8ac9/e9bc/1b5e/8ac9e9bc1b5e382e976b9e7e4d05a7710213479adb3c81c3539
Source: icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8b84/07ca/8727/8b8407ca872711857c1efe032f0c71df17fbe8d82107a09953e
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8c0b/2ce7/b8a9/8c0b2ce7b8a9a60fe60fbba387387081527964196e1bf5ad6fe
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8d39/adca/8667/8d39adca8667657a08604ace6a28b647e7eebddc6e306db032b
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/8ef0/02c7/ef1d/8ef002c7ef1d7207b5b41038f16fef198d2343c0539f1409096
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/901c/70df/9b97/901c70df9b9714b22d264375bf5c91ef469edafc25c6762e7b0
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9057/131f/628e/9057131f628e547c14754d545140ad6544e64606358104da508
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/90ba/9da4/3d67/90ba9da43d6705d76905e630505bd1fd097d1899c9bca3241ad
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/91de/cddc/6e80/91decddc6e80d742755a1f65261d10c3c0d059aaea6389bb2da
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9452/25e0/1a65/945225e01a65e5199aa7372b893da3b42dbd99f315c345f0e7c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/959d/a2f3/c415/959da2f3c415416b1e272c9b1e3210cd28fb308e8f61b4a6e09
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/982f/cc32/d761/982fcc32d7614cb921cc5203970e3997a33b31aa1d91f14db5d
Source: icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/990b/6559/fb32/990b6559fb32e86df8045cdf8687fe7176fb810c18b2032fbb1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/993a/f3de/5e1f/993af3de5e1fe2e3d0954cf06254fabb91a5a3aa513183fe084
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/99ed/148f/fbb3/99ed148ffbb35829480412dc64da6ad24dfabe2f9a0eff9ba14
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9b4a/ed11/a497/9b4aed11a497341e5a1787b5a7c7c0e8a3e00c6764292c10c1f
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9c58/80c3/95b4/9c5880c395b4e7db4b8d6de49c75909abdaeeef0b041c1703c7
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9d5e/a653/7bef/9d5ea6537bef2799f97f404eefbb9d074fa73d936889f71de1b
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9d91/a240/ea5e/9d91a240ea5e1e77db5d18ddb26932109163993916bd1420952
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/9f49/6e18/1b1c/9f496e181b1c862c7a7d03c09d9b0a5361535c98acbb1a9d50a
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a030/dc2d/fd2e/a030dc2dfd2eca28a9375c92989adf4daf161f988db5e16b9e1
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a067/9708/6a3a/a06797086a3ae1bd42bd93fdfb239a787d521cbabdda56a0c15
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a1f9/3015/8d24/a1f930158d24d738c36c146ab714d86f91e162fec3789cb11b6
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a22b/8186/4fb4/a22b81864fb4219821647d67196f91ef9ba3ba43497a7643b07
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a2d3/c326/b616/a2d3c326b616f0a7abdd5b67499e21a2fb6f319921121754a8e
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a467/c823/633e/a467c823633e6618637b567335b01c1398017684a761041cb7e
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a5fd/cd13/f711/a5fdcd13f711d4665d1960f512f1bd229dbbacb24c86bbb3773
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a73b/d7d7/5f36/a73bd7d75f368ab2fe949dcddbb25cd5d5975ff9091761a01b9
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a793/3fb0/85c6/a7933fb085c61ef63d8f8e29c1bf0f43b823b53b2f40f586f98
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a796/31a7/edb6/a79631a7edb6e5b700a7459d273f5261eb14177900423a8d3ba
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a83a/f0f7/9abb/a83af0f79abb5e5c818c6f38a38da80e531081f3255cb006ed4
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a883/8892/1f91/a88388921f91da37410969694603194664900a2fbd620c8a135
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/a9cf/f7d7/7828/a9cff7d778289b25bca696ff4873e45f098be21f8f4fa3105ae
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/aaaf/f8d6/c9f0/aaaff8d6c9f0307c4eb3dda812f566300073414de002bcefb27
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/aca7/9a9c/1f6d/aca79a9c1f6d664d99691fd0d3d84a8819993f784b2ff6d7baf
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/ad97/f170/8909/ad97f1708909ba1c2d6119de7536448805f00275273a8b33e74
Source: icarus.exe, 0000000F.00000002.761586681.00000000004A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/add1/dd3f/b660/add1dd3fb660dfb534317cb29e18a37e82f4e27000004ef2921
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/ae4a/8e4e/3706/ae4a8e4e3706626f7ba53cb395e2472389bdc1319fbbaaca608
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/afc3/aebc/6083/afc3aebc608357b890e53448a06153afaaa659eeb1368716d85
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b2d6/e3ca/b44d/b2d6e3cab44d82a35406407339f6e707ff6f6b65671d4d1b43b
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b331/a61b/852e/b331a61b852ef66a160956e9c2e62325c8bd09277449dffd567
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b33a/762f/0eb0/b33a762f0eb072033044e7ee89505b695f357c958d4107ce6f1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b61f/48c2/35bf/b61f48c235bfa90c7aa9d95320f72c7597948f3456e7620dd0b
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b771/5a20/2126/b7715a202126e0788545e7a179b92c95a51540ea6f5e630a989
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b905/7e83/1e61/b9057e831e615eac70b8de45d0f60fd98ca2ec086952d5702a4
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b967/887c/6313/b967887c6313fc
Source: icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/b967/887c/6313/b967887c6313fca79a82168645c1febe43c949f01e0eff3bb84
Source: icarus.exe, 00000010.00000002.762757687.0000000003A80000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537671175.0000000003C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/bb7a/4a5a/1876/bb7a4a5a1876c82573416be7fd1dd2d07fd8388b50f6db578f2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/be1d/dcea/5156/be1ddcea515691d8a64442eb42b837b4d5b12e726ddb6251565
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/c1ae/0d42/a7ff/c1ae0d42a7ffb774a89edc4abf138fb10b07d4badeb624d4044
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/c2ab/b968/1f0e/c2abb9681f0ea55e9be7086c1b7a37297f28575cbe9122b0c3c
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/c418/afdb/d267/c418afdbd2677a8460ef2f0b1d2f83fb5737c7e8be77cfaa2f5
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/c42a/c2e2/e70b/c42ac2e2e70b86e9e884f598db48c1c386b12e1d8a2d6340082
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/c79b/92ba/066c/c79b92ba066cf5414fc37795e6a76e966c23143bd3c48c0cf5f
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cbec/231a/3e3b/cbec231a3e3b760c82cc736ee6630498a6ed695da056a25ebff
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cc1b/23ef/6948/cc1b23ef6948829b9831cbb8bf25ab50d57335c82e2d360259f
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cc89/c31c/6bb2/cc89c31c6bb236467369dee2feaa6be10b2824fc31bdcfbbbf1
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cd69/a244/caa1/cd69a244caa174161bb257f93adb9471bfb15b78d4295e25d0d
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cefd/aea7/b486/cefdaea7b486364291fad01ff402ab8098e2e13bc73b2bbeac2
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/cfd3/2bde/b8a9/cfd32bdeb8a915b2a99cc609d0136cc8655cb48b4d80e8dae79
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d044/7e59/5d85/d0447e595d85098fecc0e0bfa51c93506f9e218ed10d0a916ee
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d288/6700/6ece/d28867006eceed94995b6db166ada3cc80a7045bb640b3d6e23
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d364/1bba/eaa5/d3641bbaeaa5a7e7d4ee0ee0ec64ccee0327cfba3d10b890941
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d512/4a5b/9ba9/d5124a5b9ba9392157cc2545d86a7f78a81772fd28bc9cb0297
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d56e/ae93/c55a/d56eae93c55abdc8eb77d132777049634e28a9b59fd4b2101d5
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d6c2/5ec1/5ccc/d6c25ec15ccc15eb7ffc2b8fcff230dc28fb49bdcd122580181
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d718/e1b6/c352/d718e1b6c352112c2f8e36b4ba5ed28e6179257fd2fe944c4a0
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d784/ec66/7a92/d784ec667a92778b3738fdc7b78f6560f54293764b26773bb02
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/d938/8848/ebfe/d9388848ebfe27138998518332bb507e5dbeb1d8851e9ed0300
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/dc9c/eba0/14a2/dc9ceba014a20b6adbaaa79198f56bfba335d59198db708a22f
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/de26/ad77/d4f1/de26ad77d4f163eb7d659e50bcc7227da271ba959e6969ccfd2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/de80/8ac9/6fb1/de808ac96fb1be71fa36f71d0ce741a970ca6979319f6320694
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e064/42e8/a8e9/e06442e8a8e9b1b42c5030c8ec47498607185834a76b1279001
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e0dd/11e4/981a/e0dd11e4981a4028745e1e5e14c91a52725abda58cc0a2ee509
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e3b0/c442/98fc/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca49
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e4e8/5eea/1106/e4e85eea1106d361923995e53a0b961a28d4fb58555f4094500
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e66f/ae8b/e5b3/e66fae8be5b35ffbc6ca316a6d25c85a69aa0cb01e139c414df
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e6e8/39c6/d205/e6e839c6d205f91adaa3d980f843bab3131b8a25e06d152d0f7
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/e720/8292/8402/e72082928402426a47d26d7f30dbd6b6e4442073d5e89b8b0d3
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/ea32/3024/0917/ea323024091753a5576a343e46d19bfbf9939122bdde53d91d7
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/ea51/bf1b/18be/ea51bf1b18be61059770f076f526635bb2d880e1a64c4dd8533
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/eb78/51e1/82a4/eb7851e182a4675bb34633869938ff3579779a92a6c094194ef
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/eca3/cbac/eb77/eca3cbaceb77840c7d861b559ee3ceadafa9f7777856112c9bd
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/edb3/ff7c/ef28/edb3ff7cef28496d535e40769625e542dd3e13110c38ce2e3dc
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/edda/8867/ea50/edda8867ea50a6652a77933e2e737ecfab9dc6f3df958dfd416
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/edfb/cb2c/ed71/edfbcb2ced712f23842525cb076ee2c09cc7b811a389cf37922
Source: icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/ef0a/523b/cfa4/ef0a523bcfa4d3a1b7472947a1f2a0a68e24c628386f7f0056c
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/efe6/a9d8/dcf7/efe6a9d8dcf76f5286bec0496209f59da3de6ab6e355a183b69
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f25f/f7a1/8aeb/f25ff7a18aebd6ecaf56c2b125aaa22a1699fe2ee9cc6f190f6
Source: avg_tuneup_online_setup.exe, 00000006.00000003.498377072.0000000000452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f27f/92f0/0350/f27f92f003505dbca839513d233198211860de0ef487973a5ce
Source: icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f311/7e34/4594/f3117e3445945a872a35e91371e2a6c9f7b3fa5e74e5985f6ab
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f353/bfe0/2e30/f353bfe02e30f4fd5cdc89bd7f44703257f229a09f0d815d779
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f3bc/064a/760a/f3bc064a760af5a862cc57c1734b2a5fa78a259b634061ae8de
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f3d6/b13a/23a6/f3d6b13a23a6a032838f75255ed506051504e09c77121bfcf59
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f44e/e1ae/b571/f44ee1aeb5713a578b09a90ebd9735f79c4b5ad497a2f73f203
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f456/b99b/1cc7/f456b99b1cc7bca914b27b4c2b602bbffa24e5f6204e8286f22
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f5fa/77eb/a62d/f5fa77eba62dbe16cadf3120c397212224c930da261901b060c
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f65b/1b3e/a276/f65b1b3ea2767f98f0c29118e85b06f4e61654bec34b60b3abb
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f67f/179e/470f/f67f179e470fd6f75370cdae6b2b9caea0d4df5a5cff167ca93
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f843/cd00/d9af/f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f872/fa91/38af/f872fa9138af2b4632d1c48cafbbbd2cfac6eb80a04047bb402
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/f982/54e3/99a0/f98254e399a058df8be19d7536ab6e1cd89568a870ed8c0a408
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fa17/1dcc/44ba/fa171dcc44baf46cd4331d0a833172185ff6a166a31ab4f9890
Source: icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fab8/b112/187f/fab8b112187fcf9ba5102ff0aac2f5eec63a646c8bf808fc5a2
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fb0a/9a2e/1d94/fb0a9a2e1d946132cec6655a49056accfe79d9ca1477d1218f7
Source: icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fb4b/382e/2dfa/fb4b382e2dfa80b3427a98c51d3270b1e80b5c2a10fdae1a72b
Source: icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fb9d/a289/5730/fb9da2895730be8d82924d01d5e0dc28c454d8b91a1aab556d2
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fdab/2ebb/416b/fdab2ebb416bf1fc63c377a7dae059a7f09847d963d5c172e3d
Source: icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://honzik.avcdn.net/universe/fffd/59f3/d29e/fffd59f3d29e3c1e30d5f9db2e07483d1ac2a0c4cefa288241c
Source: icarus.exe, 0000000F.00000002.762519630.0000000002313000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519579336.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.761586681.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519608458.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519449287.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519449287.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519809089.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521870091.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519663457.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipm.avcdn.net/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000000.364149573.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WZSetup.exe, 00000004.00000002.600783672.00000000002C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/
Source: WZSetup.exe, 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://localweatherfree.com/forecast
Source: WZSetup.exe, 00000004.00000002.600783672.0000000000275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecast9
Source: WZSetup.exe, 00000004.00000002.600783672.0000000000275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastMp
Source: WZSetup.exe, 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://localweatherfree.com/forecastlocation=Oyc5AZte6BRxw1ouTgQV3JSxfIPyPe4E6n3DJxY5EoFJbSpaRdWxWe
Source: icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.695985469.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.735850770.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.673050245.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: icarus.exe, 00000010.00000003.745789288.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comAkaun
Source: icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comAkun
Source: icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.703706256.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comCompte
Source: icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comConta
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.693418802.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.733297584.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.740784742.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.738213957.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.686095244.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.725660865.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.668085994.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-KontoF
Source: icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-kontoLagrede
Source: icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-tilisi
Source: icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comKonta
Source: icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comcuenta
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesntrol
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002C6000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avY
Source: icarus.exe, 0000000F.00000002.763140956.0000000003BC9000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519663457.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net/
Source: icarus.exe, 0000000F.00000002.761586681.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.0000000000404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net//url
Source: icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net/2text
Source: icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net/:
Source: icarus.exe, 0000000F.00000003.519809089.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.762519630.0000000002313000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521870091.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net/ear
Source: icarus.exe, 0000000F.00000002.762519630.0000000002313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shepherd.avcdn.net/ler
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeWH
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://submit.sb.avast.com
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/cloudprint/answer/2541843
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://viruslab-samples.sb.avast.com
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://viruslab-samples.sb.avast.comStreamBackavast_streamback_
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/priva
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766430491.00000000075F9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacyUninc
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766430491.00000000075F9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/terms
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winqual.sb.avast.com
Source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winqual.sb.avast.comhttps://hns-legacy.sb.avast.comhttps://submit.sb.avast.com
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.000000000030A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.000000000030A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/privacy/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F84000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula#pc
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.000000000039C000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula#pcY
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula%Q
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products2
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-productser
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.0000000007375000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-poli
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.0000000007313000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy#pc
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy#pcll
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.00000000003A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy#pcolicyM
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policyB
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policyy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766430491.00000000075F9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.co
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767078299.0000000007D52000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000733C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eula
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eulaontrol
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eulat.netU
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767078299.0000000007D52000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000733C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacy884d
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761598091.00000000002D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacynet/f/AVG_TuneUp/files/1543/Fixed_Build/avg_tuneup_online_setup.zip
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacyro
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.733297584.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.740784742.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.695985469.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.668085994.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAdministreres
Source: icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAz
Source: icarus.exe, 00000010.00000003.750730782.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBeheerd
Source: icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlDikelola
Source: icarus.exe, 00000010.00000003.745789288.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlDiurus
Source: icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGerenciado
Source: icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGerido
Source: icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGestionado
Source: icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGestionat
Source: icarus.exe, 00000010.00000003.725660865.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGestito
Source: icarus.exe, 00000010.00000003.693418802.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlHaldab
Source: icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.686095244.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlManaged
Source: icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlOrganisaatiosi
Source: icarus.exe, 00000010.00000003.738213957.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP
Source: icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlPinapamahalaan
Source: icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlPod
Source: icarus.exe, 00000010.00000003.673050245.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlSpravov
Source: icarus.exe, 00000010.00000003.735850770.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlTvarko
Source: icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlVon
Source: icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlZarz
Source: icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/cloudprint#jobs
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000000.366591506.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/l
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/legal.htmlnt
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlC-4c4
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/SSOR_A
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computers
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computersn
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computerspb
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacyediu
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacytVerO
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000729D000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F6D000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767078299.0000000007D52000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767144223.0000000007E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v15-44
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.000000000729D000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F6D000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.767078299.0000000007D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000000.366591506.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/eula.h-
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/eula.htmlm
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/privacy.html
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/privacy.htmlutW

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49342
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.130:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.107:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.23.141:443 -> 192.168.2.22:49185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49216 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.22:49402 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.176.28:443 -> 192.168.2.22:49403 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Code function: 4_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_004054B6

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe

File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe entropy: 7.9989501137	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0 (copy) entropy: 7.99668482326	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1 (copy) entropy: 7.99970462794	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2 (copy) entropy: 7.99783504181	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip (copy) entropy: 7.99668482326	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip (copy) entropy: 7.99970462794	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip (copy) entropy: 7.99783504181	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\d41e33d9-e901-404c-9720-50ce3e8b93b7 entropy: 7.99992813799	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dc8799ee-a375-4c12-9fb7-0f0f1e0242ca entropy: 7.99995855481	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\7110876e-c707-47f5-a964-c0235bc1063e entropy: 7.99981282632	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\d09e1dba-8496-4c81-9749-124976617f15 entropy: 7.99987125574	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\c071278f-9a17-4f4c-96ee-d32ed61047ee entropy: 7.99594032584	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\setupui.cont entropy: 7.99930510838	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\5dacf77e-50a0-4da1-8d1e-4762ff9b06ca entropy: 7.9992609024	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\setupui.cont entropy: 7.99930510838	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll.lzma entropy: 7.99963235345	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe.lzma entropy: 7.99297729358	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30.lzma entropy: 7.99955246461	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30.lzma entropy: 7.99101302945	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30.lzma entropy: 7.99794723802	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30.lzma entropy: 7.99862047916	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30.lzma entropy: 7.99834824264	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30.lzma entropy: 7.99776935509	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30.lzma entropy: 7.99768833955	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30.lzma entropy: 7.99788320195	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30.lzma entropy: 7.99795149158	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30.lzma entropy: 7.99752478463	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30.lzma entropy: 7.99744240179	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30.lzma entropy: 7.99805381151	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30.lzma entropy: 7.99800257299	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30.lzma entropy: 7.99806031707	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30.lzma entropy: 7.99764457328	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30.lzma entropy: 7.99751556629	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30.lzma entropy: 7.99817934805	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30.lzma entropy: 7.9977962103	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30.lzma entropy: 7.99749560743	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30.lzma entropy: 7.99759656147	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30.lzma entropy: 7.99776224309	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30.lzma entropy: 7.99744836908	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30.lzma entropy: 7.99812650657	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30.lzma entropy: 7.99762534757	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30.lzma entropy: 7.99802387373	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30.lzma entropy: 7.99784968611	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30.lzma entropy: 7.9976845176	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30.lzma entropy: 7.99753660799	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30.lzma entropy: 7.99780595559	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30.lzma entropy: 7.99761454295	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30.lzma entropy: 7.99731102293	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30.lzma entropy: 7.99759521236	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30.lzma entropy: 7.99730017878	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30.lzma entropy: 7.99754477044	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30.lzma entropy: 7.99800583183	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30.lzma entropy: 7.99774313675	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30.lzma entropy: 7.99750132036	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30.lzma entropy: 7.99770045956	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30.lzma entropy: 7.99772711457	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30.lzma entropy: 7.99793804394	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30.lzma entropy: 7.99767305405	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30.lzma entropy: 7.99781791373	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30.lzma entropy: 7.99799447796	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30.lzma entropy: 7.99248329192	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30.lzma entropy: 7.99610780555	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30.lzma entropy: 7.99749512376	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\61d8eaaa-d1ef-4ef3-a7b3-fe99c71f4a10 entropy: 7.99991006484	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\c7b0a936-4fe4-4810-a524-cc4085ddf539 entropy: 7.99995308915	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\e8088771-abc5-48f9-aa6d-457c51e9bbfd entropy: 7.99983633814	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\801d32c9-f423-434d-9ea6-5b3548e0dcd9 entropy: 7.99988075731	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\ef6e8662-6145-4554-a04d-055f864f0810 entropy: 7.99856698372	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\setupui.cont entropy: 7.9994989192	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\9738121b-21ca-4ba5-a71f-2e2877cdee90 entropy: 7.9995336856	Jump to dropped file

System Summary

Submitted sample is a known malware sample

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Dropped file: MD5: e346fcecd037f0be2777231949977587 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Data Source: https://github.com/RedDrip7/APT_Digital_Weapon

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0111B930 NtQueryInformationProcess,GetModuleHandleW,GetProcAddress,GetLastError,GetLastError,NtQueryInformationProcess,	6_2_0111B930
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0111F560 GetModuleHandleW,GetProcAddress,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,	6_2_0111F560
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0111B9F0 NtQueryInformationProcess,	6_2_0111B9F0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C32F60 NtOpenKey,	16_2_000007FEF6C32F60
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C33410 RegCloseKey,SetLastError,RegSetValueExW,RegCloseKey,SetLastError,NtClose,	16_2_000007FEF6C33410
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C33090 NtQueryKey,	16_2_000007FEF6C33090
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C33180 NtDeleteKey,NtClose,RegCloseKey,SetLastError,	16_2_000007FEF6C33180

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DCA100: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,

3_2_00DCA100

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Code function: 6_2_0111CCB0 DuplicateTokenEx,CreateProcessAsUserW,CloseHandle,GetLastError,GetLastError,GetLastError,

6_2_0111CCB0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Code function: 4_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_004033B3

Creates files inside the system directory

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe

File created: C:\Windows\system32\icarus_rvrt.exe

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Code function: 2_3_00369E1A	2_3_00369E1A
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC52F0	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DCBB70	3_2_00DCBB70
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DDC9D0	3_2_00DDC9D0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DE126C	3_2_00DE126C
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DCD340	3_2_00DCD340
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DCEDE0	3_2_00DCEDE0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD66E4	3_2_00DD66E4
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DDCE7E	3_2_00DDCE7E
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_0040727F	4_2_0040727F
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_00406AA8	4_2_00406AA8
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01168760	6_2_01168760
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0115C780	6_2_0115C780
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0113A980	6_2_0113A980
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0114C8D0	6_2_0114C8D0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0114ABC0	6_2_0114ABC0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01158A10	6_2_01158A10
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0114CDE0	6_2_0114CDE0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01131070	6_2_01131070
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01169230	6_2_01169230
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011774F0	6_2_011774F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01189810	6_2_01189810
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0114DAD0	6_2_0114DAD0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0116FDF0	6_2_0116FDF0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01174170	6_2_01174170
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011C6170	6_2_011C6170
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011D218A	6_2_011D218A
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011C41CD	6_2_011C41CD
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0112A1C0	6_2_0112A1C0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AE1C0	6_2_011AE1C0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01160080	6_2_01160080
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011360D0	6_2_011360D0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011920E0	6_2_011920E0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011543A0	6_2_011543A0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AA500	6_2_011AA500
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01112570	6_2_01112570
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01186560	6_2_01186560
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_010FC570	6_2_010FC570
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0110E4E0	6_2_0110E4E0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AA780	6_2_011AA780
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01132670	6_2_01132670
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01114660	6_2_01114660
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_010FA950	6_2_010FA950
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011C0867	6_2_011C0867
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011C0BF5	6_2_011C0BF5
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01188A70	6_2_01188A70
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AAAD0	6_2_011AAAD0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011ACD90	6_2_011ACD90
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AAF10	6_2_011AAF10
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01110FA0	6_2_01110FA0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01112EC0	6_2_01112EC0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_010F1000	6_2_010F1000
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011D10DD	6_2_011D10DD
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AF350	6_2_011AF350
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0113D270	6_2_0113D270
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011AF260	6_2_011AF260
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011855E0	6_2_011855E0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01187430	6_2_01187430
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0118B4B0	6_2_0118B4B0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0110D4F0	6_2_0110D4F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0116B620	6_2_0116B620
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01115650	6_2_01115650
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011B5963	6_2_011B5963
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01175810	6_2_01175810
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0116D8D0	6_2_0116D8D0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0110DB20	6_2_0110DB20
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01159BF0	6_2_01159BF0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011D9A23	6_2_011D9A23
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01111AB0	6_2_01111AB0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01143AA0	6_2_01143AA0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01111F30	6_2_01111F30
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011B3F80	6_2_011B3F80
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_010FBFF0	6_2_010FBFF0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0110FE10	6_2_0110FE10
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01185E20	6_2_01185E20
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01119E90	6_2_01119E90
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0112BEC0	6_2_0112BEC0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0042F05B	10_2_0042F05B
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00392810	10_2_00392810
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00391860	10_2_00391860
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0042101F	10_2_0042101F
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00425560	10_2_00425560
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0043150E	10_2_0043150E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_003915B0	10_2_003915B0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_003915B5	10_2_003915B5
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0042C9E8	10_2_0042C9E8
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00393690	10_2_00393690
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00391F60	10_2_00391F60
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00392FB0	10_2_00392FB0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_004313EE	10_2_004313EE
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0107C520	12_2_0107C520
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01073D60	12_2_01073D60
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0111150E	12_2_0111150E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01105560	12_2_01105560
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_010715B5	12_2_010715B5
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_010715B0	12_2_010715B0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0110C9E8	12_2_0110C9E8
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0110101F	12_2_0110101F
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01072810	12_2_01072810
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0110F05B	12_2_0110F05B
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01071860	12_2_01071860
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01071F60	12_2_01071F60
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01072FB0	12_2_01072FB0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_011113EE	12_2_011113EE
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01073690	12_2_01073690
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C13BD0	16_2_000007FEF6C13BD0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C287B0	16_2_000007FEF6C287B0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C42604	16_2_000007FEF6C42604
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C16610	16_2_000007FEF6C16610
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C40400	16_2_000007FEF6C40400
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3EF10	16_2_000007FEF6C3EF10
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C04DC0	16_2_000007FEF6C04DC0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C0D820	16_2_000007FEF6C0D820
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3F820	16_2_000007FEF6C3F820
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C274D0	16_2_000007FEF6C274D0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C0F490	16_2_000007FEF6C0F490
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C41300	16_2_000007FEF6C41300
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C45270	16_2_000007FEF6C45270
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BF7EE0	16_2_000007FEF6BF7EE0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7DFE0	16_2_000007FEF6C7DFE0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C91F5C	16_2_000007FEF6C91F5C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C2DC80	16_2_000007FEF6C2DC80
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C49C80	16_2_000007FEF6C49C80
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE3C40	16_2_000007FEF6BE3C40
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C8FE3C	16_2_000007FEF6C8FE3C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE1D50	16_2_000007FEF6BE1D50
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1BB10	16_2_000007FEF6C1BB10
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7DC14	16_2_000007FEF6C7DC14
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7FC3C	16_2_000007FEF6C7FC3C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C45B50	16_2_000007FEF6C45B50
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C01900	16_2_000007FEF6C01900
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BF9910	16_2_000007FEF6BF9910
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3B910	16_2_000007FEF6C3B910
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C458C0	16_2_000007FEF6C458C0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C918DC	16_2_000007FEF6C918DC
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7BA00	16_2_000007FEF6C7BA00
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1DA20	16_2_000007FEF6C1DA20
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C9B990	16_2_000007FEF6C9B990
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE24F0	16_2_000007FEF6BE24F0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BF84C0	16_2_000007FEF6BF84C0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7C5C8	16_2_000007FEF6C7C5C8
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C4C560	16_2_000007FEF6C4C560
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1E330	16_2_000007FEF6C1E330
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C06280	16_2_000007FEF6C06280
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE4290	16_2_000007FEF6BE4290
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE2280	16_2_000007FEF6BE2280
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3C420	16_2_000007FEF6C3C420
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1C3F0	16_2_000007FEF6C1C3F0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C083F0	16_2_000007FEF6C083F0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C80134	16_2_000007FEF6C80134
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C22080	16_2_000007FEF6C22080
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C82050	16_2_000007FEF6C82050
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C44230	16_2_000007FEF6C44230
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C4AED0	16_2_000007FEF6C4AED0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3D010	16_2_000007FEF6C3D010
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1B030	16_2_000007FEF6C1B030
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE2F40	16_2_000007FEF6BE2F40
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C94CC4	16_2_000007FEF6C94CC4
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7CCE4	16_2_000007FEF6C7CCE4
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3CCF0	16_2_000007FEF6C3CCF0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C8CC7C	16_2_000007FEF6C8CC7C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C86D88	16_2_000007FEF6C86D88
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C8AB1C	16_2_000007FEF6C8AB1C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE2B00	16_2_000007FEF6BE2B00
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3EA90	16_2_000007FEF6C3EA90
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3CA50	16_2_000007FEF6C3CA50
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C0EA56	16_2_000007FEF6C0EA56
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C92890	16_2_000007FEF6C92890
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C2C840	16_2_000007FEF6C2C840
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C00860	16_2_000007FEF6C00860
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C06A20	16_2_000007FEF6C06A20
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BFA980	16_2_000007FEF6BFA980
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1C940	16_2_000007FEF6C1C940
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C34950	16_2_000007FEF6C34950
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7C954	16_2_000007FEF6C7C954
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C39730	16_2_000007FEF6C39730
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1D680	16_2_000007FEF6C1D680
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7B818	16_2_000007FEF6C7B818
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C07830	16_2_000007FEF6C07830
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C05830	16_2_000007FEF6C05830
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7D7E0	16_2_000007FEF6C7D7E0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C1D530	16_2_000007FEF6C1D530
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C27530	16_2_000007FEF6C27530
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3D480	16_2_000007FEF6C3D480
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7B444	16_2_000007FEF6C7B444
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C6F470	16_2_000007FEF6C6F470
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7B62C	16_2_000007FEF6C7B62C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C8754C	16_2_000007FEF6C8754C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C2D2D0	16_2_000007FEF6C2D2D0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7B258	16_2_000007FEF6C7B258
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C9142C	16_2_000007FEF6C9142C
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C493A0	16_2_000007FEF6C493A0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C37370	16_2_000007FEF6C37370
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BE3380	16_2_000007FEF6BE3380
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6BF90A0	16_2_000007FEF6BF90A0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C310B0	16_2_000007FEF6C310B0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C7B070	16_2_000007FEF6C7B070
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C631C0	16_2_000007FEF6C631C0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C3D1E0	16_2_000007FEF6C3D1E0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C39170	16_2_000007FEF6C39170

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\WeatherZero\WeatherZero.exe 9B92A8F962D7F8FFC9A06BAFECAFF854D88999107641229B17B68D5532E6E17C

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: String function: 01143E80 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: String function: 01196900 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: String function: 01108420 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: String function: 01117000 appears 115 times
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: String function: 000007FEF6C00150 appears 67 times
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: String function: 000007FEF6C00480 appears 120 times
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: String function: 000007FEF6C65C90 appears 32 times

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468

PE file contains executable resources (Code or Archives)

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file does not import any functions

Source: api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30.16.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000002.762815465.0000000000654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000000.364176102.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Uses 32bit PE files

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: qbittorrent.exe.2.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal48.rans.troj.expl.evad.winEXE@36/285@117/9

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	4_2_004033B3
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0111F6E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,	6_2_0111F6E0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0109B7F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	12_2_0109B7F0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC52F0 InterlockedExchange,GetCurrentProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CreateMutexW,GetLastError,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CoInitializeEx,CoCreateInstance,OleUninitialize,InterlockedExchange,GetLastError,InterlockedExchange,MessageBoxExW,wsprintfW,wsprintfW,MessageBoxExW,InterlockedExchange,InterlockedExchange,CreateThread,CloseHandle,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,wsprintfW,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,MoveFileExW,GetDiskFreeSpaceExW,InterlockedExchange,InterlockedExchange,MessageBoxExW,InterlockedExchange,GetLastError,InterlockedExchange,wsprintfW,wsprintfW,MessageBoxExW,CloseHandle,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,CreateProcessW,InterlockedExchange,GetLastError,InterlockedExchange,AllowSetForegroundWindow,ResumeThread,InterlockedExchange,GetLastError,InterlockedExchange,PostMessageW,WaitForSingleObject,GetExitCodeProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,CloseHandle,CloseHandle,CloseHandle,_wcsrchr,_wcsrchr,CreateHardLinkW,CopyFileW,ReleaseMutex,CloseHandle,___delayLoadHelper2@8,

3_2_00DC52F0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Code function: 6_2_0111D040 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,K32GetProcessImageFileNameW,GetPriorityClass,GetProcessTimes,K32GetProcessMemoryInfo,CloseHandle,Process32NextW,CloseHandle,GetLastError,

6_2_0111D040

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

3_2_00DC52F0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC38C0 CreateFileMappingW,GetLastError,MapViewOfFile,GetLastError,FindResourceW,LoadResource,wsprintfW,GetLastError,UnmapViewOfFile,CloseHandle,SetLastError,

3_2_00DC38C0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

File created: C:\Program Files (x86)\WeatherZero

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\8a62246e55f35a6b98663f2142101ede
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{2c958236-012f-4348-b699-6519aeb48f99}Installer
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\573eb002bef37e5e6c49175343c27858
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/roaming/qbittorrent/lockfile
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Mutant created: \Sessions\1\BaseNamedObjects\WeatherZero.Already.Runned
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\5d9aaf76b58f33b091e656549ac2633d
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{32B25EF2-80FD-4C66-97E1-0890D9E9F87B}
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2c958236-012f-4348-b699-6519aeb48f99}Installer
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\573eb002bef37e5e6c49175343c27858

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

File created: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: /silent	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: /cookie	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: /ppi_icd	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: /cust_ini	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: Enabled	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxyType	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: Port	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: User	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: Password	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: ProxySettings	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: Properties	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: /smbupd	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: enable	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: mirror	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: count	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: servers	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: urlpgm	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: server0	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: http://	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: https://	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: allow_fallback	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: mirror	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: installer.exe	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: {versionSwitch}	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: stable	3_2_00DC52F0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Command line argument: %s\%s	3_2_00DC52F0

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Virustotal: Detection: 22%
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	ReversingLabs: Detection: 29%

Source: icarus.exe	String found in binary or memory: action-start-type(%s)
Source: icarus.exe	String found in binary or memory: Invalid action-start-type
Source: icarus.exe	String found in binary or memory: 'action-start-type' element includes invalid CDATA!
Source: icarus.exe	String found in binary or memory: action-start-type

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

File read: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe "C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp "C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp" /SL5="$10302,13566766,780800,C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe" /silent /delayUIStart:120
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
Source: unknown	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml /install /silent /delayUIStart:120
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayUIStart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZero.exe "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4C9.tmp" "c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp"
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe" magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp "C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp" /SL5="$10302,13566766,780800,C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe" /silent /delayUIStart:120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe" magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml /install /silent /delayUIStart:120	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZero.exe "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayUIStart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4C9.tmp" "c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp"
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpqec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: qutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ws2help.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nci.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: napmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pcollab.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: webio.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: srvcli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: wkscli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: version.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: credssp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: webio.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: srvcli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: wkscli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: version.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: credssp.dll
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: d3d8thk.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: rpcrtremote.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: credssp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: presentationcffrasterizernative_v0300.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Section loaded: presentationnative_v0300.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Section loaded: shfolder.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: wow64win.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: version.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: webio.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: credssp.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: secur32.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: d3d8thk.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: webio.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: powrprof.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: netapi32.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: netutils.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: srvcli.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: wkscli.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: samcli.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: bcrypt.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: secur32.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: version.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: credssp.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\InProcServer32

Jump to behavior

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

File written: C:\ProgramData\AVG\Icarus\settings\proxy.ini

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: Run
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Automated click: OK

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Creates a directory in C:\Program Files

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\Common Files\AVG\Icarus\avg-tu
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ro.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ru.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sk.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sl.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sv.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\sw.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ta.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\te.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\th.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\tr.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\uk.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\vi.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\zh-CN.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\zh-TW.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_100_percent.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_200_percent.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\v8_context_snapshot.bin.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\icudtl.dat.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\snapshot_blob.bin.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libcef.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\chrome_elf.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\d3dcompiler_47.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libEGL.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libGLESv2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\resources.pak.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\eula
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\eula\en-us.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\readme.txt.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\licenses
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\3rdparty_licenses\licenses\3rdparty.txt.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup\config.def.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Setup\servers.def.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnBS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnIS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswCmnOS.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswProperty.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswSqLt.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_routing.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_routing_rpc.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\log.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_manager.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\event_manager_burger.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\burger_client.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\tasks_core.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\dll_loader.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\module_lifetime.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\commchannel.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\aswIP.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\serialization.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\perfstats.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\nos.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\ntp_time.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libcrypto-3-x64.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\protobuf.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\swhealthex2.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\asulaunch.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\autoreactivator.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\AvBugReport.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avDump.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\gf2hlp.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\pdfix.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\servicecmd.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\TuneupSvc.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaheap.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwalocal.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaapi.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwaresource.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwautils.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\libwavmodapi.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_adapter.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_common.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_controller.dll.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\su_worker.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\wa_3rd_party_host_64.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\avg.brand.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\index.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\offline.htm.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\Overlay.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\SvgInline.svg.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\vnext.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\app-bundle.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\vendor-bundle.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\css
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\css\index.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\cs.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\da.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\de.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\en.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\es-ES.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\es.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\fi.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\fr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\hu.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\id.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\it.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ja.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ko.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ms.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\nb.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\nl.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pl.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt-BR.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt-PT.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\pt.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\ru.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sk.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\sv.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\tr.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh-CN.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh-TW.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\i18n\zh.json.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons\sprite.svg.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\icons\sprite.symbol.html.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\Kin.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\licensing.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\licensing.js.map.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\NitroAuth.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\NitroMenu.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\polyfill.min.js.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-dark.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-flags.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font-one.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-font.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-omni.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout-one.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-layout.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-light.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-omni.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite-avg.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite-light.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn-sprite.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\Resources\dist\assets\vnext\spawn.css.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\TuneupUI.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\SupportTool.exe.ipending.a168df30.lzma
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Directory created: C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30

PE / OLE file has a valid certificate

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static file information: File size 14472880 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: icarus.exe, 00000010.00000003.645223142.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: icarus.exe, 00000010.00000003.554810296.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: icarus.exe, 00000010.00000003.581407235.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_threads.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.658108190.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: icarus.exe, 00000010.00000003.623485918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: icarus.exe, 00000010.00000003.560262551.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: icarus.exe, 00000010.00000003.637196830.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.630945228.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.550227376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: icarus.exe, 00000010.00000003.578175744.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.568380322.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb source: avg_antivirus_free_setup.exe, 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp, avg_antivirus_free_setup.exe, 00000003.00000000.464690367.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: icarus.exe, 00000010.00000003.602293785.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: icarus.exe, 00000010.00000003.656050960.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_threads.amd64.pdb source: icarus.exe, 00000010.00000003.658108190.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: icarus.exe, 00000010.00000003.639234376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.637196830.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: icarus.exe, 00000010.00000003.539814740.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.545275918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: icarus.exe, 00000010.00000003.562545177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: icarus.exe, 00000010.00000003.647469722.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.540005101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.651614177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\AvBugReport.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: icarus.exe, 00000010.00000003.600052254.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.626175999.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.639234376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.604552209.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: icarus.exe, 00000010.00000003.545275918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: icarus.exe, 00000010.00000003.558030356.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.611563984.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: icarus.exe, 00000010.00000003.547922183.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.560262551.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\System.pdb source: WeatherZero.exe, 00000011.00000002.768174796.000000000688A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: icarus.exe, 00000010.00000003.632946971.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: icarus.exe, 00000010.00000003.540005101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_product_tu.pdb source: icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.764331274.000007FEF6CAB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.570651063.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: icarus.exe, 00000010.00000003.542465092.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: icarus.exe, 00000010.00000003.653880116.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: icarus.exe, 00000010.00000003.609506682.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.619287233.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.591165681.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: icarus.exe, 00000010.00000003.552577889.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.623485918.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.614138294.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.609506682.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: icarus.exe, 00000010.00000003.595591569.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: icarus.exe, 00000010.00000003.570651063.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x86\icarus_sfx.pdb source: avg_tuneup_online_setup.exe, 00000006.00000000.474219823.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762637526.0000000000F00000.00000002.00000001.00040000.0000000E.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmp, icarus.exe, 0000000F.00000002.762756404.0000000002540000.00000002.00000001.00040000.0000000E.sdmp, icarus.exe, 00000010.00000002.762643947.00000000038F0000.00000002.00000001.00040000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: icarus.exe, 00000010.00000003.617206870.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.562545177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: icarus.exe, 00000010.00000003.593454396.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.588848336.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.537808772.0000000004D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: icarus.exe, 00000010.00000003.606705365.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.617206870.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: icarus.exe, 00000010.00000003.568380322.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: icarus.exe, 00000010.00000003.591165681.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: icarus.exe, 00000010.00000003.643295101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\vccorlib140.amd64.pdb source: icarus.exe, 00000010.00000003.575554023.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdb source: icarus.exe, 00000010.00000003.597791512.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: icarus.exe, 00000010.00000003.550227376.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.542465092.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdbK source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.647469722.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: icarus.exe, 00000010.00000003.572869716.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: icarus.exe, 00000010.00000003.628643472.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.653880116.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\avDump.pdb: source: avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: icarus.exe, 00000010.00000003.586562933.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: icarus.exe, 00000010.00000003.537808772.0000000004D00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.602293785.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.641302550.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_ui.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.547922183.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: icarus.exe, 00000010.00000003.621404345.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.539814740.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: icarus.exe, 00000010.00000003.626175999.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: icarus.exe, 00000010.00000003.611563984.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.632946971.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.578175744.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.593454396.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: icarus.exe, 00000010.00000003.566102420.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.586562933.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.649502615.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.621404345.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: icarus.exe, 00000010.00000003.581407235.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus.pdb source: avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.763862993.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 0000000F.00000000.516571957.000000013F7F1000.00000002.00000001.01000000.00000010.sdmp, icarus.exe, 00000010.00000002.763759407.0000000140441000.00000002.00000001.01000000.00000012.sdmp, icarus.exe, 00000010.00000000.525811790.0000000140441000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.597791512.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.628643472.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.572869716.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.656050960.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.566102420.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\vccorlib140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.575554023.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.558030356.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: icarus.exe, 00000010.00000003.630945228.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: icarus.exe, 00000010.00000003.584240153.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: icarus.exe, 00000010.00000003.554810296.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.600052254.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: icarus.exe, 00000010.00000003.649502615.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: icarus.exe, 00000010.00000003.635056930.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\BUILD\work\b1fc704878a8d844\BUILDS\Release\x64\icarus_rvrt.pdb source: icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: icarus.exe, 00000010.00000003.641302550.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.606705365.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.643295101.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: icarus.exe, 00000010.00000003.588848336.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: icarus.exe, 00000010.00000003.651614177.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: icarus.exe, 00000010.00000003.619287233.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: icarus.exe, 00000010.00000003.604552209.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: icarus.exe, 00000010.00000003.614138294.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.595591569.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.645223142.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: icarus.exe, 00000010.00000003.552577889.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdbGCTL source: icarus.exe, 00000010.00000003.584240153.00000000048F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: icarus.exe, 00000010.00000003.635056930.00000000048F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Binary contains a suspicious time stamp

Source: api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30.16.dr

Static PE information: 0xCFE53440 [Thu Jul 11 06:27:12 2080 UTC]

Compiles C# or VB.Net code

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC8130 LoadLibraryA,GetProcAddress,FreeLibrary,

3_2_00DC8130

PE file contains an invalid checksum

Source: INetC.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0xb6cc
Source: uninstall.exe.4.dr	Static PE information: real checksum: 0x60081f should be: 0x4fd62
Source: zbShieldUtils.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1fa834

PE file contains sections with non-standard names

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Static PE information: section name: .didata
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp.0.dr	Static PE information: section name: .didata
Source: avg_antivirus_free_setup.exe.2.dr	Static PE information: section name: .didat
Source: avg_tuneup_online_setup.exe.2.dr	Static PE information: section name: .didat
Source: qbittorrent.exe.2.dr	Static PE information: section name: .qtmetad
Source: qbittorrent.exe.2.dr	Static PE information: section name: .qtmimed
Source: avg_antivirus_free_online_setup.exe.3.dr	Static PE information: section name: .didat
Source: icarus.exe.6.dr	Static PE information: section name: .didat
Source: icarus.exe.6.dr	Static PE information: section name: _RDATA
Source: icarus_ui.exe.6.dr	Static PE information: section name: _RDATA
Source: dump_process.exe.6.dr	Static PE information: section name: .didat
Source: dump_process.exe.6.dr	Static PE information: section name: _RDATA
Source: bug_report.exe.6.dr	Static PE information: section name: _RDATA
Source: icarus.exe.15.dr	Static PE information: section name: .didat
Source: icarus.exe.15.dr	Static PE information: section name: _RDATA
Source: icarus_ui.exe.15.dr	Static PE information: section name: _RDATA
Source: dump_process.exe.15.dr	Static PE information: section name: .didat
Source: dump_process.exe.15.dr	Static PE information: section name: _RDATA
Source: bug_report.exe.15.dr	Static PE information: section name: _RDATA
Source: icarus_product.dll.15.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.ipending.a168df30.16.dr	Static PE information: section name: fothk
Source: vcruntime140.dll.ipending.a168df30.16.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD1396 push ecx; ret		3_2_00DD13A9
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011964C3 push ecx; ret		6_2_011964D6

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u	3_2_00DCA100
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u	6_2_0118D900
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u	6_2_0118DBE0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u	6_2_0118DF40

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	File created: \team fortress 2 brotherhood of arms_aez-lu1.exe
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	File created: \team fortress 2 brotherhood of arms_aez-lu1.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: \team fortress 2 brotherhood of arms_aez-lu1.tmp	Jump to behavior

Drops PE files

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\WeatherZeroNSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\bug_report.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\INetC.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_mod.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\bug_report.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	File created: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Windows\System32\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\cqgrcbua.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\bug_report.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\bug_report.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Windows\System32\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	File created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_mod.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	File created: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DC52F0 InterlockedExchange,GetCurrentProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CreateMutexW,GetLastError,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,InterlockedExchange,CoInitializeEx,CoCreateInstance,OleUninitialize,InterlockedExchange,GetLastError,InterlockedExchange,MessageBoxExW,wsprintfW,wsprintfW,MessageBoxExW,InterlockedExchange,InterlockedExchange,CreateThread,CloseHandle,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW,wsprintfW,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,MoveFileExW,MoveFileExW,GetDiskFreeSpaceExW,InterlockedExchange,InterlockedExchange,MessageBoxExW,InterlockedExchange,GetLastError,InterlockedExchange,wsprintfW,wsprintfW,MessageBoxExW,CloseHandle,CreateFileW,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,GetLastError,InterlockedExchange,InterlockedExchange,CreateProcessW,InterlockedExchange,GetLastError,InterlockedExchange,AllowSetForegroundWindow,ResumeThread,InterlockedExchange,GetLastError,InterlockedExchange,PostMessageW,WaitForSingleObject,GetExitCodeProcess,InterlockedExchange,InterlockedExchange,InterlockedExchange,CloseHandle,CloseHandle,CloseHandle,_wcsrchr,_wcsrchr,CreateHardLinkW,CopyFileW,ReleaseMutex,CloseHandle,___delayLoadHelper2@8,		3_2_00DC52F0
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C0D820 GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,GetPrivateProfileStringW,_invalid_parameter_noinfo_noreturn,		16_2_000007FEF6C0D820

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u	3_2_00DCA100
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetVersion,CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%u	6_2_0118D900
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u	6_2_0118DBE0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,_strncpy,CloseHandle, \\.\PhysicalDrive%u	6_2_0118DF40

Creates or modifies windows services

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\partmgr

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Stalling execution: Execution stalls by calling Sleep

graph_6-75940

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	System information queried: FirmwareTableInformation

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Memory allocated: 1D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Memory allocated: 2760000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Memory allocated: 660000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Memory allocated: 2B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Memory allocated: 19320000 memory commit \| memory reserve \| memory write watch

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Code function: 6_2_01140810 rdtsc

6_2_01140810

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Window / User API: threadDelayed 475	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Window / User API: threadDelayed 2110
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Window / User API: threadDelayed 4891

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\WeatherZeroNSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\bug_report.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_ui.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WeatherZero\uninstall.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_mod.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\bug_report.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Windows\System32\icarus_rvrt.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\dump_process.exe	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\dump_process.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cqgrcbua.dll	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30	Jump to dropped file
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Dropped PE file which has not been started: C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Evaded block: after key decision

graph_6-75618

Found large amount of non-executed APIs

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe

API coverage: 9.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp TID: 1912	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp TID: 1912	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe TID: 1100	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe TID: 1416	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2336	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe TID: 288	Thread sleep count: 475 > 30	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe TID: 288	Thread sleep time: -237500s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe TID: 3256	Thread sleep count: 47 > 30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe TID: 3256	Thread sleep count: 49 > 30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe TID: 3256	Thread sleep count: 70 > 30
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe TID: 3256	Thread sleep count: 37 > 30
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe TID: 3160	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe TID: 3296	Thread sleep time: -211000s >= -30000s
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe TID: 3296	Thread sleep time: -489100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe TID: 3512	Thread sleep time: -60000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DDA4B5 FindFirstFileExW,	3_2_00DDA4B5
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405A19
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_004065CE FindFirstFileA,FindClose,	4_2_004065CE
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Code function: 4_2_004027AA FindFirstFileA,	4_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_0113C2C0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,	6_2_0113C2C0
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01164F10 FindFirstFileW,MoveFileExW,GetLastError,FindNextFileW,GetFileAttributesW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_01164F10
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01139D40 FindFirstFileW,FindNextFileW,FindClose,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,	6_2_01139D40
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C310B0 FindFirstFileExW,GetLastError,PathMatchSpecW,FindNextFileW,GetLastError,FindClose,FindClose,	16_2_000007FEF6C310B0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC792C VirtualQuery,GetSystemInfo,

3_2_00DC792C

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp	Jump to behavior

Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: icarus.exe, 00000010.00000003.526185802.0000000000423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume2\DosDevices\C:\??\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\??\IDE#CdRomNECVMWar_VMware_SATA_CD01______
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "/s","r":["Microsoft\\Windows\\CurrentVersion\\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv"aQ
Source: avg_tuneup_online_setup.exe, 00000006.00000003.474926368.00000000003DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume2\DosDevices\C:\??\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\??\IDE#CdRomNECVMWar_VMware_SATA_CD01__''
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.000000000030A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":"","f":"ZB_Opera_re_V3","o":"O
Source: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":"","f":"ZB_Opera_re_V3","o":"Opera_reengaged"}K

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

API call chain: ExitProcess graph end node

graph_4-3302

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Code function: 6_2_01140810 rdtsc

6_2_01140810

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DD10FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00DD10FF

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe

Code function: 16_2_000007FEF6C9E8C4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

16_2_000007FEF6C9E8C4

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC8130 LoadLibraryA,GetProcAddress,FreeLibrary,

3_2_00DC8130

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD7C5A mov eax, dword ptr fs:[00000030h]	3_2_00DD7C5A
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011D48E6 mov eax, dword ptr fs:[00000030h]	6_2_011D48E6
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011D492A mov eax, dword ptr fs:[00000030h]	6_2_011D492A
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011CD4A0 mov ecx, dword ptr fs:[00000030h]	6_2_011CD4A0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00429D02 mov eax, dword ptr fs:[00000030h]	10_2_00429D02
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0042433F mov eax, dword ptr fs:[00000030h]	10_2_0042433F
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01109D02 mov eax, dword ptr fs:[00000030h]	12_2_01109D02
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_0110433F mov eax, dword ptr fs:[00000030h]	12_2_0110433F

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DCF080 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,

3_2_00DCF080

Enables debug privileges

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD1292 SetUnhandledExceptionFilter,	3_2_00DD1292
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD10FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DD10FF
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD13AB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00DD13AB
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Code function: 3_2_00DD4476 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DD4476
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011962BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_011962BA
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_01196700 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_01196700
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: 6_2_011BBD73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_011BBD73
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_0041D11E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0041D11E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 10_2_00422603 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00422603
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_010FD11E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_010FD11E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 12_2_01102603 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_01102603
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C66410 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_000007FEF6C66410
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C78120 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000007FEF6C78120
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: 16_2_000007FEF6C66858 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000007FEF6C66858

Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13F51CE6B
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13F51D563
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	NtQueryInformationProcess: Indirect: 0x14016D00D
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13FDDA23B
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13F51D00D
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13FDDA933
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	NtQueryInformationProcess: Indirect: 0x14016CE6B
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	NtQueryInformationProcess: Indirect: 0x13FDDA3DD

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp "C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp" /SL5="$10302,13566766,780800,C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe" /silent /delayUIStart:120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe" magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe "C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml /install /silent /delayUIStart:120	Jump to behavior
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZero.exe "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayUIStart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4C9.tmp" "c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp"
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe c:\windows\temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayuistart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe "c:\windows\temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92ptu5fbojrx1hwr5yms8nikngalcocmkbepd0y4asab9stlv2t6ssboew9gycpp2iguxbycnb6jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:c:\windows\temp\asw.8bb23e66c52bd2be
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe c:\windows\temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:c:\windows\temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92ptu5fbojrx1hwr5yms8nikngalcocmkbepd0y4asab9stlv2t6ssboew9gycpp2iguxbycnb6jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:c:\windows\temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe	Process created: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe "c:\windows\temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92ptu5fbojrx1hwr5yms8nikngalcocmkbepd0y4asab9stlv2t6ssboew9gycpp2iguxbycnb6jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:c:\windows\temp\asw.8bb23e66c52bd2be	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Process created: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe c:\windows\temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayuistart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Process created: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe c:\windows\temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:c:\windows\temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92ptu5fbojrx1hwr5yms8nikngalcocmkbepd0y4asab9stlv2t6ssboew9gycpp2iguxbycnb6jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:c:\windows\temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Code function: 6_2_0111F9B0 AllocateAndInitializeSid,GetLengthSid,LocalAlloc,CopySid,LocalAlloc,InitializeAcl,AddAce,TreeResetNamedSecurityInfoW,SetLastError,

6_2_0111F9B0

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DD153D cpuid

3_2_00DD153D

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: EnumSystemLocalesW,	6_2_011D40AD
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetLocaleInfoW,	6_2_011D4613
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetLocaleInfoEx,FormatMessageA,	6_2_0119543A
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_011DD47F
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: EnumSystemLocalesW,	6_2_011DD727
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: EnumSystemLocalesW,	6_2_011DD772
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: EnumSystemLocalesW,	6_2_011DD80D
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_011DDDFE
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_011DDC29
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	16_2_000007FEF6C99D78
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	16_2_000007FEF6C9A7B4
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: EnumSystemLocalesW,	16_2_000007FEF6C90494
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	16_2_000007FEF6C9A5D8
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: EnumSystemLocalesW,	16_2_000007FEF6C9A0C8
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: EnumSystemLocalesW,	16_2_000007FEF6C9A198
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: GetLocaleInfoW,	16_2_000007FEF6C90884
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Code function: GetLocaleInfoEx,FormatMessageA,	16_2_000007FEF6C692F4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\AVG_AV.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\WeatherZero.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\AVG_TuneUp.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\finish.png VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Queries volume information: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Queries volume information: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\sfx.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Queries volume information: C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Queries volume information: C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Queries volume information: C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe	Queries volume information: C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\ProgramData\AVG\Icarus\Logs\icarus.log VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC41B0 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetVersionExA,GetNativeSystemInfo,wsprintfA,wsprintfA,lstrcatA,lstrlenA,

3_2_00DC41B0

Source: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Code function: 3_2_00DC41B0 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetVersionExA,GetNativeSystemInfo,wsprintfA,wsprintfA,lstrcatA,lstrlenA,

3_2_00DC41B0

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Process created: C:\Windows\SysWOW64\netsh.exe "netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	2 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	11 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	161 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 Install Root Certificate	LSA Secrets	14 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Process Injection	1 Software Packing	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	33 Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Valid Accounts	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Modify Registry	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	14 Virtualization/Sandbox Evasion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	11 Access Token Manipulation	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	11 Process Injection	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Bootkit	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	23%	Virustotal		Browse
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	29%	ReversingLabs	Win32.Trojan.Generic
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe	100%	Avira	HEUR/AGEN.1332558

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	0%	ReversingLabs
C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	3%	ReversingLabs
C:\Program Files (x86)\WeatherZero\uninstall.exe	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs
C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
d3ben4sjdmrs9v.cloudfront.net	0%	Virustotal	Browse
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	0%	Virustotal	Browse
shepherd-gcp.ff.avast.com	0%	Virustotal	Browse
eu.api.openweathermap.org	0%	Virustotal	Browse
analytics-prod-gcp.ff.avast.com	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
api.openweathermap.org	0%	Virustotal	Browse
analytics.avcdn.net	0%	Virustotal	Browse
shepherd.avcdn.net	0%	Virustotal	Browse
localweatherfree.com	1%	Virustotal	Browse
honzik.avcdn.net	0%	Virustotal	Browse
v7event.stats.avast.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://support.google.com/chrome/answer/6098869	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://www.avast.com/privacy-policyy	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/4dbd/e72e/cf65/4dbde72ecf65ac84b6c01251d37c425c4cedc00e3cd9cd40c0b	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/f3bc/064a/760a/f3bc064a760af5a862cc57c1734b2a5fa78a259b634061ae8de	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=huBillenty	0%	Avira URL Cloud	safe
https://webcompanion.com/terms	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/efe6/a9d8/dcf7/efe6a9d8dcf76f5286bec0496209f59da3de6ab6e355a183b69	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/75e1/fa41/330e/75e1fa41330e6e999c7d956d51b28bf854e5f3d6b1936f415bc	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlHaldab	0%	Avira URL Cloud	safe
https://www.avg.com/ww-en/privacy884d	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/e720/8292/8402/e72082928402426a47d26d7f30dbd6b6e4442073d5e89b8b0d3	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/1294/9111/bf85/12949111bf85a2236f071a294a508d99c90587a97b9ba7f61dc	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/53ea/070a/f084/53ea070af084fe7967d52f51ec412972c0bb732686816c45526	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/336b/6bfe/3568/336b6bfe35680a19b02d583f332df5d0f5dc6fa5729c2910fb1	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/f456/b99b/1cc7/f456b99b1cc7bca914b27b4c2b602bbffa24e5f6204e8286f22	0%	Avira URL Cloud	safe
https://www.google.com/cloudprint#jobs	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/2418/a772/d39e/2418a772d39e45fbea52182965a901364ddcd5459a920c8dcb5	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/b905/7e83/1e61/b9057e831e615eac70b8de45d0f60fd98ca2ec086952d5702a4	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/549b/190c/3722/549b190c3722d4774cc7a8a2730f858dba66f063840469799ad	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/aca7/9a9c/1f6d/aca79a9c1f6d664d99691fd0d3d84a8819993f784b2ff6d7baf	0%	Avira URL Cloud	safe
https://winqual.sb.avast.com	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlAz	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/f353/bfe0/2e30/f353bfe02e30f4fd5cdc89bd7f44703257f229a09f0d815d779	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/039c/7d2b/e3ad/039c7d2be3adfad5b5622e73c92baf26305c08a1c93d68e0aa9	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=filInalis	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/890d/bb72/c4c3/890dbb72c4c35266bd658c663c1242cfa3b50cf51e2873e986b	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/5cbc/4bdf/c8ae/5cbc4bdfc8ae2b5e9d2ecd8370dc50123b9e6a7870ae6e0ea4c	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/b771/5a20/2126/b7715a202126e0788545e7a179b92c95a51540ea6f5e630a989	0%	Avira URL Cloud	safe
https://www.avast.com/privacy-poli	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/2e23/b534/41ba/2e23b53441ba6b0779b222c120d44eb9a156d55cc3648f76216	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlGerido	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/9d91/a240/ea5e/9d91a240ea5e1e77db5d18ddb26932109163993916bd1420952	0%	Avira URL Cloud	safe
https://www.avast.com/eula#pc	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/a83a/f0f7/9abb/a83af0f79abb5e5c818c6f38a38da80e531081f3255cb006ed4	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/univ	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/59a0/ad87/f4aa/59a0ad87f4aa0bbfc2d1462ca7d5e760e2f6f2911c6c31f0fd4	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlBeheerd	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/4413/6fa3/55b3/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c	0%	Avira URL Cloud	safe
https://www.winzip.com/win/en/privacy.htmlutW	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exe	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/6070/ffb5/e20e/6070ffb5e20ed032d460d323df981d369fa68045fab130fd100	0%	Avira URL Cloud	safe
https://www.avast.com/privacy-policyB	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/8858/1d49/e6c8/88581d49e6c83ef74fe4aeed438c0380f321d9eaf3b8ef210d3	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/20d7/b576/daa4/20d7b576daa4bc3619df988004de4952315a1b855b0c51fc022	0%	Avira URL Cloud	safe
http://https://:allow_fallback/installer.exe	0%	Avira URL Cloud	safe
https://www.opera.com/he/eula/computersn	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/fffd/59f3/d29e/fffd59f3d29e3c1e30d5f9db2e07483d1ac2a0c4cefa288241c	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/f5fa/77eb/a62d/f5fa77eba62dbe16cadf3120c397212224c930da261901b060c	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/2f9c/dd96/5650/2f9cdd965650440cebaf2349140a7dde9b587829b7753de8cd0	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/a22b/8186/4fb4/a22b81864fb4219821647d67196f91ef9ba3ba43497a7643b07	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/a2d3/c326/b616/a2d3c326b616f0a7abdd5b67499e21a2fb6f319921121754a8e	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/44cd/f8d9/53ff/44cdf8d953ff2e52b40056d9e564047868b4341643737aa6a2f	0%	Avira URL Cloud	safe
https://www.premieropinion.com/common/termsofservice-v15-44	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/be1d/dcea/5156/be1ddcea515691d8a64442eb42b837b4d5b12e726ddb6251565	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/990b/6559/fb32/990b6559fb32e86df8045cdf8687fe7176fb810c18b2032fbb1	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/73ee/5495/78de/73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ar	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/5fe2/5816/8978/5fe258168978f52d2b3c6f063c7a7c381a70ac06e128ababe66	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/2375/2a37/2251/23752a372251b782f35f6fca4a17dc260159eca4620ddb610f5	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/9c58/80c3/95b4/9c5880c395b4e7db4b8d6de49c75909abdaeeef0b041c1703c7	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=am	0%	Avira URL Cloud	safe
https://www.nortonlifelock.com/us/en/legal/license-services-agreement/SSOR_A	0%	Avira URL Cloud	safe
http://crl.use	0%	Avira URL Cloud	safe
https://shepherd.avcdn.net/2text	0%	Avira URL Cloud	safe
http://www.avast.com0/	0%	Avira URL Cloud	safe
https://www.avast.com/eula%Q	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/c42a/c2e2/e70b/c42ac2e2e70b86e9e884f598db48c1c386b12e1d8a2d6340082	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=deVerkn	0%	Avira URL Cloud	safe
https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_AV/images/1509/EN.png	0%	Avira URL Cloud	safe
https://passwords.google.comCompte	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/1edf/013e/8900/1edf013e890072987b8957b77baecc37140bc01581e5de6b020	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/8c0b/2ce7/b8a9/8c0b2ce7b8a9a60fe60fbba387387081527964196e1bf5ad6fe	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/e3b0/c442/98fc/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca49	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/ea32/3024/0917/ea323024091753a5576a343e46d19bfbf9939122bdde53d91d7	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/79fa/0f06/8f09/79fa0f068f09ed239a8e0c3f1da0b35fa1f86622f9fa47721e1	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/cbec/231a/3e3b/cbec231a3e3b760c82cc736ee6630498a6ed695da056a25ebff	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlSpravov	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=bn	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/8586/2323/a312/85862323a3128490a2c1be66a36480f7eb73a2294d62ef4ff38	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/d784/ec66/7a92/d784ec667a92778b3738fdc7b78f6560f54293764b26773bb02	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/8ac9/e9bc/1b5e/8ac9e9bc1b5e382e976b9e7e4d05a7710213479adb3c81c3539	0%	Avira URL Cloud	safe
https://www.avast.com/privacy-policy#pcll	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=nlSnelkoppeling	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/564f/66a0/78ff/564f66a078ff6e186c23983a233193e81e2c68df11933c16454	0%	Avira URL Cloud	safe
https://ipm.avcdn.net/	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/36f4/1a34/6ed0/36f41a346ed07708ce12d54e5a4c4612f49a375155d1655a23c	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/0438/bce0/0767/0438bce007674706ef0c13e9569a9c15a3c555dc69e719762d5	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/f67f/179e/470f/f67f179e470fd6f75370cdae6b2b9caea0d4df5a5cff167ca93	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=bg	0%	Avira URL Cloud	safe
https://honzik.avcdn.net/universe/b331/a61b/852e/b331a61b852ef66a160956e9c2e62325c8bd09277449dffd567	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/rsStubActivator.exeWH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse	unknown
d3ben4sjdmrs9v.cloudfront.net	65.9.23.130	true	false	0%, Virustotal, Browse	unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	212.229.88.3	true	false	0%, Virustotal, Browse	unknown
shepherd-gcp.ff.avast.com	34.160.176.28	true	false	0%, Virustotal, Browse	unknown
eu.api.openweathermap.org	146.185.153.16	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
analytics-prod-gcp.ff.avast.com	34.117.223.223	true	false	0%, Virustotal, Browse	unknown
localweatherfree.com	188.114.97.3	true	false	1%, Virustotal, Browse	unknown
v7event.stats.avast.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
shepherd.avcdn.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
analytics.avcdn.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
api.openweathermap.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
honzik.avcdn.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://d3ben4sjdmrs9v.cloudfront.net/f/AVG_AV/images/1509/EN.png	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://honzik.avcdn.net/universe/f3bc/064a/760a/f3bc064a760af5a862cc57c1734b2a5fa78a259b634061ae8de	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/privacy-policyy	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=huBillenty	icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/terms	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.766430491.00000000075F9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/4dbd/e72e/cf65/4dbde72ecf65ac84b6c01251d37c425c4cedc00e3cd9cd40c0b	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6098869	icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://honzik.avcdn.net/universe/efe6/a9d8/dcf7/efe6a9d8dcf76f5286bec0496209f59da3de6ab6e355a183b69	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u	icarus.exe, 00000010.00000003.745789288.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/75e1/fa41/330e/75e1fa41330e6e999c7d956d51b28bf854e5f3d6b1936f415bc	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000002.761406675.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000002.761540431.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.481096665.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487722136.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.516313437.000000000040E000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.646607698.000000000040E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlHaldab	icarus.exe, 00000010.00000003.693418802.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avg.com/ww-en/privacy884d	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/e720/8292/8402/e72082928402426a47d26d7f30dbd6b6e4442073d5e89b8b0d3	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=fi&category=theme81https://myactivity.google.com/myactivity/?u	icarus.exe, 00000010.00000003.698510255.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/1294/9111/bf85/12949111bf85a2236f071a294a508d99c90587a97b9ba7f61dc	icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/53ea/070a/f084/53ea070af084fe7967d52f51ec412972c0bb732686816c45526	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/336b/6bfe/3568/336b6bfe35680a19b02d583f332df5d0f5dc6fa5729c2910fb1	icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/f456/b99b/1cc7/f456b99b1cc7bca914b27b4c2b602bbffa24e5f6204e8286f22	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/cloudprint#jobs	icarus.exe, 00000010.00000003.712622164.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.728032159.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.681026749.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.756388934.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.710100826.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.707616225.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.748389072.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.718180433.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.691009456.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.743180981.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.730719022.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/2418/a772/d39e/2418a772d39e45fbea52182965a901364ddcd5459a920c8dcb5	icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/b905/7e83/1e61/b9057e831e615eac70b8de45d0f60fd98ca2ec086952d5702a4	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	icarus.exe, 00000010.00000003.753789558.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/aca7/9a9c/1f6d/aca79a9c1f6d664d99691fd0d3d84a8819993f784b2ff6d7baf	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000000.366591506.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://honzik.avcdn.net/universe/549b/190c/3722/549b190c3722d4774cc7a8a2730f858dba66f063840469799ad	icarus.exe, 00000010.00000002.763106730.00000000044FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://winqual.sb.avast.com	avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlAz	icarus.exe, 00000010.00000003.720708845.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/f353/bfe0/2e30/f353bfe02e30f4fd5cdc89bd7f44703257f229a09f0d815d779	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/039c/7d2b/e3ad/039c7d2be3adfad5b5622e73c92baf26305c08a1c93d68e0aa9	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/890d/bb72/c4c3/890dbb72c4c35266bd658c663c1242cfa3b50cf51e2873e986b	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=filInalis	icarus.exe, 00000010.00000003.701069588.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/5cbc/4bdf/c8ae/5cbc4bdfc8ae2b5e9d2ecd8370dc50123b9e6a7870ae6e0ea4c	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/b771/5a20/2126/b7715a202126e0788545e7a179b92c95a51540ea6f5e630a989	icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/privacy-poli	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764709169.0000000007375000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/2e23/b534/41ba/2e23b53441ba6b0779b222c120d44eb9a156d55cc3648f76216	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlGerido	icarus.exe, 00000010.00000003.759007900.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/9d91/a240/ea5e/9d91a240ea5e1e77db5d18ddb26932109163993916bd1420952	icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/eula#pc	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.763072834.0000000001F84000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000357000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/a83a/f0f7/9abb/a83af0f79abb5e5c818c6f38a38da80e531081f3255cb006ed4	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/univ	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlBeheerd	icarus.exe, 00000010.00000003.750730782.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/59a0/ad87/f4aa/59a0ad87f4aa0bbfc2d1462ca7d5e760e2f6f2911c6c31f0fd4	icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/4413/6fa3/55b3/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en-GB&category=theme81https://myactivity.google.com/myactivity	icarus.exe, 00000010.00000003.683485325.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.winzip.com/win/en/privacy.htmlutW	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exe	avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607412622.00000000002E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/6070/ffb5/e20e/6070ffb5e20ed032d460d323df981d369fa68045fab130fd100	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/privacy-policyB	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.761756832.0000000000359000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/8858/1d49/e6c8/88581d49e6c83ef74fe4aeed438c0380f321d9eaf3b8ef210d3	icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u	icarus.exe, 00000010.00000003.723222578.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	WZSetup.exe, WZSetup.exe, 00000004.00000002.601034182.0000000003A81000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000004.00000000.468976681.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, WZSetup.exe, 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://https://:allow_fallback/installer.exe	avg_antivirus_free_setup.exe, 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp, avg_antivirus_free_setup.exe, 00000003.00000000.464690367.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/20d7/b576/daa4/20d7b576daa4bc3619df988004de4952315a1b855b0c51fc022	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.opera.com/he/eula/computersn	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/f5fa/77eb/a62d/f5fa77eba62dbe16cadf3120c397212224c930da261901b060c	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/fffd/59f3/d29e/fffd59f3d29e3c1e30d5f9db2e07483d1ac2a0c4cefa288241c	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/2f9c/dd96/5650/2f9cdd965650440cebaf2349140a7dde9b587829b7753de8cd0	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/a2d3/c326/b616/a2d3c326b616f0a7abdd5b67499e21a2fb6f319921121754a8e	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/a22b/8186/4fb4/a22b81864fb4219821647d67196f91ef9ba3ba43497a7643b07	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/44cd/f8d9/53ff/44cdf8d953ff2e52b40056d9e564047868b4341643737aa6a2f	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/be1d/dcea/5156/be1ddcea515691d8a64442eb42b837b4d5b12e726ddb6251565	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.premieropinion.com/common/termsofservice-v15-44	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/990b/6559/fb32/990b6559fb32e86df8045cdf8687fe7176fb810c18b2032fbb1	icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/73ee/5495/78de/73ee549578ded906711189edcef0eedbc9db7ccbd30cf7776bd	icarus.exe, 0000000F.00000003.521853749.00000000023D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ar	icarus.exe, 00000010.00000003.662996506.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/5fe2/5816/8978/5fe258168978f52d2b3c6f063c7a7c381a70ac06e128ababe66	icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/2375/2a37/2251/23752a372251b782f35f6fca4a17dc260159eca4620ddb610f5	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/9c58/80c3/95b4/9c5880c395b4e7db4b8d6de49c75909abdaeeef0b041c1703c7	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=am	icarus.exe, 00000010.00000003.660623519.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nortonlifelock.com/us/en/legal/license-services-agreement/SSOR_A	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000036D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.use	WZSetup.exe, 00000004.00000002.600783672.0000000000319000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shepherd.avcdn.net/2text	icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avast.com0/	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000002.764279705.000000000216D000.00000004.00000020.00020000.00000000.sdmp, avg_antivirus_free_setup.exe, 00000003.00000003.607318593.0000000000344000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.504343304.00000000032F0000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.509879598.0000000003460000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.487748487.0000000003310000.00000004.00000020.00020000.00000000.sdmp, avg_tuneup_online_setup.exe, 00000006.00000003.498986237.00000000036C0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524241872.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.520725221.0000000002700000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525354979.0000000003DA0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521853749.0000000002334000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537806773.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.364983182.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe, 00000000.00000003.365531645.000000007ECC0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.avast.com/eula%Q	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/c42a/c2e2/e70b/c42ac2e2e70b86e9e884f598db48c1c386b12e1d8a2d6340082	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=deVerkn	icarus.exe, 00000010.00000003.678588804.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://passwords.google.comCompte	icarus.exe, 00000010.00000003.670525548.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.703706256.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/1edf/013e/8900/1edf013e890072987b8957b77baecc37140bc01581e5de6b020	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/8c0b/2ce7/b8a9/8c0b2ce7b8a9a60fe60fbba387387081527964196e1bf5ad6fe	icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/e3b0/c442/98fc/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca49	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/ea32/3024/0917/ea323024091753a5576a343e46d19bfbf9939122bdde53d91d7	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/79fa/0f06/8f09/79fa0f068f09ed239a8e0c3f1da0b35fa1f86622f9fa47721e1	icarus.exe, 00000010.00000002.762757687.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/cbec/231a/3e3b/cbec231a3e3b760c82cc736ee6630498a6ed695da056a25ebff	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlSpravov	icarus.exe, 00000010.00000003.673050245.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=bn	icarus.exe, 00000010.00000003.668085994.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/8586/2323/a312/85862323a3128490a2c1be66a36480f7eb73a2294d62ef4ff38	icarus.exe, 00000010.00000002.761446130.00000000003E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/d784/ec66/7a92/d784ec667a92778b3738fdc7b78f6560f54293764b26773bb02	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/8ac9/e9bc/1b5e/8ac9e9bc1b5e382e976b9e7e4d05a7710213479adb3c81c3539	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/privacy-policy#pcll	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=nlSnelkoppeling	icarus.exe, 00000010.00000003.750730782.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/564f/66a0/78ff/564f66a078ff6e186c23983a233193e81e2c68df11933c16454	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.762757687.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipm.avcdn.net/	icarus.exe, 0000000F.00000002.762519630.0000000002313000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519579336.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000002.761586681.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519608458.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519449287.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519449287.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519809089.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.521870091.0000000002331000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519762707.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.524224297.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519705947.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525234680.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519489850.000000000230B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.525272587.000000000232B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 0000000F.00000003.519663457.0000000002395000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.000000000236B000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/36f4/1a34/6ed0/36f41a346ed07708ce12d54e5a4c4612f49a375155d1655a23c	icarus.exe, 00000010.00000002.761906001.00000000023D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/f67f/179e/470f/f67f179e470fd6f75370cdae6b2b9caea0d4df5a5cff167ca93	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/0438/bce0/0767/0438bce007674706ef0c13e9569a9c15a3c555dc69e719762d5	icarus.exe, 00000010.00000003.537746651.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=bg	icarus.exe, 00000010.00000003.665469202.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://honzik.avcdn.net/universe/b331/a61b/852e/b331a61b852ef66a160956e9c2e62325c8bd09277449dffd567	icarus.exe, 00000010.00000002.762757687.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000003.537746651.0000000003AD6000.00000004.00000020.00020000.00000000.sdmp, icarus.exe, 00000010.00000002.761906001.0000000002390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/rsStubActivator.exeWH	Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, 00000002.00000003.625101763.0000000000307000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
65.9.23.108	unknown	United States	16509	AMAZON-02US	false
34.160.176.28	shepherd-gcp.ff.avast.com	United States	2686	ATGS-MMD-ASUS	false
34.117.223.223	analytics-prod-gcp.ff.avast.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
65.9.23.130	d3ben4sjdmrs9v.cloudfront.net	United States	16509	AMAZON-02US	false
65.9.23.141	unknown	United States	16509	AMAZON-02US	false
188.114.97.3	localweatherfree.com	European Union	13335	CLOUDFLARENETUS	false
65.9.23.107	unknown	United States	16509	AMAZON-02US	false
146.185.153.16	eu.api.openweathermap.org	Netherlands	14061	DIGITALOCEAN-ASNUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483744
Start date and time:	2024-07-29 00:51:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	4
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Detection:	MAL
Classification:	mal48.rans.troj.expl.evad.winEXE@36/285@117/9
EGA Information:	Successful, ratio: 87.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.174, 184.30.25.22, 142.251.37.14, 2.20.93.64, 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, ctldl.windowsupdate.com.delivery.microsoft.com, watson.microsoft.com, e9229.dscd.akamaiedge.net, s-honzik.avcdn.net.edgekey.net, ctldl.windowsupdate.com, legacywatson.trafficmanager.net, wu-b-net.trafficmanager.net, www.google-analytics.com
Execution Graph export aborted for target Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp, PID 2580 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
18:53:44	API Interceptor	3982x Sleep call for process: Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp modified
18:54:24	API Interceptor	421x Sleep call for process: WeatherZeroService.exe modified
18:54:38	API Interceptor	9029x Sleep call for process: WeatherZero.exe modified
18:54:42	API Interceptor	720x Sleep call for process: avg_antivirus_free_setup.exe modified
18:54:45	API Interceptor	6x Sleep call for process: avg_tuneup_online_setup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.223.223	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	Microstub.exe	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	Microstub.exe	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	ccsetup621.zip	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	_.exe	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	_.exe	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	MDE_File_Sample_c7da8e8d530606f98d3014dbf9ce345b0d07dd48.zip	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
	https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient	Get hash	malicious	Unknown	Browse	v7event.stats.avast.com/cgi-bin/iavsevents.cgi
34.160.176.28	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse
	winrar-64-6.21-installer_AmGAP-1.exe	Get hash	malicious	PureLog Stealer	Browse
	ccsetup624.exe	Get hash	malicious	Unknown	Browse
	806aab44-6c03-4577-a3c4-83aa13dc7875.tmp	Get hash	malicious	Unknown	Browse
	Microstub.exe	Get hash	malicious	Unknown	Browse
	Microstub.exe	Get hash	malicious	Unknown	Browse
	ccsetup621.zip	Get hash	malicious	Unknown	Browse
	https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
shepherd-gcp.ff.avast.com	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	34.160.176.28
	ccsetup624.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	806aab44-6c03-4577-a3c4-83aa13dc7875.tmp	Get hash	malicious	Unknown	Browse	34.160.176.28
	Microstub.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	Microstub.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	ccsetup621.zip	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient	Get hash	malicious	Unknown	Browse	34.160.176.28
	http://www.poweriso-mirror.com/PowerISO8.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	_.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	http://aged-recipe-9bb1.samuel-okitipi1.workers.dev/	Get hash	malicious	Unknown	Browse	217.20.57.37
	https://etransfer.interac.ca/ViewInBrowser.do?tokens=eNrtV9tu20YQ_ZWFGqcJYEoUJVGSC6MWKSlw2zip7T4VBbEmh_LG5C6zFzlK0b73L_rW-hv6qB_rLHWJJUuKkKBNCtSIAWf27JnZ2bMzw58rQrIR41QLOcgpy85oDpWjygXIMYtBkVDwmGWMklMeVyuH63CEgpaUqxTkSTzHMoTGIl9BD9kCL69ixjVIGuPOVKGjEzTNN1wBh5TFjMrJ_XAuqUxYekj6dMwS0uNaMA4b4AhNdIk9UZrdQE75Q-J3oShTFELqk5gtAygk4FEkJN9RPjJ0ZL2nEhdgDFxHeEQNbzQaCzrJ0VKVMDIZtQgljIwhYiriQrM0ogVD3GQlDVHKokyMBC5ca12oo1ptmT-nJEfKeXqqMa2lsmbhUdhz7U-jWvDRRsII-L6cwPflxIN_XJz3sv5xJ6-72xk_-Og7ST_07EvSuUCiUlDAURnc5FdgacNeenkWN4fWtcluNkEabqvR7XY7bc_xXK_ptr02phU3xEZpkUca8iKjGuWWIBqXrDTjCP0vMSBni2HPj9uvbp59Gw9X32TE937sJTRiPLoGmoBUe-7CZM59nAchCSh_bYCciwnNYCNwdpUWW4LsjpvNwPJ6NpGu3eXcfXgahJsXZy53rJeeNqzzvUvThuTtswt2V7SyyLCYaiZ4VCwlZNVgy9WbAiSzhiQyqpSUlsa6UNdY8mKjIyOzTRK_L22sg0xCrIdS5BfzfZdiyKqJ-Lo47R8vhPw4G-vjeiMI-l6n2fDrnh802_X6sNVt-vhn6Ae9djPoh816u-P6w0YraIStMGy4nXp_0Bg0O26nX3-cspJy9ooeZ1iAj8vSez_iLY_9swoaQ1wLenMx-QwzDRwFGuWQ2zp9ZvLpnRQkAYLFJWUyL8VGjkh4cfn84nzQanaeVcn59M9RBrbWkZ5SBg8XA5n-Np7e8ZkVbSSjpKxXqZA5kEsW34DOqcLzkyeJUIrhHy3XdVzfwZi8esvxGvWn6Or0-csX55e9s0vikB801hkFb0kGJBfaBlZQpdDb7-S1oVpioNcsTSVWJeBjMZneIUBi9EbiY8i-IhiUxFeDFGOhCOPJ9E4xSa8y3KEYGo0iHEj2JR0jBsmJhOkfpkpeIgXRwmgglCVwaDOiaazhrcPtpvtubDjnMM_JMiUDHCBKy_fh-qREhCFjphiy7d44f_oLAUVaaGofcdc_9LrkEXkS9vpPHwBmb-ZR168iaAukVOg6TSEFZibH_kSVsBwPbDPqh-aSDs0JxBlWthWGVduSYc28YMBHwQpmG-lclVammmqj_pfpf0WmErBFKx0lmFm8MK9DXhmWZaCJnW22IWfK-MZkE-J1DndDS7Xs4MV2uPTuEyqmf23HzPz2zAinKOL5h9uBM69rfLnJNCsyiFR8DYnJsAEvdlaOUpopuEeFd2F7QOXIffAiy6VyAb8o3r0CmkTzz5Yl2-p4hFDbTNb7--3tbRW_s6Sdk65wrLJ3ZEfXXCSgnITGOMrVtEESlIaqWV0yB7SDdFDY9-Qk4KSCJ6pGOcdPntKGqwYHjdl_xtjBrACcRV-71nlW2RXfajffGOItnShHC8ca5vHhqWu2UzkUf218bAxOLjhMarFVYmaNGWU5AhaxOOAs264N64ujX4_sl9yxFgee--LHg4F30HEPev5P-hrQsryyneGv9PVPmGEav1ETtdRZhIX05n0TB0a2GCpqHztQbAlhj2HtHw_h_aPXv5EIgaqSds76lPnIxRXDuvRAHNuSMWzW_bbn-42mX--4_WA4qDdag17D9YJuMMAIgmGnNQz6LjodhMFg0PGa3UF32HWbQ_zXrfzyN_jDSBM&templateCode=2&productCode=0&customBulkExternalId=003_conc_001&langCode=en	Get hash	malicious	Unknown	Browse	217.20.57.25
	https://muscletherapytec.com/wp-admin/bvn2/sprom2/popular/4e3ca076003281dc76236e73f1cc5142	Get hash	malicious	Unknown	Browse	217.20.57.43
	http://www.linktr.ee/debank.notification	Get hash	malicious	Unknown	Browse	217.20.57.27
	https://app.gopay.co.id.sg.wuush.us.kg/	Get hash	malicious	Unknown	Browse	217.20.57.19
	https://arborstaff.freshdesk.com/en/support/solutions/articles/153000192392-new-docucment-shared-with-you	Get hash	malicious	HTMLPhisher	Browse	217.20.57.23
	http://bafybeid3xndcv7gdf3q272cm4c7rhgipbjnxuzokef7kehqtunj464crfy.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	217.20.57.20
	LisectAVT_2403002A_207.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	217.20.57.38
	LisectAVT_2403002A_495.dll.dll	Get hash	malicious	Unknown	Browse	217.20.56.34
	LisectAVT_2403002A_76.exe	Get hash	malicious	AgentTesla	Browse	217.20.57.26
eu.api.openweathermap.org	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse	146.185.152.21
	https://yti.com/	Get hash	malicious	Unknown	Browse	146.185.152.21
	http://Yti.com/gatelink	Get hash	malicious	Unknown	Browse	146.185.152.20
bg.microsoft.map.fastly.net	http://pub-a29070233cb54ef393c1ddea471f903c.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://chattts-49f1.beszyrecala.workers.dev/c7a442e4-6621-4b46-bbd9-51=	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://drop-box-roug9779888876n1a2b3c4d5e6f7g8h9i0jk1l2m3n4o5p6q7r8s9t.vercel.app/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://gdhddyyyu-yfdrfs-f48b55.ingress-earth.ewp.live/wp-content/plugins/ddrxmis/pages/region.php	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-6840f5a0b95245c4bd997b2a34ceed17.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-cc49e80c5ae14b709b4ffb31615a777f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://metamaskuh.azurewebsites.net/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://qoinbasspirologgn.gitbook.io/us	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-1b65b2cfa1de4d88a583e494abc8b391.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-63ee9e97e9eb46d78c12a9137fdc4d90.r2.dev/invoice.htm	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
ATGS-MMD-ASUS	http://boaint.surge.sh/main.html	Get hash	malicious	Unknown	Browse	34.36.212.39
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.160.144.191
TUT-ASUS	EJH8vdN1sP.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse	208.95.112.1
	Nursultan Alpha Client.exe	Get hash	malicious	DCRat, XWorm	Browse	208.95.112.1
	Easy Anti-Cheat Analyzer.exe	Get hash	malicious	DCRat, XWorm	Browse	208.95.112.1
	encrypthub_steal.ps1	Get hash	malicious	Unknown	Browse	208.95.112.1
	encrypthub_steal.ps1	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	208.95.112.1
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar	Browse	208.95.112.1
	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
AMAZON-02US	http://pub-a29070233cb54ef393c1ddea471f903c.r2.dev/index.html	Get hash	malicious	Unknown	Browse	35.156.224.161
	http://drop-box-roug9779888876n1a2b3c4d5e6f7g8h9i0jk1l2m3n4o5p6q7r8s9t.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
	http://pub-6840f5a0b95245c4bd997b2a34ceed17.r2.dev/index.html	Get hash	malicious	Unknown	Browse	18.192.94.96
	http://pub-d2409a02e97a44dca2eae780356db722.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.70.101.28
	http://msn-pdf75.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
	http://pub-8d80ac938c6b433695a7e0831c963d56.r2.dev/index.html	Get hash	malicious	Unknown	Browse	35.156.224.161
	http://pub-02289f87e8ce43fe8c47a86f49b0a533.r2.dev/index.html	Get hash	malicious	Unknown	Browse	18.245.31.33
	http://pub-58a4baf41c124648bdc4fe772188accd.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.70.101.28
	http://pub-1ce9e7a22bad4d9e82b69b2884dabbd9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	18.192.94.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	pn24_065.docx.doc	Get hash	malicious	Unknown	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Get hash	malicious	GuLoader, Remcos	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	invoice.docx.doc	Get hash	malicious	FormBook	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	New order.exe	Get hash	malicious	Snake Keylogger	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	042240724.xls	Get hash	malicious	Remcos	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
	dukas022.docx.doc	Get hash	malicious	Unknown	Browse	65.9.23.107 65.9.23.130 65.9.23.141 65.9.23.108
7dcce5b76c8b17472d024758970a406b	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	pn24_065.docx.doc	Get hash	malicious	Unknown	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Get hash	malicious	GuLoader, Remcos	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	invoice.docx.doc	Get hash	malicious	FormBook	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	042240724.xls	Get hash	malicious	Remcos	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	Scan file.doc	Get hash	malicious	Unknown	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	fLnj4EeH6V.rtf	Get hash	malicious	Unknown	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	34.117.223.223 188.114.97.3 34.160.176.28
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	34.117.223.223 188.114.97.3 34.160.176.28
36f7277af969a6947a61ae0b815907a1	order072724.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	girlfrnd.doc	Get hash	malicious	GuLoader, Remcos	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	PRZELEW BANKOWY.xls	Get hash	malicious	Unknown	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	PRZELEW BANKOWY.xls	Get hash	malicious	Unknown	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Get hash	malicious	GuLoader, Remcos	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	042240724.xls	Get hash	malicious	Remcos	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	65.9.23.107 65.9.23.141 65.9.23.130
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	65.9.23.107 65.9.23.141 65.9.23.130

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse
C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse
C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse
C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse

Created / dropped Files

C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	447488
Entropy (8bit):	6.049704714571602
Encrypted:	false
SSDEEP:	12288:Pf2wvmWyF2kVbFNCK9FGFMSvmEzBIyDInI:19yFpbfcFBIyDInI
MD5:	E346FCECD037F0BE2777231949977587
SHA1:	50E571B3AEA31DB3DF2610A1CA4DFC94612A2CC4
SHA-256:	EFD8CF9A3BC2AB4E15FA33D42771E18D78539759CBF30652DF4C43E6825CE5F0
SHA-512:	FFC183626899D1AD1806786BC95C4809AAB3947C78FBFDB38A01D312F2F679DC7DC82F8389074CBCC470D055982CFC370D482FF4D0B3B91532CA409B1FCA32A9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^W.........." ..0.............&.... ........... .......................@......y.....@.....................................O.......d.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...d...........................@..@.reloc....... ......................@..B........................H.......d...`...............X.............................................(......(8..."..(9.....(...."..(....&...(....&...(....F...(.......s......{...."..}......{...."..}....V.(......(......(.......}".....(....}%.....}#.....}$.....0..E........{"......YE................+..{$...o.....X.{#...j(.....Xr...ps....z....0...........{"......YE........R...R....{$.....~!...o......!.r...po....&..o....&.r...po....&.o.....1....o....&..o....&*..[o....&..{#...o....&..]o....&

C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2876688
Entropy (8bit):	7.928270982940127
Encrypted:	false
SSDEEP:	49152:g6+PPRw4iT/VLUBIGR6KmgG5sMU+Fojk7DcPfKZOHUULruOdHqDOAfCFkw:6nq44Az8gB22jkXufKs0ULruMHcOAfCp
MD5:	7DC1C6AB3BF2DD1C825914F7F6F31B45
SHA1:	50DA5DF89A759DD1D6F123B98B8AA35298699B3B
SHA-256:	9B92A8F962D7F8FFC9A06BAFECAFF854D88999107641229B17B68D5532E6E17C
SHA-512:	695FFAC94223F5419229D84C5E46BACA22C9AC5C57E27B87CDE347A80F343926A529F9EA008390053F7306E8140D421FCBE7789D636B2E489C089F0CB7B7F752
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b..............0..D)..F......6c).. ....)...@.. ........................,.....c.,...@..................................b).O.....).\|C............+..Y....+......a).............................................. ............... ..H............text...<C).. ...D)................. ..`.rsrc...\|C....)..D...F).............@..@.reloc........+.......+.............@..B.................c).....H.......d_..H.......r........O(...........................................(.....~....-.r...p.....(....o....s.........~.....~............~......(....Vs....( ...t..........0..5........s!...}.....(......}.....s"...}.....{....(#...o$...(%...o&.....('......{...........s(...o)....{...........s(...o....{.....o+....{...........s,...o-...rE..ps.............s,...o/....{....o0....o1...&rO..ps.............s,...o/....{....o0....o1...&.{.....{....o2....{...........s,...o3....{.....

C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.747046586710027
Encrypted:	false
SSDEEP:	6:TMVBd1IGMfVKNS7VNQAofS7V2bofJuAW4QIm:TMHdGGsVOAzofLSJ93xm
MD5:	3F15E291A768459274F9B10338692974
SHA1:	F1BFC8F7525487B18E05B99C40249C7873C75E4F
SHA-256:	4C246E60C38399126CA36408BDA7E63BF43B9ECB18F9DAA6E224D36633DC0B69
SHA-512:	0CDA1129BD34EB72E4927782C3D9BDF3BE7B5E2FE92279E73DE068FC7E4BF4035323AEBB9578CDE8F7630248B47CC67A5EF64AF7B144621CAB10E86010BCF85B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v2.0.50727"/>.. <supportedRuntime version="v4.0"/>.. </startup>..</configuration>..

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3385616
Entropy (8bit):	7.769464020201907
Encrypted:	false
SSDEEP:	98304:EuOjRHrd1zBPC474Iz8pEeVJmUXyevkUL38/cSUJ9yElx7W91a8G8C:91VzF38/LUJ9yE37KGH
MD5:	2B149BA4C21C66D34F19214D5A8D3067
SHA1:	8E02148B86E4B0999E090667EF9B926A19B5CA7D
SHA-256:	95F0E021C978DDD88E2218A7467579255A5AE9552AF2508C4243A4ADEC52D2B8
SHA-512:	C626F89BC01FDB659F4EE2CF86BA978F04E4BF0DEC2624170C83C21D5AD29E20335566B1F7545D9BADC4E47CA2EA90535C4CB08B4AFA3457B72A5801053706D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................^..........................................u...T.....T.D....,...T.....Rich..........................PE..L.....b.................&...4)..............@....@...........................3.......4...@...........................................2.0............P3..Y...`3.X,......8...........................@...@............@..(............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data....d'..0...X'.................@....rsrc...0.....2......h2.............@..@.reloc..X,...`3......"3.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WeatherZero\uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	320035
Entropy (8bit):	7.891495118554517
Encrypted:	false
SSDEEP:	6144:V1ssjvm3L1cBg+0FaZLqKxIyCMVr8ozzirUi:gsoL1c++0FCGKTCkpm
MD5:	44C6F7F2084D37AAD08C078A43F2E7BC
SHA1:	FBD6EB7B7BCADD6257CCB30FDC5344B895AFB5BA
SHA-256:	010D36593138E29B90EE5D344BA720369B9D21C20FDBDA93FC5A6C2AA1E46FA3
SHA-512:	A8806E66405B9AE160CB2F41332506659FAE3594CE6906B6B53153F4BC884A4ADA99532828F075E68C0886F9C4AF2A99879B7C4BDA8FC6CBC8FA519DE253B741
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L...<.Oa.................f...\|.......3............@.......................... ........`...@.................................D...........HD...........2_..Y...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc...HD.......F..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WeatherZero\wz.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	MS Windows icon resource - 11 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	146222
Entropy (8bit):	6.2734588250494
Encrypted:	false
SSDEEP:	3072:I0GLQ/1t912mCTFpbEoAu6QRG38ulhJ/eSk91MjXYqMFgK1s2BylAvKirweQpeUB:IFE5Nli9Ux2K
MD5:	D1DE53F6C0818C7137207D5B6A95158F
SHA1:	64FEFD3B51375198E52D932E193AB3BC0790A60D
SHA-256:	6F8107DB61996754E700964B2716E055914D2ADF475BE8FDA12234B5B98DC4E4
SHA-512:	2F4A2E586A133173540768081A4CA681001CBF5E37B5F55140CF26F919898F0B4D2F83366B38E81E14DEAE6084A32F2E08B7165F7908D272358730B1B681EDD4
Malicious:	false
Preview:	...... ......................(.......00.............. ..........n...........h............. .(...~!..``.... ......)..@@.... .(B..N...00.... ..%..v... .... ......&........ .h....6..(... ...@.................................................................................................ssssssssssss...s...........17..0.............0...............8s...............0..............7q...............1..............7p...............1...............p...............1.w....w@.......0H.......wwwv.w.0wggvwvw.gww.ww.pxww.wwwwxww.xw.1(.......wRwwwr.p.x.............0.......q1......q.....wws0......0.....{{........q....s...70.....0....1..........q....s[.s.......0......07.......q......p........0...............q...............1..............#...............8...............p..............7....3ss77777777..................................................................................................................................(....... .................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.71364264787421
Encrypted:	false
SSDEEP:	192:+OAWAhWeW4pICSjRof0cVWQ4GW/gYbOEU+9YX01k9z3AWB2c:+jWAhW82xlcdUOQGR9zBB2c
MD5:	0909E61C8C9C717976828F65C987E5F9
SHA1:	B5AFFABB8AFDA55EBB1F404EDAB69C6C239AFFE6
SHA-256:	03FFDB036329A25BEACF905D62611A13E3DFDDA6CBD2D13AF830258E8CF40EC0
SHA-512:	7F78746E40DA64631C08D0E173FBDEB40BEED180932B42382D9F3AC0CDB4348D2A5B1C29770BB98F5D4823CFD66ECAC2285AFBCAF109F82C8B75C7711F10C49D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...B4............" .........0...............................................@............`A........................................p...,............0...............0...%..............p............................................................................rdata..t...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7382
Entropy (8bit):	7.974507560089598
Encrypted:	false
SSDEEP:	192:OaNMM7qApXfmb1uRd+Gs9+B/yIwoRyttVxJCZcs5Gs0:f11pXW1uud9+5woRstVxgZcs5Gs0
MD5:	6A979BB02036A7C50F373475848A446F
SHA1:	D361AA5379BCF29FCA8C314D43F58D9400B4C4D2
SHA-256:	33030A8FCED653A1D85A05C56C86E05585ADDEAC6CD7B298A57AD0E183571602
SHA-512:	66D3DB1EA165F1F49B36193A7BAC28B0834FB631386910354A93CEABA68AD9C5CE6953F046C3A97CB1EB10B9BC516DE09769EDD8CCF248F305FE66412D8382EB
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.F.]a.....2..~Ky....Dk...k.f..R}...8.Y..'gj.}/....<..,.6..!.P..V...e......E.ay..(........tq.S....X..g_..C..a...Z.z.VR.{^?..G.....U.lu)lJ._G..q{._....{.y..!.`.W..W.........%..o.k..f.(.k...?.G....5y.e.G!.M.r.'..].:..}.X...+.\..y.9.......}fZ....g[.^..s.X..l..(.S..?..v.._...:qJ..{...w..!....h.)x....Y+...ES....)YY.L..Q.pB.#8.~......W88..2Q.e#i.....:g..-W.<c6.(...k..T......ZW-N..+.^^#....WZ..XGn.....d..g... .vK..2.I...<.#..onl(.!,.;.....7G.+..../..E.a..%9..'.....X..zTe#.\.l.I.>cS{k.X.OK.3..3..c..Y.!..M..........\|h^.Rt..^...._.l.[..99S.;..p.}...e.....j.U+y?........E..E.P...}M.i..X#..........!.".r..I.......6.....hE....Gf.,..\|S.........../b6..q.O7..n...#?"P}.....jd.4T.B.k..@...1.i..tzi_G...1...rf..[f....LS.V..s.I....-50../.{]..N.<[?..V.q..Z.o+.C....[.e...J.o.J<........s..Y...T.....\.wF. .[M..H...W.r.!<........

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.745792799529898
Encrypted:	false
SSDEEP:	192:p9qWAhWGW4pICSjRof0cVWQ4iWnYU7h+Il+jX01k9z3Az3TzRL:mWAhWk2xlcQtEjR9z83/RL
MD5:	6B33E6F1D77CEC0901EA8E91473BC18B
SHA1:	A397D2C6AEAD0B3E57D413A8D4AF7F28E67F4166
SHA-256:	449631A3F5FADEF72ACC2C2F84765208D0CA014EC1FE93FB9AD805EEC1D40EAE
SHA-512:	8F5214E38202719F6A7549B2B97AD24288974CFB6CF0DA1E9EEC5B3B2092220F2330A260B17E28AFA90B90226666A765A4E64FE91107E2063CDE8E285F64773B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....=.........." .........0...............................................@......n.....`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7411
Entropy (8bit):	7.973871521418058
Encrypted:	false
SSDEEP:	192:lQqFTH2cLVAzEb5Il2xw6A6b42oLSxXaaiRirkwFjU9J:Vb9Ib6JBqaci+
MD5:	1C622AF4DC3E5649938C7542E4747F1C
SHA1:	FCAEF972C285C44D8A82F8027BD07CEC7A01FC21
SHA-256:	35006EA8FA8603931AA746B3D6B99CC6BFEAEF2FF0CF7DBD72BD41D84F5F7AA3
SHA-512:	634F9C9BC37DEE63AC55533D54C7D9F667539D3B7C8D43F394EF6DF45DB3D058071CF88FCCF82E52DCC6DDE40E0F9C05D2D2A9C2B80DC2F401E61A7E67B7E6FE
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.`3z.d......@,.X.B...B\|.....:..a......W..&8K.a.W.\|'....!-.$..3....i.,acD.l.J.. .......5....UB.U.\|t..~..P.OG....~.+.7..}..v..S=...xU\|. .0.....c...e2.~G......J..-F.s..;.s..d..,G.m.:pa...&.e..(...Y.h..'K=.....isq....0.,.....3..ww..V...?.x.5...O$..Q. .8.....~...ya=.....SmK._.#..[.....[..r.....uEm......lx.......oW.y..k#2.....j.L.,.S"..v.].u....Y..\..Z.U~G.hm{5.>...;]^U..S..W.v.4... ..%6....'.....w.........X.....?_..t...B @=.\e..~...m......d........g;.v...}.i..3.......p7{.2G(y.E.`..!....&f.J.......-.{.;./.W...47...Bm.YH.....V.'.T.O.Q..y...ZD.IT.A\|.Z.c..Kw.L....qog".u.dW.?.g....>..^l@O.=~}Y.".P..N....x...~......._.....U...4....q...<.1....G.........L......m..!...D....2.....du...+.9B...\|....4,xp.(&D..$.?z..\HeXQK.K..(..-.0....s.4....H../.. ...J...}c.~....R.....^"h...{.%`..\|%P.\?.d&;.T...~$..Lvw.`.w.....}K..O...0...\...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.569418929626657
Encrypted:	false
SSDEEP:	192:JWAhWSWCYtvnVWQ4WWd/q+KKnAX01k9z3Adaoy:JWAhWtCqTKAR9zsao
MD5:	2B4A3A51E075AB9819C6D6BC40EFB4B5
SHA1:	BC52C10DED8B087C73229DC2F98714B5A368F521
SHA-256:	D718E1B6C352112C2F8E36B4BA5ED28E6179257FD2FE944C4A0D404B5C15B5AE
SHA-512:	13B07DC2247D51DAD1AB9BC7DF93E0D3E1BD6CC4FD16F9AFF87CEFFD40A56933D569A5FB82177DEA7B6EA04EBF9F909F95451D123126155A13DE6A85F747C592
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...FBe..........." .........0...............................................@...........`A........................................p................0...............0...%..............p............................................................................rdata..X...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7256
Entropy (8bit):	7.975913617788272
Encrypted:	false
SSDEEP:	192:lQg1PbHbE6LddNQdzgVuvqb7QBIJisWM/f2Y:PLddNKg+2qIJl2Y
MD5:	BF4444AEB95F466B553CAF7C6C405FA0
SHA1:	62394C103127278220D25B4AB80270B6D84EA024
SHA-256:	6E0FDE2C1664BFCA7D8B582BBC8DCB3D522BD020B455F103C90632E47B72AEE2
SHA-512:	5523F7947DD5602E6CA59B81707968C9306D05B72B8335B7823CE9E6497B16A4289CED0A5EF2AD9EA9EF52275EC015562611405DE93918981161F1FFAA1B6FA7
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.F.......w7./].q...Y..Gr8!..z..0%X.z.Ts{-.I.r.......s/n...2c...5......_.U.>9@.^m..B.Q?Z...j..k..."..WY;...o..9......x......h7.,....1...F.vF.q..t\|UF4..v.....FS3U...A. 2}...w^\|....3Y.8.oc...qi.F..R.....;~...."...D.'..):....".l..9f.n.t.ym...2.....itHP..>eD....E...."B.g...&.....g&..VmM..p..6........L..R..)o..\|..vfbP.....(y.Q.[7...Du.E......q...J.".#{r.\.@.4....+;...@[..[u2.......t#w8=.)...>..D.x..Mi.=.75..#]..Y...n.z..../.Y.~/:.K...W.-Y~...Np.X@Y.>.7h..w.ZVK....GI.A.....i>.y.p...Q.#.....=..(....-.\|.I..).r......\|J..Y...Uiv..../pW<bG.....%psjfp..,..b.w.".bO@"..5)...]P-.....h...4.-...%.1.F..:..'.XP..Z....'..........(dz_]P[...YfN.Z.Y..i.._=y`.....;.J,GQj.\|.7..........k.oJ..Do..</.+..A(i..f.#..).W.. <....2_sz..CY. .]...\|m...k3@.K.{2._.01J.......<.ZB..O...46Np....F.;..Zh+....K7z.q.G..Z.......1.E\|....j-..F.7'...s.vGB

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.566717694457395
Encrypted:	false
SSDEEP:	192:YWAhW+W4pICSjRof0cVWQ4GWk2QYIN5vCX01k9z3AiRDZXobo:YWAhWc2xlcSbUJCR9zdRFX1
MD5:	607703B245D9B4FC69A8B5363FF626FA
SHA1:	DCF4626787EA220B19E08CC5BF9E55553A3A2AEF
SHA-256:	F65B1B3EA2767F98F0C29118E85B06F4E61654BEC34B60B3ABB593B24EC29AF4
SHA-512:	92D761F733F2C678946894CA72459B0E6DC62CD3ABE1073653104689AB48C19603E6E1109C07B2F110822B424430F22D112F87C629B99D0B3CCC16E179549628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...@4............" .........0...............................................@......3>....`A........................................p................0...............0...%..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-debug-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7262
Entropy (8bit):	7.976409554739153
Encrypted:	false
SSDEEP:	192:OubpKMqpLjiDajcRK7YCft3NQuMeRyaK4UYKyxktPFzC:bbpKrpHMUt7YKt957ZK4UYKBY
MD5:	092E7BB437B4068852267026656DE7F1
SHA1:	C73759313D43F7549DE526F171FE27DC937146A9
SHA-256:	3F1D280F6976DAEB453080AA76AED1E1CA6F56E59F5F78C14B7111D3AF031670
SHA-512:	B87893E714F597E6D7ED6EE59EB553FF2C4185B2B44DF2B8729D5AFC482F56FA4AF65CBC982C8EA6F237D28C80C3F498C6272BB2A088E78A33BBA908F4AACF10
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.E.x.J..A)b.<.T.O..}f..z.o..ct...O.L.}.....xZT..._........3...y..VG.<{..XGjFl5.$......\.....i...N6...`....S.2Q..'..R1....yf:Q....9.......efs.2E..fD:WD....3.....Hq...C1@...e\|.%..o....X.M....[;....^.$..,..;.d...v.L.D0.G..DP..r\|_..Js.....9.e.lZ.Y...0......1......y....P.I..:.4.A..h.s1..Q(.%sn.gw.q...a.6k...-..N.EowG.u;JACK...h.%.?.F.G.0.!...O.b..(i...B..S..s.Y...3....X6..0>Ay...].PQ...........Ny.....:..f...E._.y....g...8./f...AV..$~W..?.X.e.....:.^...,-..Ey...I.\|K~..l.R...U6._zr.q..X......LjQ.Pn....3..Ho8.+a.....hd.g.DJ..^..%a0........=.^.7...........<)eA.q.K...J....s\|..uQq.E.e....;..N...F....U3?.d........Z/..t=..h-........3.^...!d.Q..U..@]..)gFw......%>.z...sj.n..g.s.6 ...'-.d.....Fb...u.C....d.i.....b.(gs.<i.."[.s1.H7.....>.f#.....:o.\|.../P.b.T...o...;..#....1...A....EO.@.uqg...nus:1.-sp..%

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.615131561223465
Encrypted:	false
SSDEEP:	384:9f7xeiIFRWAhWWlReaLMB+6R9zqoHLdg5CG6:EFVros29zlacj
MD5:	059129BAE1776F03C59D3BA66A6F6DEE
SHA1:	33B1DBCABA1D16EAF5413F1378119CECC1298724
SHA-256:	A83AF0F79ABB5E5C818C6F38A38DA80E531081F3255CB006ED4C29635CC0B9CE
SHA-512:	6A7DA7E58620BC1CE4B6D3CAB1E0B746FC9FCF05A84D85931F845412301880786FBC63B31611D9442B5A1CFA72558966375EF14EDC749473E2B7C988DD20B675
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......v.........." .........0...............................................@......2M....`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7306
Entropy (8bit):	7.97465168649291
Encrypted:	false
SSDEEP:	192:2XPqvn8Uy2MhVF+qlPV6yYDFc/xgrYSbd47CfLv:QPYWhVFfl9SDFc/xgrl27CfLv
MD5:	25868F62B20FED67FA24DADE81D4466E
SHA1:	97716ABB983C16E828E260D2D292ADB6C1190684
SHA-256:	6FE6B1D8E2E212073CFD38B9F4B67896F0B6862455A3858A2E634AFF27AFBC30
SHA-512:	219FC2489A1075B9AE966CAD800907B7DD5F0E1A710026DBF2E8B48456AC5450440A943558F26BB7B8D1306CAB7B2B2AAE9F34214228DCB92F89ED8E3F15A00E
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.^u.....)qz....D:...Bx.....`.....3Z..2....R@.t.e2....>......j......z..s...t.i..6.P.>=.....D.....,o;..L......p..v>.........x.W2...?^O...`.XA/...D.....U...`2.DXe..Q...]....~..Z..g....K..>.h....6/....\rD.@..gG:_..w...v...zn P...K?.......9.0..UN..Lk.'".OH~.0..x!R.mF..$0..l.Z...Kb......Xal....9....D+.=%`..-..^..d.....W...{.. ..~.,^..1.c..h...}..,.0.eM..m8"...E..0...J....F....9....`..)...N:.mOy...g..5.n...s...M.....}....I.['.._.a..=.i...8\/........ts..!.0.p.:.q4.A..~.p[..p4....y....UD..C~.t$W..#.r.....;...O.G.MUi...f$.9Z.7N.p.j...8a-.TmF.......'..(...g.K.N..w....f.h....hZ...5...p\|..%.{..b$...H2....&..i.A.SIQ...0..Ci..3......E....h.,.W...9w...N....;.i..G...&IT.....@....%.\..!.).K...i..].z........6..;.T......\|\|...p...../R..I...+.&...G....B..V.....?..sJ..].6...J.,Cr.<F!.F3.J..KD)SI...w~tF..y.....?h._...,..6.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.554332090212878
Encrypted:	false
SSDEEP:	192:nWAhWqW4pICSjRof0cVWQ4GWGjwUBuvdOEU+9YX01k9z3AWW9q7fUV:nWAhWg2xlc7BulOQGR9zBaqjE
MD5:	9FA3992F5DAC5EA5DFA15B9669C68154
SHA1:	A453FB6C4064DA8C01AD03A4EA3C0434EFE82635
SHA-256:	9057131F628E547C14754D545140AD6544E64606358104DA50841E9A1B03F442
SHA-512:	AD73F3952DDA55CFAA6A0D6A0233DF785650F5965CAA4859B6C1577E3FBD6020E60B4B26338387690CC48B16A186D2B530708A71D2671AB17EE8904399DE292F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....cc.........." .........0...............................................@............`A........................................p................0...............0...%..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7241
Entropy (8bit):	7.9741498106504345
Encrypted:	false
SSDEEP:	192:OyRrXik29vHug0t6JVsCjAph4PSO51uKaoTI2PyWsWUgF5:jR+fvHfk6PsD+wKzJP7LUgF5
MD5:	7C5C9895D185EC4428B4735EAAD959F8
SHA1:	F4E06ECAE6DB01F83682C4587E2CA9FBBE3D2BE3
SHA-256:	096A7F4601B9B61131852AE5D2444403C0EDC9D6303494A3BFCEEF24B5B028E5
SHA-512:	8A3E0B72FE6B166B612BFE78798E5DDFCE785F631D23836859B4BA45BAD357F707AE3EAF5939B9AC6932622B90109FCF0B953CDD38B85B39872C73C0E1880DC9
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.[.....k "...c.e....R.>....,..^.U.S.Q...n.F..b..,.Sj.D..[X...^84Q..B.I=..%u.T...`..E_..L.b.ka...g..k..@z....S.....d..\|.znxN.....3.NL.t6...:Vx..v..Te.E;.....>..`..<.Q/u.$....a./.........p..x..n...+....0(k.Q..z4.}....H...rB..S...T(....8.^.!....Y.#n._$L..).B~..bK{........=.'...(........M..-..8@..(.....\s..'..>[l........./..p\:u...\|.....d.[../.`../Y2.@`....5...........Sy.l\|~..V.D%?.0.-o..b....I{.....o.L{m.K...6%Y}.).A?C>j...A.5....W#>c..)Q,~T..zYu..o.......l....:[d.....c~.....[....]..8t..i5....?!...i..S.$.&..U&.......7..U.9Mk......\|.+.53z.s.X.......p+.)...m..T...%2....J.......D...Q......J.,..]..V..8w.@_.=.@....\'^..IV..V..F,Vg.A..E....D...]...."t.Pw.;...._eJf?..U.j.(.4....~.=oBFZ...}..e.f{.....;&..?P....F..,....`z....^s...<.P1.<..m.%....M.....l.s.$...30..R..Y{W.3(F.u....O/.....Z>F\|.1...}..].o

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26080
Entropy (8bit):	4.837118118155243
Encrypted:	false
SSDEEP:	192:1NtaNYPvVX8rFTsfWAhWBW4pICSjRof0cVWQ4aWJLk4xOEU+9YX01k9z3AWBwCy:rPvVXBWAhWn2xlckOQGR9zBBwb
MD5:	817F9A76B7EADC1226B006CCBDD38A11
SHA1:	8B81897CDD4D48BEFA389C1DF2D0B887FFEB58CB
SHA-256:	99ED148FFBB35829480412DC64DA6AD24DFABE2F9A0EFF9BA1493455D7127677
SHA-512:	53D8B2561862C6B2465665D761612AAA8B7ADC887058260FBF970AAC0FB006317283ADA01468B1E042FD9DD44DEF90451793AFEE297ED787086645CEBCE45CD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...!..e.........." .........@...............................................P............`A........................................p................@...............@...%..............p............................................................................rdata..L........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 26080
Category:	dropped
Size (bytes):	8100
Entropy (8bit):	7.97817882007266
Encrypted:	false
SSDEEP:	192:eiWPDvavBNzZ1cHar+2q9fPCbIPGh5HkYsdTAF:sIP9rr+9fPgIPOATAF
MD5:	310198BF252A40F6F988D7CF86A200ED
SHA1:	CDD02BEF9D2A4C66D4F246193DBFB190AB30BEB4
SHA-256:	DED9999A48AF1F6C0C091A0F932FDDC33744D32F58D4954D496373115081020E
SHA-512:	F7DC091347882F5F74422E1CEE970ED9916032670B56FCC076242F06EBEC7256A62B3F4BDF85FF61913678CFCE4E7C08FEC2233D654E7EE669038B8054BBDE54
Malicious:	false
Preview:	]..@..e.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.@:c..-4.\a.X....hP.....Ue.D.H./."7.b.8..dD/.z\|.N%z .....bY.7 T#....m}..X.+.i..G.t........{.VM.P..U...\|.......9.cYn^$.R..AQ.y..P......nX.....N....mt.U.i........n./Y.....Sqq.T.......$".%.....VGe.3.z_2..]...2..39.u}x..G....$.\|...'..1-.1....8..0..x.)_..{.02....?....W...AS..58.#.s......+.Y..9.yhh..$.Z...Q...3..E...2...+.w....W'?.........6...C...[..=...Ks......7.H`...T.IP..8c3..x{.?U.i...\|7\..g.U..@k..y..Q.@1M,2S...X..-.q..../zM.V.^c.....A....l.tk\h6...N.P...h...:.uG@.j..!h!.......b...U.........U..B.........v..@W.\8..a.Iv.":.H.7.J.....I....R...........7.gjPIj..<Ku...,..$.....^5........&aO.".T.d.nj{.y...W....h...SDc..W&..Bs....f.....8.t.$............v.Q.....A........S...R.,...!.}@...'.1.;X.1_dD.0.m.@..v..<V.z>R....4[u..@..\|......J:....?...T.{\|`...NF.R.._KS...;..u.;...2P.\|.R...P.\|e..C.....L[..`..R$..a....3; ..a[`.z

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.585310852882511
Encrypted:	false
SSDEEP:	192:hsIkWAhWW7WCYtvnVWQ4OW0mOOt5equ/X01k9z3AFpYlQ:h9kWAhWWCK56/R9zgWy
MD5:	E334F2FE1E0E6D5D6966F139ED328D97
SHA1:	68B2CD826F3DFA59531397EBB3F382DEC9AF5FE5
SHA-256:	D56EAE93C55ABDC8EB77D132777049634E28A9B59FD4B2101D51351546B984D1
SHA-512:	FB6EE02F06447C906A4353D93CE247E14A9A1EA4255819A88E395AFE2E3775FE3AEB622B7A97D86086D88C739BA4D2E2FBA9E8FD6467E167FC75D595C9182327
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@......~.....`A........................................p...L............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l1-2-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7269
Entropy (8bit):	7.974411580181125
Encrypted:	false
SSDEEP:	192:2VPivY2GgmuM2E8KTigRUvMoXpXlepgvC6iJ:QT2tM1pizvMApXhvCl
MD5:	F4DBC085DF2643B792A8856132C75124
SHA1:	0C48D8C5927D0165EBDC308951BAC2C55688FFEB
SHA-256:	3BF6E0A0A4399D21196771E393C296493DDF0723027F1E5E96074F9FA8574D8B
SHA-512:	68920F6C6A8A0EAD92178E259D3A40D1E8BBE540F068B6FBA742EF7D5E1B4BEA193FF1FDDEFBE6EEC21FB5D6528A2A4D8152E0BE0FD389EBD9F5F838C2FA9DE8
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d._#..v`5.....I....F..Y.R.F.L"".2.6.z........t....J..eN..;.!.....]..1...Et.......l..J....Z+PQP..-p\|......LVc.)....<G...~.......uUzakO.{.@3".>eZ.qa(...Z.S...pgqU.V{....F...p...E),....L..@..O.....s..KP...{..5.6......7.]~.&X....s.n5,...'c6.........2W...V.&.+9..t...(.a,.$. ..>. .0....X...=W.%w....T..uFs................Q....<..r.R........7Zq4...0tG>.O....o........i..m.........9..T.k.s.`m..Z..k.......h.y-.@.....Q.q....@...P).D..@..j..o..!8..%.a...{......fT..2..O(H._.o...F...6sC.7..W..M...Q.ut....~.}R.......q..w...gb.....R."..xV.n]#E.......n.....@...H..;....7.bX..9%.j.5...9C..e.;.........i..a`.Vi..X@5.f...p.....q.iK(...p...R...hW.....}........m..X....%..E..J(&........./c...^_+>..\..&....9=...Z.'......a.\|.X.q..S.S.....eH.......E.J..M.N`.5.3.O..\>.V......!.83s0.......3\|*..d.........U.;N...._...W...3...m./..%..:W

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.669696963438038
Encrypted:	false
SSDEEP:	192:iCuWAhWGkW4pICSjRof0cVWQ4iWwLuCFaqDu0K9X01k9z3ATd83:zuWAhW/2xlcuCFYj9R9zsdM
MD5:	7F0EF1CF592D04B082B65F75584652CD
SHA1:	F7B9A2851A66A6A8EB509F2541B6CCC3B551F2FA
SHA-256:	9F496E181B1C862C7A7D03C09D9B0A5361535C98ACBB1A9D50A27BCFB0A2BCC5
SHA-512:	30D2D695773E7BFD67DE8691C40E571B3B91858E72EAB3D78C84902B359108E9988247BF81689AB15FEF6ED0A9EF62031F1937C6E7CE4CE8E1A34970BA23E727
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....mR.........." .........0...............................................@....... ....`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7368
Entropy (8bit):	7.974865745945421
Encrypted:	false
SSDEEP:	192:lQyamPsrGPyeMG9UFiGe93AyvCi1JlaAfEWdQ87hGfWSt5:phoRcqFi593AyJaA8WCYGf5t5
MD5:	BBAF718AB0116D8ED46D57CA9B636E1B
SHA1:	DB1CDE8D62AF894EB4C1A75653C9697DD7E1D353
SHA-256:	68656BA6AC6269C14DC3B06390E7AA377D5AEC6D85D60CF3DB34EAA0667AF3A3
SHA-512:	2D4F25181E0B98F332067B1A6CD6358E35B29601803D70CFFFB9178088C190F0B08864A0824B90909F48ECF16AAFFD1C47141439AD76ADB2561850035D6F1151
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.RD..-.....`.Z+....I..S....N.............\|,.}F.7[.a..74q?...Y.....3+`..`..t'[.."^...........iKP.....S&\C.s9wG..@.h).`0......._<..7=aPD...(@i...u.....=....;.Hp...'t.....C.z ..Z..W.bT..MHjOD0....26..ar.e..u.`...u^.R._[Y].w1=d.{k.}u....&.+......2........Z4'.....m..-......{.q. ....B..S.. ..X..@.....0r.z.HUxF%...3t...O"".E.g.3.].L.`8..;+2W;.7.\|...])2..X..4f....'.....T'...K&..Qhm..\......k.[?.]....1_R.Iq.:'#qWf!...........Ah.7I#4.L^g_K.0.......SQ2Hw6..6....9x#.@...+...N.L(.....nKd~...1....x]Z.......F.,..v..l.D..X..1.zBZ..Eu.....}`........(.h../...u...r..,...3..sJ};..W...2R....{..x..^..C.E.:.f...."_.L...DER........\....k.vQ..#.*.u._j.8.EI..G^ V.....C.@.?....y6.j.6A-ncW.>v..:..D .#m.pC.....>~.....}B..@...-..E..z..M0...v.Es;..O..T.e[..1..T..rR..i..z......[...>M...w.c...{F..w...p..A..c..+We..U_b..Z....k..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.587345105035237
Encrypted:	false
SSDEEP:	192:jPWAhWWMhWCYtvnVWQ4OW8vpgVt5equ/X01k9z3AFpT46cuwY:jPWAhWWMAXp456/R9zg5Tcu
MD5:	1902B85A588178857E9637902E5A1B85
SHA1:	31AE4CF76A34CCBD92FDBE60BEE080998741EF4D
SHA-256:	5E48C99DD6318B017686BDE507CDCB9D6ECF25F4F78F345845B865E443F1EE66
SHA-512:	0755E9C0ADC9E374060C851D4F7FA62633EC07DDE0BBFD56FFC9BC8ECFF5B9EFD6FA8418C43E838770EED43A54A48FD61A41226D9EA84834275A4A36C7796472
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@...........`A........................................p...`............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-handle-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7270
Entropy (8bit):	7.975182887500323
Encrypted:	false
SSDEEP:	96:FQ/EjfBHukAdFYRhZiHJ27sl2eIT7mpwF6C/62xmugbcl9+FQn0TkG3Bs1IvXgOI:2/Ep8uB6o62xmugxpTkWB2EXr3WCs8K
MD5:	B0F454DF8619D28B9058FE410ABE7B62
SHA1:	DDCFB33E8F7F2CE8D6E82D3594CB6361656B4DE1
SHA-256:	FF1BCA6FBF39B3BADEB21D82D8A4757EA4E00138BAB6C82EDA3A62ADAE7BDDE3
SHA-512:	35EA604334396898F20EB8A83C7638CA7FA283A81C2C8496DA05CEF834AF4AA7F05E9E769A07194704FB64663388DCFAAFCEEB7AEA913EAFBD3B8B75FC4A4E37
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.Z.vr._.....Aw"...F....v.W.D....+.G@l...6...+... .)..4. O...)W^.....F.............. ...3.>....9...u#...........x1AV..."..\.k$.>...q.Q..S.i.........i8...l......nOD.+5.(..f.R.V....P.5Z.Kp)0...R..r..>.A.2(..H.......:P...WlE.....v..?Di{.Z.W...Y...Tw.J..cF3...w...].....xQtTa...._........"4I..a.j....v..T\...../..5#..Ya0....T...J..AA.,..`..?.E...&.b..Q.w.XqW......x..i.............Y.@...p;'}.a..Q.UK.mx8.=.....SR....Kt\....=\|R...5\X.......T..KtW.^.;...Tw....;.....hg...7s.......}]G.y.%.U..t..)4lko..P.@Y.:./.e>.&..t......3.. ........H(...,...y.u.\|..i...&.P.!.`Y...AUM.I....o.L4.@.D.n7.A.n..<x7 ...\|....R...y.L...?.4.9...S..sb..<.......]'..4.ia...g.H.).ue....K..CFh..!W.t9...S..+?hg...e....X....5..P..b.[&R..c@. ....y.5......0..j...j....qi....\|.``.......!.4.+.fS~....9-...B]..G..._.R..C...8...M2...i.....9.,...fV.."e...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.702065061071228
Encrypted:	false
SSDEEP:	192:UxlwWAhW8sW4pICSjRof0cVWQ4aWQVKbOEU+9YX01k9z3AWl9:UxlwWAhWV2xlccbOQGR9zBl9
MD5:	892E47390F34AAC7D20AFE63FFA92F20
SHA1:	4A78A77AE1D5BDBA55534167F781A3C8675C7ED3
SHA-256:	6070FFB5E20ED032D460D323DF981D369FA68045FAB130FD100803A00AB88C23
SHA-512:	8B37866EBDCA5047673D984BD779B1DF052E3D44E3FABC3A4CE2E747489BAA2BD86ADD629D95C76CF08150F74281D89D46372EF64266B90304CF7DD581AF3A93
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...)\Ix.........." .........0...............................................@......^K....`A........................................p................0...............0...%..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7394
Entropy (8bit):	7.9748851722637
Encrypted:	false
SSDEEP:	192:OaPWUMDMFVhHeqQNIefhkiO+e5UJVGMlQa40V7zMSV:bVMDMUqQNPkiO+yooMhjzMc
MD5:	CC73C1319E2A721BCAFBE3504BA769FB
SHA1:	23E22DC271C3C2F10CE8F24257AB241F249CE2B3
SHA-256:	CDFF3F25E42AA696D07A0292751A019B27B09BC79AE822CE09627F385012E637
SHA-512:	750F9795191D070F2BC6EF8B042EE27759CB327C618198157AF47B0CD175D65ACCCB37F86142D4AA23337F5D27C6AC348F10318FDC0F55F31AC2E52B540B7174
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.A..e.p...8.w..Ph.^.p..&jf.fG.+...+....~......2...C.6%B..q..mZ.>...^NX?..Z..FM....<?n.Prk6@z\|..{x...V.....c$...t>..u..m/....',.........R..+...R..,WT}.l]..K.h.2...A.\|s....L8.EjO..e.9@....w.J...P......Kw...f..8?.v...U...o.y.%...s{g..2.w+cE9...#N.&1..s...l.\|.Pv.5E..D.rd....w..vAQW....t.]0...$...a....v.4.K cy..u.V+.%.k...R.,\.?.. .i..6<2E..64..,.ye....6HL..2..Z2.<H..g..^k..KQ.ig..[......a~..\a6E.!;J.4.1=.".Ny....p6......... #.{.q#..\|d..6....Y.He.N.q..J..Nh=.J...p...Y..s.w...?kj..+G.=..t$'.....l...2.G:....#$..zi.h.>.........0.5.M....s...\.M...{B>_.%..{...aw.Y.R.a..#I......6..._.a.#........V5...Yv.h.3.e!...{.L.B9.....Q,...6.j{..O..=.0..,.!$.U..x...@.lZ....6...G..`g....f0EJ..M..p....1...[&.... .%j.h....C.s.......R......h+.H#.>.8.5..D...]9_.y....g..@...7........!`.mk.B.27_4..^P00.N....q...{T.@...1....#?,.\|..`..Q..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.616496394521552
Encrypted:	false
SSDEEP:	192:aDWAhW+W4pICSjRof0cVWQ4GWgQirmYIN5vCX01k9z3AiRYCj0+y:aDWAhWc2xlc1frJUJCR9zdRYn
MD5:	D8999E328AF5EE1EB23C216336637CB7
SHA1:	A7BDE6C833E4D6DDEFCC4050997B1583FF1FFA42
SHA-256:	4EA02B683513A157E21824B1C1E9EBB782D22F14209B67961F97B1F79673D3ED
SHA-512:	4F041ED2DAF781B7F86B4459E74330650B2687EE46DFB961ED7A0716AC7AD2082A631CB619CC6D3C7D19F550BC030553B9656AEBA14F969DD52DF0B40A0E418F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@......\|.....`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7310
Entropy (8bit):	7.972299133320187
Encrypted:	false
SSDEEP:	192:OkXmWdNucYBhRIpBUXRk10/XGgXbm2C6+I:ZWWdERL8UXBXa2jP
MD5:	26C7C2230FBE9978A65533AEA7773A3C
SHA1:	C23C1D96836937A1C5F341E1657460DB26248721
SHA-256:	BFE2052A70A53E6082A3702547B1313D2DE53CC9A445CA6E30ED8C3F8CC62E67
SHA-512:	BAEADFAA2DE0FD60D64690D7335DFAF43978EE9B2468655CBC799795998BEDE521B4B33D86DA0AA891E7780B04DFD594A97B73FD15CB4B6998E133F24F47EF0D
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.P.`.....N.........o[ilsw.tDv9...'.Z.5f.._/.T.}..~}..H.0..?..J.r=...R..r..%.I.@Z.^..zt...A ..X}{K.SJ.{......0.91..,.....a..2.F......%^@..X.&oo&...P...K..}.".X}j....V_.b.."I.-O[V...b....G.?d.4..uyX.. . .....~.....0...C)dk.h.....&..s.F.......c.U#..+x.S.....U~...&.g.C#..ReV.L^.(..N.../...av.N.&.J..6%.P.).d.:I....{u.).J..4.:.G.G........ya.x...z0q8!'.s.0..c..F..A..z%.."....... ......\...m.....!.....i.4....M..p[.\|.]v...._..[).W.}..6.h8.O..`...9.8..L.3.w.....RU.=>..n.s.5.$....Lm!C.M-.{v+t.C......#j...../...Cvh.9[.E..3.-vO\..A.O..@.....=_n-.. P6.<u..p...M_J'b.._.....H.:...i.\|..s.e6..x..1c..1.......O.....)g$t-......V.......p.Z........;...[......v.".=..9.!z0]s....(...X&....vv&.q}Wb...q.Z.x..<.d'_.^Y..m...s...&F....f5[...c_...{...C....n.../&.3(.;.K..G+.R.-........C.p...}bH....0....I.z......7...~...X.WY...dm.(0\|4.jMZ.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.839363272167962
Encrypted:	false
SSDEEP:	192:ETvuBL3BBLRWAhWWfWCYtvnVWQ4GWPMk07iK2YdX01k9z3AcxvEaJcmIF:ETvuBL3BHWAhWWGvXgwR9zvsuE
MD5:	6337654372AA9ADF6A8FC97D9676A33D
SHA1:	B790F4828E7AA18CD0EAE77E78C67DDD66F3EC5E
SHA-256:	6FC551CFBCAA0F90ED24DD09FA117E9FB3B6755A3FC0251D33CA64862A9A3414
SHA-512:	4A888D71747C64CB4A964D8DF956C5ED9E3DE9E8CF30D804E3BA76E8C35502E1802423CE527A419935B0D8C8E4C0F6168657B2734AB79D01AFC946521A88D528
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...P.1..........." .........0...............................................@.......6....`A........................................p................0...............0...%..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-libraryloader-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7555
Entropy (8bit):	7.979287736427383
Encrypted:	false
SSDEEP:	192:2CJ5qlhaqI3yb/M/nUY8pF8B5R2ujmmNcaIyymV8TfTaB:d5qlhaqqybU/UY88DzTZye1
MD5:	A7C2E9FB414BC773FC872FA285466B98
SHA1:	4AC8C8B5585146052E21C1FDCDE56FF156838A46
SHA-256:	BBFF85932276575DCDA24DB0184F54FDC4F274918EC15F15F1C9EDEF197BFCA8
SHA-512:	8AB8991BB26FBBB8463FEA5889FE6AFEBBB6049A1B03D41AE611F8E14718AFE8ACAFDC045BBDF89A3A1199502AB483BE7C6118303B5D2E73C47C394F411928E6
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.i.&..z.[k.O(:.B.....V.....u.%L..47.NL..3.....B .f...+H1...!A..).N..IW..6.ow....~w&.&.!..N..2I..........Z.z........A.....a.h^...M.P.m...}......C.@..w.s~..P;.I.H.....ym'.H...]a...`nI..G....ra..2.......5.^.=...`.$..%..].?...!..aG.L../..w......_....O.t...F.b:^.v.....l.A...v.D..$Z..C.E.L..">..E.......-..`.....]kJ....S...u..H\|.V..N.}Z.):n...\|..wA.'....7.^....V.xY.....<.C.-Mqi......5.k.Go............m.._z}.h..\`.......:....>bJ...e.L..N..Y.8.>..3,.+....8.j..]..9....Z<.....U.1IZ(.3.....c..3l.k.+......P_+L.....&....j8...."..Bsy.C..p..6.5.C.r...O.c..S...s.'.uu^.ET.....r"n.......W7...+.\...5q.wG..4Uh..(.....W3. ..p.#B9..Tb#..A.q.........U."E...~$d..hq8n.7.T..i......sK......i.q[Y.wz:.P...'8;.sH.(..Y.`..F......{..?.r?.v].PE.U..P_..F....s.....>.....,e.".. ,..$.!L..r.8[`.5<p..*...j...8g..W<.r=...C.......&;.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	5.324569432191895
Encrypted:	false
SSDEEP:	384:RnaOMw3zdp3bwjGzue9/0jCRrndbDWAhWWVAKwR9zvhQ:gOMwBprwjGzue9/0jCRrndbPJM9zG
MD5:	D4BAD006E413ACE7D729B1249C49B92F
SHA1:	CF0DFF1B371316C8517619FDEFF81C583268BAD3
SHA-256:	245D48BFCE5CF6E9C5093E995D6AB5988E2401D32530FD6863BD5F8FD688D780
SHA-512:	D1A5001633F1CCE60DB2687DA28706F66644613672FA8487B065E3AA8D77DDCC96D9272C665D894B243E222E1C104BE10BE1DFF8E5D007490E50F2BD2A708D0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....3..........." .........0...............................................@......aF....`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-localization-l1-2-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7955
Entropy (8bit):	7.97333975311743
Encrypted:	false
SSDEEP:	192:2ChTIo6hZY0/dDy8d7bFV5usmcq2qxYZNnnsPacYwa2MLwI:7V6zT/FdHxjXq2qxiNpcgLb
MD5:	7E38537A394EDA17FDED8F87190B6A77
SHA1:	A6CAA5D61E3A6F1BFC0A26396F54053683813CDC
SHA-256:	D39086030BC35574C5906DE3B0226131111CFC62E5F9FAB9877D24E4B8C96494
SHA-512:	FD7877B5ED116F9544E7362144EA801B346742721C8A3BA2BC0FD6AD156C50E1B1FADBA63A405B9B6034BF14E2741DA416C550164BDDBED22B9CBB1B98749907
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.9...B..@#.Ke...h.F..U.`.P......5..o.N.'k........n...o...<.....E)Z.A..z./.<!3.4..4..]...e...J........)x.FG..$.........ThW..F.......7.A.'A?`.c.W_...bM.j....)M............p3CSH..x.....h..,...8.....l.`..-l..K.9.T..x...}...)..b.F\|<.5[...R..?-..?....&....aG9S...^.a.~....D..)\.$.4d.,.5...?f...c.8\|W.z.o...mjW..=<<..h.T.d.. .....K.^.q......,...'..#9=....^.....Y.-B..Zo..:.....#p5..1.....%....1...o.w...^_.u.m.1..2..em....s....@.....l{.j.....we.v'.<...a....a.p[.A..a..6.i<..$7?S3.4h.@NV]..A.......z.K.`7.$X..A)..D.&6.?......o.E\.<..,..\|...EP.c.O..jNBB.f....E...~....D~.bx....}lP...p..1..b.......Z..6..\|x....R.F.q.~..P.f.b.>0...-..lWU.t.>.a..S....0q.#Y..L.<a.Um..iO.t.w.8B..........j.....0...T._........1..J...W^.5. GS.l....rV..1y.p....\|..48.Y...9... ...L.Z8..1....Iby...F.....2...].....p....`m.7......BtH.....u.......dB.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.731117607281418
Encrypted:	false
SSDEEP:	192:FqPWAhWnW4pICSjRof0cVWQ4eWsxiRh+Il+jX01k9z3AzRf:F2WAhWl2xlcJw3EjR9z8Rf
MD5:	714E850AA29E808568933C5ED8C7DF5A
SHA1:	AD84833BCAC69B5217705E1C4D33D54C856525E1
SHA-256:	4A244EEA4596EBDE0F9094CC6DFEEB5ABB3C4385225BB0630EF55A431FE1C4F2
SHA-512:	3A220AD4E2FD49F40F7FE5FDFC53608B114661F31993C0329E993C5D733B6D6F3A366EB46F93AAA9D5CAD90766B21D85E5CCD09CB9C5AB905118D70702A3ED11
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...dIx..........." .........0...............................................@......A.....`A........................................p...l............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7411
Entropy (8bit):	7.972527601095368
Encrypted:	false
SSDEEP:	192:lQzAGGS4fOI5eaM8WCRIT5nqrkSxNQj0ol5zGBUON2kIEt/:qAzJOI5kC2T1qrkSxNc0oDQBIu/
MD5:	50B7E4E6DE87599FE15DB9386DFD764F
SHA1:	B55FAC6A7A39C86C3DEB003BF491910541E3C8EC
SHA-256:	A46E8C73A7AB2316C00E075DF06CBA1465C74116362CDEB05691417CABFA7AAC
SHA-512:	C4D369726C96B27B3057D56A3CFE48AC4440B0751F54C7105A23E6C44DE6EEF1B958281200234063EA5EC69530A3D7DFB8B836F97061F8389B8D8488F1F7DBA8
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.....fb.......bk&..P..m...bq/.V.A..&....Pg..g'8.=.H...."&\|vv..uYZ.....RF&..........Zo.L....:...7.;.'.DAG(8-...O....OU...7tH.Ul`....G....uH......N.@T..d.'...W.P=..=....U..@i.Mt.t0..D=~....S...l..zK....HL.ah ..K.Jj3..}"..nB'6F...K....m/ ...&....x.qz...Q.........OiM....B.Q.+...B..=$...X..F.}v.h:..2...<w"....Z.Wy.I=#_.o.1...T.c......B...4i...W..wq..Y.@~....!y..}.q..B.........Y.Ef.;r.s1.@A..N.T..)?....X.G1...........Z..3<....D]+.j..w.....V.....*.........J+.?4..a......:..I....#.......,n%...$-....A.../.M.]^G...z[.}.K<L..kGX.lQ.Ze~..L....22....<9.........8.".....v..'...L~.D.j.....#..i]..)...K..g...\|.G....YLV.X<.V..}.L0....q.g. ...Se.......MA.B...XQ.ML...)Tf.e...!S0.w(.0. O.......]..H..l&).....\|x.z..NM.....4n...tx.../.<V..+.... .#a....'}...b...D...U....../7.c....].,e%.^.....bP.[.gL..."o,....p.v"..t.?X..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.6757492996691825
Encrypted:	false
SSDEEP:	192:8WAhWpW4pICSjRof0cVWQ4iWa1O7IL0sAWAC/X01k9z3A5S0tL:8WAhWv2xlcTO7XzC/R9zuSIL
MD5:	9AD2E67F2B1F04B760DEB00B889FAB53
SHA1:	465314C9BDD359840F7DA11A619AD0B409C271D8
SHA-256:	5662035361E37F6C5E4A5A19DE134DF2EC20BD4C0F1BE803203B37C95EE61265
SHA-512:	CDB358848D48CD3913E7249EAA45470BEE4BA9F9D92D975215018477A57DB930C16B349541DA2D82A2F9131220EC3B3CF9FF471CA411C2F705BFE916E8736BE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....2............" .........0...............................................@............`A........................................p................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7365
Entropy (8bit):	7.969278132083918
Encrypted:	false
SSDEEP:	192:lQMPUQYNZYTCB8ClhjxNm0goijTjhPkNi/F6ziNajhZK6:rPUYTC5NmowTjNH6zuuho6
MD5:	20979662C7CE391127D0B0B278FE1D90
SHA1:	FE733EC498632B32FDD8068AE11C4DDEDAEEBACF
SHA-256:	34B1448BCB1D230F8D7041442C333545BD419E1C706AC344A9D5B2A7761AA7F3
SHA-512:	F9B44A42BC9EB3F15AC20D3A79E113954E8D9F43BB524BB1F662D087F67CA5834B10B5629178E329358DF131CF58BCB6A8FFD2D0B45313B6BB5E0BD13F81F479
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.\.H7..W.\|N.&u....p.#.....4...........b.u.Z^...B...:..M\|..M...dz.7.oR....6b..1.?5. q.+.....>}...;i.o.....-...z..(7....W..U8g..`...)!.c.....=....~L...K..$.......4..%.....N].Y8..0?.....b)......%..NjD..uz.:.<y.1.}$.cnW(....B.k.%egz~.1.....f<.~.9..z.......o;9...d..Jt.......=juKA...i. .;.I.>k.........!.rSj.o.............U9..M...=`...G.67..1`^...T..i..^.n.I..Q........1...<~....J....($.`..e g...'Tm...$.qM.../... ..f~..v.2.Hx.~^H.Q...n.Fo=2....\|....^.@g._.(t)..Ov...)....<.q......$.d....su......J.c.-P....p..-hc..v....N.X....i..].2 ..7{wp.F...L....}g...R...uq.. R!A~....#..!-kO!.....b........Q.A.M..j....JI..s.a......6...g.h$..J.....q(#..d4Q4.G...4.......%...w.B..L'.\|.....-h0..G1.x.hM.@....m.&M..P..H.+.E.mS..SaZ9(.SO+...Y.......m..4..H..m.-F....b!....b.L..g4.'W.^3zo......Q..t..sW..~k..m.T.....^..m*....X6.g......

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21992
Entropy (8bit):	4.858532007429405
Encrypted:	false
SSDEEP:	192:eF3aWAhWaW4pICSjRof0cVWQ4mWBSMyEBsvH3Tz7PX01k9z3Aeu6C2m+fmBfNUJP:eFqWAhWQ2xlci72vH3rPR9z/unVhBf4P
MD5:	772D6C07E47E77A4479C7A9ECCFEAC4D
SHA1:	B88DB71FC80EB57182DB6DC6AC00B022E1E47CB3
SHA-256:	2C9A8F8D47B49D04A82E8E689AE9F6552482B1861EB8398F3733E97327191C2A
SHA-512:	F87BB803E818372F57319AF97227834673CCE9988C81FFD4A3D1C6D7038C6F7398E06A7133A17F063CAE152AD27666A6D18F87ED77BB46DBE141C1272BC3AC84
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21992
Category:	dropped
Size (bytes):	7495
Entropy (8bit):	7.97070858022606
Encrypted:	false
SSDEEP:	96:m9gOfcp1FDkL+08/n+iHCUMtW8UJXac5mV8Q/9YOwWGk9hyOQ+ijJjEDUG+UXqTs:mg0O/+AlMtAKumVh5/TOjJIDUGrXZJG2
MD5:	2F27BE535CF7BA8EA5191854F4E082A0
SHA1:	7F906F1EB9454AFC2182A0B0B5CF0FDBB8A8C945
SHA-256:	FBE8836CB0E47768A8150F70D7A7F06D28C2D07D0F8F1DFE1C0B375F4886EAAC
SHA-512:	7E3690751DF1CFB69A48D6B2851CC9C155B8A43EC85031184F1DB64D4E7D1048F9BE5FC2BD2FB00C58B4D988AEF07E0F5A3DC8E19CB5A71B690A73D968C8E04C
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.X$.j....\|[/P&..,X..L}..wvy..0...._Wl.B...(.b......Ly..........v.?.<.......o`B,.p..%.o^..{<....J.......uQ. .+..z..L.e..^FJ..G-.i..Z...k^..:."#V.....s.}.].~..[..........}7..qb.m..l...".;..\....y.EQ..+G@.2.0.4.W..Ka...V.l...o.....L......}R....X..Ww.. .qz @.cR3......:.!..q.....e.[....O...n...71o.e...`.sE..+..R....}...Yb.S..Q.(...g:.....l..j.....&JdC..(q.}V.K0%Z.S..>...=8.c..3.nx...mQ...U=.<\|.@...+.b3.}...T...~.....6......I.~.1g.......kR.......'4w..HiBB.......<......n.\....:aoC..,...z.H....a@.;%..,....`=.!........]......._.... .=.}......m\|f..I..qc6w.W.....h.;...i....qlm.:B...H.........Mq}.\|...L$....mB.w..j8..<.F..b.....qK...o..p.F\|....Xr.kG1.x...h......q~s...uU.."...VR..@..X..\....B...b.Z..p...+.?..n.....w... ......g.aJ.o...D...E..%......L.{.].}.w.L..Y...l..w...c/y....>F.o. .O..A..Q.K.AZ.. .:.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	5.203730016113422
Encrypted:	false
SSDEEP:	384:1ck1JzNcKSIGqwWAhWX2xlc4VEOQGR9zBxOwJ+Go:5cKSjy2xeOQ69zDz5o
MD5:	9AC788A87032640E046F305413585503
SHA1:	41B74CECF0F78134204DD3D8AADDFAE34D6AACBB
SHA-256:	363825ADB27D5A5BD249FE58460A977077F823E50DAC7509E124FCBAC1512128
SHA-512:	CC725796AF3F7793CE6E6FAA96A201EBF5E77ED00DFAC3211A66A95EE071E559C9EFB8E47AE0287D9CC1FEDED559000A582A2138736AB8C628325428C78E648C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......Y.........." .........0...............................................@............`A........................................p................0...............0...%..............p............................................................................rdata..4...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7877
Entropy (8bit):	7.9784111629772925
Encrypted:	false
SSDEEP:	192:OSUN06qAlexUjHdgz8GJm18OCsnOBweZzzqC22SlFZgRTuO7M:4m6qAleyjg8GAjC7K/lFCTq
MD5:	C76D6D18082A389661833AE38BB45994
SHA1:	7F9735CA314CE5AE05DA9535D5D08CD74966F271
SHA-256:	47263BD7A8578128D8B303C377C740CE2AB0B7CF957AFA4217660ADFE52679FB
SHA-512:	C27FB0F44231693F9D5838590250C453D40D64FA9B62D8B99BE37FE94212E39D846CD3F133350C7991F7C08F0C456DF9EAD0EFFECA2BAAAD319E4E3DC9D6A486
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.Sbc...q....!5....-.M.R.:..#......V.............P.t.o..J...;..2D.....>...D..C..\|...gN..dh..d7.N=.......EXu.......y.....z...1..W$.m.v..QS..iB.x.U..X.....F.tg..bX%..Q.......i.<Ms...!.0.]la.0/.3.6..0."..u.>.!aV...i.6.j..<?.bO..{4z>....Iwk".....E.J.R.!M..&P...Suhm........6.)]....dF.M.Q.p..g.x.....dC}..............Uk.R.~..j.)P;V.L%-.C{.......F7!@.5/...M<...}T..o..^....tE.]p......z`....\|........7@`NIo?.j....<......`...b"F.F.d..2.v.Ko.=.j. .+....'..Y..].#........G.`."......h.....`Vx.v4.)N_..Qs..z.z....Z.oJ}....=.HLBK..o.&.K.c......d.?...?....G..o%?.ruc.<..V.m.........%..k6$.P.]D.G#u..(^.#..L..h.2X=.N\...3..F\.....N..gX...h.Md!.kn?.%lN;.p..fi...M@...u.....c...*r]...-q..C.HHhE.Wu.19..T...l....^..>....A...cY..h.11..z..@.C..j&.Kg&...n/A./&.Xy...X.k:.-.@Hh....v...........^..hcxL.HH...MxE.T.u.G..;..\|...D..k...%. .N.q..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.7606594391551855
Encrypted:	false
SSDEEP:	192:E8QpUwzDfIe+WAhWhW4pICSjRof0cVWQ4WWVPsUuks9gICQX01k9z3AbgHb:EtDfIe+WAhWH2xlc2UUu/P/R9zJ7
MD5:	31F60BF9A22A86CB8879FCE5C1022254
SHA1:	23CDAA4D6AE0E953D083B968558A2AF49BF95A4F
SHA-256:	53AFAC76A7124A132A7C11261F3B6BA8D6A5466E7E8F683C8D12AC370B7D6B62
SHA-512:	C41EBB39CC0939B38D788B692E75C10C78A806CC8844D8526FF25869777EEFD086518CFD817EBB700E20B3937401D6C0F7F506BCD479FAFE1B801507376F4BA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...%p_W.........." .........0...............................................@......\.....`A........................................p................0...............0...%..............p............................................................................rdata..,...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-processthreads-l1-1-1.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7447
Entropy (8bit):	7.973781985248784
Encrypted:	false
SSDEEP:	192:lQtZCU5KBMyj1iz6Oz2+3z1Q35dj2bZUWUjF:dU5xsijC+DS35R3V
MD5:	841279CF87BA68A644FDE45D17ADA1CA
SHA1:	7A9A6CED2939E73C25623910547494C456B3C01D
SHA-256:	8B0058153EF626B8D928E1DDD3311A999C4E8E02A07266A191C9FA33E6F63854
SHA-512:	CFB0376D151157C5ED441B14679561544A2A0CA61F31E6C8AB7313D5D41AE80605C2E05678CA999037EF3CD224D9C221B183BD35F8715C6F7D81E32099A86943
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.@.\<..[.o.s....y.h...u..C..h.[...02..H.)..55 .D.a....s.Z....r.sm%..~.....I...(..&Y...w~.D...e.kx..yq{..4.J.....c..[..T....D.'..y.b...0...R......}.8..zNv..c.W..d_N..[Ti4..a...J...._c..V....._j.]7...br\L`...W....q..E..m~..:...%...:.a....gJFgs?.p..t..l...-..l<}..].V.C...].E(P...j.t..J.x..a<.xjc.H.:...:\|...B....'UY..q..6B..>J._.G4&S1...o..W.^.0(Pn'YSk..+8..6U...>...(.qV.....j.a..?*m.}.}.o...@.7....5y....^....f........YTf.,...'&.fW..$..,.:.....DH........_.....3..[.;IF.]..@6@R...R...(s.x.."H.1.rU6...Uc......u.>.,...Rf..;.H.@L..h....0..z.\|.0G.....m.m.?.\.\.K.2.....[.$.8..b)J.....]..<..`...j......s.n5X...}..oP..4[.h..?..U...IXa.qj..\...D{1.t.2..vu..2.1>..2.{....a.9...........9.H3.....s.WU.7.....`M.%.1&_Y...(m.Gd.`G#.&.....uo..].aQK\..R...2...Sduk.>f...02....0r1.......g.....?$Q1v...y.GvPG.....h.._...k.P.....a...Jw.wyin3L

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.550817141020882
Encrypted:	false
SSDEEP:	192:mWAhWWEWCYtvnVWQ4aWenDvWrkAmSGL16X01k9z3ANoziLtpWuhO6Mr:mWAhWWfVLMB+6R9zqoziLtC6M
MD5:	948E3C479E87AD905A3689BC94CBF86B
SHA1:	C9B2DCC45FEB9B0BCD52122B51ADF98D7FA5B0E5
SHA-256:	982FCC32D7614CB921CC5203970E3997A33B31AA1D91F14DB5DB25A582DCC3AF
SHA-512:	6F15478BA5E7B403580B4B52924866E52ADCD112D82900DD17A2CE67EFA10306A5A86E1BA5CAB76BBE3577E2497B83ADAFD6CF6C39A81C35B53B528E8BF6B440
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@.......#....`A........................................p................0...............0...%..............p............................................................................rdata.. ...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7236
Entropy (8bit):	7.972428870392096
Encrypted:	false
SSDEEP:	192:2YB7x5dFA+qFrJo3wlyHlTudpespkJ9Ydpc3sk:F/5d2XFr2w4lSdpHdpc/
MD5:	F57471A3292C29760AD0EC0452E4F0B6
SHA1:	72296E15397F47BE1EA6128A07DB385748FCC5F1
SHA-256:	7F148FFEDF4F2F111385A8DB60CCA1053AA0086107F12DF05F6C59360B3688B7
SHA-512:	9B00A2A28D8BB08DB7DE487B32DE7BB910E4EFD48664AF692A19BEFF67338F361A5773E35EFE0E0BF0AE7050E602F5668C59F78D7594A8C384E5BC42183AEAFE
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.^b..w.....R.(.b.q H..U.h..=.r.u.,.=......u...M.q.q@..w?..%.N.k..Dk_D......,.m.5.....k....a..`..~.b.}..r`)Kb..8..a.\|......e..{9.<.........1V.s.m'..i..e8....x..PW.c.l.X.u..n.)..so...C.R.b:...8......@T.l.....{....f.P.g...t..A\..6..... &.(Y..9..._(.....B.......hV..T.RP.0.H...)R..X.8.p.o.3z?%<h...u.$J.D.,mY.5...V.C.....I]..........].8........P.T6Z..j..3K..I.a..O5...-s...RL.l....x..R.)...9.^...bm......z}2(..Zpm........)..Vy{,........y..C.$.I...l:.......&r.....3....D..m.1.F>r.'.#iD...Tw.S.$m..........5.8.dd...'.....u..@....?.w...%q...]3-kr....9.2.}..aQ..bU.......+.e. e.T.W....uG.f..../..,....K./.HZ.8x ..x...4O.-/0.C<~=.....}.f+...3Y...,........X%.<.&.-3._..9p...Iq~.....x]SH...P..^.y.../........p.e6...k..!`....jeV4B....@......8........9.....6...?NL^.....".!8".b...K.$.B..........zhMP..l..CV.....<....

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.718338890121096
Encrypted:	false
SSDEEP:	192:MGeVTgqWAhWACW4pICSjRof0cVWQ4iW7WsWGaN4NhrJgX01k9z3AiP7t3t:MGeVTgqWAhW12xlcRTN4tgR9zBP7t3t
MD5:	57745A06849D90CD5C79CCBEC559E7B5
SHA1:	71D3D3C0998E648EF6B061F7C65850C6A2A8593E
SHA-256:	890DBB72C4C35266BD658C663C1242CFA3B50CF51E2873E986B7AB2E055AF4A4
SHA-512:	CA28053575E40EB805F366A7363257B3D40A6FA8EF46FFB5B58FF17CFB0EA2668F5CDF2661355E94866B73B914950C09940F5C32FEF5F9A22439932E35391DCA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....C}.........." .........0...............................................@......L.....`A........................................p...<............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-rtlsupport-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7440
Entropy (8bit):	7.975993695855342
Encrypted:	false
SSDEEP:	192:lQWB28ZDnIaGLzSOXsCbh4kOvMuOIR0UAr2bwozGKVd15xn+u:1pIaGLzSOXs6h4kOEWjAr2bwo6KVd153
MD5:	DEF4AD187578950C6573471C30B37581
SHA1:	7982509D1E49B8FC0C8FF94FF68AE653E5AF7CC9
SHA-256:	E28A747C6C29321107783EBE19F792CCB334A3FB7ACC2CB61E36373D4758F6BF
SHA-512:	3DC3D62F736E03D7285DF6E96E65F55147DB671AA66BBECFC61C8CF40970BFB1B3D44E386545F2996258B467BBFB5F3A4BAD12AB4CF1298FED9C62335B827D29
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.X#..%.M/.o..>.[.?.......V........Y.A.......X...:.FA.&..'HN.E.u\..a......e..UR.c...q&...B..".....4.....x...fC@...~..f...L....>..q.iS..9!+zp... .v.Z~.....q..J...}^c. .<lO.>.7A.].l....O;......ze.E.... x`.....<...v.cy.C..X.T.b..b.3.D...N?9?j+....k..o...Tj.....O8&..F:..(..r.\|tt(.Y.<_...9...o.'....8.d...t...rsE.F.[..B(.8.a...0..\|.O.{......^....{.L.jv.T._J.A.W..r.g.h..L...K.K0...fm0.....'.....c...V.....S..z........!l".$'...N./.U.L.Fu...o...[.yc...+..;.w...(....-......q9.a.-.....R....=<...M.O.i..4.G......].@!N...3.#._...s...mG9.3@....5.9^pNB4>.1.....g...etv.XOk.5..>-.N0=..+...zbM%iI.&n..'.e.j].T.W...C..9.....e....s)..(.....+.x.7b.h._.AQ.NX+g.F....:...M..y..s1.C%.L.\|...dj...M..m.#.9......!...-.Qz.zSR$.Q........y....%..(v..[.\.....1..D...Q:.r.......}....&...7m.H_F...._.em.J.vkj"?0...HT."..+.Z...._)............]V

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.62677676857865
Encrypted:	false
SSDEEP:	192:90yyMvJWAhWWJWCYtvnVWQ4GWuqhBf3kDvWrkAmSGL16X01k9z3ANoELjLDH:tyMvJWAhWWoGf3kLMB+6R9zqoELz
MD5:	1862F49D5C2BA7C2BBC78BC517CB0B38
SHA1:	DBDCA39D6D9D166F9CB5B8855D456653419136C2
SHA-256:	90BA9DA43D6705D76905E630505BD1FD097D1899C9BCA3241AD0DE5AB08EE366
SHA-512:	C9C85EC2851F5B793DE07E672365E6DB28F1150ED6B6057D15BE828A36029F4BA9E0D4CCE12C7D424DA4C94713C18AE256D9ECBA9E59AB88AF639ADF56ED6A3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....%fN.........." .........0...............................................@............`A........................................p................0...............0...%..............p............................................................................rdata..<...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-string-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7309
Entropy (8bit):	7.971668493220382
Encrypted:	false
SSDEEP:	192:2R7rmlOi9E3TTRKgHjuOXOazElV5W03hz1dNb:6o9E3TTR3CzmkV5W0VJ
MD5:	08FA785F132A449CDB3E8428FDD0C384
SHA1:	01889C49AE46BF5B8240FE25491A49586EF08E3F
SHA-256:	8811F7814436B1E1F76EB41487B8688ED52EC8C6016A7779A78A87E688E32E4A
SHA-512:	21273BA14755D152065CB0BCCCD6F7718727AA322B16BFB4DB8347B591C812A80A6EBACBD33D8DFC57BB71EA6F880F6B7D3AA1BC6FE573569D43A1DBF07761D6
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.>.'./`.`.+7.~.#.9.......y...;....1......,..+.....JP..33.S<.-.f].-......E.h.a\|.x.^....FB-U......N..S.A.Z.....m3..\8`...F............7`...#JTT...S.o........v\|{....x..E4m/..(..2.Q.Bs....2...N5.0,..`i.._.3._F.._..iaN.e3b.H9W.....p1c....L..s....:.,..jb.......h.?..h....:=..R....T.......8G78v/@g....xy#J...../....f..p..i......^+.X....;.A.Ai+...x.....>MZ.wp..h.L........HN`TJ....)Pb.S.........B\.......n..E.8..]D..p..B@.^.x.".NAT..A\|.6Z.XfhX........h......0.....R.......@...m.h0Jc....m..M..84.nfCi..0..^.f...3K.#RLr.....g....aI..C.C.W.J...8....m..`..>F..0....._.,....0DZ.E...e...."..W.TF..k..I!.....7Zl....+...z.. .j.=.K..iQ...V.b..c...r.eR.tNs...h...\...!+..;Q~#..\...$........N.........S.......g....-o.Y\|_3.!(.B.....Q...2.b...($.M.].0......rE.dnuN.I:.F._................o.y.5c$..r...a.1.:.\|.D#.E.=..W..zyhO.A".a*....cZt..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	5.111227798238419
Encrypted:	false
SSDEEP:	384:Xgwidv3V0dfpkXc0vVaLXWAhWWMMHNwR9zvoM:wHdv3VqpkXc0vVa/jM9zQM
MD5:	AFC4DB1AE7EB74D1B43EDA3D7EA5B43C
SHA1:	F31B2C1161024EC2F89C72631631E11FD5CEAC60
SHA-256:	FB4B382E2DFA80B3427A98C51D3270B1E80B5C2A10FDAE1A72B7C464E57FC6A7
SHA-512:	A014E4BBE207FD707A87AAA0228241FA7C414062AF8922F51E46210B958284096357B21F89E59141FEF28039A999DC6AC832EC7FC38BC4895E88FBED6B9A45A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....>F..........." .........0...............................................@......_.....`A........................................p...X............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7749
Entropy (8bit):	7.974506721647926
Encrypted:	false
SSDEEP:	192:2Bp8CdCapjaM6rJ1U7kOEUL6LEbxlyVZnej8hq01gFO:+qgXuM6jWJEULAAU9eBO
MD5:	3C88FD9F8A507D10D2593D227435AA3D
SHA1:	9A6DFF82D17BB0A29DE55F8BF6F944A8973D95A4
SHA-256:	2E6A1560E37AB384859CBA9DA1079E53313BBB3C86BA8FCD8B272263BACF69FA
SHA-512:	79CBD8C6F806BF8AC59961B9A82BD7153D775DCD463F36029B8C9E6A90139F3797E98803C20572765ADE3A8FE4E5EC34EFD09D44B553E5EC31A8C6882E0DAEB2
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.Qf...d.6..,...7..&r.[.........k.."..g.i..G...?.O..&M.>.5n4+. ......o....}....3...joX.q...EI..Kp:......@C%..p".......T9.l.8r.<.9.M..r..S..I...4....7f$.XRA.,B3.n..._..!.....u_.../W..1... ...I_...H....9.W......CD..D..Uy3.._E..a.dF.6.......%{.....-.xG..oe....4A.....E..{.RJ...L..k>.......^>.!.k.FM....bL..'u.B!>&+.{.I../h...../..wXD...........k.Q...gg...=h.(v...Xu.....pl.;8...Q..Hr\|?M:[n.....{..$j..<M{_..S.wFh....w..8.)...%.....}.s...mt.d.......BE.(T.......).[...+... 3.,..`.!a.X8Wb....%..gN...T...l...o......../.........`..M.l...,Vm........l......,...-.zNq..........F}.}.;...y+\j.o....>.D..$=&.V......lk?$.gw...b.......<.;.\.+....P....aA..)..[..n..S-0.cAL...c.r.m..g..<...W....6....."..Jb...]......(J......RLB.G....Q..?.8..'.w.....O...H.x.0.l..V.....CD.X9b..5..0.p\|.;.0;...y.U..s...{q.n'..}\|....LZ....#6 -.....2v.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.7995619414217705
Encrypted:	false
SSDEEP:	192:YtZ3ZtYWAhWWaWCYtvnVWQ4GW24LBiK2YdX01k9z3AcxvcXN:YtZ3gWAhWWV0qwR9zvUXN
MD5:	5DEDF9F86BA1366D9E920F33EB03721C
SHA1:	605312CE6D623889A1D404354EE653414A7E4920
SHA-256:	0CED53F1AC2ADC9525047D2C2A7592300DC48A5F52AD8B740CE22E3F3AAD85FF
SHA-512:	BED8C7A74E57F4CD44BD0EDBC1BBB1F528CE261D7AD6A5545C33974C223BA910D648F0CBEA8BF0736DEB5AEDD3B257F373CBBC4F9765D12C56A78E823D05D4B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@......u.....`A........................................p...x............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-synch-l1-2-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7469
Entropy (8bit):	7.975334005937049
Encrypted:	false
SSDEEP:	192:2V2tUJQKasw9TVV4zpmPPDUIg7ZrlDcQnx9thGsqvQCNfc9:22tSXasy4Pz9BDcSx9mH7NU9
MD5:	7CB6C196E11DA8ABBE1A505747AFC428
SHA1:	6079CBEE01ED11B1BAC5C44E04ADAD54006383B7
SHA-256:	6EAD8F5AB2DAA86975AB6ED0A9946D74EB1EF4B403E9B3DCB452877322EEB60A
SHA-512:	921426C6A614FE37EC809648FD1B400DE42A7FF59C6CD6562A66258FE1A5A96104946DF0A7448C1EDC04265C4C0F6477DAD57F44E732EAEE0291C7910F06CE2A
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.a.Sm...}..Vt....y.C\e.<.PW.G..0..C...C...~_.eS5.,.v[H....#.^\|qS.} ..K8.........C....M.a..S...=..'.......1..X.f.t....c......B=......}.4...._...l.#).A..Y....H.)..'.....@.P........;&..g.....Ll.).DD'!.$4..J.....2%........B[T$d>...N......F..ax.m.vF..-3..}L.;...]...:G..jd.X.W.!..........YO.G..L......g.......sj}...K.k....L@.;..5H.-g.Sp.7.J......../.ijR&....0.m%...F&....A.7.....!.@+......,\|q...)5M.D..<k.S...+}f(..\|.be..4.E.B.UB~.\|P.o<i...wr.0.E#......>Y.}....#h..:..v......iN.'`..5.I....Lb.....T..Us............q...,.[a#..)..N..:.....C.FG}....dP.....>.w.....,....yS..^..........0.....5.'Z....V.,.*w..q.H.....GU2,...M.....uZl^c...(ie;..:..w..h%_..V.\.._@MS%..............f.:y...2C._.5...^.......%o..;^K.._...Q7..5.[.v]......a.6..YiwZoo...f.H.m...)`..V.2..E/.+.4Q2...(.1.@..@.....O../.p.'......m..?......?@_.\|...nx.5..R.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.858100199217766
Encrypted:	false
SSDEEP:	192:NgdKIMFemVWAhWLW4pICSjRof0cVWQ4iWY3FsIL0sAWAC/X01k9z3A5V4xyFss:iHUWAhWx2xlcIXzC/R9zuV4a
MD5:	177009944EA3860B58C09DA1871DB999
SHA1:	01CF9CAB3AEC3A1EA89111269F8CB036E73916D6
SHA-256:	F353BFE02E30F4FD5CDC89BD7F44703257F229A09F0D815D7794DF902F67D1A1
SHA-512:	279D1E663ECC151DD2DD15462191EF41E668C7A2BFCB7930B8D568FACF7695A030948C3AF7F9907226B00DEDE255A7F30169083AE2CE544F2381548DB31C9981
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@......A.....`A........................................p...H............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-sysinfo-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7512
Entropy (8bit):	7.975174111238645
Encrypted:	false
SSDEEP:	192:lQ8ZxfArZbchCOQ+bmzDOmHyrNYh4mA+pLH+WfNCvZlcMdNPNPVRk:33ArZbYCOt6vryrZapr+WfNGlT/ZXk
MD5:	8D540C3B8F042E9BA3833BFEAC14B6C8
SHA1:	F507AE4DD23E2FCB7B4DA12E21EE81BBCFE30167
SHA-256:	BD04A53420F641D81145081032A2D465DF169366B1C6CFFB0929160EFA23E9B9
SHA-512:	691C1B14DA186C0E7AB022B99D2E6284EF421851FE1C7D75DBFAAD31D2E7DEDF097DD803C4C19B3EEAF564985C6BF18FFA19FD8D4DBB6F12ED3922B0C080F237
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.>?,dds-.1kT...N..-_.7.ld@.........=n.JZ...H..Q.~N`...e..J8.~.q;.Iw.Z5.]4/....)...F.cH.8"3........kc.........8.4..j...G...a..D..K,..Vf...."....r..m...K.....E.....9..{.b......d.ug:..^...f.....Qb...G. .......1..3.L..x...........QdH.u.8.tu.E};.C5=W.....,".$.:....T.C.A1......~"..4.4...1.i}..7..-G...^{~.b_]{..T.L.....W0K.p./\.i..a0`.6o3./.y.- ...B..W\|.n/.7...x......0v....+..uW......0.#.X.....a......B.Av.Up.e..U...7....K...}.b....)})..]....I.d..s#...$gY.5.#.&...%h..(.......n.}.y...y..\...{`...0E(...p%LB..}...ne..\|..yI......w.......16.F6&.....%.....V.....m...%.u'.<!.=3.G.'..Z.2rK.x..H......V.......\|x';.I..m................}K.7k.OB2.&V.....5.L.........A..]~.{..k.m.]15...;..<...+..hjX.:).WN..kPa./...4g....2..:.Q....7.D.Mn..5.S.I.l.m....F.".."o... ..?....&..u.0....{..nbQ...1..~....@cm be.a=....7D..jI....H

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.793237988742561
Encrypted:	false
SSDEEP:	192:4cWAhWJW4pICSjRof0cVWQ4GWoyVyNOEU+9YX01k9z3AWneGG:4cWAhWP2xlc/zNOQGR9zBhG
MD5:	70F8ACDE94E2C3952B7BA7F56A4EBFB4
SHA1:	955064391F0C9B41362CDDBFF7A070AB3888AD3E
SHA-256:	91DECDDC6E80D742755A1F65261D10C3C0D059AAEA6389BB2DA6FD3AA7EC5289
SHA-512:	71087A283D560F08E43B1A183258F1153AB5091D5D318CF4EE0FC8385285592C377D8E68A0F06D3F0BE84202AAD6DC7376B56057E23B6B3753A445323580F287
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@...........`A........................................p...H............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-timezone-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7411
Entropy (8bit):	7.972059767801837
Encrypted:	false
SSDEEP:	192:OQ9+GjBSH14m4LTZ71Tm5G5OGfW5OG1zrO/NH:9HdO14Dc8Oy8OUzra
MD5:	FB389F67DD890492DF34F48BF8C77F06
SHA1:	8C6C969E6CD05AEF79F2FB85063DB4D8FED4D9AE
SHA-256:	8616F13C08EC4AEFEE4B6A1DD0BFFD5172B5A4E894087BBF58560C787F7C2D9F
SHA-512:	05B760687DB1AD5CBBC44065B2DC0A548F3F4C0F6940F56B614DA3C2ECE5966AEFC0CFEB65555696D1CE97A48EE7363810B012024C85956976373AFB4A6BB2B5
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.QOR3N\|..d.....7J.1V.K.F3S.....=..%&1.!...r..??..,....J.....}.R.+....$.....b.z...8....up...b.....sJ..@2.a..2.2..O......P..9.r...I....U...........NS.f..=.^.,./..".<.V.....1K;..u../HQ.=....z.$.;.s....uu.".2..g.I7...;.".....r..K:?bq.d..Vu...~14..]t.L6i.$...U......#..O.... #.\|tC.'R...V[h:.s.....R.C@..O........>.y....n.$t..X..co..5...+..3..#....i.EV...U..:3..`...Q..y....O..+..F8..Ak........+ ..8....`W....JWVe..n......O..Y.Vt\|.........%2..1@.]-..q....K.f$..k!"...H@H..e$..X(.2.Z..4)./...:..m........H....]...J. (...O.>.v.xK""./~n.f.Y!..8..=._...+q?../.t.....V...r.?k.r...R.m%.Y...c.n~+....^irG...L3T.{.Vi....=..f..1]&..o........HG..B;.`.....;..^...n.......\...d_<}...J&..;+..1...^.E....m...m<L.........~Q.jG..Cm.....d<as..w...N..d5.G.Q..GL.$.pco.{.vl.+......c. .j.qeF.....E...V.....Y... &Q.A`a...q..R,t...;.....0...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.57424834373488
Encrypted:	false
SSDEEP:	192:Q/WAhWPW4pICSjRof0cVWQ4iWTO6aqyjNq5lOeSjX01k9z3Ar1oRBcv:mWAhWN2xlcz6aRj05seyR9zI1oLk
MD5:	D91E6C55A2304AA59D24E76F34884535
SHA1:	04EBC0BC4932C09C3DC7D9259FE7C9A6166B7233
SHA-256:	8875816A3809753C04ACD961244608E9A47127523C1D5E50CDDBD83A4627821C
SHA-512:	19C1E2458C5475DE2B41013FB18DCF3D149C88C0B3816596B67C90F7BDCED3D5214FEA97DC3782F56F8A276F93FD28CF519018257BF432C00435EF6BAE60A8B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......#.........." .........0...............................................@......Fy....`A........................................p...<............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-util-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7244
Entropy (8bit):	7.9775474992777395
Encrypted:	false
SSDEEP:	192:lQt5zLzI9p7/RVbIgyF9f8scaKADK3j7OYtmXl:85PI3bbyF9fNcaK73Hc
MD5:	8D0281C8875C11954C67309C421B30FB
SHA1:	287F762B2880DF2329C179BB391D79489C753A32
SHA-256:	419AE99DCE41EBDA155141C90E0F4FED508D4731BC6E23A58CFFE16FB3FEED41
SHA-512:	1FA01B58A791A222E2D2F47229ABEACADE2D66B7CF8BECF328213125CFD18BA73201377181F7952D0A0BA2EB545F77C89AC295B83F2F6FDF636E95995649C7DD
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.Wt...aC....S.'....s.}....@-........~....^0u$....0m.....i.?.....5.-..3h..VS....>.H.0..1..L..s@:.....u..n.s....U.Xm.......B...R$..$.[:02.../.5..3.+=$.y...l\|.!.;....4.V.tx.....I....u..i.iI......7]....e.7...r#_JW.0.-.y\|z.p...\...h...:..G.$I....g.cB....5..1...99\|3E.8C..@.A........n\|...b............[Z2\+...G.$.5..f....Zi....q.{br..m...._...c..d...<.]`-M.q.voX..e?..:U......c)...~.&$R3...... .r5..A0mX.&?\...J...bU.qo.d....D...'T.7=8.#. ..D.8t..q'.4.tX.......R.S6..8.."C.....I.w.,p.;..-..E.:.K...m....C0.%".i..[Y.......+..4@6.[9..Q..G.......<............k.c.v./."Lo......S...}.....hxd6U..X.2..M..G;......Z....l...S!.Z..J......bK.R...n.{Ct.%/..s-....~K........\.TC[...b.!n....).5$...&..d..._.........g...uy....B/........i.k....x\|)l(..<.F.....d.....g...1U.......J$.....2...Yq.....k...........0..i..U5C.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.887102104227407
Encrypted:	false
SSDEEP:	192:vUWAhWDW4pICSjRof0cVWQ4WW4O1Jks9gICQX01k9z3AbgmZt:cWAhWp2xlciJ/P/R9zJmZt
MD5:	A1BEE0AF7BD944FAE7F14174D9DFDFFC
SHA1:	EA699130CD63857569BF34826B9CBCB5ECFA1A21
SHA-256:	2C557F6A21DB6C99AF6184637B5EFB57E44B40FAE892230A43E96AB05AB27D40
SHA-512:	C6E9473EC6CDFC0BDD1B8F9F42BDCF3D31855B6E106B811CA52D2ECA895328889451726FE12ECAF0AF9A238D74C10E79BCF0870F056E7E85CCDB9BE49F4515A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...8.?;.........." .........0...............................................@......N.....`A........................................P................0...............0...%..............p............................................................................rdata..@...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-conio-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7525
Entropy (8bit):	7.972818963903635
Encrypted:	false
SSDEEP:	192:lQm8sG7UyJmQSCmDovjosf2xWMGpndnfu:n8sGZJmOmkvjvf2wMUW
MD5:	3FBBCF26C2E87A801354B88A304FE528
SHA1:	9569DF49560C41C4C64E01118AFFB62E8FE13D6E
SHA-256:	B91C89ABDFE68E931CB26A07A0408E1F52427297A3229D95BE7D6BAE83ECB746
SHA-512:	4E200828FCA4A79B7A2BDD36B769EFEB4ACA8678C384F2647EAD61AF5F185A38D20D0ADD5DF182D73D4620D42D2F64E58A23BB9E088F070800C097D854BDBD96
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.DD@..XE.].A....}......S7..Vx.....TU.....X...^Q.....~.%......%...\|3.y..Xh?.......),C}-o-.\..u..L6.)..o.PdC4=....^..S..m_..d......z:...j..p.i...j).K..f..2).?.(.t^.-o.. ?........<...........zW..E....m...<5...N@..y.J....P.,..J....D......+...`P..z.A.!`$M..'.&,.q.....$.....h`......c.Q.l.Dd89!F..7...]....~s...1...=.[...i.....tlO.....](......}..j..^......%.c....j.....4.4MC....j....D.m%.8Y.+..]GN....~O......K..<.)q...JC.[..l....8V.....B...i....ZH.u.G...#..;..F).`.<...L..>Py.G...+}J. .........pl.Yj..dK...gBo.....7.....L44...q2/.........:P../.!./.=..&I..y~..z..W...z..J.o.b..n.E\|3.'..i#..<...\|.a....;.....s.u..N......J.C?.T.....H..Q.........$-5n.c.^.....\|.8.N.h..(..g"..s........\.......i..X=w..{.x...WdX.>.d.Y.g...)..f..Q...zy..(...Z]=3.D..Mo....S....q.!e.z..[.")...[..NCL.E....9..U:N.7..4...q.F.Z..B.yW.5H..i%..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26080
Entropy (8bit):	4.85347828224575
Encrypted:	false
SSDEEP:	192:ljQ/w8u4cy1WAhWfW4pICSjRof0cVWQ4GWSYnuC1/or7o0X01k9z3AntFe:dy1WAhWd2xlcyF1Z0R9zMtk
MD5:	B9D80EFA3F5B0B75C523D4CED4DA1FD2
SHA1:	F493358454A273D0DDC6467C9AD82BF460DCEBC2
SHA-256:	44EBDE7F2681C0B8518E55CA242261B24F326994F089A4EF6C060F8DDA04D62D
SHA-512:	D597C0E7C5309B9631966B01FFF7E166C0DD0FC9D63534D588D47F9DEEE593CB2CF79CD490145AEFD472B9493DD65144E875D5870742C8D09FA4C7D459259FEB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....A............" .........@...............................................P.......Q....`A........................................P................@...............@...%..............p............................................................................rdata..>........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-convert-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 26080
Category:	dropped
Size (bytes):	8207
Entropy (8bit):	7.979717017647219
Encrypted:	false
SSDEEP:	192:eNtD9U0ZW6lpvI8K+ECIqMLyy4dwqJ70BDknIOi1Vdi57:sD9UYHfO+SqMLgdpyYXp
MD5:	11F2D2EC56F1ACA5625D2CE98CEE9AAA
SHA1:	EB6BF80665C0C297A0365578CB4DD711A233A466
SHA-256:	0CE37033BB4F29665627322948426B6B6462FE902DB0311C5E92277B7622CA69
SHA-512:	29116DB4C21FBD3BD84F421D97B376820651551821AB52A6F0A8590C04605427BEA3B6F92608BC4B8E397A9EE956CECBDE70E797C3D3CDFBD558ABFBDE00D839
Malicious:	false
Preview:	]..@..e.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.?K...Q$..+sc..mJ.].U.ltA.m.L>A...]M.....a.O.0..q.hx2..y..FV..R........M8......4V......T0..Nw.j5...R................q..Y....rZ...l............V.P\p...#..nY_"....=.....6+.Q4.[.....O.f:..P(....@y..^Y@... ..x.....Q. (G....,j.@O0.9..^Y.):L.-.K......z.jT.m.2..:......~....:.3..7.a.j....xB%.>..;y..kD.gp...........X.J...n..h.(.5.H..M....A....H..'....^l...<!.....S^...Dh........wSC..D...\H....._x. .E.......J2....z...y......PR..Me\|}.Q.D.....:.w.f......0.tu.J....E?]>.........6.^.D`.].0.<}y...9IBa.J.-.`Q\|..b.1..+fcg..{.O.f...F".....{....%Qu...F.....y...u..z.B.M..3Y....(......m..@..(.E...C...o8%..b.+...&y@ns...i#g.[..il[S...+p.ek^.s[./gr...%.......Q.@.SB.I..SZ...u.f...2.MA.].\|G)..n..4....3...5.R..{...n.eM.)..e...e....i....i.......z@..*..)8..tn.v.#K......x.Zd..).....!...t...Fa..mL.f.VM..$:......l..([.f.F.}....X6..ct.C..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.703414053422508
Encrypted:	false
SSDEEP:	192:WLGju+OHWAhWUW4pICSjRof0cVWQ4iWd6yjNq5lOeSjX01k9z3ArH3Qsscj:WLGjuJWAhWq2xlc8j05seyR9zIXQss0
MD5:	6E245FDD89BB6F88F56784ADBDCA0B0A
SHA1:	9AC5D68FF969F984F74E6A8CDED8E683B98FFA36
SHA-256:	0E195A8D013A329A06DF877A4569A3EC772F112AD29295F086C6D3E53F322FB5
SHA-512:	601248C38540DCBDDD61FD26203DF39EF5D450827570F01CDF0E415873E098913D82CA6E3C7B21A9BCAE267B4CB67E970237CBD1C6320B8FFAB58C9FB675A3CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................." .........0...............................................@......]g....`A........................................P..."............0...............0...%..............p............................................................................rdata..r...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-environment-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7390
Entropy (8bit):	7.975097207890923
Encrypted:	false
SSDEEP:	192:lQPb8rAuCSGM+hliqPOYrnepjE1+z44CUzLZDh:ISt+20CpgwlCmLv
MD5:	13FC90280111B235DC5902E2F6A03ED7
SHA1:	1985B7D6B006CF7DD59C4C5DD45DE55FDB6DB760
SHA-256:	A159B06B1235655C019BC8C99E9F60E0A2FCD16AFFC4DFC828420B982629076B
SHA-512:	600C9D533694476396E46556E1E7CB904E6754753AE7ACD210F1B64D54F315B78456013A4137A916A7580E141578C0AC3A275B7431CEBA303A04CBAD0FC0949C
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.U.g...U6.N.B..#.a...0&d..-.2......q.E].....^..8r...............K..7.CQOS.ZU/+S.q..cT...2.5._&X>p...`$..u..... ......K.......</....R.pN..t:.q...s.#....TmV.X`...K...z..(../>.~$....-.........C..#I];.0!....YygS..~..a\.K....;.............9..Z......G#F./j.r..;.-..d..b..p......8./.aL....#.\..FO..X..+..D..O....A....(...M?.;...jC..#a.r..A.6./5j8...&..F..`..O.V]...... .:4...@..gs...I.;xN..MtW....dH..)...\].I.Ruy.vJB.O..]..............R..'..(...k....l....cA#...yj.:.#q.VO..F ...W.Q........l:y.i.S..]...+..8..ZA;..9...MT..:`.g.....wS..O.^#.R.!.....P%...eR...S'H~.....[...J.H.s.\,m'Zx.I...E.B?...b.1.Z.s.k.".............Aha.W........2... %.r.@.x.~.u..;..r........".!K...R^"...k.Qs+.m#9.Z@.n..)A...7.....b.d.R. #8.r..*..\|.3}....W..M....:...4..I..H}.B..g.4.).t......i.COUmgjQ?...>..s$...Z.'d.f:.B~.Z.tr..8.._....=

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	5.167040098082105
Encrypted:	false
SSDEEP:	192:SSnWlC0i5CtWAhWWLWCYtvnVWQ4OWfwNv7JGlD/Jn9VOMbSX01k9z3AW3c10cBr:SSnWm5CtWAhWWyjGlD/LVNSR9zl3+r
MD5:	E4FCBF91666504C1EB70644DC4C5F479
SHA1:	BF96622C082EEC928920A052BFF477CB0C9E0573
SHA-256:	58D9A9B2442C10140DB98BA705E8C7B7B9AC5A2C030D3286A66DEBF63B615C1B
SHA-512:	9DD34F36144010B3C1400ED1B1DB8AC8E97997A0D2C803858ABEACA75E26D19DC56512714B566EDEE581CA20C813C3CAFD47A3F774A1596B31E23208B1EEE4F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@............`A........................................P................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7873
Entropy (8bit):	7.974916118159756
Encrypted:	false
SSDEEP:	192:2cKX2YIKUqG3L20paS8rpc18MOW9UNV57MIweA+NUnmeQ:nbJ3L2a8rW14EUNX9AwUXQ
MD5:	24AAD1E2276CBFBE97F1CF8D3ABC2C69
SHA1:	BEC13589646B31A0691FE9F4A36051F36DDD50CF
SHA-256:	4793D32639EC46E91D6184B6E8F1C56122F87C6E2A4BA05389958FDB4EF8184C
SHA-512:	E8F19FEB11B230BDC93FA5873F2EB161056E5F6B986DB96CAF19126FC4016B10CB189E09FBF6493F5A52ADB931FAE53257082ABEC7510FAED23A6D6DA40C5B3E
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.X.Q......0....6...qk...R.2dA.~....!...ht..[....q.......@.@....D.\|:....-@....[f..F....}A..m@.Zq.%H.p.&w.....`:.r..g..+...c.Z.Ig......ob.. ..e...........4z.Iv..f.3."mN..J...Z..h..-!.V.&y.g...4...{..]_#....1..,...i...J..Z.[.t.i..AsY..q>.... ....C?..Po...c....3... un.........e...u#..M.Q!f.1.X...........M=..c...}\.N..#..$<s.ch+...4...w#X......?...E....._...E.VT6\b.%.WI.6......lx..`..L.C}O..R...9<!.C.OoxP..D..]GET..?.....u....w.;...%i.2...g......d..]...$u..?.p........[nz...,..r1...=..CL.1I.C...$Gqa.....X..W.K^..l....Kqn.o'.......@.........HvY..cy5.P_.."E...{......,N.a..I.V....I:)Ps.t1.%z.P..$......Q(...:G..@2J...<..6o..>e......T ...q.9.5S.#..ct..I_..]......i.kC{........w.......5....?*...."=n[....F...p{6.].......v/t..5.f7...;ylzk.~.Pw.v%...m.n@UZ.$8...:N!.S..hwZ...,.AL;.p.s....N.o....[}..E...CJ{`gz`4.O.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21976
Entropy (8bit):	4.830942356399538
Encrypted:	false
SSDEEP:	192:PcFY17aFBRYWAhWWjWCYtvnVWQ4GW5zwDvWrkAmSGL16X01k9z3ANopLOID2GxED:0Q1WAhWWKEwLMB+6R9zqopLOXiED
MD5:	374D505CED3719D875AC316CE365B1D5
SHA1:	24DA4D65EB7A9116C626BF16C3BC95B563F10176
SHA-256:	1EDF013E890072987B8957B77BAECC37140BC01581E5DE6B020AE454BB57F8BF
SHA-512:	D9B82D1679AFD85C660EA985D6F57CC13FD35B4D7B8104C6D9CE1F182789B615A573B68D5F1DA6C25682CB35068AE0AAD3C1C9B4509F339FA1A83A9EEB7F74CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...G..d.........." .........0...............................................@............`A........................................P................0...............0...%..............p............................................................................rdata..f...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21976
Category:	dropped
Size (bytes):	7528
Entropy (8bit):	7.979154754567061
Encrypted:	false
SSDEEP:	192:2D1M5MYsbW7CL+0av1VbhqQSLancDM3tu3NL:oM53iL9aNVbfSLacD135
MD5:	D8A018E365AD2646C712A72B86787D79
SHA1:	8C255F9991997FA6C8974C230F0EABCC444AE6F3
SHA-256:	C1B7E244E92970895C4AAE3F1E5B9C09F0F2EC674FE180D8237364637AE8869C
SHA-512:	4A445102DDF6B3E4965B6688EADD018628790A27DFAEE47B04C34943836E4F8331DCC0C3DD15000E775C5127C7F5E21956DC15D1FA2330E768EC8391D26409BB
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.G3.mN-.tWl<..h`R..........T.:..av..-.T.........o).&&A=)Z...?.....6Eu.2..Dd.iQZ.....52...!-#0.9.Dn...)pD........."...z4.W~i.B...._.iC.\m..q...J.M.S~V8]&.COe..#..A...zP..!.E..D.F..f......bpzb.i..k...P8..Yc~#6.....Vd+....t.....&x/..j.....p^k..L.b.ul{..XI.J.r......6..y..Y..9...\~`)......]G..{..cy-...S........c...mG.,.M?...#....4.\|dR...i..wa.....p...}..Z8.......x.Q..X..2.(.G.K..(x..&T..T.X.5fm.%8..T...........f...y>S.[...+oZ..h'R..I.f....05.A..N.Z.,.J..P.c0...!.t{..).9L.A.e.x.y?.q.5...u..6.y..]e.^......Df.>u.:K./..z;...&....D.\l.1...\..BW..C .K.r".Q.Z)V..%....Oz.0...........4.m.*,.X..mU.ZC..p...m...;..l.....T..Q..a~G..a............GJ.....#ws.......!......J..]V.b....TZ..p.J...'....,#..S.c.&.H.+....?........\|..D]l..Oz...Y.W.&..3..g}..=_...n...u...=....&.,...h.\|...d....<$.@..Cs.-........-.^.@.?.9....,..Q.0.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22000
Entropy (8bit):	4.790530283361049
Encrypted:	false
SSDEEP:	192:98iWAhWsWCYtvnVWQ4iW0ClCFaqDu0K9X01k9z3ATdqheuRp:9tWAhWHqCFYj9R9zsdq3
MD5:	152925BE0E3A0FF77B0979BCAE7A7583
SHA1:	4AC4BB649B42893A8D5BA345A1C92AB2DDD1DDDE
SHA-256:	2E23B53441BA6B0779B222C120D44EB9A156D55CC3648F76216017EF06F9A16F
SHA-512:	17B41057B82B1EB037A59715970496D402AC00A59FCBE67245203F117FC38F1B7E7F5B78872850AC4FD7A5DCF4A3EC561DFDB3FB0E827EC7043978B535E9EE26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....h\..........." .........0...............................................@............`A........................................P...e............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-locale-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22000
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	7.9781083051787025
Encrypted:	false
SSDEEP:	192:+tcCgnuj0yXhdLBbQoiWllEYXon5UBhF0Sp5gCCPV:YenuhXTLdhiWUKon5OhF0G5gx
MD5:	6B6D3C9A6BE6D15821E04B65330B8D07
SHA1:	A09804AA044D37D21730472F0FD19ED3B4532D3F
SHA-256:	A3BBD055C368958815CAE35652F7C1B8817AA04CC90FF38386C63B442AFE8090
SHA-512:	F7F633134D6F25E6E48DF08ACCC26A14EC5A26C00F5B0DDEDABC1ACB3D7C13E9B5C90503A48D318FA3ADD3FDA385026C341FFCC898CB74FB6C89C61D3E901CCB
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.>..R......b..Z...B......."..........K9.b...:.GL.l`..7....../...q..u.@Yo......e..O...l.].......$h$.....a..3....b._i.......Q_4.y..F{l.g......<.N...y....s..q&....~.?..S..R.L22.\.W..X<.......I-.y>R....e/J....e).,..r4.a..&S.c..o..mO....a.A...3..p...R.+.T..O..B.wp.i`."...Z..)...GEC.&......l.u..g4.HG.&C.z..;o.".^.^M.sU/..JD..CfkQVN..R.p.8..O.6JV..J..m...f.].C......<.N.W..D...N..(..&0C.z.x.S.....\.y6.....%.P.'......#...L.\...O...._y9q..y-.....x.U>...7U.....B/...k1..:.Su.<K.........JH..y ..r...Ou.8.....Y....+............G......k6..`..:{.M..0.....Ki...d..$..>-...0\|-...2...f..@....,8'...[9.....y )..?DG..'....+..S..E..9.=g..:..l.E.G..6.d..7*ln.7.^5\.......5.Z?.]+.......QE..N......h.g......w.~d.D......L.P..a.2.al..=.B.u..:....H....D.o/$...]o.Q.[W'..{...C.....X4J.}6.l..G._V1..4y.y..~=...c.U.....:..M..... .q.@q.d......g.$.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30200
Entropy (8bit):	5.109996502126957
Encrypted:	false
SSDEEP:	384:RQM4Oe59Ckb1hgmLJWAhWP2xlcACl8R9zni1c:KMq59Bb1j9+2wlQ9ziC
MD5:	BF69D049653E504A7A1F8B55A6DDE7BC
SHA1:	737A1CBF1FDDC0AE93A0A99D2FEDDD474F4B85BF
SHA-256:	E6E839C6D205F91ADAA3D980F843BAB3131B8A25E06D152D0F70A6E98FBE0FB0
SHA-512:	A8D834D46FCAF03AA53BD48B4CEC816E0FD599B06B16A14006E402BFAA5A470F47DC6A55C1A94314D635AF55FF2322EB242B0C535A02FC830DAC83E375ADC6A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...J..R.........." .........P...............................................`.......C....`A........................................P....%...........P...............P...%..............p............................................................................rdata...&.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 30200
Category:	dropped
Size (bytes):	9377
Entropy (8bit):	7.982152145314377
Encrypted:	false
SSDEEP:	192:2ZzNbn8iG1fvXfTK9pHXFjRaAHAsU4o9XmmiB+teoCE5L:JvXr2HdtAXjiB+zCWL
MD5:	6401060557035D7613F2FABF5CE2C782
SHA1:	E0852A93FF572F5A4E9C7B70CE870BE3B1AB6D0E
SHA-256:	F76C77D7DF84690F1D9F2958AAE33714F63FB1AC6329A521913E015F281B3BCB
SHA-512:	22AECF81DDC91985C764FE99409A3823CC566770D85535B1EA368D9017E62F2BD1A8DB93D03DFCA6DFC93B6C10967025FF95C31A80515AD2D8B8C80771AAED8A
Malicious:	false
Preview:	]..@..u.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.G.{.(....f.z.........9P.m^........_..!.r{M.o..~..6..Y.3.p.%..1..L.....C..cEuu..i.;.......&J...s..m......h.\|9=Ws...q.N^....O...K._2.h-p.V..j..GeYE\NW.....@h.;........!...w'..S........f^....[9.P=?.,.&~.7.C...z......X...u,Z........i......~/.ic...N.:.7Amjo+..}.......].5..%..A.\|...F..".......c=.%...).f..J..GC..I.i.)...@..t.b.0..0.\^.O..}....;....z...-5:.`..g.v...[..<c.4....!.w.Ks.z...]T......M.<...[....[&..KbO.....[.X.._..q.p(YMH.H..#N7.'.Y..A.b8..L...[.4.4..!.N.....^j.7..a../gS.+R..Od...i1....h.E.n.R...`.h........k..].....Q;G,...:..W6.q...;O-.X......\.....t......O.[._. c8.'T.. ....i.......dj..].8.......$..L......B.s.j:......D.)..h...5..1..qF.$........j....W..f$g.v.....r..9.W..+q...C.\|t..J.@.7>.PV...C..}dg.P.h}. x.,T.R...._"N..*5V.....T..NA.iy.....\;........M..@.p......h.L&.-.6\|&..uw.J....[n....&=[.B..V..j^..!.4.c.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30200
Entropy (8bit):	4.939072825452394
Encrypted:	false
SSDEEP:	384:TA/kPLPmIHJI6/CpG3t2G3t4odXLJWAhW42xlcdxql8R9zni2:k/kjPmIHJI6fF2oxqlQ9zi2
MD5:	4847091828AD3B0734418343C712CFFE
SHA1:	24E69B32DBA65631B92493B7AABD68D141CF21E3
SHA-256:	D9388848EBFE27138998518332BB507E5DBEB1D8851E9ED0300F15E14B6958C2
SHA-512:	5E8061CC226F3471E3964C04CDC5FBD3A607C9ABD22A11A1E818EAEC42B20AE873FA80CFCE7F47B8F8844F3127CE98282C737F25666D20DED47704E0DB6F29E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....T............" .........P...............................................`............`A........................................P.... ...........P...............P...%..............p............................................................................rdata..D".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-multibyte-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 30200
Category:	dropped
Size (bytes):	8891
Entropy (8bit):	7.976447941492427
Encrypted:	false
SSDEEP:	192:2FhqXNtrEMg3Mvonzj/MBXqOjVfuAQw6EdrQUnU6l9XLp+Uz0Y40KnN5if6jWnK:ghqX7EjcvozQBVfh6EdMKlV3z340KN5P
MD5:	379D5C3E52C7E73F6B7AA3A47F3F7205
SHA1:	4EA2FB6FD3F11835E2513DCA84E3ACC73429659A
SHA-256:	820663846CBC6CDB9F904829BC51D2CC997CBDBB751EB653E33CDB5D8290FEC9
SHA-512:	99CC2FE8A8B6103D2924F053BF5F3CEFBEE93107D04CFFCCDFD6E4B21634661333771F8F973172F8AF7C80703201FF8AC475C0897EB4D9C89D0997A86502A895
Malicious:	false
Preview:	]..@..u.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.bW&.}....K..."L.@.....2 .....]S.....P z....p..[3/Y..P...B.o..............;(.T....f.M.P.2........bH.t.............:.L.N.....b}..wF..1.z...v..3..k.-.M._.._....O..i~.....pmG..H.y..l..e..Px..+:[......Hx\|./..>....'..6.}.er.r..}.....Y[....Z........B.>..z. q1/=...\|..L!.w.LH............l]..=U.w.8.......g.).,..".W...{y{......y..-...P......S]w.esqQy@h1.......;...z...........x%-.4..8..7.-....%..J.JU.........j..w .$b+.....G.`Z....K.=u-.u.w....Y...O.c...?....h.........dQ}^h"F;Q0ZX~F.K..9}...V.f~.i...q..d....Z%.t^1......[.BA.. on...9B.>..K..{W`LS\|...(...J\|z.=.&%r*.{m&T......>.....T..w.Y7hJ.N.7.b.............b..y:...\|..$.A.l.~.K..L.z..K..........[...U>0...t2......R....0.D...}..O.0.8.?..Z.$p..U,0.Yq....Ht,>=5.a...m!.,.....a.#.u,..g.O#.~.wPR...><.t..e.....;..vM.1..+.6.q.d....Q..K...[m-...U...7.].V;S..[....~O...(v...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75232
Entropy (8bit):	5.192576382674742
Encrypted:	false
SSDEEP:	1536:SLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjP/22jzzq:IaHgDe5c4bFe2JyhcvxXWpD7d3334Bkm
MD5:	533B418AFD2EF8E423F42D414CDAF5EF
SHA1:	09D3A595BAD8F0E7AB5604FC02EF832D11A26B88
SHA-256:	66F910721F4477EA238603E5C14C858D1E26FC2CEAAB3B48294CAC069790202C
SHA-512:	EB73C82A91CE67F8D0265AC4F0739849E5696EC0069AB6508660368B8D382A230DC88EEB89AACF8BC9FC6B7E31C009521FDEEB979F4EBE6E80CFEC083129CCF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....+..........." ................................................................$u....`A........................................P....................................%..............p............................................................................rdata..............................@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 75232
Category:	dropped
Size (bytes):	17560
Entropy (8bit):	7.989061778060517
Encrypted:	false
SSDEEP:	384:IYScLvafghJ6vEw3EZ8YFdt2/L5vYR5nnZRaZ6ZcQyAl7D7NdsuxX9LAF/:bnLqQ6vGXdg/LBYXZEZ6Zczy7HLs0AV
MD5:	1F318F7E2D3019BDE6029E8F0599466E
SHA1:	A5AEBB654A5666E0E238D6A447068815B1C27845
SHA-256:	7747508083153D2EF27A93CB4D94ADC18D7DD58C14A6323EEAFA680D018454C1
SHA-512:	AF2C1F66CD377EE7EB883F8EC681C24750D7F4ECCF9B65C51F3E93BCC262022D9D5AAC5E698B164D9DE6C9FF12618849B5508F56921E79AAB20344D385128397
Malicious:	false
Preview:	]..@..%.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.]ec...s.a...............F..k.3l.V.uC.\|J1.}..K."...~xM....U...lC.}qP...W7.C......F.`....9.+.p"..(r.J.E7n.r;...w.H-^....).t.._9....J.J.....L...A.v....>.N.4r..]d.z.`Q......Bw.....hc .^[.<.]..M.....6.%..D...P.J.r.E..<.a..X.f......\|......\|.4.J.<.C..d..K..J.e......f....?..r$...2.Do.HmU.Q.dLX.......2<c.z...3.TJ..%...r..-.[.../74..]6..+.......FK..j'.hMi..1BT.....\|u6..U.3.0...."..'.....+...z..e...."..v..5P..v.!V$.G...$.Z.....vr....R&.2.G.....^.`.....q...A..!..c_3G....;..q..]v?....9.#.uw$:...{..X.@......-....#.\|vGk..D.$...x....%.......E.#.O...%.._.{..L..6w..F...GMR.N.A......S.......lA..O.......c)5T....,))R...lR..j...f .nc3.....p.y.$.^.].G......U.Xv....B...._.A@...h.q.MD.T.9V..o..NV.R...n.C.....A..9\|Y.q.T....^..^i.Kd.....6.F...a.....D..h.,...6..dI*}.HV..V.Mh.....9.v.B...0.!.<..i..\..8c..)..!.{..'..J...ia...4

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	4.844044363530328
Encrypted:	false
SSDEEP:	192:gadyqjd7VWAhWTW4pICSjRof0cVWQ4GWtv8YIN5vCX01k9z3AiR3Kjc:gaQUWAhW52xlc43UJCR9zdR3Ko
MD5:	DC3FE259A9B778480C2405FDD7405C9C
SHA1:	D28A588217738AF932FC43B809ADD215EB932856
SHA-256:	B33A762F0EB072033044E7EE89505B695F357C958D4107CE6F1C4D68F88D3277
SHA-512:	54F58F5A0D1AECFB9A6C8F12B5AAC30E26EC427DCCC097F8015D690A0A2244603E80810C19FB8EB2EE7AE9122D14829B3AAA81C69C77B6B4C5751D040C3849F7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w>..........." .........0...............................................@......M.....`A........................................P...x............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-process-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7535
Entropy (8bit):	7.9746141030497775
Encrypted:	false
SSDEEP:	192:OdNTO5JklTpDoG3U0NNKOHLkEty/8HIIkcrzHDCovl6k:KNTObiTRRU6NKwS/8RzHDC8gk
MD5:	53A6FB3CE0882A22052E43ED6CC97573
SHA1:	3C6F0292AFCE21B9C45817741A41FD7B4AD3CF88
SHA-256:	6DA20C279910BC6AB76A59D73EB27B5FD76393EC03891D3C2A2DACDFFC73D868
SHA-512:	AE5EDB0B9613524FA3BFDB5A1EC0438923BD4B7FC0958CF9FF0C583CAF001DC509DE81D8FC78C5A2B5A607B66E5B59E7ACF1F9F06AE3BD5D625A3D6DCE3CE0E8
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.>=+F....).)..f...G.w...B............8.....F..f....iI.T6..-.........v..7.p......w~3..sR.h`I(.q....z....m.Mx(L-.x. .J..;...>.z...!b......s....I...f..w.4\N...3....Oj-....'-_N.].....Z...)a.oWZ$..V.Yl...'"+[.#5..3.>..Zc....1....pX=?W.1..V..............K...d.W.5&..O...ea....".!~..~.."........$. ...ua%.V. .....Ju....(...X.".Id.`.......SP(.......0M...y#......at@e.....T..Y.~....t.r.g..z.@\...X...&[..'A........g..7.....4.^.4...M.^...HQ.t..&u....g...m...i.j.06..x\..ayT..k6.\|w..J".y..e8..W.9.....&g...*j...../.#. u..}.-..R.<.....to2........l.."..Dg..v...m+G3..Ia.H).l.E.0./....;(...X:.d.w8....t.kn .UK.B.!..........ad-0b-......#.....m.lV...}.Js.:0...hcOv......d.....T..a..b.>3.7.?...N.<...E....R .....?.[Vq....w&0.6.D..5m...U......ig..i@.?+.J3....................Z...... A.$\|.@.V..5..].o;M....($_..A...N...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26072
Entropy (8bit):	4.99171912400366
Encrypted:	false
SSDEEP:	192:iHUW9MPrpJhhf4AN5/KiZWAhWWMoWCYtvnVWQ4OWSj5t5equ/X01k9z3AFpGhS:iHUZr7/WAhWWMjh56/R9zg3
MD5:	80E80532239AA8929EC0FDDEDB7AA8AF
SHA1:	312E743535E66735D782CBAFFACF94C6C791EDAB
SHA-256:	D3641BBAEAA5A7E7D4EE0EE0EC64CCEE0327CFBA3D10B89094144EB70A0867A9
SHA-512:	87E7A5496BB2DFB9BED4E9B9913DB2656B335B916EB1277EBEBC33AC9D6622BED50A22293DCC02193F846BE5E0B4B0F032DFBCC673955AA90F04CF81B47A9305
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...4{.+.........." .........@...............................................P............`A........................................P...4............@...............@...%..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-runtime-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 26072
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	7.97700006802905
Encrypted:	false
SSDEEP:	192:GaiH4uJYryYJmdyDdB+WAVb6nvg/bTsAnEm2DSuV:vuaeYJmdyjbAhkvgDTFFM
MD5:	829AEFC88CE9F6BF51EABC5D0246EFAD
SHA1:	E813C653D2173F1104DD4EE230DC5824103B51E9
SHA-256:	372449B1CA458EF0DABC54C6324414F2D0439969C65A63733AE8D1B32BD3DB08
SHA-512:	D5D90B8BA952D16DDF0C09B9B5A1D77E85DEC5D02A207BFADE9C949C3089924E5BE6559959E9FF255669EE8F68C7691DDC374C6E083BEA78B4F308BE7464DE77
Malicious:	false
Preview:	]..@..e.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.C.o{.yx.,..W..5.Xa.t6...D.n7c..H.a...+...9.C...0.. c...B..I.`....X..a....k...[.e.g...)..W .zZz..G&.!..N.......5o\|Om.)...D....).,.Rv.._..[D..^.L2.~......G.\]........xR...p.c/.aUJce7..._.k.."{sk.Um.#k.....\..(._.[..9.=r..s\|.N{..^..+B..y.H......\c..`....E..@Fc.ac..[t..G.9.....<..".B\|..... E..p@.................%.+)>^...7........,..L.]. ..I.%:..s.....L..Y......L...../cn1..$.._..SL./e...........D..Z@.Fg...ub.z.bEZ....... ......c..Uw......k.t....'.d......K..l.v2j..ck.Ln....}.......:...x.zi............V\|...n._y~.M..U.....i.6.]..u.4.p&%5.(A4.f.j[..h.K...r...V.G...%.....K.ge...\$...cK+.;..s.e........$y..o.h...m...1~...X..^...z..}....q..3.V.....%H..'pq.............t......$.a.....:GL.....T..M.p......P....o..X....iCX).oCSKt@.3.9..>.J.....d....62..Q.l....;l\"`D.J...)w.%.v7D...ec...(U.8........W.3....!.n.`.-h(..8...B.u=..T

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26072
Entropy (8bit):	5.262742024708906
Encrypted:	false
SSDEEP:	192:PA2uWYFxEpahLWAhWWPcWCYtvnVWQ4GW8/T0siK2YdX01k9z3AcxvT8w8:PIFVhLWAhWWPXh0fwR9zvLI
MD5:	58A8C2D2404AD7BF6FCA8BDFBB8A5B3B
SHA1:	6E834364437BFD23B48E66D8D891966860528D08
SHA-256:	EB7851E182A4675BB34633869938FF3579779A92A6C094194EFBC970F3765DCC
SHA-512:	D44E3B47DABD29621A3FADAED16074A46B646E1190FFCFFFB7EC835B8CD6EEFAC88570812E41A490DAAE485A1D71FB2D035C91E73B65C2FBDE649FDA8733CEB9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...+b............" .........@...............................................P......C.....`A........................................P...a............@...............@...%..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-stdio-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 26072
Category:	dropped
Size (bytes):	8724
Entropy (8bit):	7.979599197806479
Encrypted:	false
SSDEEP:	192:GTAMcO8UsN0MyHtclBP1wJ18P3I8MX4HvwN3BNN1xj2RfQnSxsIt9MqYl4bd:Ay9Ua0MyNclBP1wvyI8u8vwNRfWRyjKn
MD5:	64495B4A7CDE735E644D14BCF5693812
SHA1:	4C5A81DEEB736BEB8A20EE2D1BAF5D51964511AD
SHA-256:	C7C129BFA248C6B6962687CD4D7542E97B93B2FD44E306146A602A21CC0082CA
SHA-512:	68C44B6AC47C8A26C9A7564770E8A9CCC9D7B44D1FF5431451C21BC8F89E6E18C7BD82F5A4FCB5E8B109351572210A622E508AE8222712DE0E55EEC784C4A8BA
Malicious:	false
Preview:	]..@..e.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.B...9.w..(.+..3S.g.(...:.)....sg..eT5{aLQ.$.6....F.SLP..g._.h...{..w.{j!..G./U.J..4.X/s....c.G...i..q.".#\|._...Ju.w.D.OQ\|.........XW..M...?.m>.$MI].7...`.6..Wx0..!y>..@.\H..]`..!/..,8v.uD.......s.~..+.D._L..R:O..n....<....0^b[-E{.d....ps...T......u.-.;..4..l..U.F...Q.....].dI.S..`.4../..q....s"....>.........U,Z.h.4D......l).b+)M..V...f.c..G0...uJB..Q..<..D.A....0lp.vQl.ASx...a...Z.."..k....4I.p..+q<..I.,..%St.S....0.lr...Q......4p..6..3@X.W.,.....H'w.:.\|.:L..I..............Ml?..;...l......`yi...-.......lAP........X..AT..g$..z..x..^.p...3....\|7{..q...Q...7...........a.@..cD...ts....}..E........WL....)..[Z...>.>.6LH....P..sl....Ik=uBm...j]Q.'.1.a...z}... ^.(..8aZ..w..9...0..<y../...V.jV/F/.DU.u....}.8X.q.LL..5~..v.j6.......P7...y>.3!A....b.hi...w.......U....yG...[F..,].z..k....I.1..u].o.......&.I.&

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26104
Entropy (8bit):	5.261519723110946
Encrypted:	false
SSDEEP:	768:JozmT5yguNvZ5VQgx3SbwA71IkFQ72N+Xzg9z7/1:JozmT5yguNvZ5VQgx3SbwA71If72N+D4
MD5:	D7164AE82B7332432BF2EB7FC7774E72
SHA1:	221D79C77A8A80068621A0EB8688DDB86224408C
SHA-256:	08D811FF57EFE50D9F365C76EC29E095474E0679E06BB4D0D4D0134B0120B40D
SHA-512:	D1A4CFC0A21509382606F4650A67556B0616283231E71BB1870CCAA5DEBA42FD77583C3130D60D632E98F5ACC4763F57A2ED932AA2EEEF49601618761ACD9429
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w.e.........." .........@...............................................P............`A........................................P................@...............@...%..............p............................................................................rdata../........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-string-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 26104
Category:	dropped
Size (bytes):	8699
Entropy (8bit):	7.978583532390088
Encrypted:	false
SSDEEP:	192:maqCYrgREdCsnX4PW4zjkMCMlAWGsH5qI54ZgIr8bQNdBeUpfFTeO:srXdDnX4zjMcPGsH4W3IB1n/
MD5:	739654C5D7A7DEA88F3AA2829F518BEE
SHA1:	1220A8F88D45CCB6D7860DCAC326F439CD0F48FF
SHA-256:	671C23E934E426F363C7DAB525DE4190D4D1405BD1CF64B84A7DBB636AEEDB81
SHA-512:	FAB7A50C39538E429A21CBACC0DEA9CBA142FF0C5629D0C65944CFDFE4C3A704686F3DDBBBA021A9E2C353925538D0FC7C1A35356AD0A7E34644F661FF667EBB
Malicious:	false
Preview:	]..@..e.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.b..n.16...x?%mR.....P1...`V8....G?..{Y.J}..../...".T/.....y\|r<{.jE..S.k..<.bE.....n.(s..:z....tA:X...$+...m.+..7...{.e.a.>.lSL}5....'...J..}w..6..v........K.....Y..L.\.Z.Ve.h..gQ...'..QK(.].](p.8.]R\|n...s.G..Q..1+.?.>.s.......=.s`[8g.5.N..@.!5.....T...(...z..#P.wf.....2\v.D...p.X{.^n..(.` .T&~^$......Q.vk.D.v..{.R...p.....iW..].}iV..&.s.^..mR..S...48...E!.Y....3..7..L..A.....I..1!S!z..D.......:-9.#N^.!EnHmt.[..4.V...M..D......j2ha.....!....h@......z`.n...#..7.bf...1.<..,.........)4f=5%..1...l.a...\|..~\|.g..r..-.U..M.3.-.81Q1s.,.........(._].....5`x.....B.Ft=jeA..'..'L....k..r..2...,..cH...Y.D.s...'"..i.....&..f.7~..V....}p0..9/..cF...&./..V:...V....".....f\..~....5....*.....9..L..Hsg.F]G....0.......a....Y........:...%}.Y...._..r.../\|.U...y'..,^}B.N.e,!.....N.EH.6.i.?#A..c..DZ$...;....4Al.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21984
Entropy (8bit):	5.225581899943725
Encrypted:	false
SSDEEP:	192:nND6WAhWyW4pICSjRof0cVWQ4GWK9bcK0OEU+9YX01k9z3AW9eO:MWAhWI2xlcjcK0OQGR9zB9J
MD5:	6AA7B1323C5D8E314F2FB42F855E9B12
SHA1:	044CD0167DE5E9C1B014E07287C90473C96944A5
SHA-256:	9C5880C395B4E7DB4B8D6DE49C75909ABDAEEEF0B041C1703C7339B05D7D2866
SHA-512:	E99A14C8772662DBABCAA504BC61EF616590BB6F7384ADF8AE0637E0A365F94C67FE4222B978605B7A2EEEAA62505E57C32857B17B51F4B2E9A0D8A033F0A204
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....p..........." .........0...............................................@............`A........................................P................0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 21984
Category:	dropped
Size (bytes):	7927
Entropy (8bit):	7.974811406442444
Encrypted:	false
SSDEEP:	192:O7iHDiWRtrqrODnlqyTXvYarInABZkEt166e5ac4v76K:NGablDTrL+QLSrNK
MD5:	CCFE34246ECA2FA0EAE5B9E0E10E9B07
SHA1:	9A222F10ECA67B0D2DD9FF7CB0E3BF8CCA46ADBC
SHA-256:	5A882474A20ACD02F9907E515EC50739230F3C110FA1341CCF5FD6E6EFCC6F6B
SHA-512:	C942F8CD705DBB5764A846015A9A2BC4B193176A37933379B040461AB101510A669C20D0447A06BE41D728950A398D08E6F6039B9FE39E9A284C7D841F97F7E0
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.Y.W..f.]."...>.....P...JR...7....>.z5}........t....C.].o.@.@b..q..B.&5., j....Y....Y-4<...@}...).Cf.u...(.m.R.B.....E...b...o.;&\|...62.e..(...'..pk..{...3..-....V..[6{..[.1....Pp.\|..YG7....8.....t.....T.Hp..o......g.....a...._.-..i_.]..\[f...d.h....A..M..e.?\|.$..6..i-Q....u...<.=.V.....j......'r-.).-OU.,.la..?.I..R.g.R.c.......2....NEQ...i...!...1..}.0R..wI.b..Y.7.....$J.`=...?J..............5......?L.....2....v..aY'..Tx.:E...../.`.+x...^\....}...N.J...Q.@..C..i.l+......."VB.#.....\|8.#J.s...!Z0$.1.<\|.<.{..\|....k7..{.P. ~r...5T...X..h...w...j.rD.@{.<..b>..~B:E.T..X...%z...'OJV.....t..-R...B}...p..RV8.[.#.......,*...D{.D.[.....w^WF.)..-w.+...]C..t...G..<.k...HVk.v.DJL-...oQeA...............V!B8H..M...Qv...8..;"R...6.]W.?....\.$..2.`d......Y.8..2.1..>`....u.x....`..h...5/.T.[.z....l.8...=..5....~.q.v...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22008
Entropy (8bit):	4.77907639420577
Encrypted:	false
SSDEEP:	192:rPjfHQdu3WAhWPW4pICSjRof0cVWQ4WW8tqDk+KKnAX01k9z3AdSPBMp29:ffRWAhWN2xlctqDkTKAR9zsS5Mc9
MD5:	7B7F4484966036FF86A7E4CD303D3871
SHA1:	18A789E9D1E9DF0FDF22E94D71A18C483CDEB611
SHA-256:	7D3D88332D4744C9B6BE81E2BA8D42CED7657CE7879A26F5B8A8D3BB2331ADA0
SHA-512:	39E986994A99361FADCCCBF5BD861CE9C4C6DE65CE5E3DA4D390B234FFF34D7C561637EC012CCDB2757794ADC222BC80DE19A60A8917FE65FC221FDB3054149C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...w............." .........0...............................................@............`A........................................P...^............0...............0...%..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-crt-utility-l1-1-0.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 22008
Category:	dropped
Size (bytes):	7515
Entropy (8bit):	7.9728882823694
Encrypted:	false
SSDEEP:	192:lQ7IUiHAu9uBJIl1R7sEZAQh6gGS0qeJ9ilYuPf:iIUUAu9uBJIlnsEZAQh8oeJEff
MD5:	E6CBB8651D2C71673F3A188526DE16D1
SHA1:	2787B2D21E7525720B09A0276FF61519B095F189
SHA-256:	0658C4977F6471A2F0E6B7A262340E6239E739953E493CF6D41FE914944C1965
SHA-512:	6CCD1F8CC9CE497F3A5542158EF0BA175AE805247D57161177C150D043D526208C65B28CB25D593245220B367D59558B6A88030D198E474321F1AADA1CEE398F
Malicious:	false
Preview:	]..@..U.......&..p.........../D.\|........{...cl..KN......TS;...p....."...gW.....~...~....oF~;..e1.>.vpV\.)..?._D.[15.......#."T.[4.i..3.d.O=....OD..yd.'N..]..\.....k.2....E.~\...?..d.T..R<.-......#...D...........G..O..r+\|.j..dt...g....mYM.J`J..?..U.v..........C.....\|/.~n.^..e....gS...GqP$.>%.N.kU.^.2@....{...4.l.....C}m..?.D.G..n....4[..YgS..t.(.{.s../.v./r.<n..\|.....~l{.>M...1.........(......[(0..b..I..I.V....<..u..+...7..;..{g.n58_.U.]n.z..)..G[oV.'..d....D.;.tM..k..;...!...q.....B.....1..qqi.KzG.......u..qz+...k..~....A....m_.C'..N..E3.$...tC9.%.&.......z.;^.M...Jx......1E&O...x..m..`..`).<Ok8..+....@./...i.#.l.qQ..Isn..$.Yk.....'+r..3.wT..l../......E1/>...}E .A.~p.KlA...C.*}>....5...K.....d.XM..~..H..B......n..E....XK@d..&e..uV3q.1..&...r..s..9.^......;{....rQ...N9d}o.....oK..Z...87F.3i..D+5m......0....\|:oA.X..X..#(.J.......o.&dj.GS.g..............7.V4mO....._.8.p\.6...n.AF....id..^9]...pW.E.~.."T.NyF.\|>....^..w..........4.S.....0.P!...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	10826
Entropy (8bit):	7.634281393506577
Encrypted:	false
SSDEEP:	192:GGIYiYF8AzI77cfMy/A5K+o/y2sE9jBF0Ny0aHE:JIYiifMuAM+o/8E9VF0NyfHE
MD5:	C52B2F4F75F94DC33263E7C00698F264
SHA1:	73BC9B0202129D522E95E3ED0D5406B27186A314
SHA-256:	233FABE3C5899101A12F8E1B55DA2421C4B60C648E370F7364CBD78DD1C7FBA7
SHA-512:	486230B7AEC989CC29619163FECF0E52FD51A52186C326BF83077533F0201CCA0FD9E14825C8D643E28134E62BE2AD7C295DFEE5773AA54746C7AAAA56D06D77
Malicious:	false
Preview:	0.F...H........70.3...1.0...`.H.e......0..\..+.....7.....M0..I0...+.....7.......,~.R.L../..\)...231206144803Z0...+.....7.....0...0....R6.B.8.5.3.B.D.4.4.7.9.3.3.6.B.0.A.0.9.A.B.0.1.B.5.4.1.1.7.A.1.8.F.6.C.0.E.E.B.7...1..0E..+.....7...17050...+.....7.......0!0...+........k.;.G.6.....T.z....0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......50...0............@.`.L.^.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0....H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....\|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.cat.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 10826
Category:	dropped
Size (bytes):	7950
Entropy (8bit):	7.976533078874502
Encrypted:	false
SSDEEP:	96:fhHcbWgubuLtx0O4OJp8e0qhI0dy5vouM2hgOn6vijT7WCozyj3vJO5o3DIt7cHS:fJgYuLt6OJpXqoFCn6aPCqRO5o3Ec14J
MD5:	726C128FEB78112264F5340C23D4300A
SHA1:	8042703F59C16F60548C4BB19427FFF57CC02EFF
SHA-256:	C4497423B77A3A03427F63AC53BB238C1477726476C8F4B12C2CC919691E51AE
SHA-512:	492637217E2FCC4DC6EB27B74C3B7EBB6CE860BB74E7A12FDCC013252BAC60F0EE077306415345A2F511D573966D02A8E9923F4B6710F6FD54401B2B109C5CE4
Malicious:	false
Preview:	]..@.J........ .D=0........&p].`...c+(S...G^~._.I.!?.=fV.}v..8..7CBF%.'.... ...5...k...X.'.6......IrN.tQ...6..}......FX>.J~...r..'.4K....$}..Z.(...x#c1...{x.8.kl[.=.:.....k..O..T......Y>.2.`.c.r..(6.H#.9.%l....^z.....8.......N.{o.........u...bO.1......&r=,...?q_.."~...G.yR4.b.._......\|..M.d...../a.%NB......o..z.....l=.c...IRF.]p...........4c4~..g...?).Xxp.ulD.......F..@..R..:..r......dLD^....>\8R\|W{I.H88..Y..M.[..,.Nr.Tls.{h.J.....v.Pv.5V.G..Q...%...:_IN{..>.].9...([._.."e..._(lQ..W\|O.^.^...w...V...`...u....x..X...&Zp.3.@....$"S...,.]y.......F_..'...;...F..-.u.&.(1t..."..D.,+:.4.1m...B../..5....C.YL........1.........6L.rA..0k.]..52.v.....J....eq>>q&....=P..#J..I=...W...\|.c4.6.Je..(....2..z....:ck.ki7..nP...nZY.......l......O.9.1~...pJ..d....a.Iz."..bO..CP..7..7..i.N^..E.@..#..O~f.....m.+lvwE..H..:.<....\|]>O...v.........r...M;....3E...[$..&7....N.F..M.Q.&....s.-.d.]nY.....w...C.lC..1.......'..sZ#.K..V80C.*....mY...]....Qj.R..m...6kQ;..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (536), with CRLF line terminators
Category:	dropped
Size (bytes):	28338
Entropy (8bit):	5.364886653558455
Encrypted:	false
SSDEEP:	384:qCJE4xeyWOHqkOwuy03GBz0YFaaE9eE2/h4FgeY1Mm3rGFJcZkaWUEQBLt4FE5D7:62KiaFfw1f
MD5:	B5DC4CD84E001ABAF9167D3970A5300F
SHA1:	612BF55FD5A43B7DA96268A541148BDF3E0EF333
SHA-256:	5CBC4BDFC8AE2B5E9D2ECD8370DC50123B9E6A7870AE6E0EA4C937D8ED6890F2
SHA-512:	44EBDD8956AA027985BE8A58EBCE8BADFB039A563DFC333B6D1743C6316834444851A065C9D73830A90362027EC7CBFD3DF3CC51DFB2B8CA9E79A7F930DAEBDA
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="avg.local_vc142.crt" version="14.0.0.0" processorArchitecture="amd64" publicKeyToken="129215daab62721f"></assemblyIdentity>.. <file name="concrt140.dll" hashalg="SHA1" hash="c29a5ecc7d7b397066de95c810b62b60df27f6f0"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>1H+ve2+K+O1nVG51aTIA0CLr7M0=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp140_1.dll" hashalg="SHA1" hash="d3448b7ee46fd218b932b7066cc1b827dde36f9e"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:ds

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\avg.local_vc142.crt.manifest.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 28338
Category:	dropped
Size (bytes):	3882
Entropy (8bit):	7.951795867119924
Encrypted:	false
SSDEEP:	48:DaBTcdplj7g1iel41CASNIIPqk1KNWcl0tOJDXC1M2FNg+o5D7dOPJwepgZ3NLit:myRhNGB1K0BOy1P75Y1OPqLOr+ATn
MD5:	D45B5E9AB428839F7D644527DDF13B7A
SHA1:	72B1CFD2E38FEAF861E6909CE2947069292E70AE
SHA-256:	2A569F523EF426F632BC27A2320B58354C8F669E61D3CFA0D6DAD5FA13735616
SHA-512:	D6D5698369AFEF72E1F03126F8212A82A81E40466E909F74D61610C58B71D63D9EE5FFD306A3627276DC37644B504ED7B80E037DEAD19BE419817D92F903F67C
Malicious:	false
Preview:	]..@..n.......w......3.a`.....f...'D.$.."8..S...5..\.z.......K._..2.....?}...$...:...Y......P.;3.J.x..3....i.F./.}.R.....'.v.>._..r...n..:j.....2.!!J(.....h.U..^.0...6...>(I.,.PK.he......P.....9.9.D..h.....%....._c,..D.I..z...\|u..U>,j...o...Pk......W..P...xq...a../..5......1..`.O.F..u&.r...I4.....C."\|.>..W....u...h......v..Q..bQz3.x....O3..m........!....!..G.i......~....;..y..5..........#...x...I.n3i.2.L.B..Z..=...(.&....Ou..<..E...{....(g).........Hj.........w`.[1HJZZ.%xXZ.'...=..ALI..m..L..\|....T.V.[1+h..C.e..D.[...(=.....X....Q7$+/[".....b.Q...TI...U[.y.4.i.n6$_W.@.pm'..u......dr...g0..^.T.b...i.o..p~.S_.......tJ..uS........K.x...ET..];.j_.[Z...?]....[h..3.,9/..DF..d.e...v...3`.92M..Lo..{v..X..n.SV\|..g.H...8...m%.#.gj.......P....SKJ ..t!.........n..y.....\..K.c...mO.R.k.."..u...w....aD.S.?+\|..h..>...t2I...e.hG+>.=36.>._.9~vi'0s.. ..j.8....c.zy\|.f.~.....L.q. S...B.pO.iF...4?*..h7.P%;..\..e......7.&.(...._$....}.J...c.K/.3.N...x8.T....D.......

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	322640
Entropy (8bit):	6.351629780096352
Encrypted:	false
SSDEEP:	6144:y9QszIL+si++MHC2NeJjqFnKEx0QV5bUjwwwMMnWzgs+VA1a:uzIL9+52NL/FzM3zZ1a
MD5:	E6D7FF1C7C1311A9011F1039639ADC3D
SHA1:	D47FAF7B6F8AF8ED67546E75693200D022EBECCD
SHA-256:	993AF3DE5E1FE2E3D0954CF06254FABB91A5A3AA513183FE0841B897EAFDAEEE
SHA-512:	35EAE324DC30A6BF652CF571DAEFA8D34D12C09361B248D8931CE721940347ED50A2D51222ADAA655ABBF9C5A0AB58D57CD91CB1CB26DABD487ED721790378EB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................%........&.....O........\|...O......O......O......O......OJ.....O.....Rich...................PE..d.....<..........." ...&............`...............................................;6....`A.............................................M...................p...6......PP......\|...."..p............................!..@...............P............................text...<........................... ..`.rdata...I.......J..................@..@.data....?...0...:..................@....pdata...6...p...6...V..............@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\concrt140.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 322640
Category:	dropped
Size (bytes):	120715
Entropy (8bit):	7.9983482426444565
Encrypted:	true
SSDEEP:	3072:/stoZjtI9JIt8G6PBLxhoC62ZN8q74U3Ivi2CuTvQd:xZjtI/It8G6P9oC6uHLYvpTYd
MD5:	E94D98BC0DC2281C32F76CD5C0EF212E
SHA1:	BFD7F9FB2C866A55C7F2C80541A1584679433A8B
SHA-256:	43E6F4F8AD39D01002C2024CBFB8B549FB4FDCD4D9C98693335A0948EDAB6BEA
SHA-512:	45CA8400182802DB728C3B16BC8533EB54944219B964B69C185A877C0E0189586ADC9C87160750D70319345970127239E44469C06081663C4DC437624F3F77FA
Malicious:	true
Preview:	]..@.P........&..p.........../D.\|..(....U..)..B.s.Q....L...Bf...2f..'.6...gg.D.....(.[.[...1.Ic2.b..S....h.........V.Z...y3...c..U..].....g..E..4..{Q...........G1.....K..05..C.Y....%p.D.u....>.&..@.!;...<.$G..=...B..wj..$8.E....t+...../.s].F.+..8X..).WS6..l.......cm i.9g...)h.2.G.b...pT\...L3.+....D...k..;i.u........F..b.<O..}./T...<b.....x\.........d..#.p.6k&tT../.P.O.[P.O..J..W.Z.5A.7W.A[..i..R.._$....:.e..H....Q.:.l.k}.O.)/[.F...R..W..)..9.c......t.T.l....b.....Z... b~.7\H...wk.E....u.m.<..Y.`......gN.f..`......x.12..\C....s.).....D.F..G..r:..p>..9.6..y..[.f..eaCI.M.4.?.........3A..!$]..n1........L.h\d........~......-..,S....[...J.L..E....}.W....v.8./..{.LK..C..z]@j..]2......`..Ed.N^.Swt.1....5l..y...>j.*eg.....w..8..2........kO.r..L.].N43'...[.Y........Ka..:..l...f^h..G.......g.`...~....Z.V...D=.X.}.-../\......y3..9$XD......7....k...7...a)....6....V.....zgPU..a....t..C.d5........_5W.z.x...+..8`.@0....Bs-C.}@p..7...j..<..

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	573008
Entropy (8bit):	6.533193480826957
Encrypted:	false
SSDEEP:	12288:APeu+VwM4PRpJOc8hdGE0bphVSvefAJQEKZm+jWodEEVwDaS:yqwpzStJQEKZm+jWodEEqD
MD5:	EBF8072A3C5C586979313F76E503AABF
SHA1:	2FD9609F099A8F42B1B7AE40AD35BE1569C0390E
SHA-256:	A030DC2DFD2ECA28A9375C92989ADF4DAF161F988DB5E16B9E10678EB0DFF4C7
SHA-512:	438C2DB953606818B843E42C04240D510B5E398617E8E5539498264F93CF1893AE9A6B6B02EE35B169AE60B0E3B5621D7D9F7E2945D0F1E7C2E7E0C1E9E3C1DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.(..bF..bF..bF...G..bF.....bF..bG..bF...G..bF...B..bF...E..bF...C..bF...F..bF....bF...D..bF.Rich.bF.........PE..d...{+............" ...&.2...T............................................................`A........................................`1..h.......,............p...9...n..PP..............p...........................P...@............P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data....7...0......................@....pdata...9...p...:...&..............@..@.rsrc................`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 573008
Category:	dropped
Size (bytes):	141044
Entropy (8bit):	7.9986204791583075
Encrypted:	true
SSDEEP:	3072:OtQ/+4LZPeOi/CeofG64ZCwpb1UEJTTh69jULBxyFjE5wo7LTpF6ABz:SQGfDrofp4tpZUEJCjSBCA5x1Fr
MD5:	CC22D4730120102087A77034CA9FA881
SHA1:	1DEB808F3C7F80BEFC19EF0064F7E566CDC9141C
SHA-256:	5CDCDEB05EBDA25627C2EA4CD0B320D9B6EF5B6DC55A94C1DAAC88C99CDC01AA
SHA-512:	9AACB351B8B3E437EF8D2EBDBD7D82AEDAAB875F0CF4A21F619A0ECD5B7BC1300AEBC983EBE4C8A051AF551280AFCD8622DFAFB0D8F89F8772D11B7215CE113D
Malicious:	true
Preview:	]..@.P........&..p.........../D.\|...).1...../Aq..k..Lx#..t.8..Kp...s.._.gr=N.`9....?.O.gp.0.7..y\{-........o.........?9..s.l^.E.......kNk._...++-S@.)...\|.._.a....._.....z.k.3-....?...!..f3.[J....LL......r.........o$..{.K..f...Z......lv2.q.P....g..]..W...Qg-.........n3.V..=....r0.) ..]..b..1..U..y...........q..<.m"z6.yVQod.......N.c..>.VK"...-......V.i.S.b.l:.~ip...=Z.}m..=)2M...Q.F.Z)+m...0..s.......\|.4.]t..k.o.X.?KU.A.yw...\|].6..0X..G.3...4G'./.........Q.....B....v](P=tt....e......=,..........4....W.Ic.x.....^D.....r'6u..\.............JN...N"..\|.......Uw.....'qb..T...d..Anz..(..E.........B.(.I.z..t..W..;..G...W<.!...}..S...........A..z.G........(.-z.w)Q?.w..My.\..........o{.!8.c>l...,rR.h&.P.h..'a.....).g....{....8E..C...fg...D.b.q.....Q.em...j/:S.....e./t...S...F..K..<7.?9/.&.,.3....\...Qi.F[..Ks...0........6..6.s....p..!-.N=.....20..z.\.....#.......qJ....B..'2..J^.v.......V....A.\|.D.96.k..wM.5.......u....4z^...1..C#{..b^;...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35920
Entropy (8bit):	6.602477276957385
Encrypted:	false
SSDEEP:	384:vhSfZMC9jvOoKF4ZWcx5gWyHi0pSt+e4Js1nR9zZDbJoRtHRN7M1nR9zZDH7Px:pSWCtvOjajUi0QqS1R9zZ/2RtM1R9zZB
MD5:	11D5D26552C1730CCC440F13A1FCE188
SHA1:	4C534EB613CB05455809B6471D38E1E0976AA919
SHA-256:	EDFBCB2CED712F23842525CB076EE2C09CC7B811A389CF37922D04EF1985E10F
SHA-512:	2428C4257AC8349035EBB286DEC236A25ACDBF23178AAA80FD5461B2ED3101C0A67574BF7DB8728D0C101D92F45DC72E7BC578049D5B18FAC367BDFB44ECFBF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..Q>pVQ>pVQ>pV.LqWS>pVXF.VU>pVW.tWV>pVW.sWS>pVQ>qV{>pVW.qWT>pVW.uWE>pVW.pWP>pVW..VP>pVW.rWP>pVRichQ>pV........PE..d...a7.K.........." ...&.....&......................................................Y.....`A.........................................?..L...<A..x....p.......`.......<..PP...........4..p...........................`3..@............0..8............................text............................... ..`.rdata..2....0......................@..@.data...8....P......................@....pdata.......`.......2..............@..@.rsrc........p.......6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_1.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 35920
Category:	dropped
Size (bytes):	15424
Entropy (8bit):	7.987101819585757
Encrypted:	false
SSDEEP:	384:DfpHXNYoW9eZKyz2Na5RIROs822/ANgY9a:Dft5mNa/G24Pa
MD5:	1DE198ECE0A27BB87DA0967A62358F0F
SHA1:	B46A1511A4B42F6B0E913399D53178724E00DB63
SHA-256:	5373F5A6E75625046B5FC1EA5851AB686EC41562A4524B87837FFE6E1D248B77
SHA-512:	0CC56299A897DC116837E2F372288A1A3F86F839A3D03C1C0AC37AA453F3BA878F6AAF5BAD4D8A0F118CE1CBE95DCABE3D72B027F87773E99D8182D1C40E4A41
Malicious:	false
Preview:	]..@.P........&..p.........../D.\|...).1...../Aq..k..Lx#..t.8..Kp...s.._.gr=N.`9....?.O.gp.0.7..yX."`.A.=D...`a...i8".l.. u....0U.m..\6...#...,.~.>...U.....,6...j.p^..8.C8..Zi...`...E.O.<.G{....i.svw...r.+.....k...K=w.U..y..Ys3'.E.......9...r....$...OY0wZ.....[.Z.a.....A......@}......g..N.1M......{A.W.JI.......y..P..p....%p.......Z.L.OI.I..G.vA.V.yO.k.B..C.]e..S..=za.8.N............[].,P[. ...pG......~2....A.....`8;.P......".D.....}^...?...t.....R.b..&R..0...........dv.X>@...O.$[.E.L...!!.~..4Xo..%...."G..X.x. .!W.....w&.b..[.f..4s?.J.....%.....A-.....$$`...7#...iS.\...Q?..p..=.....w.....Lp.8t..y.g....:.J."8u....Z]G.\|.7q.Z..QM6..7b'....~11=':O.....%9....Z.rJl.}..f8.~..Br..gt...g.5C.0....."M`.f..Q.............B..\.fuR..S5\......0.}j.c...._....4....A.9.{...29g...#.....Z.._......N.\|.Z....A.I.{.n{..P..?..".7. .m..K.Y>..r..M....l....T.f.U...P.Y....T}.#.!.......'."T....a.6....L..S..TB...$.. ...ZY....'.X....C.......#Yl....U...g...2U.mv.ok...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	268264
Entropy (8bit):	6.522762633343934
Encrypted:	false
SSDEEP:	6144:ZQlhTFL4EDrHNvteLN3XjlGXMdnMMWQclEwY:wBVvaXjl5vW8
MD5:	718E5C4A63D2F941EEB1B4E9D6D85A8C
SHA1:	DECA5196D35D43C7ABB35D9AD4B0AC0756585FD9
SHA-256:	F3117E3445945A872A35E91371E2A6C9F7B3FA5E74E5985F6AB12AC101B280FE
SHA-512:	61694FF307BCF3869DC14DAC45E74B0CDD5A661D40E8483CFE96DEBE4727EC45CEEF867D18E972D25A6B294C43BA0569562392B6752E068F2BA7C15407FAD975
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?&..{G..{G..{G...5..yG..r?k.wG..}...sG..}...xG..{G...G..}...\|G..}...nG..}...zG..}...zG..}...zG..Rich{G..........................PE..d...b..=.........." ...&..................................................................`A........................................@...................................O...........R..p............................Q..@...............x............................text...{........................... ..`.rdata..............................@..@.data....*.......&..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_2.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 268264
Category:	dropped
Size (bytes):	87735
Entropy (8bit):	7.9979472380166365
Encrypted:	true
SSDEEP:	1536:kxCJ0KBwNUY+yVFJwIS+QfdbTOtFsdnzz5qaR21P5oDLrgDa5/Ehd216PvDVoc:kTgw0yVFHQfRTOt6RzwPPeHD5K+c
MD5:	6149EC086D2C1878427096AD4096E7BC
SHA1:	5CC6E6793568991D7C1DB43600C5E2E7FC30A883
SHA-256:	636C9D1F9F6DBED13D1FCEADF63136CFFE2BC61AE5B4BE09D76E5E0569EE8D3C
SHA-512:	1A11C6ABD0577F2494A05EFC75F9CB5929650C004EF92D9A40D987CC6BDBC8149D5E7DD32B8654EE09651050E7DD74E996D519302CB4CE0BE6C1A103378B7393
Malicious:	true
Preview:	]..@..........&..p.........../D.\|.......`1...~ a{R..T...[..qN.U..t...f..X..Oy..kM<...2[J.O....G.5.f4...3.lCC.,....-.=@e...L;`..r...S.9..k.z.x.;..:...h_.L..T....'...xlD..~.-...<A.j.E.i..o.v#.J....).B.yK(.....G...X...:........".D....ci....!. ...?...A...g...A.P......O..U>;..K.ih..'.8.6..6.......O."Yo.3kOQ2.[..^....2.{.a.K..5...L.U.h^.......A.......I'<...<Jz.`Q....&#8.6vaK.G...'w@jfU9[...F.6F....b0.2.3.....wf...X.....Y......3aC..F%.H@y........:SSI..#^i...%.(..7d.j.~dI<......Z1. .v....^.6....jC.5..w1..2.-V.k.e....)..U...D..K..SOU.I`.<..o..M..H...<.....M.0.oR.zf..U@.."b..\|.R....J.X...a...V.j9...a...g...._(....O.L.Z.....d....b+..+Rz.:...w<...$...0..5.k3.9/s.q&m<..._Q_....}..d..;.9%.*.\|.e..<.<u......E.2..MB.=X:......p...C4..{..r1.`.H(I..D....q......i.@;Q\r<.....mB.v.....J_...2..&u..(+l"/;...............v.E..]a...b.u....[^./.......v.q.X4..A.....9Q.f..W.....-_g\|.9...0..C......r....5:0.is..R{.U.i....4.5...p.).(.o...s...B....e'.:..".j...?...3.`..9ji.>^.X.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50256
Entropy (8bit):	6.641326955561771
Encrypted:	false
SSDEEP:	768:Z2RFMT8ZxzboOqnSuLxaXeCo4YEi0Qg9zSRtYy9zT:ZaoFLxaXeN4YSQoz6tYOzT
MD5:	F9C7A19DFC5FA60B1405C81208BD959B
SHA1:	4EB70DF0A412D79FBD8011FA17EF815E10189C0D
SHA-256:	2F9CDD965650440CEBAF2349140A7DDE9B587829B7753DE8CD051933A777F499
SHA-512:	2EA1E4D7D63AF427A0C764B4A9A646421DAC1F1EBA15C1D43BD040B284FC611C8059D889C48EDFCA56E745ABB996939D8F430FF3E249A5C6455E81B520307A55
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.C......................D.......................b.........................(......*......Rich............PE..d................" ...&.:...........>.......................................@.......v....`A........................................Pf..D....k....... ..........P....t..PP...0..X...`X..p........................... W..@............P..H............................text...~9.......:.................. ..`.rdata...$...P...&...>..............@..@.data...H............d..............@....pdata..P............f..............@..@.rsrc........ .......l..............@..@.reloc..X....0.......r..............@..B................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_atomic_wait.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 50256
Category:	dropped
Size (bytes):	22311
Entropy (8bit):	7.991013029452904
Encrypted:	true
SSDEEP:	384:v+POXvFdvgzx+flZgiLw+9b5wN/O1BpDgthi0KyAz+QXi8hHB6Oebl:vGCdgzE9ZKcbzflwUJ+cjHBNeZ
MD5:	CAA4335C1AE52A67A2BDE4C08CABF127
SHA1:	BE4918A2D54DC037AE95F1BC17C4239C0CCA5437
SHA-256:	72BB22B02F134509C710EA638405BB74386B7FA911A6E46EFBC9BF739986485E
SHA-512:	E1A430AF482EA36421E5BD702F4E4B3E186A333FE01729B2DA66D60F3AAE3E927FE72D816913F3D70BA6D0D1748EC9CB2DFFF5C825421F77490BCB692B6D55FC
Malicious:	true
Preview:	]..@.P........&..p.........../D.\|...).1...../Aq..k..Lx#..t.8..Kp...s.._.gr=N.`9....?.O.gp.0.7..y[o.....B....3...(.D..SQ3.a...t....7..U.....95......:.....w...-.....G.../H:....R+ov~q.h...eZ8..'L ......r..s...<$..K..V.........?..HB.Em...qJ.$.M4....C9. gr.c....R.}..5Q .2?.......... .d.nE.-.}..!w.=..;....G.X.t.....y4T..\|..P...G.oR.p................;.}....u[.....[A\|.3grxz.S....(..R...L].....5.S....+..@I....{..K......A..h.."BRj.vf.RCD.tyO$NY!.......H[.r#K..%.->.lm...w@..G....[uc.6..TC.....T..-]yj.P.=..y..`7..K..o.FP...S..Ci8=,.p....w..g...,v..x......7.........&.[B.R .[.\|....)..K.....t.)-..HAHW:.ev...WJ...dM....N5..q...>.............._.G"..m.T...N'N{.TR.K.s...+.).6.j.j3.(.Q....O......<....._../t...?b....a=E...F......S.T...h..P.fYa`{..f....+"?*?7!=....UJ..0.?.o.Ov%.1..I.(.M;...U..S..\|.#...<.f..R..0....6...\|..bc;h....H.J(..GO.r-;...'.^ ..hW.K.c.....P/...?D..&........+.J-.qs..G...2..J.m.j..e.i@...v.x.~..+...I[.!....xs..../n. ....t..i.T..s...)...Nz..^.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31848
Entropy (8bit):	6.797442394442606
Encrypted:	false
SSDEEP:	384:S9agMU9WifEWzQgKSt+e4McYR9zdovsHRN7VcYR9zdF5M:S9tMURzl+Mn9zKwVn9zJM
MD5:	0F4E5F6C68C514E63C4CDAE9EB9E40F5
SHA1:	B755C91CB14E9F22C690209D0B4C3661AB20770D
SHA-256:	945225E01A65E5199AA7372B893DA3B42DBD99F315C345F0E7C136AF88E897EF
SHA-512:	8962E7F92446C535151B38A7E34BACBFB9F0F48AB57D4C2C8F2162DC2F1CD9F15BE70742032192B41AA368C97A149E1E6FA6991E29077B7B7D7C1708F1A54F9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.z(...{...{...{..z...{...{...{.T.z...{...{,..{.T.z...{.T.z...{.T.z...{.T.z...{.T.{...{.T.z...{Rich...{................PE..d...20.y.........." ...&............P........................................p......m.....`A........................................p(..0....)..P....P.......@.......,..hP...`..,...."..p............................!..@............ ...............................text...h........................... ..`.rdata..B.... ......................@..@.data...X....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......*..............@..B........................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\msvcp140_codecvt_ids.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 31848
Category:	dropped
Size (bytes):	14296
Entropy (8bit):	7.987170183403303
Encrypted:	false
SSDEEP:	384:gszu6MPUiN7XmPF7Fxh/GYDCEKDsfLqgo:gMWdWPF7FxheQCFuqgo
MD5:	546ADC4EE97088B26EC5FF9F8D32EC2F
SHA1:	C72B5EF4FDC15661EE0B8F868A657B7EEDB0628C
SHA-256:	CF2CF989D6E3AB1E177F8422B67224F6AD3FE95D8600E2BC8737BBF1B0C8B464
SHA-512:	9B212B6AE936B8AA5CB46EFEC69852099D7D0A20C861156FF8811F7A5E26AB652EDD4EE93799A5FFB27FE4119B82DC3976A61C0294CE04C1CCCFCE0B9DE4DA51
Malicious:	false
Preview:	]..@.h\|.......&..p.........../D.\|..(....U..)..B.s.Q....L...Bf...2f..'.6...gg.D.....(.[.[...1.Ic-\.?.H.Q.w-y..(G..h.?.....6...nH...X.s}0.J...Vz.....w1X..Wr..h.s.....X....d.z..)a..1...T...$~@.0.^..w.1yk5.O1~......k.....4......Y....!Ns.C.....H..&..v.....=.\|.2.:...?...........TPG?.UI.y..}...n.v...9.y..pR.....\.A..k}4..k.O.`..}.q.o.y1........b.b...D.n.m....M0.....}.........=..J...1..zZ....L.....S..LLp.7...I..L...\...>.y.... .dO~..\|..bKb%}..W.."..Zw.s.3)....Tz.JZ5.9.Ch..v.,..G..~E.n.:..{.......h\|..hW_..!..E.CGq..N.4o$......E...l..b....2...5\_Rs=.m......4_.E.9..".......4v.^...sB.d.r....&.?..Q.._.. .......\..F..p.....u..?....P....\E..4...$T.7rX..............s.v.d.@.[...o...C..a.8..B.s...U..~.....o..\'.....~.A3[.q....4.>....5b_.._'O......N.<iUU^3%V.g..T....,gN>.f.bt{p./.8.t. ...[..6d.`...,.Ne6........G.0;..D.D f=D.^m./$M...'.;.#.G.6...g.Cyf.....rZN..7.q..k..f.P..2f......y.$^2...X-.\|..;=,.jZ.Z.l...r..%..)H..a<:..@..V..Q...P..'.....d..}..a_..a2..B._

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123832
Entropy (8bit):	6.648839167675594
Encrypted:	false
SSDEEP:	24576:3JG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypF:RVGrT6SAk3e
MD5:	932DCB8D7D06F4B89FC3915726C418B7
SHA1:	33A1FDBFC3DFA0A1B7D2FA3B2E8BAD8E8C71E961
SHA-256:	A73BD7D75F368AB2FE949DCDDBB25CD5D5975FF9091761A01B98F5E26DE543EE
SHA-512:	FA24B5F9A4192FBFE737506899DC052C51F48980992CBDDA878DEEF01ED0280CA455BED0C813089503DA3CCAC92A0289DD8FDFE64CBF6BABDF70D7BAB531540D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^..............................................z#....`A................................................................. ...........%...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\ucrtbase.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 1123832
Category:	dropped
Size (bytes):	410207
Entropy (8bit):	7.999552464612916
Encrypted:	true
SSDEEP:	12288:d+WO17S2Q0N5+XMfE4homp85k4B4gpNTF9jYIReW0q4lE:wRlu0v+8xN85kzoRF2IAW0qz
MD5:	2521566C1E8F5B02E3DDEA8EAF3E5D6E
SHA1:	AC391452B0904B910B73645C462E8E7ACA19CEAE
SHA-256:	3C721F2D445F1CF98CE7298074B1F3A493A640AC3161A0A4BEF2D24C70FB64DC
SHA-512:	5FC1DB087C165527695892DD1B4CCA8B6C45E48EA0B21F2327B1508E764470E84EF73F590EC78B7CF25363D35BB801E1E740F0455AACCAA1B26AAEC84A9A7869
Malicious:	true
Preview:	]..@..%.......&..p.........../D.\|...).1...../Aq..k..Lx#..t.8..Kp...s.._.gr=N.`9....?.O.gp.0.7..yc.Y...h.Z..z.2a^,[.W@...(...z.....i.<..w.\..D.b.e{'.>(x.......^.u...\.v..i'.qk..5.k.I.L......uW?....0Z.5......,.y!w..0{;.......vC...X....2..R...3Z..`..#e.....k........<.)....6/.....(..F........S8.K....r.\|m.?.g..D......@.1.B. .w.&Z....p..Y....+.....^LVMw`1.....r..Z....Be.BP1........"u...\.#.L+..n.?....G.....\|...\Q\|...?<....h..v..V...M.p......bnNc.W.......n...u.........r/............)..*.i@_.Av"...;..6KDV@..\|.....TY.6K...gC.....e...Z.d.&...{.Q+.&..A. ..?X..w.O...G..[.r...:.qk2..&Z{.....@...D.a.w1k...3.2..j....Z..>_D.E.C..]...v..V...yIe.....;.,.....\..7R$7..J.<.r7y\|..m...:.....=8.R..2.9............>.).%.s...).s<.....YC.....03y.......D.;......7rLiuKX.P..0CkH.=:...6.K....S.a..\|.......,.8....6.6.S..........s.i......;.."U.y.p]..[......;....#.&.+.W......jD......=..V.-...........d\..h.H."0pp.........{KT...[7..>t.=^....a..&...[.'..i.ox.SCa.`$..O^q.k.

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	348784
Entropy (8bit):	6.04763354098135
Encrypted:	false
SSDEEP:	3072:iY2JXxXk4wV1J2Rv9DwCx1Rp9tuwqmhLhfdP2EcCkiNNWA/LL3OpawCLRa2rUjLU:QhXrwUv9kCl2+WKf32aNUT9/h/I
MD5:	22A66D8309244779B8A7F275A3FF5CBB
SHA1:	195E58FEC7A5D39FE7A6275DAC37295777DA1352
SHA-256:	ACA79A9C1F6D664D99691FD0D3D84A8819993F784B2FF6D7BAF8E8AB2E15E7B0
SHA-512:	B39EACF78B9B97D968E96E357725BD6CBAD7592BEEF5E0E5B301189CC76847BE49F8A5299A16D68BD5C1C2D0E86D5263F865B29B66DF8360CB1D4725B7B00AC2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K].D..D..D..R...D...E..D...A..D...@..D...G..D.GXE..D..E..D...M..D...D..D......D...F..D.Rich.*D.........PE..d................" ...&.....~......P........................................@.......q....`A........................................ ....>......,................ ......pP... ..........p...........................p...@............................................text............................... ..`.rdata..............................@..@.data........0......................@....pdata... ......."..................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vccorlib140.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 348784
Category:	dropped
Size (bytes):	86920
Entropy (8bit):	7.997495123755109
Encrypted:	true
SSDEEP:	1536:VnEs2vm536iLLhdjx9Kxsez1aq/CbitVc0hmIGX43YBcqsGjEfu4a9hsG5E:ZNb535F9Kxhz17UiTc0cIWrBMMGu48hm
MD5:	479380F76AC93D9A30D4A41B158D86D6
SHA1:	7ED3491C534ED9A108DF809AB0B2949D16EECDBA
SHA-256:	27FDD5D57B0B21F212006E0BEBCA60F46AA89CA2CE6957B67581A71336B49897
SHA-512:	018142F2C11F290A68BF95DAF5F960CDAE12FC34EEE10297D31C10DCE6CF37D9517F991423E4BC82B08811AA3F31497FB6F55DA618105E21FD73AF24A45D0D03
Malicious:	true
Preview:	]..@.pR.......&..p.........../D.\|..(....U..)..B.s.Q....L...Bf...2f..'.6...gg.D.....(.[.[...1.Ic4..7....u{..-hy..........P.!.l......H......y...H`.f...V.........V.......&Hl.-k..:...O....%.j.I.,.&T.sp...D.7..-glX7..Lg..(..a1x..\|.t.=@.P.^@.5(c....K%ah...8.K3..l.f.c..2y;..gq..5q.....R...5....:2...}B.O.n....P........@...Q...z`d..qx._=...H.t...~. .....%..e..Uu...G.?.......[..:.b....W..~WHG.u.....^......h....X.>....8......./...*Q.......e.hT.m..:.\|.E..v......R...u.@..x...i...E;.9J,.Dt.t^d].&{..yq......:W...e.c.,.E....Lv..@]...w..`.jY%.e7L".<.......@i.W...}X.j.V.q.k..^...5'k...9s@.u.V.Qc.).e .........3..=.++..e..'....1)}.h.8..pt.}.<H.YR...2.......8.aH..h...?....4n...J8..\.#."7...............yUhh...L}.....%...O..s>1!..k..#...3.&e..j.4.bXqh...........>.p...XOtG.N..\..O...!....t..5.XR E..A.`..=.-.....y{.p.s...:b...&..!H8...8.)[......z.....+.B..toY..h.K....."....1.....'..R..@..[.E.E. ..4.^........O..o...l.MWq.S...-.P....0dn.].[.E#.9E)).3.<Cbw.@j'

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119376
Entropy (8bit):	6.604870536069721
Encrypted:	false
SSDEEP:	1536:KqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbsecbWcmpCGa3QFzFtjXzp:KqvQFDUXqWn7CkRG7YecbWb9a3kDX9
MD5:	699DD61122D91E80ABDFCC396CE0EC10
SHA1:	7B23A6562E78E1D4BE2A16FC7044BDCEA724855E
SHA-256:	F843CD00D9AFF9A902DD7C98D6137639A10BD84904D81A085C28A3B29F8223C1
SHA-512:	2517E52F7F03580AFD8F928C767D264033A191E831A78EED454EA35C9514C0F0DF127F49A306088D766908AF7880F713F5009C31CE6B0B1E4D0B67E49447BFFF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d....<............" ...&. ...d............................................................`A.........................................e..4...4m..........................PP...........N..p............................L..@............0...............................text...V........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 119376
Category:	dropped
Size (bytes):	51232
Entropy (8bit):	7.996107805549517
Encrypted:	true
SSDEEP:	768:OnvTPS3wa2YcMp+Ym4rn48LftZf7EpNuQdYegB2V0ZV9K8+XB1+neobE+b/s:IKFwtYm4j48bLf7aysWRC1o4+b/s
MD5:	1691FBD89A065448EBBDEB807F4581F0
SHA1:	CB1B7D27E59927A1A53D416FCC9DD1541BDE8A84
SHA-256:	E98581D3E1B0C5658D6765FF0A99B367D069A943A5D6BE118E167FF7E11DCE2F
SHA-512:	1DE8758C59BAFD33C2E4235DD1EE54D1BCBECF9DFB5FC89895B8B6681A2685480CDB04C15D6E31B443636FF9A7008FDB94D1F33A5703C600B3B9AD5372B9FE14
Malicious:	true
Preview:	]..@.P........&..p.........../D.\|.......`1...~ a{R..T...[..qN.U..t...f..X..Oy..kM<...2[J.O....O.......3...-...8.)....u0.G...(+.0.b.9.#.?.p6.-..7.B.....K2.....3..2..rG.F..5Ty..k.-....c.\....wW...(.j......j..lK5...._...>P.....:..~sf.{k.3...j...C...(.8.......K..~....c. .lU.L..Y...c.&=`$;...i..l..Ih..a_.......!.\|..V......_..3`.G.....].aN...4.K.;V.u.......8.[QB.p.\|..RV.GzE.....\Jh......#.nXp.}"..^6.L...+[H>m,...w.[.eN...j.'E!E...I..].3....5@l-.\|..W.^2w/_.....%\|.....9.f..&.w...E.%]>GB...d.h.K....}tF.k.U..Yv.!.....[@/.o..-.R...r..8-3.M.A.?.REo.o.-Th6HB.;B....SJ.X%...+{.....r)...X.....^..&..S......4M.$..q#.5.Q..w...._,NZ}724.."....".T..GB...1.1..#y........\|..fG.D}...f$..4-"...&..".c..1..w.^..R.....;\|.P49v....hYLB.j..<..s'GJ.sv2.......M.....k.L..%'...G.....B....N.os.U... .<...7.Z.H.....@.8..G..K..6.`.....aH3.K&.......z.*.s..LO....$...#...p...61.<..2...",.8Q.{.o....i...E..b...&...pI.8k...WF...r.V...b.u.8c....x<.~^.....c+.d..E.j...S-...e./..B...N

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49776
Entropy (8bit):	6.676049207852517
Encrypted:	false
SSDEEP:	768:GPIyGVrxmKqOnA4j3z6SCz7OezlC9znkwju9z6E:xBr87uWJvOezleznkwjqz6E
MD5:	9410EE0771FF1C2007D9087A8C316A4B
SHA1:	3F31B301B5A99A13486DDEC08D25646D5AD510DB
SHA-256:	E4E85EEA1106D361923995E53A0B961A28D4FB58555F40945003F35E5BF2C273
SHA-512:	434A32CA6C4FDD8FFEB45D1BDB4D9F3C1B1259A1260AE66EB241F8BD63524CD1A3EC29D5EEFA2D2F266DD740273E69B6BB8A7771BADB77E781DC789DC18DE2C9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d...f..O.........." ...&.<...8.......B....................................................`A........................................Pm.......m..x....................r..pP......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_1.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 49776
Category:	dropped
Size (bytes):	24219
Entropy (8bit):	7.992483291918365
Encrypted:	true
SSDEEP:	384:hP20lS+V0daV3IZiCsSm8m8O+xaOCt8ReOm0nhZphWb2eb6qUvcpUFDutfwkbR6P:hP2EH6daV3WhZm8nO+TCtzO7nhBGpUFN
MD5:	E2F3BC5AE37B583650363AAF1F005C9B
SHA1:	0A87DA1F5028532CFF57D696D48E1789D3762F1F
SHA-256:	B6AFE1A128143D56688F517091882D9952B2BFBBB88B2C0767F17B82FC1C2FF2
SHA-512:	6035AC0EC5E65D0D0FDA850271962518E103AD15EC1C54ECE931830BFCC77E4347464CEEC26284C231ED271C259323857F103A39CCF11D27AF49BFD7579C4E84
Malicious:	true
Preview:	]..@.p........&..p.........../D.\|..(....U..)..B.s.Q....L...Bf...2f..'.6...gg.D.....(.[.[...1.Ic,r.<..u.o..66Iz"........+...#.._.Y...6t..$gs......C..e..&..!r..C..4.M.}.T.B....@V.z.Fb....S......]<...=fW.....o....n..M ...a.....p.u.y(;a..l5tp.L(.U.Br#.'j..<..e<."NL+....x...?.:.....R.9.k.{.i....Mp..!G?<..., ..B......N...9.?u.....?.N\._1.[.z.../.6...OP.MW...rk........,.f..Se.?........a.+!>.I<s*.....q.T..\|.. ...E..6....\|.kF..K....U.TOZ..sl....O?..`.O.K.......)._.N.".R>..\..<\|$..[5z_O.1.......9.2u.k.Yo....l......<......P.{..,0.G..=2.2....p..}4.Bg..6^^...5.{1>@.,=.2....f........t..P.K.=..).{V\....F..dni.-S..$~.2...j.E.@ut...A.=...D.g.d!..@.{..r..k{4..Mv.._.!)..{ZQka....9.L.../...\|..v)i.c.....lzY.n.V.... .$......Fu..u...UW..k........k.&..s.....2L.{..62..\o`..L/.._..=.L.w.....7.......(5.KU@....U"....l....Bn?.B]6....gI4.....w....><..K.f...I..F..R......X%%,.0..>..v]...&t.=.U.j....h...?...........N.m.7.=....Q.[.1.N.M.[...9......+..........e.....!E.."....:...

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38480
Entropy (8bit):	6.772246914888492
Encrypted:	false
SSDEEP:	768:NcGvEQQVHOn645dKVDozEvVi0QNOQ9zykRt5uOQ9z0:2tVHa5dKVDoY/QLzhtyz0
MD5:	268036DFA28320D2186B9B21631D443D
SHA1:	96FA44F2214AF9EDE1160E043C7CD31B890B437A
SHA-256:	EDB3FF7CEF28496D535E40769625E542DD3E13110C38CE2E3DC1CAA8687B892A
SHA-512:	99CE4BC5798320DD7F736725EB85A98553E277AB93353E1675FB7842BD258BB408A5DF7BC530A161D91C1ECCFCB510138F98085A80E892C3F54E2E8A723BB841
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j\|.Dj\|.Dj\|.D...Eh\|.Dl..Eh\|.Dc.YDm\|.Dj\|.D*\|.Dl..Eb\|.Dl..Ei\|.Dl..Ef\|.Dl..Ek\|.Dl.5Dk\|.Dl..Ek\|.DRichj\|.D........................PE..d....Zb..........." ...&. ...(......`#..............................................N.....`A........................................p;.......>..x....p.......`..$....F..PP......0....4..p...........................p3..@............0...............................text............ .................. ..`.rdata..H....0.......$..............@..@.data........P.......:..............@....pdata..$....`.......<..............@..@.rsrc........p.......@..............@..@.reloc..0............D..............@..B................................................................................................................................................................................................................................................

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\vcruntime140_threads.dll.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 38480
Category:	dropped
Size (bytes):	17444
Entropy (8bit):	7.98991790039857
Encrypted:	false
SSDEEP:	384:tPqP+puunJ5Aq0iPnlg0qF8gw/RZwCXwWiSq+yKHeP5iFyE:tCWpiUdrqFrw/RZ9gWiSqFK+5E
MD5:	ABB92DC8951C9441DFA7D102A09BC32B
SHA1:	9A31A3692733E9139A14BF9420F23C4FC0B7F56C
SHA-256:	8769DECFEEA2FCB31678003CC7DD57316CBB0739F736CA68EF461D037D22D96D
SHA-512:	CAF15E2DAB306DA00E36622F333A96D5507883EF79BCA6ED3FD58999FE818A94C610FB30B731FE3C05903EC0C5B23F918DC1EBDC8204E45459A6607939883172
Malicious:	false
Preview:	]..@.P........&..p.........../D.\|.......`1...~ a{R..T...[..qN.U..t...f..X..Oy..kM<...2[J.O....Fo..^.h...8.~.( ..X..0Kq.J.=......{.fn......KC.U.`.E"")=..l.8._e..j.Eh...V.7}.qt...`.z.:#Y..a..b(.....fo..o,........KB................@...5..t0.-q..(k.........h/,.U...W<.g.8..H....8T+..#.........m....it(./.1;... ..Q\|l.g&....G....'.^J...eE.....Dw.........;.....E\|."t.@.D..Sm.m.....7E..S1/O?:.9...7._..4/3..6.{...........Nj...A{.i.PJ.F]O}.#N.~y...K..W.!..... .kN.&.....5.. ....P.RL....\|.Ue....ZBl..X\...)qH.8."...........d.=...<l.)/&......#k../..T....5....}....(J..'y..s..1<..xF.E....B7....D...d..,....Q.B.?'.%N2.W.D..<O.B..}.z2..Y... D...}..1/..$]...$W....In.u...=........Ae1..c..(D<Yb.-.7. 8L.p.kc.\+.........#e.....e...?..'<..m!..8....9ht.p4.H].q..w..)...X..`...M9..ut.3v...ybx.Ul.;......VB...m.\|n.A..gMm.^...../.....S...{~...<.E...]..9.G.gYZ~e.....:s../.....<..nX.$.\|_.1"v.v~/.0.z...nR$+'....w.h..`....h....B.+#..w..O...aQI.W..N...x..y:{g+.Y.

C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	464155
Entropy (8bit):	4.964697482114359
Encrypted:	false
SSDEEP:	12288:H0BTdi4uz800V9gvDe53ZIQpKx30jH8+Y:0Tdiy00V9g7e53ZIQE
MD5:	AD4ACDFE76C998B945642B9AF2756EA8
SHA1:	025EA273D63FA71F3C10C578B1A3F657DBDB3F96
SHA-256:	4DBDE72ECF65AC84B6C01251D37C425C4CEDC00E3CD9CD40C0BD5A6081359B64
SHA-512:	81F71679D2EE24EF8124E81F39F49B113A157C88AF093A6F571C34B67D19933C200D095AB65CE099000F132FD2A04A44829047816C1E53A42ED4C5B517E90FC3
Malicious:	false
Preview:	........Q.B.e.....h.....i.....j.....k.....l.9...n.A...o.F...p.S...q.Y...r.h...s.y...t.....v.....w.....y.....z.....\|.....}....................................................................>.....Z.....p.................5.....M.....w......................6.....U.....W.....[.......................................+.....J........................................'.....F.....h.....~.................................;.....A.....D.....S.....\|......................5.....d..................................................".....1.....J...................................r.................................(.....+.....].................................1.....4.....5.....A.....J.....f.....m................&.....x............................Q.....a.....~..............................................@......................2................................................. .(...".M...%.....(.........+....,.....-.......A.../.c...0.}...1....3.....4.%...5.a...6....7....8.$...9.=.

C:\Program Files\AVG\TuneUp\locales\am.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 464155
Category:	dropped
Size (bytes):	86083
Entropy (8bit):	7.997994477955437
Encrypted:	true
SSDEEP:	1536:xcQb3gUMGJHfvyETH6UEDKb6JUBQR/qo9b42iRtkdcnSngZ2WLm0qvJVagkyX7kf:97HfbTaUEDVUaRiOcr0doVZ60qzLkyXS
MD5:	9A4D2243C45EBE0C903E131895F09C91
SHA1:	DC6974626164EC302413C1C97B7A37889D2D5BA0
SHA-256:	97D9A994D5125AF6C56B379D5C092B036B405371E7F30FF21D3C36AE6F6B098B
SHA-512:	C3FE619A4CC3830E55FE963AF0009DD0D6C584079811CAC7F6B273BAAFA5407B0D5E8950BACADD7D947884C6964BFE2F7AFEDEF4414DD76C4EF77D1E0352BD9F
Malicious:	true
Preview:	]..@............6...Cq.1.\..U.......}.N3..<.V1h.EE..W,M3......E{...B%..k.ks..yR.cZ.%...k ..(..~D.......C)u[A..w.......1..hS......,E,....HX.....L]0..q..$...b#..b~.y7....U.~-t..L.P-..X...ne.......Wi..G...t.-....#.x...Oi.w...;?..U...2z...7.....v...0.R.....95.'.-.x.....f..~.f.B...>g...uuQ..4mx\.W.u..3.m..jF.$....m.b....[.@..../r...."j;....+Kx2.v..N"..U.J.h..)4.D.f.....)..S.)......G ........A.....C.K...Z:$.Wu..X8...w.}.(..y...$p.P&uh.a..b.J..[.#..r..?L.k..0.....&yf...Zk..V.m....j3:'.U...p.....Zo........W....l.....8.........d....Gn......Tq.....@...i...@ d........@(..'..I.R=..B......3.3.......Y.t2;..x.....,Fhu--..e.F.p3"{H>1..Dx..d..6..6r......B1.?....[.:.W...!..&..6xi.l..../...F.........e...j.......\.4.5.T...g....n2=.,+......Q.)...v>=n.p...0C.;.........j.......f......]......W..............P....B..M.Y....*H.e...>.$2p.].V{q..{.......c.ig...k+ .9.G...-YZ.wUO.!...V..s.....S"......j9R...\|.+.P..9..<....l./j~.n..m...Q..+".......5.S

C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	491301
Entropy (8bit):	4.986571516413603
Encrypted:	false
SSDEEP:	12288:cQGkvGDyWKMn3WFyvvIUYQ3Dy+5sNbD+7rDB/n:dGkvGJsk155
MD5:	98230353D1463EEE93D64A4856F7008A
SHA1:	10D98E7D0E095DCD947FBE0B8D771ED1574E3CA0
SHA-256:	36F41A346ED07708CE12D54E5A4C4612F49A375155D1655A23C52256838617CF
SHA-512:	53B9D1B50BB79E245D74DD30CF66DA4715C81EF63AF3D569EACE6329EEC00356EACB7357271778E837B60FEE08DEBA2BA445B8EA74619A955BFA2B8E5C05358C
Malicious:	false
Preview:	..........v.e.....h.....i.....j.....k....l....n....o....p....q....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~.......................................................... .....W.....g.....................+.....5.....[................................2.....^.....h.............................................Z.....s.....w............................).....G.....O.....b.....y........................................-.....c............................#.....+.....2.....S.....f...........................'.....C.....q......................%.....<.....X.....r........................................!.....=.....D.....G.....Q.....[.....i.....p................&.....x............................}............................................R.....p......................&.....Z............................................"... .4...".Q...%.....(....."...+.%...,.C...-.Z........./.....0....1.....3.....4.C...5.j...6....7....8.#...9.<...;.W...<.x...=...

C:\Program Files\AVG\TuneUp\locales\ar.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 491301
Category:	dropped
Size (bytes):	87256
Entropy (8bit):	7.9978179137270455
Encrypted:	true
SSDEEP:	1536:KpJFsEiGQPJsLldk1f+FkWfoIN8mX4lubjLdj7Y7KRUtmMDkRTD5k6mG4IsT:oLrD2f+yWPIMbndjcLmBKrF
MD5:	221E56569D6BB710636915F0CD0F1670
SHA1:	78BEC225FF9BEEA897CD787C2CEAEFA6B86CE084
SHA-256:	C47B65055505A35F59D416AA10FBD3B3543A17003ADD7BDDB388A8794CEFED29
SHA-512:	A57428B28CD8FCE59406CBA6B68C74F3A260987F504EC941D4CF930EB72C626BACA5E1F75B74111E150DEEFE1AA131935091961C27EE59EDC40F1AC7B9D42941
Malicious:	true
Preview:	]..@.%..........6....m.]..h..e...P...jB...zJ..Po...p..v.7F..<......5.hIA..w...}..Y3...X.....q.h...es.g{.9..M..!C..Kkj..`.`.\|.......R...b...T.k.....SX....u...0........EG..0.$P.....a..S..J..?q..o....<i......8:..8...N.0..]Q.Vq.W..].KQ..`1:.^H$....w.C.......2.g.b....Bj...dt..{...d.(.<U....fs..\x/..$...E../t....=..^....b),Y2u!.:8#0.D........tt.B...u.O..[O.s.7JP...(S5).^..q..z...}R..c.y..5..h.+k..73.R....Q..H/. MB.y....ex.Y(...{...S[../.y.XH$.@..O..J.Oz...o..e...}?.R..\|..%......<U..v.s.....~BDZ...p.P.<;[${c..WT_.01..eP....q~..1.3.:.a..a.2mu..hK.s.n3G...A..... .Q.!bgG2PY...:..el..s..t.=..d.(....}VA....g..;.v.K..SRCD..Ab..!..j: .v..`..?......O..d....4.J<.(z.~5...6.Q4.....S#O+.....\.o.P.Y...SW..S..`..&fv....!..2cK...5#.........7..\|C.G...P.-....!x.J.@.>........%..;.<HS.[.z..(..>..,(..L?....#j.Z.e...T.V.X.........6..=J.$.s..o..^..R@.IY.>nK..U..D........L..S..O.q.VY..W.5.....`X............J..@S...v..&.s3.0..o..j.......[..x..v.X...0...c.:.. o.+.<..

C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	530918
Entropy (8bit):	4.740290704961306
Encrypted:	false
SSDEEP:	12288:XY1BZlYIdAs1a6Ub+QaVVBsQ9BeDR33KNAJsefy8JRWu8Bz/GSZpW5sVTaNnvOLR:o1BZlYIdAs1a6UShs20t33KSa1uUz/lD
MD5:	DEC816E6E65E705BE74917F249E43FD9
SHA1:	6F90B68E6B1D904B3E41892CDAB1923F4F868376
SHA-256:	EA323024091753A5576A343E46D19BFBF9939122BDDE53D91D7DFDBBEA5A9C68
SHA-512:	D21FCAF4FE07F4CC6C369D7CC5A1BF06DE5DDF7E2433310B45B53AAC340259F5276E1E86E15591EDE8D4D5C05D719871D586942664FFC76EBA1712EF3145395B
Malicious:	false
Preview:	........R.A.e.....h.....i.....j.....k.-...l.8...n.@...o.E...p.R...q.X...r.g...s.x...t.....v.....w.....y.....z.....\|.....}....................................................................]............................A.....V............................E.....j.....l.....p............................;.....b.....u...........................E.....k.....w...........................>.....{.............................................?.....n......................M............................................(.....].....s............................H.....i.................#.....@.....V.....x............................F.....u...........................................,.....=.....`..........y................................9.....\......................................k......................e................F.....r...................................... .0...".`...%.....(.....*....+....,.....-.b........./....0....1.C...3.c...4.....5....6.M...7.q...8.....9..

C:\Program Files\AVG\TuneUp\locales\bg.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 530918
Category:	dropped
Size (bytes):	86920
Entropy (8bit):	7.997673054048932
Encrypted:	true
SSDEEP:	1536:TTFGlnqv8zcuN76TjPjO3ng5p4vsdA5xjrNpYYA5UU9oHmHoIxrlyP4B5:TElndzcwnWDdA5RHYYfUemHomkPe5
MD5:	C8B3F1B8750B6F8C8A78325ABB04522E
SHA1:	26E7AC156F9595C2F836571B06C7399EEEA9EE79
SHA-256:	AF53B746EADFC752652D111A5D69559D69C8519D0E395F7159D7D83692500B38
SHA-512:	C73E8E57F4AAE69FC16326DC9911966D52E6DF807633E3950E66A85301DB71E8C40588D66CED0A6E4EB57CBEE0B8ECC5C6D841027B5AD0FCC1E614A2B62B6E58
Malicious:	true
Preview:	]..@............6...D....M...@......0..p.xk...L.?..#yC..^...~.&.-c.p8...)b...0quC..../......d...".c......?..l.t..>.]..b.c..j?k..n...I..P.pG.3...>.L..t....v5`.=...!<.2.mz[C.9z..na-..........Z.2u.....@p.....K(.w..l.p....;..(..-.<..6.../....%p.!l..[W...C1....7g.C....2..n...Z.d7a.......j&G..d...9.a._.;g7]z....:.)r..3.L.....!........Zp.....h..a.#t.oL./..R......M.w.y4.p~Rm...P..!....x.A..!}.b..6.q....S2Lq.......=.S..6...b..I...M......~5.d.zh(6V..\|<....S....6..3...V...&r.`....3.k..u......6..>CF.b.:.1..mG$.;.........5..)..]..~BXO.....^.b'dY.(T.....#N.b\5(..-l.j9S.J.S.../..>...y.Kd.M........W.c.....L....3..nYcI.....z."...`.<..&9G..#..Cwy.v.1....a.._o&.%...!.......]/..YK.H.....n)..mqZ...r\.A1=.`..J.....p......tD...pE.W<.L.{....V.....).o@...t)j..(.]g).U.sm.....g..-9.O..7....,;x.k...['...Ro...........&.b.V~.=...i.xg.[.\|.,y...:..T.(h....TN.%d...3.m.........d.......f.9.....S"..,G*.uI[.R64.Q.s..N.t-....../g...............C;K:.".._4.4..P..B..e..

C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	688116
Entropy (8bit):	4.332576699423293
Encrypted:	false
SSDEEP:	1536:v1fTYbrE+zxEVLjf3uYFA+/WXssObtNvJSeA43Q7fM7rG18sTe0ScUNVvCTInavK:v1fTYPnzCVLjfhvPM/mk9BbKb551kexT
MD5:	C7B9E899EE655E2CEC7A49B9CB2300A2
SHA1:	5C471604D1A755A393F1CA2F1ACAFD6E014792BE
SHA-256:	522E7A2E1F7D8E49B5632759CB5DAE269578EDC522689BDBCB23B74750F53E77
SHA-512:	B56E1AFB9C3F67CE891EB0215A68CB3588A82FE51E0DD2F9B18335F2312BAD156CB3BE032CAF641A7A39DDC0A41038F96F7B36469CA327051BFCDA620145F6DF
Malicious:	false
Preview:	........U.>.e.....h.....i.!...j.-...k.<...l.G...n.O...o.U...p.b...q.h...r.w...s.....t.....v.....w.....y.....z....\|....}........................................................... .....!.....&.......................0.....B................T.....x................I..................................(.....Z............................K.....y.................<.....R.....a......................Q...........................$.....-.....0.....<.....i................&.....f............................".....).....5.....a.....}.................J...........................B..........0.....I.....u............................;.....j........................................-.....@.....k.................:..........f.....~...........5.....Q.................................4.....F.....u................Y..........1.....m..........U.................................7.....D... .Y...".....%....(.,....h...,.k...-........../.,...0.3...1.....3....4. ...5.....6.....7.D...8.....9.....;...

C:\Program Files\AVG\TuneUp\locales\bn.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 688116
Category:	dropped
Size (bytes):	90730
Entropy (8bit):	7.997938043941428
Encrypted:	true
SSDEEP:	1536:N6y0iQOh87HfeKu4Gr6viNzpolY5wE4r0X3ggudZyPlqZHHIfO4zb:N38DWKVzK1pKYehr07udgPlqpHIfO4n
MD5:	61B9E3A137E4DB8148AF7692C609186D
SHA1:	53696E1A075FD750D74AA90B8DD142E2C2062C6E
SHA-256:	71CF36C7D80DBDBB62A61D77F6DF9B697B87AB2CE67E61C648CE8D7C69B9DCD7
SHA-512:	0482E0A7909E693F1684C639641B847CC253FBEE49AD7743841D419766AF9C370D4A2438FD7644418BD9EED3B99CD90F3EDEF5D73B047D3B55F32DF83523A031
Malicious:	true
Preview:	]..@............6...G...0.....S.&.e.....%..q$.f.W.id...A......R.@..#.....<...V...u....r./y...\....W......F<..B..Nu.8^...C.!TZ.Yg...r.Y.R.b:.....i8....pr..9...h1.,.VP:....S..:....?1..u.....,.`u...^$Yx....!...S{.ka...+...r...$..VM#].b...S..c.%..C.Ozl..+.=.S..J.%M.S.C..^\|...5...{E%.......bYi..U.v.....6.$.R..~."..<K..W..-o.k?U.,.....9.......-.. ...3M....6.$=..#L.....=uID~..H.ds....S.g..]......".i....j.<..z^......S.kB.T......4..... .D......?q....V.G4(.Z.Q.;Qb..q...cZV_.`....t........_.....0..g..m....}L9..R.9.t......o...e.NLAWU...iY.<z?..D....)..fp...d..d....r\|b3Vs..-..b.%..j...W..w...6.(..T....~6$.&.m...>....+..v.0....:_....6...R.^.....W...;.8..X.S....a.~...H...xy.{....r..%Gt..).CA..v.W..;~......E....a...........9.2 ....q.@.MbzqM..H.L...;....qL...Z..-.._Z.t83.....W.b[.4 .,.@....L.....P9X..sX<.....'8..By.E...O.Nm.Z.V.<.%.y...S...l.pN...[..vTf.C..U.;.B1...(..6c.b.<....o....]..W.6.k..!...../.... TC...;..V...p.._.4a7.....K9......?m.gG6?

C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	326875
Entropy (8bit):	5.4542809651012485
Encrypted:	false
SSDEEP:	6144:u+4N1xI9o5963816+5PAk4N3Mw2juwYMpHy37cIs3ckTN8PsX61w3/wzenuLb9uI:u/N1CO5963816+5PAk4N3Mw2juwYMpHi
MD5:	8FCB9F17F850F0DCFFA2512236E25790
SHA1:	429B36872ED7B655D745FD8EFBA6B5239AD340A0
SHA-256:	C79B92BA066CF5414FC37795E6A76E966C23143BD3C48C0CF5F61AEDD5CDAFEF
SHA-512:	1553CBD7FA4FC87341BFCA39CF58E8834D6C3100571E34BCD5A1961884776ABB69592C627CEF414B918E8CD4BD709A83C4AF2BED5D5C4A84B9509E896B8FBF42
Malicious:	false
Preview:	........P.C.e.....h.....i.....j.....k.)...l.4...n.<...o.A...p.N...q.T...r.c...s.t...t.}...v.....w.....y.....z.....\|.....}...................................................................3.....M.....f.............................................D.....w................................................... .....-.....>.....\.....v...........................................5.....Q.....W.....c.....v........................................................../.....L.....`.....e.....m.....t...................................................8.....G.....x..................................................$.....;.....P.....f.....z...........................................................;.....}............................?.....O.....f.....k.....u.......................................".....B.....d.....\|............................................... .)...".?...%.d...(..........+.....,.....-.........././...0.4...1.j...3.z...4.....5.....6....7.....8.....9....;.8...<.F.

C:\Program Files\AVG\TuneUp\locales\ca.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 326875
Category:	dropped
Size (bytes):	79100
Entropy (8bit):	7.997727114570849
Encrypted:	true
SSDEEP:	1536:UJ4Cl2L/mvaUjBe9/OhzfYJ5Hzqzjv9+8a57UJ9SJegyjsdAq:UJYsQAs5TqPkMjiAq
MD5:	4A8F5C027C8F85F7D43BDE53AD7DB374
SHA1:	B6B70AB38E60819F6D4C56C65F5719A178CCCDBC
SHA-256:	6C3635529E249F0930FE835E7A75C58457EC0FE699A19776BC28064E456958EC
SHA-512:	795D2E901FE97997D8A65B481A549F6B2695859BFD27B7E43DD379CC109D5E088D30F2EB28AA0F9B6DA3C9CC6C7B39FDE3BBDF23A509EA38AEBEEC3F790E79AB
Malicious:	true
Preview:	]..@............6...BP......V(v]B.O..l.Hn.._w.T.......7..a.......7mF."?A....K........_7.`C.Ol..i...a.....ar.....\...?.Z1(.(Y..vN...e0C.u....>`....}.P.S.q.(....Y.Xq.w.....P...U.<. .k....E........V..X.Pf...5..~..x.~..(r/.4..g.$:...P=r>..^o.y..k`..{l..[.&!y..G.F..`.,.....o...s.%'\.."..R...=......._H...dc..w.=.g...9M..'..#....kY.u.4Gy}..L...c....@....L.$..lT..(l....E......d .L...f.#.on8....R5\...H..E..'.....t.0..f....G..@B.U...8.d..7&...y8..Z.F..S...*.Fi...?....M.13.....NB(Sq)k...........uo6.Ewz.A.zl.e..b.....J..@N..~.+......f.l..5:iSl..[./3u>)...0..ty..'.{hc:#,L...y..4..F........AD..z"..~.f,.vQ.?.7T).n.7..x..r....I.....{.."..Wh..i.--..k..m.i.bQb..e..<..>. .f'.X...AZ...E.M.".x...9wT....c.q......3..-.'..x.J.'.tp<..T=O.B.p.......T..Ln...Z../.kF..8..d..P....;.......us..S.,..d.E.F...]..}..Q.....p.{..s?.{...6....b..8h.!.....H.u..vc.yl...q..G.......o.t...K.LT'...v..............u.G.%....`v..->.K.........]cO....0.Y....E.)..=......j..H~Z.p..C._..<..i.

C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	333598
Entropy (8bit):	5.870073241116992
Encrypted:	false
SSDEEP:	6144:W4AIQOvn3v3jrAErn5KzQl6/P78Q2srdb9:W4AW3v3pn5KzQl+P5
MD5:	0161995C04F022922E5C036D374ECEB1
SHA1:	5294111882537C10E4EA4DF72B3508FBF2D2BC30
SHA-256:	3F2E5A65EBF8938FF4E9676B12573B23C72501761F1BFF4D5AE466B68C85130C
SHA-512:	C04C549E23D2FF33CC424746F1A1A6D70E4660612D857070810C7AD9C7021AACE09ACF62E0248F139ACFA2369FC511B4F329E14F3D6126813FF66EE7D44B3611
Malicious:	false
Preview:	........4._.e....h....i....j....k....l.....n.....o.....p.....q.....r.+...s.<...t.E...v.Z...w.g...y.m...z.\|...\|.....}......................................................................................@.....I.................................3.....o..............................................................-.....W.....s..................................................".....=.....B.....J.....[.....j.....p.....z.............................................".....:.....B.....J.....Q.....W.....g....................................................9.....h..................................................................../.....D.....K.....N.....O.....\.....i.....p.....{......................V.....\...........................(.....D.....V.....c.....l.....v.................................(.....H.....y............................................... .&...".7...%.^...(.z...*.....+.....,.....-........../.....0.&...1.a...3.o...4.....5.....6....7.....8.....9.).

C:\Program Files\AVG\TuneUp\locales\cs.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 333598
Category:	dropped
Size (bytes):	84581
Entropy (8bit):	7.997700459563678
Encrypted:	true
SSDEEP:	1536:fLeVEMOCZB5yl7oZxioh8vD+uKBBI0WIAQyFWXTw+jvdHNU9Bqmb1kvIsuX8WZ:yF5j5/1VLHISA7FWw+7dH4V1kw3
MD5:	C65F71A8CE6EF04F3C77002CC4E7CE46
SHA1:	B199920B4EC007DDFBA41010561F1A0B306CBA49
SHA-256:	29FB482A7B79A4D371E4A9A6D35B24D450FA0611E30CFD9871D989667E7DC8C1
SHA-512:	7B549357A37DE1EB389A6078AB9AA5C34FCDACF9D378612C53DA274D52ECEC368998548A35E4AEB2BA406716D4823616834D204EC8A6323B756F9662F4702387
Malicious:	true
Preview:	]..@............6..."J..\|3C........h..v.. .vZ...jS. ...`JO...;.7..W<.n.l....^.....E..Z.....,.W...8M.f4.....@...-.(v..x.T.t...PU[....U...K5-.Y.Zc&..4=.GwG.<.7.Y...zH.bG H.H.6..I'P....aQf.1>..$}.Oc.jO..r....'.R..3...u.`.#sEA....^:(.?...;....}.%.....V....=....0+#C..)..i..'..9..+...=.:v.&'(L!..&...$........6c........x....kNJq8fp..] z.....nKK......#QW...9_#.a.m...E$........I.N.?k,..K.%..e...X_6...t.m<.~d..y.......I.......).X..X...4i.C.6.o..'%3'R./k-....+G9..]W.E@5....\|.....09.Q..{.Ltr......_+3}.)O.J.6....JL-...[.../...9;....r..g....X=..7N2.>j.OUj&...7.`k.......&LcL[%]h]...2...Z.pM..^\|N.b.dN.e .<.10....v..F.S......y?.E.$.D.sR(.....3H....d.."P...o.Bt}.7..M...X]..7.E.)..q..B.7....[..Qx..Z...0....!B\!}...k..........S4..h....}.6.],e.h{0.........'.WC...i._t..dA...W.:E....-x[..F..o..Y.`jx.FP...nT`..E......".2.R6.).%..ho..&.H....D..>...El..P.:3.1..L.....=.&....o.#.xo.zk.V......'....>l.(..pTh\....HY,..m\|.....{:..T..A..0C.X..M.\|.."....C. ....Dd(>.O

C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	301139
Entropy (8bit):	5.494276388208015
Encrypted:	false
SSDEEP:	6144:Rfo4hLEweb5cHvZkq8wirY6J7FbBwJ9z55hfIiQJe:uoLgG9Aq5Se
MD5:	F1E5E7DC819670C061902A3DAA17DAA2
SHA1:	583CA07AF55F3055CE127B81FD825FE45CB722CA
SHA-256:	CEFDAEA7B486364291FAD01FF402AB8098E2E13BC73B2BBEAC25C8A9DABA8DF8
SHA-512:	B8E8E79F052D5165446A8392A4836FD6915CB87CF199C499E9B4E767E6E60E4E94D601420E798ED3B7354C8CA91304B1D062332CFD5016614705AA57462AEC83
Malicious:	false
Preview:	........].6.e.....h. ...i.1...j.=...k.L...l.W...n._...o.d...p.q...q.w...r.....s.....t.....v.....w....y....z....\|....}..........................................".....)..........+.....-.....V.....d.....t..................................................^.....w.....y.....}.................................................1.....A.....R.....i.....y..........................................................&.....4.....8.....B.....G.....a.....x...........................................................................@.....H.....[.............................................".....+.....7.....O.....R....._.....l.....w..................................................................%.....a..................................0.....:.....I.....N.....X.....Z.....`.....n........................................:.....r........................................... ...."....%.....(. ....N...+.Q...,.o...-.........../.....0.....1....3.....4.....5.-...6._...7.p...8.....9.....;...

C:\Program Files\AVG\TuneUp\locales\da.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 301139
Category:	dropped
Size (bytes):	76527
Entropy (8bit):	7.997501320361737
Encrypted:	true
SSDEEP:	1536:++FEecfThVLxQRzjhEwOzTWf95IxmgIV51zGv3hRFIlxSxSMDlEDcfpouiEQ:7FmLhVLxUjhE5WV5P/rGv3zFmxSxSsl0
MD5:	04B7A2AD20B0876823E4D374C2150C20
SHA1:	D6DD2F2B06C1EFFF7089288F9BA195988712F71C
SHA-256:	87D55FF2CE8EADCDDFA70E8934F1C69A47627BF4300E52EE40F915C926AF6184
SHA-512:	DAE1D13CF4D91C965A3154793DEF22BBC4C6FFAD95C99E0D7BA8B35CE8002D1548AE51E9703D3937C53068FCA7EA1355D436E06CE0A352E5312FD63944185C94
Malicious:	true
Preview:	]..@.S..........6...P.#......+<.[........4.`.b.x.^.....~./)\|V.az.-C.u2......p.FW....-.....7..iX..Cd.8...w..CpcP....Z......y..=....b.UR]q.....a...(f..<....gV....... h.`.Y..!w.,N;]Jd...f...N.......okl=X_..n.DJ....V..!=....`....1^i_.xl.p.E.BV..dC.W.....ri.\q.&..>.^^.k%...........E....2..qV=..u....).8.H...m..#<..m........j.....:&.....`N.A./......a...{....G..........u;...r...Y&Z.X8BP..'.)/uu?........o.B..z....~....%.....v..@>..F...[.rp..b....../.Z........##.....-ms...I...Q........T.S../@q\......~/.m..5....`?..-=..~.ijw.......H..F ../.V.5..-.S..@....`.D;...;...^..5.+.9hO...HSh8....b.{j.<.l.]e;.nO.O6..)..T...p.!....3....g.=3$...B@.@...0.ay......p.Y...z<..#.!rN..[PEo.%L...r.o.....b%l\QK..L.-.ND'.tr..?J..p......h...O......y..........I6Lvbr.>U&*.H..@.) ..\|..oZ....1U.NQ...i..........N0ga.(h.......3....FFH.......>...,.e......r.l}.N.v.....`..._3.w.g...>+.5Y..$.f..x.qU...G..L!..Q.>..,X.zR)..a...?.64?......F....d.}.v,....m..jCvX....N3...(.NU+...Cyl...

C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	325102
Entropy (8bit):	5.525783001058293
Encrypted:	false
SSDEEP:	6144:f4qg+ePK3M+HDQmm6rLaZ9Er33nBeEFq9ef5C4pEgr2S8yz:fdbGiHDQmm3Z9ErHn3qQ5Ag2SJz
MD5:	6932A8734C0EF9949FE0DC3B2282E16D
SHA1:	817C17D5592129B6277075845557148E1E59CC78
SHA-256:	88581D49E6C83EF74FE4AEED438C0380F321D9EAF3B8EF210D39F8378836A1C1
SHA-512:	076F2741F28F76FB0DA8FA35BB55418874DB7E2304DD09AFC0CC818B0C5E645831CB0C3EBF97EAC474339C584E640F562B4699F54496EBD761E3733777490B6B
Malicious:	false
Preview:	............e.v...h.~...i.....j.....k.....l.....n.....o....p....q....r....s.....t.....v.....w. ...y.&...z.5...\|.;...}.M.....U.....Z.....b.....j.....r.....y..............................................................L.....U.....n.....v................................................I.....\.....q.....{................................................... .....1.....C.....X........................................................,.....C.....\..............................................".....(.....5.....@.....^.....e.....z...........................#.....E.....S.....c.....r...................................................(...../.....2.....3.....=.....G.....W.....`.....q.................>.....G.............................................#.....(.....-.....@.....Y.....g.................................H.....d.....j.....v........................... ....."....%....(......+...+.....,.L...-.]........./.....0.....1....3....4.....5.+...6.w...7.....8.....9.....;...

C:\Program Files\AVG\TuneUp\locales\de.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 325102
Category:	dropped
Size (bytes):	80566
Entropy (8bit):	7.997743136749309
Encrypted:	true
SSDEEP:	1536:PMbFfXwgeNrZhpnkke8FTI0q3GntYK3BL5Vhc7+m2vBiTY368Qnx:PMbFfAbVZhpkke8RFmK3d5VC+lZiTL8w
MD5:	4FD9030373BFDC2A79C7116E16C4B448
SHA1:	8B862980BF581FA582CA3FD8C7A503870D49CE3F
SHA-256:	594BCF908C2834EEBA6D7AA37D0799D1846E828D384065E4DB4CEBE0C2CADCB6
SHA-512:	E9211CD29C109E855263FF3A38745D1AA15A10FB8934292164DB997246DBA2CDCB90586C0862F53889E1442B0C56F7D185A544D1CEDCAED5B306E1C36BC06784
Malicious:	true
Preview:	]..@............6......_\.../....n.EO....wl...u.n.-.:.].G.u7..y..8h68...<.....C...j.w.]I...7..~]..! M"o.n......f.....K...9.(6...c..Q.9..W.I.Z.....nQv..7N8NC.S.~....+\|\|Ya>.......[..x'a......M.^...yy.mcu]..7.l.p..3...n,.p........%.'.;.:.....c]j.S<...K..&Oy...c..5V..C..4.F..... ..!n.~..r..yq.#.G."A._.>...Z.../...y8..tY....>....l....`0{k..8.0..$...{.7b..&.Z.L.s.bM[.6<.gA..m`..x...b.....-G.Y"...j..a......&........$91..5....Y.@....'.6.$...A[.4..h..>g.....%.;......c.A[}f`....N.e%..p.$....X<....?..z.Rh.g.....0.uc..L.<..f8.\|^..0...z...\..(@(..r...e....C......P..\|..\|....G.\ ...\8.......>..X..4..'kg..8.......Rp..8..9G...k.....3..<N. [..3.>i`.W..u..DX.<.e.j....z.m........4..J.w5....h.<.6=.W=L\.?M....=.e.6.u.6.....];@.:1x.5g.~..8. ..z.....w........2.k..G.j...[...3i.-c.,...2.@.P....0.....l..{....T.....u5Q..Y.X"....x...cc:.oM......t.......<M$..j...!.B.Qz.;....S.K..\.`.....U}~.....z...@,..sZ.\|..O..........}.;....#.r...SW..-%.i......fkB........~...v

C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	579750
Entropy (8bit):	4.817028210558125
Encrypted:	false
SSDEEP:	12288:EuKUqK3tVCkyk0U02j0hOqa23zO+fFdpNhBBwxDF2wWHT9rka0gJsQY8WItuMd3W:7qK3sU02j4Xa23C+fFdpNyxrWprka0gQ
MD5:	C6009C7B038068B61AA6275B4CB9F860
SHA1:	4B77F7F822F4EE15C57DBE873C6F7549FB608028
SHA-256:	EFE6A9D8DCF76F5286BEC0496209F59DA3DE6AB6E355A183B69A7E4BD5D36CC2
SHA-512:	D3D5EB21CAAF361BB92E0453EE1DB4EF9349E071BE2736589A8D2F5CD587E85D33C7D65F01342758DEDE0AB0A037B294D7E263D82F60C29E583EA1C30C9F3FA8
Malicious:	false
Preview:	........C.P.e....h....i.....j.....k.....l.....n. ...o.%...p.2...q.8...r.G...s.X...t.a...v.v...w.....y.....z.....\|.....}................................................................O.....v................................................+................................#.....p.................................`.....q..................................;.....Y................$.....,.....@.....g........................................E................0..............................................).....W.....o............................i.................B.....Y.....x.................................$.....G.....t...........................................+.....>.....V..........{...........$................4............................ .....3.....A...........................j................-............................@.....z............... ....."....%.....(._........+.....,....-.......\|.../.....0....1.A...3.f...4.....5.....6.p...7.....8....9...

C:\Program Files\AVG\TuneUp\locales\el.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 579750
Category:	dropped
Size (bytes):	91538
Entropy (8bit):	7.9980058318270215
Encrypted:	true
SSDEEP:	1536:vmL8Jyfk7l9AIVW5FGGdlwozuhB1s6lq3DJJMMbrig270D5GEnDUiZRTr7wLXCu/:vmYwk7DcwGdlFGBi0q3gMbrl80D5GEDa
MD5:	912389B77C10E64B2FBEC0065F403218
SHA1:	99058ABF633F15B30AE0FCBC7C5645B7FD439D5F
SHA-256:	6F2C6EB976AC230752F427ACE2ABFA08EDBBCA76709F3C3EA3DD52004DF9A867
SHA-512:	E904B77A10739F87F470859A19BE7592BB8C003367D94CC5BB0F10338512E95B8B0D53421CDCC3916CCBD6801972667595C0DBD53394A6AD1FBEC1A6F7298843
Malicious:	true
Preview:	]..@............6...3..jl..O.o.\|.6,..Fd.w..C..\|H...B...G.](.....2..a...C.u...go2....-./D8a....3:m...%X....c.k.V=.4L.8... ......w.E..n.....m.t>..r..@...../...u,v..E0.Q.&,?W...+..}.a.y.o:..\..U...{.?..XCk.J..y....""..2Wo.m..3..d)..j..%.`IZa.~.S..R.j..>.8..p{p.n..5.....`...Z.?a....wC}.5A(..u..p.ut%..hC9......8......./...d.d%...h..7@.=34V.mU.Ha5..1..T.Op.._.z.+.C........q@.3.9.\|.%X.....q..B..PZ....),[.S...x...#.O........y....._.r..Q.Hn.sH.KXR.NG^.(...N......}3u..7...:.V......!E.n.r....mdj+`l\|.;h..+..........Tu$&...>jV.mp..5..Ud...l~5....{....S..6g.....H.j&..G.....;..z.QX.w.f...5a.g.}..F.`........f.g.0..u...Q...6......0..(..4...<.D.A.A.7..j..&......-..y.F..8....F.$0.@G}.......?.. ...%....6}..E.m .{.NCc.U;...q.A....>.+z....i...i..B...k.QSO......p.q.#..Re..=.(..G.M..@....d.z.2..r..oSU........@....KF..F.s.F.sO...#....+%}.5...Z.O.5{.7.H....:w...3Mj.Fg....0.[2..1....qOJ0]...i......F.1..8`r.1.X.3~@..\..T..vw.J3.F).._"QvSx.^..n.).Y..#P?....kj&1..Z.@.L.

C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	267081
Entropy (8bit):	5.5947001002268655
Encrypted:	false
SSDEEP:	6144:nI5GHZdu1ZuYMD9eHd1oefaYk+NI5V5Ym:nWgg35MC1olX5VSm
MD5:	314C49194E366808B2B36253FDBD7714
SHA1:	E9E8BA1FCFE91B80E232899C69844282D39D0D23
SHA-256:	411A729D9288A62780C32D6BF5F4CF0FD8D221FF341CE79C2ECA25DFA03C9821
SHA-512:	5C24BCFB043EC09F31E5C8E640D1BED4932F9560D68256D4409D5D51A8948AF3381E2BBF164515A2E35CD7E6AB5349D9FCFB4916BD8D11453DA9D69E7CD8F5DE
Malicious:	false
Preview:	............e.x...h.....i.....j.....k.....l.....n.....o.....p....q....r....s.....t.....v.....w.....y.%...z.4...\|.:...}.L.....T.....Y.....a.....i.....q.....x.............................................................'.....0.....G.....O.....Y.....w.........................................................(...../.....;.....V.....h.....w...............................................................$.....0.....=.....A.....D.....J.....Z.....i.....w.................................................................#..........9.....h.....r.....~....................................................1.....4.....E.....U.....e.....z...............................................................................V.....].......................................................................(.....A.....d......................................................... .....-... .1...".:...%.Z...(.q........+.....,.....-........../....0.....1.*...3.8...4.L...5.c...6.....7.....8...

C:\Program Files\AVG\TuneUp\locales\en-GB.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 267081
Category:	dropped
Size (bytes):	72898
Entropy (8bit):	7.997544770440822
Encrypted:	true
SSDEEP:	1536:Oc31b+cDWAwaHBGckLn17ZNme/row3dZXNRPThC2tZLtq0SUtOL7aVYe:Oc3sAwahGnb17ZsezpX3ZL474OLWYe
MD5:	D26BAD875BE8C270A96DF60933C2F671
SHA1:	CA29402AE1D363364EC001EF41290007DA009E0B
SHA-256:	ADCCACE6656C49607C8A861348BB776FE74DC00575CA33B8F4CD35F8506BF621
SHA-512:	0429186F887525C36558ED2283A13E2651775AFB5769D41CF844D96DDE5A06A92C050EBB9531B06DDC5D10C99DBB82009FC6D591D276D1067BBCC8770183826B
Malicious:	true
Preview:	]..@.I..........6.....e....._.0.c.XE...Q..#.P...I..N.L..P....1.L1..7J...>{.....@.??......:1...R..~:7...H.b.ILP.t.s.>...=...@;.I...}..2Y......u.2...{=...).~...y..X..s.g.........a..c...7....\|..1.$)=.y..4..}..-q...K.d..d./.M0...xl..e....>H'..z...CX.b./N>.=.}....9.)9.j\|e.a.@>2.U....7.F..(..E...\|.....X9z...5.>.~~v9`..E+P...[..#.-..........z...5.G.xM......c... ..._L..%...../!.......Nv05d...V?.He..GS7.}...u...~.&...c.]2...Y~o.:V./. j......e.s^..S..n#.;...D..n...h.u./q."B.y_.....W...H.....~...J..,,F..8iov....0iv...;.}....;_..D....u.NI.Xv]u..+...2..+!T...!.m.{......b...0........cM.1.....\..pk......"...O.G.\..?$.!.....G>.@.....".OGg.x?KS..M}.X.V@fM.>.....W.@3..\|..M....O.XR.....?w..........k}..n......V.mO...9..F..4.Bh..A..Y...L.>q9=..P...t.W........zdo.I.^~.#..4)j.}._.9.1J....3..u..%y....ho.$.....T.".]H...u.....;......P.49....l.......".Nu.a........}...\|..1.y...ZP..xFO......;/....j...$..i^...G.z...[.=.u.......f.p...ZF./.MfG....vF..P..f...a._+

C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	270354
Entropy (8bit):	5.577126278135345
Encrypted:	false
SSDEEP:	6144:rL2httRs2D2MD9eeN2NOfaYT6BD5tBAPOwi:8xN6Mv2NaS5tKOwi
MD5:	0A70BDD8C0EFC740818BDB82993BAB85
SHA1:	D84B6092664894F42E1AFE042ABC946A3E0D2E65
SHA-256:	21FA942A5F4F26996396F0D84807B6F8C01AFD5809E2DA33487BBECD0A6D13EF
SHA-512:	085C21045F8FEA63A80678069AF61E4273420BB6645A833319D58248E61ADEEE3CFCA23EDCB7ADFC2DD59621184035E3F9E252DB8D5840E6F6727E0E05B5FD63
Malicious:	false
Preview:	............e....h....i.....j....k.....l.....n.....o.....p. ...q.&...r.5...s.F...t.O...v.d...w.q...y.w...z.....\|.....}..............................................................................#.....3.....:.....y.........................................................1.....A.....X.....\.....g.....w.....~..............................................................'.....T.....g.....k.....s...........................................................................(.....-.....5.....<.....B.....K.....V.....s.....z......................................#.....D.....M.....V.....`.....n............................................................................................!.....,.....Q.....~.............................................(.....,.....6.....;.....?.....O.....i.....x.................................,.....A.....E.....L.....W.....i.....q.....~... .....".....%.....(....*....+....,.....-.......0.../.>...0.G...1.z...3.....4.....5.....6....7.....8...

C:\Program Files\AVG\TuneUp\locales\en-US.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 270354
Category:	dropped
Size (bytes):	73246
Entropy (8bit):	7.997300178779712
Encrypted:	true
SSDEEP:	1536:dobgkm5y6LefDYfBb23uMp25+bZ9/HnEc3u+l4c+mvxadr7ERuQtUmlM:doKLeJT0+bnHnEg3UUAdqtQ
MD5:	4B222AA36377AAE277C568AFE6446D18
SHA1:	8CDCA74ED17388F65606E69DF71CB45A3F547CEF
SHA-256:	EB3B6D2B3AC03AE67115CFF2A7608DE86721FCDF1EFF01BF7456FCD2F42ACE40
SHA-512:	238950ED209D5B851B51170372D3E46F575FE150A7FB0016F79717E39D89D459EC650F4224892F2B2A0A9F1615E29F0A184F5F06F5074D9DF46C3EB33B6AD977
Malicious:	true
Preview:	]..@.. .........6......pMe.!}..0B;.Z..R!..{..u.MU.?.....F..a.p..)}'...(.z.....;...F..C.\..8.3.b..M........?\|.n.h/...6..[~..8W"Nk.tUm{B.A:....:.!AM..9_D..s..KL......U..)..w.q$.#AU..x....hC.p.....9....^2.....J&.UP.@C./..N.I......\|K...!...C./......p...VP...ZsQ.V.D..D..mpWI..'..,..Q.....Ju..,...uV.O$B.{..I9......4}j(\|...d+..K.".u....s(.Nz.'Y].....D.....\.C.G.,.{Y$...my..{.X.l..r:.;h..j....`/r.o..f.\.!W"[r..@.G..OO.+..."...u..'.._.y".9..>C..+....f......2.9cy.x..'.b....j..q../.m...`.6."9.~...7B0.......zm...E...R....I...>x.zh0....Z#.S.Ct.}..Ma\.. ..b...2.....\..1Zd..D.."..<.[a._.?.......}._..&.u$.{.-N......\|.A\<.V..i..(.V.30..~@...D..O[.r.HE.Vp@.V$.g.#.......z.D...$.}.u._...\.\|....C.o..u.3.I6.v..Dh.b..m.Qk..<.-..Y,.$.....;.!M..hR......N.eK....J3C...-F1.$.....Zs.C.p.i..........[+ -...o $j.....].>.(...\|_k...e......S .U..}.F-l....!\.Ep..q..p.......A..pA{..;3...H...zl...Z..K..?c... d.wnW..%....uo8..d.tu.&.W..."...7#_aG....zZ..F;...$...vCI..,D.

C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	320359
Entropy (8bit):	5.410261851479677
Encrypted:	false
SSDEEP:	3072:0/fZwh27x8fi1hjHNCOTybcvXbj3pSM2SdL5NlQsICrsOBjmp/6:0/xwE7afiNHLR5TICrsujmpS
MD5:	4861CFBE34644B1AA3A62E0B8A955B28
SHA1:	66497635946E50BB17483DB226D9D9FA0E80DB7C
SHA-256:	EF0A523BCFA4D3A1B7472947A1F2A0A68E24C628386F7F0056CA4404D82481F1
SHA-512:	162069B7B670D7BF68BA8276D2CE0B042A4CB0F19F2F66EDBC8AF00DBD97E084EA9A755B817A82D77E83E63D97E79D7E50EABAF67C880B4AA85B3B6AF0CCE20D
Malicious:	false
Preview:	........Y.:.e.....h.....i.!...j.-...k.<...l.G...n.O...o.T...p.a...q.g...r.v...s.....t.....v.....w.....y.....z....\|....}......................................................................C.....U.....d.....y.......................................3.........................................................-.....;.....I.....v.................................................%.....f...................................................................D.....h......................................................#.....+.....9.....o.....\|........................................!.....3.....Q.....T.....e.....x.......................................................................I...........................9.....Z................................................. .....4.....L.....t............................-.....3.....;.....I.....k.....v......... .....".....%....(....*.....+.....,.....-.C.....m.../.....0.....1....3....4.....5.....6.f...7.x...8.....9.....;...

C:\Program Files\AVG\TuneUp\locales\es-419.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 320359
Category:	dropped
Size (bytes):	78650
Entropy (8bit):	7.99759521235771
Encrypted:	true
SSDEEP:	1536:eXmsmHwf+CTWGsC0ThfLjBuRam9TixTfTZWX4kdbvOBQW85Y1S7zol:0SHpCTW60ThDjBrmyToXbUptyzol
MD5:	F7B68411611CBA8A44A08FC3CDCD708A
SHA1:	EE3506364554AFC63BF0386B258A591556FA3000
SHA-256:	D51426D3765074451E1A09C9BB506E5F9E0EBAD0DEE21D0A47785B48D17C9E77
SHA-512:	F00E3A4D95F9982B80FF34A0380BFCD68C76FB8B6F7A65C6860BFD6AD60FB8BCE0489E96EBE9E76AA5560561D71AF6A2AFB0B0D8D9A62C1D0B756FDDE3E753A9
Malicious:	true
Preview:	]..@.g..........6...Lyd...K+<.:.#......o...@...;a.`5Ht..f{....t,.,$y..hf.Y...%.]._.7AP.5..4AKP..2..9....R.........n.......b...X..y..'6......-p...X8.Z...C<.UmyW.O %.!#.'..v.F2..q.T..T\.../v....f...<.y....G...H.w.U...:..._...k...-..<.zHb ..}=..6..x..y+.Gv.].....r.X.........`.a.......N......)~nSi..e.2l...>9W.~....sW.O..9.....]S5.. 7...(.....a..o..b%.. .2......`.vJXR..JiU.......g.O"..X4.HP.`.C--...=.h.G...T!.K....a.^..y.I.....W..{{$....Z@.`..U..9B..1.b+.%..L....MZ....K<.....f.AI.I..!#..G#M.(...(.'....+.G.{.!...8.)..^g...J.....S#M..0..~p~.r.........7.'..e.M.p....w..0.~ad/~=.;...D!....e....^.$!..K-..wx...9..k.A./.I....A.&.(J0l...(E[}.8...K.$.<....z......t.W..R..Bd....0..5R=.,...~.\|.0......VzFe...<...\|WU#...T...}..c..U.\|BH........;6.R.T.D.......~m....0.....i..6X....y....P3d..d.. 9.N.......w\|@i6n..^.#..1.Lw..}.?Gx.r2..!V.u..2".....`!".....~...xQ?..H~)..7{\|.:W.....i#.z<(.U\...2.....%.L0....0ml...0)...M5F....I.u..of....#.0..7.yY.kh.4`.L.m.M...rM,

C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	323061
Entropy (8bit):	5.394693094684189
Encrypted:	false
SSDEEP:	6144:lPQRa8OfYg9wuzgwGYnGlLz55ENY5PQk8ibX:NQRV5gwMGc+5CNqP7X
MD5:	44C080E276C1C44CDE4DEE4C576A4358
SHA1:	217C766A2ED03B9A9F2F4D1E2C148F10D836CCA3
SHA-256:	85862323A3128490A2C1BE66A36480F7EB73A2294D62EF4FF38AE868C034DB4F
SHA-512:	333ACD81C4B1FB5F24F0B0B2F5192175586FDD455895BDFD7092425CD877A844AEBE3E74AA37060C849C5821FC5174A2471D7DB95A6E7098E43E177DB70EF92D
Malicious:	false
Preview:	........Q.B.e.....h.....i.....j.....k.+...l.6...n.>...o.C...p.P...q.V...r.e...s.v...t.....v.....w.....y.....z.....\|.....}...................................................................;.....N.....^.....s.......................................0.........................................................).....7.....D.....g.....w.................................................C.....\.....b.....o....................................................).....L.....p....................................................................Q.....^.....w.............................................6.....9.....L....._.....r...................................................................D.....................-.....H.....i................................................1.....F.....^..................................+.....1.....9.....G.....i.....t......... .....".....%.....(....*.....+.....,.....-.4.....^.../.x...0.....1.....3....4....5.....6.Q...7.b...8.w...9.....;...

C:\Program Files\AVG\TuneUp\locales\es.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 323061
Category:	dropped
Size (bytes):	77980
Entropy (8bit):	7.997311022925452
Encrypted:	true
SSDEEP:	1536:hCAGyxvoi/iHJiAo9P0CS5crqWR9LdlBdE71JEOz5TJCLJHdJgnED0DVFPkv9cr:4ANxvoi/iHZo9P0FcrqO95lHOdtCLtcv
MD5:	002E5B86033F5553A16C0CDB2159E138
SHA1:	23E70471EA5CBD41F2EBB6A24AA262FE322DC75C
SHA-256:	67C036251F8F2600203E3FDD4E2E616B2EDD79AE642600F8D15D133D805927D4
SHA-512:	64FA8B20585AE5713F792518EFE8E2A7547195545B187519F28A832F4B7D27281BC05D99B597591D07059E3D35BFA2B39687573DEAF6C3179CA3C99A693DAB66
Malicious:	true
Preview:	]..@............6...Cq.1.\..U.......1.:.rm7Iw.mW.J.......Iatb7:........l.....0.XT(.-.P.S..$......\3..%....d.......M.@....".N(G...b.l....d.w..D........._.....A.......bS{-..;...O..]0.Q>...~>..Dr..H..0....y........p...9......w..y].9t.6X\NN.Y{.e...2Q...a..qi..9./Y.5..!.....nh...[d.,.......z.(....{h....q.r..[..]...R.-.b.e.-.i.....h..v..5.r....C.'.....!R8..L....-.......app.)[.....2.&.`....+r.%.j....E.!3;........Z...a.^...g>..i.VY...@..V.s...........Bu.?`.}.S....8...B.W.\.x..D.R.....R.a?..",......b..F....{w..v..>..\|.KV.......,.N...`.Jd..g...~\|..62..l..g..........^Pvx2=..z....s.\.m...../..Oe.u.ic....~..7.5NF..I#H....0....f..J.D.p..\.c..z.V...\s.t....QZ.r...K.[a..;..h.{.A.'.QJp=...b... 2N.e@.x....N&.0......I..L......"wc14DI.....Hp.yO...].8"W0%..f....\|....u"....3..... ..RIN.q{.......z.p....,.-...*..F#..F......Q..{.b.[...w.kN.0...=kX.d.Y.,.....6.9.f;"..o.Tt...)...L...S.$...S#...xLR..}..!].#.<....rd.....l.m"..d........}......0..Sc...A.&..........6....

C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	289677
Entropy (8bit):	5.514336651299086
Encrypted:	false
SSDEEP:	6144:ToCsLgohOgZKwXiRJTAzQhdi+14r5l4xvJLqo0PQh:zzPhw1hr5JW
MD5:	D045AF9A8B85C6AC73F60E9FDC16590E
SHA1:	874293F1B5D1B6E2641D9DBEA59B4E1B8F377752
SHA-256:	241F3E5286B25864081F50EDB93C4693BF001F04D7C7B98F5C4921F768CD7E94
SHA-512:	B8F9F59F6519C5839D4DA668A16062100BE75317C4275BBB50E1AFC4B6B66ECAB7268054682BFDD63C5A71DAE8AE00E80EFF3EAAB161C2E35A3651988AD38413
Malicious:	false
Preview:	........e...e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v....w....y....z....\|....}...............................$.....+.....2.....9.....:.....;.....=.....o.........................................).....3.....I............................................'.....3.....?.....N.....Z.....e............................................................./.....E.....K.....R.....b.....r.....v.....y...................................................+.....0.....8.....?.....E.....Q.....h.....~............................................9.....M.....Z.....f.....t.......................................................................................%.....0.....i.....................&.....>.....W.....................................................................>.....`.....q..................................................,... .6...".I...%.q...(.....*.....+.....,....-........../.+...0.8...1.a...3.l...4.....5.....6....7....8.....9.....;.1.

C:\Program Files\AVG\TuneUp\locales\et.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 289677
Category:	dropped
Size (bytes):	77693
Entropy (8bit):	7.9976145429450725
Encrypted:	true
SSDEEP:	1536:1e5bsSJrP3zqLQHj/6l9qemcjBac28vMkSNpuaOEBZGW8b9nUCOmabCko:msSJTmcHj/i9tAc2cMkslBZQR7Fiho
MD5:	770F7FD6CE4DD6DF3D59588886345D09
SHA1:	5A385C4C8F565F2CB5309A7299E2E908607ED37B
SHA-256:	83250EBD862074C47A85987E463B7030D31F0638A1F9D51521AE09A22D81746A
SHA-512:	131CD96316DF3D9AF4BF133634477CA3692C033A1B89752AEED55CD8A31E7A210FD78E95B0EEF4E08045C78176B21C20CC473D53FD93667BC924EA3D8A1C5EAF
Malicious:	true
Preview:	]..@..k.........6...Z..C.....S?8..k.A...O...;.I....7..v.....z.3G_.X8.L..z..BTA.[....DE.'5....D.8.h......j...Y.._...A....$.=-..g.B....lZ...z..9,.N.PWn.q,J.m.v...k.:+.hM..L.#.f.l3$P..z.{..u.j`.z...\..HY%...f...I.JM....#....g...h.:BT..R^.. .V..4...+.'.W.Hk.'Y.V.u...=..[O....?..a..s.V.d}.=E...)(..p.....Q..0nNp.4....8w......r-._.3.../..e..Lx}i..p9..zX'......s..l...n.5....k#......+rI....j.}..(;,.,yQ.14h..j.Y.P..[en,qqd..P...N.o.t....#.A..[$.B.o.._....tT..;.24^...WT.....z.........3e..>.......$..Hl.v....O.D.e..e.....TA.[@g.. W..`,.....{...u%e..GH..48.!...R...p)/<..>..i...V..s....t..x.....O_..Tf..P..G+Re.IL$R..P)Nk8........b....ij>A.IE...N.R\...#B.y.;7....m..}x..;.nW.E.......aIi.fye...`.EK~."...Z]E......\|.y.c...u"..0....Hi{.t..g..%......x.XU.[^..x..[....;.X.*.#%:yDC...b;.x....z.h3./.....\..M. .p.P...O.(..^<./. ,.+..b.'.yo...Bz..q..G..t.....~.....oH.;...A.wW...v..7.....t......w..v.-.HG.<...@4iI}..ih...R.3.....~...Iw....(.....Im3...O.gh@C?. ..[.

C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	468288
Entropy (8bit):	5.098788070902361
Encrypted:	false
SSDEEP:	12288:m3gX9eA4aSmaOMN3w0L7UO9fcQdjaBINEhiEblWLuZ+ZQJ2eDtCBdzZEjxWpw+/I:OBA4aSmaOMN3w+7UO9fcQdjaBINEhiEh
MD5:	78C7ADF045B3D8A05C6F6519154CDEF0
SHA1:	694FD63B612FBA0267E1DEAB41B8A87EE0649DC6
SHA-256:	05A98B8DC3B6D5E3A224E17C144D873C3B84C6E704FD2B8DD659E2099789F9A3
SHA-512:	CEA96BD1621550C6108695D51A317BAD4054BAC9B564E45F2B0A16CEA328BE15475CF2EC033C33106A184215FE7180FDBBBFAB709B782F43919F68B976D8CB99
Malicious:	false
Preview:	..........z.e.....h.....i.....j.....k.....l....n....o....p....q....r.....s.....t.....v.'...w.4...y.:...z.I...\|.O...}.a.....i.....n.....v.....~.................................................... .....J.....Y.................................l................................8.....g.....m..................................C.....^......................................R.....w.................................................6.....U.......................).....D.....L.....T.....[.....e.....v...........................).....@.....]............................1.....@.....Z.....p.......................................+.....H.....O.....R.....c.....t....................................................q..................................&.....9.....E.....Q.....}.....................+.....Z.......................,.....6.....<.....V..................... ....."....%.....(./...*.r...+.u...,.....-........../.....0.)...1.m...3.\|...4.....5....6.?...7.w...8.....9....;....<..

C:\Program Files\AVG\TuneUp\locales\fa.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 468288
Category:	dropped
Size (bytes):	83616
Entropy (8bit):	7.99780595559194
Encrypted:	true
SSDEEP:	1536:je/HkfPa+HjPULSqtfj8XPv8pmt1hjuGdUSIq1fN5ifdhIEetibfN:6c2LSqtfAX2KaGdbIEfN5i1kSF
MD5:	1BD3E72597BC10AF07A0C9463AB53B4E
SHA1:	6A65A843898F1F40559E96F491DA53B61D7B651E
SHA-256:	C161D90FE0963F52575999A2F14A0FDE6E99F1BA77466359B62EFB22D5D66FF2
SHA-512:	F2AFC0622CD8A557041C53F15F74BC95BAAF137050B1F141C39D34A4FF74A84951FE1D603A867238A1CAC195BF21E2091E2EB05BBDE2DBB2244C97D7EA9E629D
Malicious:	true
Preview:	]..@.@%.........6.........0HQ.[z.7.d...>.{...QV.-......!...4..2ne0....p...;.G.#......8g...e..9..P...=/..i.n<.M u+.....A...5..=..h=...'....<}4<8.=.G...&V..h.%..&.R.U.o.....C.......r...F.4....S..T....$.[).^...qYY..$R...<..n..M.R.).l....KG.w.......Bp.<K.6../zGX.`..H\|.u.37s%..b>u..0...9.K......E`..L3-.N.U...r..p......l.......G..n.o...?4...9....Jn.L).P.~.i..r.EE.}M...5..XS.......P...r...I@\|......ll6<2..c.L:.....n...P.....Q..0..3.....#A.2.:.xc...+...l'@0[..~sO.a...%I...9.......H.p~.Oh.UT..m...k..f..)...\|.K.....:Cs.)]D.t.$....UW..n"a.s...u\uFg.i..%.`.........-.n.kz..L.i...r&...-...m.v.c.(42....W.H......I.......J..t.OqW.b.-+wi.K.Y..'NH..Y7..H."d..@cS.<_..$..4.......S.9.q.3......C.3.......u{aW.oQXnJB.......U2...r.".....~...o3k..~F7.JCb.a.XVA........`.._Vx..,\|.J.\....[%v..js...w.H.D2\|.@^..$.3<.l...0u..k.8...vs....L.........!.4...G]..*3.J$Fe...s].bN.....'.0&.....8{..G).I..sn.R.,-..u.`@...uxP.....L......a..Q1.'.H..!.......Zi..Od@..6..g..k.2..n

C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	298130
Entropy (8bit):	5.465045918141521
Encrypted:	false
SSDEEP:	6144:LgtwWo6+FvZpPQeOEgkx/aX35fo70E018njdQsulX1w9T:LsM5B6kG5foIE018nbuoT
MD5:	59D49AB548B74D85BAE165B8CC15B073
SHA1:	D1946469AB92270BC99B7ED863AC723CF676F050
SHA-256:	FA171DCC44BAF46CD4331D0A833172185FF6A166A31AB4F9890EB0832E15CBF2
SHA-512:	40B9018EAC2F55828F3CE3B50E6428ED545F8453C51B193614137C035AB9853F63AE9C82C2ED1D6F9A4AEE265238478BB46F468B08442D6CD4D0D49C9E1576BF
Malicious:	false
Preview:	........#.p.e.....h.....i.....j....k....l....n....o....p.....q.....r.....s.#...t.,...v.A...w.N...y.T...z.c...\|.i...}.{..............................................................................................".....n.....w..................................4.....6.....:.....b.....y........................................................".....2.....8.....<.....G.....S............................................................&.....<.....Y.....s........................................................................?.....M.....b.....r.............................................................@.....O.....^.....q.....x.....{.....\|.........................................=.................................$.....3.....C.....J.....V.....i.....m.......................................".....E.....o............................................ ...."....%.....(.-...*.M...+.P...,.n...-.........../....0....1.....3.....4.3...5.M...6.....7.....8....9....;.....<...

C:\Program Files\AVG\TuneUp\locales\fi.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 298130
Category:	dropped
Size (bytes):	78021
Entropy (8bit):	7.99753660799495
Encrypted:	true
SSDEEP:	1536:3/WNuxpHI7DIPzFe1iaW5h3995dzcw8U/D7q249erewPoXMt7T4E06:OOpHSIPz4iaW5ht9Lfq2gw2M1cq
MD5:	039C3CB87B3CBDFEDE259CACFE64B9C7
SHA1:	69F8F1DB5CDD042BA3AFA25447F80F01B6B3842B
SHA-256:	49E272E8C13EDD1B252F0B1CCBF5CEF15FA09FE6A88D6417F4ECB91E3DA7CD0D
SHA-512:	CF550E244B90B29A78B1C99DF4A31BFD79EA66F50B49078633C1AAD55F5533CBE0DCF91037DBB0E5B7DA639EE10492CB108AB9026FAD84B6B015D13F405A7BEC
Malicious:	true
Preview:	]..@............6.....uJ.p.2.5..s-1x6+.y....+.a.....}_.BC.c..m../.I`"..1.Q...v.~.`...r.zF.-.....(....._i.6.u.8d...JlH..J.......,v#]@..B.>.$..-.\|j........R"C.......;\$.S]r.sF.Ty.8.%.<w.\|<.Z.rC..Y...gc.C....^0_.".<ZP...@../R.n...e/...![..f\.......~.R.8.@...X.....Jh....._.}....I.L..2...]....6.7...s.~....m'Ks....>...S..f.1.B.+.)....N.....Xw.X.w].;.#...+.s6....=.p7AT.(.TD%.....v.;.1H&\|.4;.....}I......t..k.....J..(..R...,....2./m....[U.=.".b....L......h~cPt.Z...(.)..h6=.gI.........../j...-.Q+.=...d.t..T.........'.?....V...V...j..r.X...guN......Hr..!....=.^?&....W.g.c#(?a....xh.0@..W.....).t\|.i...Vw..s.....;...G......l.......2y.\|...p.n.)nv..5>3.....=..4.*eq......S......<U.e..U4.t;.)T......eb......$.SO..y.5.}.......z..&1u....c.FFn.^d...........I.N.O....!E....mv.\|e..o..x..P..R.W.3Y.....H"MS.X.c..jP..;OG...\....}.b.\|...;.4.R.Ye....$..F..(9...".<....;.t.L...j.uUW.qW3..g,.....2..........(.......>..D.Yr...Y...X......CT.][..[E.+...&S.^........C^...L....M..

C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	333460
Entropy (8bit):	5.244033092086581
Encrypted:	false
SSDEEP:	6144:EADu1lTMm+GIyM7DQacg20dxKc0GnPZ315yayAH7SZS:DiEZrJ2M35vV
MD5:	2DC3F1409E7F6A3FDB3AA55C1BCEAFCF
SHA1:	76FDDE6EE054A19F7C76046BD41390004BC6AC41
SHA-256:	FAB8B112187FCF9BA5102FF0AAC2F5EEC63A646C8BF808FC5A2E4E08B9C62A83
SHA-512:	5EE1981AC59456A623297DE3257219B69BC053AEA71FA4AE1486BB6F0689F7ADB5E78DAA17D8D338755EADB7164B7D7F50BD6BBC004C80D00EC4FE56603750C0
Malicious:	false
Preview:	............e.....h.....i.....j.....k....l....n....o....p....q.....r.....s.....t.....v.2...w.?...y.E...z.T...\|.Z...}.l.....t.....y.......................................................................................Z.....c....................................................:.....M.....j.....p.............................................$.....7.....?.....I.....[.....t......................................!.....).....,.....2.....J.....^.....w.........................................................'.....5.....R.....].....}................................1.....Z.....j.....x..................................................8.....S.....Z.....].....^.....h.....r.....z............................2.....x...........................&...........B.....F.....S.....].....c.....\|............................#.....B.....b...........................................'... .....".>...%.k...(.....*.....+.....,....-........../.....0.$...1.X...3.i...4.....5.....6....7.....8...

C:\Program Files\AVG\TuneUp\locales\fil.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 333460
Category:	dropped
Size (bytes):	78304
Entropy (8bit):	7.997684517604338
Encrypted:	true
SSDEEP:	1536:o4hmz1fd0nomBQeCK+WFzt8CB93cPgx8vqbM/mQKjYbrO/XSmBx2:FhmMnVeeCK+WFzS+Fx8vrxK0rKLf2
MD5:	25AB4A713FFB1982DB5C083DA94474A8
SHA1:	9B38D31C3E994C7BFE0DB92F33D366D6918D9E06
SHA-256:	9E35499EA0990A9334D2276269D51ACE69905D51BEB8B58DB19BD7315C2BA454
SHA-512:	C159C6C68D02827E536F62CC385FC8C6718B310EA9C97A8F653A917813E7DB848AD6FAA1E7A99BD631FB43248E0CE77B7586CB5963F13748CAF43CD842AEC710
Malicious:	true
Preview:	]..@............6....:.LMd..zff.$.;..v...U?.;.s..u^..2.Ob.f.-.o.:0....-&..5B1x..~.9V2..L!..%..8.l..z.u.de....z...%c5?.%LD...~}...h.......&.3!...@...ZL..L..I..}....{.....R...W/:.OM...j.?.8.nj..Q.d.N...9.............@,.C....R!."........B..+Y...l.....J..B....t..8k. ....r...!.r...R..........<...I.....-e..2C.4.uU..3.jmSn...$0S.........j).I.M...?.]..M.......wG.u....YW6...)..cL.f.?.3..$b.n...CQ....K:Q..u.....[n.P...Y.....I..B=^0`.+....9e.k.G/....E.3s.c....U.3...5M...p..?/...nn.w>.d.......Z.N.....[.'.zO..>.e....U.6.%.N.v!G...K...".[...!.,.p..p....6a...wx5.%Z..q7.Mt..LuT.0....._v.'U......w.I.i.I.[...n.%.A..1Pm..5C!..'...4..tC}<......k...@.{t..N(.....?......mq.a'K.;t:.k:.....Q...........L.....`.Anx...P...&.d..Wm...6..9bC-.t.8..{#..>.8"..O."'...9........-.f.c[..w...k...C..\(..k......-..GX....o.Lq1.d....3*!.I...+.Z...{.sQ..+.c+.xa..P.he..K.T2W.@~~.=.....K.Z.r_........5.A8@B.KH.U..`H.l.DK.W.4`..8...a....q.S.....^.1.....v&.pk......}

C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	351123
Entropy (8bit):	5.421350465456534
Encrypted:	false
SSDEEP:	6144:vZBBVV8yTsLY5Ihc7ny9tQVm9xr6QuhV5zErwnY2+20MYnYbpSC3K1sF28knxRVZ:v6XNhfr6QuhV5z10MYnYbpSC3RFZknx9
MD5:	39DF7277C2854D60B4B61BC11ADD4188
SHA1:	865DB185756772DF35AF31DCDF78DAB7FB9F8549
SHA-256:	1FFB04BA6986F4A25F5191DA50939CFE48D1581388148B7F64D3C10A124439D8
SHA-512:	DE627A69981B4A4604A587A610B59A022F6FC4715CBAD7BE59CB444DB7B42E0337CBBC42E9C0A5FEA84BFF066BE3273A8EB251C578E5457A9DDF19F90A8C71E0
Malicious:	false
Preview:	........E.N.e....h....i.....j.....k.....l.'...n./...o.4...p.A...q.G...r.V...s.g...t.p...v.....w.....y.....z.....\|.....}..................................................................".....2.....@.....R.....]......................................e.....t.....v.....z..................................................K.....c.....u......................................'.....?.....E.....R.....f.....{.....~.............................................-.....Q.....c.....i.....q.....x.....~.............................................).....C.....W..................................................).....@.....X.....o.....................................................................d..................................@.....J.....b.....i.....s.....\|......................................N.....y........................................:.....D.....S... ._...".x...%.....(.....*....+....,....-.......1.../.V...0.d...1.....3.....4....5....6.>...7.O...8.g...9.}...;...

C:\Program Files\AVG\TuneUp\locales\fr.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 351123
Category:	dropped
Size (bytes):	81931
Entropy (8bit):	7.997849686110429
Encrypted:	true
SSDEEP:	1536:7ddaQ5nB6i0DONbmxE4FUq0g9aUoHuVcWmSiH/pViXVoZ87aYepLDLO2JREM0wR:7d75iNERjgToHPW0/3GatpLO2d0M
MD5:	1479FA73FEA263E9F031CA7B269BB5E1
SHA1:	BF8EE99C49489DDA053399D3C169A887C1EEF152
SHA-256:	B8F9C00B4824C40560CD1C96402308B242D552562DCDF3851B04A39A0ABE5D14
SHA-512:	98FA9C59F984BC46807C84C10291F085E10C056D0448AFCA257C9A2EA32899DD8483A27F45E09B9E11C6CC02057C84BCB4397703DEB8414400D5845DCC974E69
Malicious:	true
Preview:	]..@..[.........6...5..(....j.....Q..Nz.3.}S......&.)..........t.7^...>..O{...._...}...8..t.f........7..b.adr....A..2..X....._.....]6s.W...%u....y........r............'bc.A....n6...E...../.#4...X.".4T......tA4'."4c#....a'......,..{....O..3F0......c..A\|..._..y..6(..`..R...c.../.<..J~]..&:.(.. C.j..._4...'..6..m.,.A.R.8.O......UK.(.~.....R`...T.h..3.i72...........GH.......L%.0..(.......^..:.?3...o. .l4>.2..v...4H.k.w,,]_.."....#.....F..SBZ..Gxf1;.L..l.....rr....E9..Y..zM).>(..B.r.y"qm....6.]#`...(\.Ef...y.....w.{....p.DM..?J....Qj.9x.MI........4~..k.x...(........w...._..!L..L.)\|-.MA._U..s...c...[..M..KE!..%xHL.....!.>....G.r..:$p....`E7."I\.!z.n7-I,.e..........%.(.Sl@.D....<X....e.....j-.}.]....7i....-Fw.T?6F..._f`...U..'d..d....F....b.\..........a6.^..6`...k.r.{.H!..#./]'p....l...........J........+1..u...3...q..-m'(8..7'\.......;zZ.......k.oC...Q..K.....}....O,.Gnc0/.f;.'?=..,...R.A..d...J...A..O.....3B.+.+..<F......)N....=PQ.l..W.F.k@.

C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	660273
Entropy (8bit):	4.380086522036239
Encrypted:	false
SSDEEP:	3072:lcEF/w+Sy34n/GQoyLuOj0T4MsLbJ3DBeQ6B+rMaWM1xwsMWbuoYZ510Nn9k/xwo:/rawe2vK5OSMH
MD5:	349CA76D987C9E2C7FB00966AA034357
SHA1:	3BBA7EA00E4F4D9768DD2311EC1AC59CC8239652
SHA-256:	79FA0F068F09ED239A8E0C3F1DA0B35FA1F86622F9FA47721E13656696184E88
SHA-512:	330488349B8A7D9503DF180611D97C4D449788284304F4BD231EC97C77D5C2221ADECBF6A9486D2A8BEE37B6E2C72AD22CEA3937E95C1C3178C9DC6C522A52D8
Malicious:	false
Preview:	........Z.9.e.....h.....i.4...j.@...k.O...l.Z...n.b...o.g...p.t...q.z...r.....s.....t.....v.....w....y....z....\|.....}..........................................%.....,.....-...........3......................1.....F................:.....B.....W..........5.....m.....o.....{......................H..................................>.....a............................#.....L.....h..........).....5.....N.....s.................................:.....e................>..................................................w......................./.....a................T............................5....._.....b.................................;.....B.....E.....G.....`.....y......................d...........x...........).....o.................A.....a.....j............................2.....^........... .....x................L.................................8.....E... .K...".y...%....(.....*.W...+.Z...,.x...-.........../.6...0.^...1.....3....4.....5.F...6.....7....8.7...9._.

C:\Program Files\AVG\TuneUp\locales\gu.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 660273
Category:	dropped
Size (bytes):	89118
Entropy (8bit):	7.998023873732979
Encrypted:	true
SSDEEP:	1536:mHJk0ErDrZl6xUktREHqKRKRTs+HBL+Dq+RGTJ1TMXDVneo0UQv+wQ+w0:6kfXkm1KRJR+LRGTLgXDVn1/M
MD5:	49D555979C14B1BA05924B1DFA669483
SHA1:	70C273389E20DB3906E84945B128B1FCBF27712A
SHA-256:	8405F80DCD4023343C3FC943737249510F3103A3388F5673587C3DD805CA0113
SHA-512:	05CB418975F35F59C31E2C8D8F5B91B8EBBC0D08DA174647C4DDD48C662CC9177C1AF69890700CE4BAD1C6AD9F7F45AEFB976AE2B5BF5DCBFAA0728F940B4576
Malicious:	true
Preview:	]..@.1..........6...M.T.>..o.+<.C&;..A.a.68v......g]_.-..{.Y...b....qX.mu..l.y...\|..#.!...=...d.w...dgg....1.Y.]......o....9<..J..`_.B.........a:.H5.H....P..?..%d.....G"...A.c......g...L..}..2k..J...Iz..D...VD...a"?....._or.V./.G.....%..f..~.-.]]C.?.F7.l...H...EJ..c@..9.g8..'xy/..H...d.>...B...8fpg..O.c.......g./;.H.C`...O..6...Hk.....J.+.............'z....G...e..\|...T..b].P..;.0B....1.;t.b...@@..,.:..>..r.6..q..8.f].%p.b...^...s.Y....7B...:.Zn..z.#`R!}.?MC.v.7..z..^E.....Uc...o.tLN.A...N8.e.....ni,!.HG..-....u...G4{..tXD..c/...9..>e..[B.S...F..x.b.Cfi$...=.....of.B...........k..l.73..p...$k.P.)....4>.)..^.&kW...(..pVHEW......C.M...h$..jK......iY[>..W.....\N.....S\...3...9.G...P.2!.z..P....;.q.3...5t......I.Q,......p...<R.@.U.H.8..SD..`..P....d.9...Hq.E[V..{.b2....&.eD.g0.B...+.(;.7......+.......O.....`F..30]..........P.M..x.ia..$.:......6{....}%$...0~N..,..2&MZ...........5.Zn..jR..2q.#,.c......./...c..W.....yQ..B.......

C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	406759
Entropy (8bit):	4.737080164799603
Encrypted:	false
SSDEEP:	12288:J5GjpEZDdpzA0MQZZvS602AEhh54kTD5in9Dnw2Ohw+j:J5Hv5t
MD5:	EA6C8DD5FB4007B5B5A692B857693D46
SHA1:	E142738F399BF5AA7C19D478A7DEF3D270E61851
SHA-256:	7652D063F1630E33228809834F71E6E2FFEC75C472EC66B6ED767BD98886F928
SHA-512:	A77FEC4EA0FCEA2DE4863EED319ABE2F4143B5FD345AA951C94068F862BCECCFE16575271BD423BF09B7116C6BBF7FAF4DAA59BFD0025797AE9202A311637E1F
Malicious:	false
Preview:	..........t.e.....h.....i.....j.....k....l....n....o....p.....q.....r.....s.....t.$...v.9...w.F...y.L...z.[...\|.a...}.s.....{.............................................................................1.....J.....]..................................0.....o...................................................:.....S.....l.......................................&.....;.....Q.....b................................%.....).....:.....B.....p............................@.....q.........................................................#.....^.....q............................B.....W.....l.................................................1.....H.....O.....R.....S.....].....r.....\|.......................`...............=.....[.....y...........................................&.....`.....x............................J................................................. .....".7...%.h...(..........+.....,....-........../.4...0.A...1.~...3.....4.....5....6....7.C...8.X...9.l.

C:\Program Files\AVG\TuneUp\locales\he.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 406759
Category:	dropped
Size (bytes):	81504
Entropy (8bit):	7.997625347569088
Encrypted:	true
SSDEEP:	1536:2eODJhEkZO/cEJJ3EDsknc2o3W+/WPrNIcYkG8jIKoUdKLU2lJ:jEO/cEJJ3EDhVL+/WpYkfFoxU2lJ
MD5:	C1CE87A2672C0B1CD5940509F096A9D4
SHA1:	DF5D0D995B31481E1875EDC58B23546657CA68B9
SHA-256:	2550F91FC191B9EDAD79BFC8A7AD9FAD7DF1EEE072D5BD0D07E73E3CA6FEE471
SHA-512:	416C2F04C5177491BDAB0837CA8798E5F0DA04FBB2D6335CBDC33A4310AC248D5E09A88D283CB4E9CAABB2AB41F684614C1892E45180E74EC1437B419126B67C
Malicious:	true
Preview:	]..@..4.........6........0.[.[z.e......yN2...H...q.F0..O.Of......}.....#g.]....5.7.....3..`5.................c.d....Ak....J....e/$r.........F.i..........9..()#.x..+..Y&D..+..c}....SB.w$dM%./di.......N..m....c..gbr.{..vG.E.z...-..&k.u..\|D.+.Z.i....s..\...8....'.'..IG.QP.MdG..K...L.c!.f.....%...au1>....K...E2#..a.`6..?..0...\.80.....m..j'.%.s.wN...F...ma..O.....U..0...$..&f_......u.o..16.....yB.;......i.bB}....^..]..&.V.....8......j^8...g...1Bs..%.y.!...o.,H.b..u.T4.B7"V......lvX.O..G.FC...f.u...?..7......)..V..r.s8....FN..>.c%.4..^...".w...K.gzF.....[...FR.V..X.V\|.....UB...q...3.<.y..}.h>..A..u.kr^.....,t.`. ..g.......g........,..o...0........c.G.A\|.g5$........7..... [.#...BH...V.(.sM.........y..Y<. :A.9.}.....9.q.BJj...........b>...b...+....i...B.)nu...:x&.d2d....M...-.....'....C.<.KG.p.K0.......&T...~.......#H5:..i.R..2.zh.Uv0m%2L.@.a.y'....... s....~v..P...K..3..d...F^..;}..DnPGa..:......L......s.\.\36A..ei..q$H..p..g.N.

C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	684588
Entropy (8bit):	4.35515748058532
Encrypted:	false
SSDEEP:	3072:WifICgHWhTV3mY0G+/Ryxw3kw3Sb8BshvyGR32h7u7pNQXoV8hwsdNT599eGMWcT:5BgSCO5/EAvfZ
MD5:	E7506EA783C56CF5432618080371868D
SHA1:	91F7C1C26A7EADA6AF72089252C2A0153066FC03
SHA-256:	2418A772D39E45FBEA52182965A901364DDCD5459A920C8DCB56C2844954E536
SHA-512:	4B4D90E2FCC913C061DA046B4AD7256C1DBA78959D08DEE67A471690177DCC8561650E3E0397446FBCB4B9BEC89A345B4F2911BBBA6A88444EE9B135FECB49B2
Malicious:	false
Preview:	........;.X.e....h....i.....j.....k.....l.#...n.+...o.0...p.=...q.C...r.R...s.c...t.l...v.....w.....y.....z.....\|.....}............................................................................................................................j............................@.....o......................'.....:.....p................'.....x............................+.....V..........,.....E.....T.....\|.................................\......................s........................................7.....W......................\............................x.....................E.....n..................................O.....y............................................./.....P................2.....H.................Z.................................;.....M................(.....t.............................w............................/.....N.....k... .w...".....%....(.!....^...+.a...,.....-........../.t...0.....1.....3.*...4.i...5.....6.....7.@...8.....9...

C:\Program Files\AVG\TuneUp\locales\hi.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 684588
Category:	dropped
Size (bytes):	91294
Entropy (8bit):	7.998126506568537
Encrypted:	true
SSDEEP:	1536:3Y3Tn/tCwBgp9p9XxFn85+vDP8WXzqRaS1n20T7XXNcHSCiebMew9Uhb2jel7pUv:3oT/Emgjv++vYIqn20TbdcHnb7wChp5K
MD5:	324CDFF214093095BF4807320F822D88
SHA1:	15365E00EC55E3EE42518D0834DE3C4FA1BB56E3
SHA-256:	CD080B060EB505B86965BE39129B5DC6CBDC8C37FA56B298D676719F9756AFC0
SHA-512:	00781F5FC4BF70BF0B4B80512A4CF51F08089A073F72D0C10E9AD8D15CAD4294739201C832835890D20DFB90F941F8F52B02C4DE6AEDE0C8B3CFA86D1D62A9E7
Malicious:	true
Preview:	]..@.,r.........6...p.U.{.#5i.N.N..3..Yo.=n^2....j.Dm..y&.D.'hi../ .U.&.A..c.o..g.._^......z=E.h....3.0.....'.<.^.547.v.`...e.l..7.....h......O.J.....z.3......9j.9..qG....3:^..rZ[.....O.....e...!.Q.+D.%P...v~x#..7.G..E\|._5N.7l.}.bBK.)..>..3.%..-...o.u(.yJ-...t.3.f.V{"..."iD.NzG..e....EbE...........159>]..T\|&.....$g.E.../#dI.V.........!~z.~...e.6..y^.m3.Q....?.4.._."b......^\Rj.!.NJDj......c....u....9R..O.../r...R(x.H....@ ....s...e.~f....g{{%..2....b&.~!....i..^0.....>W}...7..A.....'k;.$.................!e.#..&S...G......."......\|F.........=.M..s@..8..oO.Z..p^.9..@aW.)~j.............K.k........u.y.i.G..5....H)."....6.....8l.'.;h..M..r...D.G...o...^.Fm.X.."..t`..-ET-Z@..a(._y.n.\F..u..apD.{t.k@....}]. .V.n.\|..:.....^.\|..E.`...y.L..;?'.obFH...e.....~..kvs...T.n]./e....#$..<......o..\EU......r.\|~.]&(...='...F...M....n....J...}q...n/\.b.T.+3...l....e..#.Z.#..U[.88..}.r.."U.JS.f:....$jI.@.z:rK]..e.N..o.=... '.I..qr>.P..+=.3..[.3.W......54.&....&I

C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	320821
Entropy (8bit):	5.562645613016878
Encrypted:	false
SSDEEP:	3072:IvXr9k1GELtZ8jSsAOSPF0uPJGht6WI6DkioKbexU8bVsC0+xE7TttJzt2Q/pguz:IvR2XfvstrQ5zTTMKS
MD5:	5AB62A807B85BF1B75C741ABBA0E9F98
SHA1:	641B2360699DFC465A86C0E10B51B4739BC3C770
SHA-256:	B967887C6313FCA79A82168645C1FEBE43C949F01E0EFF3BB8413A04B590E16E
SHA-512:	D53895053EB4AA230BF9285E1CF0FD46704A9658065F35A265496610C951D09C2436071F421217D3DBE54423624D216D357471763BBEC069D3D0D938557FA291
Malicious:	false
Preview:	........g.,.e.,...h.4...i.E...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v....w....y....z....\|....}......................... .....(...../.....6.....=.....>.....?.....A.....j.....v............................................../.....T...............................................................".....1.....S.....e.....t........................................................."..........7.....K.....P.....S.....Y.....m.............................................. .....(...../.....7.....C.....Y.....m.....t.....................................&.....M.....Y.....j.....u................................................... .....'..........+.....6.....B.....G.....O.....[.....................2.....~.............................................4.....:.....O.....y............................ .....:.....l.......................................... ....".....%.....(.9...*.X...+.[...,.y...-.........../....0....1.....3.....4.1...5.O...6.....7.....8....9..

C:\Program Files\AVG\TuneUp\locales\hr.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 320821
Category:	dropped
Size (bytes):	81648
Entropy (8bit):	7.997448369075807
Encrypted:	true
SSDEEP:	1536:GaByBysRnbJoozF1nZjBCwbJS4YssvzTdSgbFutqIgeR9nIeOyXn5R:GysxeYF13CwbJSFsWzTdvHeRRIenf
MD5:	80EA3DE214A18721DC1E49EB32A4C6E0
SHA1:	B50FCB7991D0FC0C7FB835337E28E6DB58BC1509
SHA-256:	D1BAE488AFCC949661F7FF160C9B9C1CA9C8D3502619EF94A5EF5AAF37A03067
SHA-512:	9A632F06A42AB01B71428FEFE8DCCA891F5E9305517BDF8C050E054375F5A0F1D2DF6BF2892786848FB6D917413B820AB4BC6991A9601267BC0060F1A3C7BCE2
Malicious:	true
Preview:	]..@.5..........6...\F\|.0.......F........V.y.H.....h../.........w_....oO..U_..p.E.;/...{@e.;....n.0... <..T`<.Y..,P.1..).2.K.....<1..Wg.y...qB;....j.\.;T.bd..2j.><FQ...go...D^....4Q..G.6f0b.~.ay....7^....wn`.,.\|..t..].'..q.m....j.!O......Z..f8.ou7g&R..c.U[:B.=.K.......5s..5.gl..P.H..p.......\....g.A.@....w.Z...o..........=.MV..._NZh.\8.O.(ZQ.,..-.7. B.........z.s.&..NIw'`^.}..,...l.f?..h.R.....Z...pI.f2.as.4..d`.....A,..EFxv.. .......\.....R/..h..u.4......tx%.AV<....Ban....j..f+.....8.U.S./..:mc.s......CD!{.).D.+...I ~..........P..@Q.?jc.8D$+0......o..j.:o..=... ...S....j5Jkr.S..s...x.\|..{.{....}......c.f..R..I.%..8...].l.9..;.U.#NB.r..O.......$.eQ..-.yt.y\.;JA..3.l..f....\]..D.$R+.r.x\P>P.. C.......1...$....d..f{...f.`>....WV0.$.9_.<:.0.'5x.Z..\|).....I...{i.-s\.5.T....U..........2Ul...9(u...n.k.....x'.wj......`...8.w..my.....I(v.r.e.RQ..-r..'...o.l+...O_N.tFt.H..P.........}(........#...Xh..qa.......=.9#.SP..+..#.....+..

C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	344321
Entropy (8bit):	5.687219162686163
Encrypted:	false
SSDEEP:	6144:cCSQ82DaOfOnVQGRO4sJuzMcql5ut5iGkDyUBYdpEUJ3ICx:VrDabnGlRl5ukDr4
MD5:	AE54CF32C7E5BC9B75615225C5FAFFEA
SHA1:	25C6ECEE303925F6A273A8D0818A79FF80A74298
SHA-256:	12949111BF85A2236F071A294A508D99C90587A97B9BA7F61DC8D70E36F5761B
SHA-512:	EB12669CEF9FE09D8F53094AA5DF2AC71C8EA334BE474A2DACB5F2E8AB56BB56BBB188AAC10509873FB7DD3EBB6278D69A050A700CEF6388A5CAA22736813932
Malicious:	false
Preview:	........<.W.e....h....i....j.....k.....l.....n.....o. ...p.-...q.3...r.B...s.S...t.\...v.q...w.~...y.....z.....\|.....}.................................................................+.....;.....Q.....f.....v.....................$.....+.....Z.................................................../.....B.....I.....P.....~.................................................%.....g.............................................................,.....b.........................................................5.....N.....X.....k......................................9.....I.....W.....g.............................................'...........1.....2.....<.....I.....Y.....c.....z..........I.......................).....=.....o.....\|....................................................4.....k.......................+.....B.....J.....U.....m..................... ....."....%.....(......<...+.?...,.]...-.n........./.....0....1.....3.....4.(...5.J...6.....7.....8.....9....;..

C:\Program Files\AVG\TuneUp\locales\hu.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 344321
Category:	dropped
Size (bytes):	85003
Entropy (8bit):	7.99776224308517
Encrypted:	true
SSDEEP:	1536:/g3sPL2Cks8qJWC1ZMoAeNvMEcPrF4zC/ExoNPDaN1EZPQtp:o3sTX11AzEEF4zC/ExpN1Eip
MD5:	CDBA4E0EA746722C9B285C77C6047742
SHA1:	0F2FA8B74E6680568950179D96F12B77652FBDA4
SHA-256:	511B2105D6162BED43E23A3AA0C59F1B0328955CC6AE2F85154C891C432CE930
SHA-512:	96049B2DEF2252395ACC270D57CA8DA1039B469327C7DCAC1D3F210D5644E4584F5BA7B0D069C25C8240444F56F72B74FC2368B62CA15EB9155A8C96AAA3882B
Malicious:	true
Preview:	]..@..A.........6...+.....{..i.M._..t.k...gw....F~g.N....Q...w...<.UA.">[=..Nj..lg.r.qa.~x,h....'i.b...,.i.4..s.e.nY.[....n.....5..X.:;.z[.......Y...,.a...<&..X.4..X}._g.LU.&B.@q.s...:.8.&4.I.<w..y(.\..i..hS...%....:..w#.\^.I.....Q.}.P..P{.KpB~......B...z.1@...w..z..-x.Rx..7~.u. .Pi.l<u..V.3..w.......3.xG......R..-..L1c.v....@.C....].d+....R..k...a.o..H..)..E.'.l.!e.Ie.......u.].&m.+.3..z.....K...=?.....V.{.......x!..f......<.b..M..I.J.Zw.i...'.D.>...I..2W....(.?..L..#9.}Y....\a...{H.....,....K.@6.(X.h5...../o@g-7.g....{]C....q...x..s.....N.........l6.o...u.R../.~0..V.....^...~_c....!...a...W.[.w.%....U..J.r....6.W...Btcr.&)..@./K...;....H.46..M<I...z..f.....q..^..GR.<.."......irq/.B..A../...R...a......`..A.....oL..4\g...U.E>^...I.1=t..E.&=A._..p.\5..&.;...F.i..KM&.LSc.\|Iy}W&\|H.~W..qa....^JDD...p.....l.(..3....=g.8<.7.......y<.......\|$J.....m2:Z...C..E.".\|.BW.........lB.......X.....}..P...G..28.<...6C.d..h.........,...G.J'.A.DMw.n@..<...aC.i

C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	286613
Entropy (8bit):	5.41304864844887
Encrypted:	false
SSDEEP:	3072:QDUKFuviTxKm1D+kf28PU95UTB/9EkLWvoyRkVvGUJAQ/cazXCjoYfjOcSmP08kd:2Z2gU9ktBchVfjYmP7kVO5lvtrsEa4c
MD5:	556874DF87F3E62BC9F2BAA6353C5D73
SHA1:	6E79085ED28FC54399BF7B91A09E69AEC0E21E2D
SHA-256:	60E0F7533DD163DA804AC5445F2A80FBDA26BC58CE26D8D2DE7E2BFD4E5D039C
SHA-512:	884045476C84C3C18CF41C7A0F4EF98C9DF5333284A8D9F27757FA5C19A8C8F07A821B613F7D0FCDFD594FC23FC78ED5D133E2E1E5C965794376E69903F20F8B
Malicious:	false
Preview:	........L.G.e.....h.....i.....j.....k....l.5...n.=...o.B...p.O...q.U...r.d...s.u...t.~...v.....w.....y.....z.....\|.....}.........................................................................<.....I.....Y.....`..................................... .....2.....4.....8.....`.....p.........................................................#.....0.....7.....<.....O.....].....n........................................................................7.....S.....p....................................................................4.....I.....X.....s............................................+...........9.....J.....Y.....p...........................................................................9.....e.....i...............................................................+.....G.....W.....n.................................%..........0.....=.....X.....c.....p... .s...".....%.....(....*....+....,.....-.......-.../.<...0.@...1.t...3.....4.....5.....6....7.....8...

C:\Program Files\AVG\TuneUp\locales\id.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 286613
Category:	dropped
Size (bytes):	71403
Entropy (8bit):	7.997596561467367
Encrypted:	true
SSDEEP:	1536:uV+ubqpwEmeNKmn0JKH5VWZhqYKaJY7GCAE1hkOUmCV/pgWwksrI:uIubqpwElNKmQKZVx2JiGzOhbT8//wkL
MD5:	F14725008F0950956244926E018C3A7F
SHA1:	A980AEDDA137252C222C785D7F36EB8CFC459FAD
SHA-256:	F0BF8974C69C509A1F676AA88D740EF47366864931E2D0F5BE4333DE48BA1286
SHA-512:	E1B19EE1920B1015615FA322390FAD5C9D851624F06EBE32A52E14D284BF3B52606F352B3E617535AB595617D0177B79B9551592975CA4985EFED0949C4723D0
Malicious:	true
Preview:	]..@.._.........6...=.<....Q ..../.#...ah.j...H.MKG3...vX......A...#..Y.....R....@H.L..7'!..R:.2b..bVV..z:@...d-.a..m...4..).........^. W....{z.^.F..a}....S.}p.s.m.B..6G.Y.V.................E.%..4...8..GX..ADt..B..=........Y..v?...us...uF.N.}.y.-4"J.j:.OQ.".>v.=........q.q$......r"{..h..eqi...th.!f.&V...Wl\|?.t..w..X9S..+.:Y......%[\...\|.4.O.f...j.w.a.".w.v7.....h/.h2k..u.A...3.....1......G.$..sl..."...W.pQ.....j.%.n#.,2ZQ......._:...z..^...z=?\\|..._......9...qp.....2.4l2..%...2v..M..!>.8K5.m}.\...e.L..:..c+......N`...N.5sE:...[O.J...3r......_@...e.....H....]b....~..g....92b"...(s...(..(#..r...yY..h&..;..r....V8..4.-D..p..T.R....0.gyZ...U...c.t.p...ZL.4..G2Q.+`......Fcj.Ko...b.<g.....d+.....y..3.}.%.IF.V...t..c.u..H.h...b..F.~.UYA.n6..us(v$..@...Y....'c..us..0O..l..q....O.Z.. B...td4..1.p....G.k... .V....B..=y......7.aG...5 ..1..J=.2J.9d..~...P..4P...r..7.:O(.Y.6..p...?....DQZ.n!....g4.'..t.... .=.......`.U.c...Ba..!>....esv.

C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	316116
Entropy (8bit):	5.3401787565448995
Encrypted:	false
SSDEEP:	6144:9RNE1lVtj225oSrqRRhsO1XGT9TESGaKZA1jw8X68zrJfhmkp/9w6jjveDpLOW5i:q1VZ88pf37W5sHkU
MD5:	AB258570CFDDE79A3595B9DEEB6CFF01
SHA1:	4563FC47D20D0A2AD81E7BD9298A5AECD11DDCDA
SHA-256:	5FEF05D02E5C971E8D3F6B5584720EBEED7C7E6E5214320F09CA6F7D84FFA993
SHA-512:	8A7EF6AFF2682A96511E2130DE62989E5E3A9AE35B8DB66173F7EE0102B1E5F5E0EE7CE2A6F06588BA6E4C577C6D5D5767D0A23F1FA1BCE3C2D4B08F7BCC90CD
Malicious:	false
Preview:	........X.;.e.....h.....i.'...j.3...k.B...l.M...n.U...o.Z...p.g...q.m...r.\|...s.....t.....v.....w.....y.....z....\|....}.................................................... .....!.....#.....N.....a.....p.............................................).....t..............................................................%.....E.....U.....g.............................................-.....5.....@.....T.....h.....l.....o.....v........................................@.....P.....V.....^.....e.....j.....t...................................................H.....o.....{.........................................................#.....;.....B.....E.....F.....T....._.....i.....o......................Q.....W...................................................'.....,.....A.....a.....t..................................Q.....c.....h.....p........................... ....."....%....(.....*.#...+.&...,.D...-.U.....{.../.....0.....1....3.....4.....5.3...6.....7.....8.....9.....;....<..

C:\Program Files\AVG\TuneUp\locales\it.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 316116
Category:	dropped
Size (bytes):	77078
Entropy (8bit):	7.997495607428304
Encrypted:	true
SSDEEP:	1536:u+G0IHdiQVN21yPCXO/j6L9IRPmJKpPuBiN346+W5HUPUEg5amTOvG69:uGqLVIAKs6L9I04pP1pvHUyxAG69
MD5:	8071CFAB547B0CA2EDF7E55A243D9E6F
SHA1:	D80903F51F4AC68D957B52D93648EC904B82A967
SHA-256:	970294DE64157CE000CC90A8CACD4CF5B5D98E801464EAA215D90091C68251B8
SHA-512:	2BD06C259ED5BE8C90CCB55A89893D8DD8EFA2A6A9C990B33DB03566F0C68B0AA3F53621FADB816563886D8C44CA54D515CBB1E150276F27CC17A9CC11FFAC85
Malicious:	true
Preview:	]..@............6...KXu$...F.S.'..5..@.<..l..[...)..Oyk.....s..A...y.-..\|w.Z..;^...]._P@.g.bO.C8>g.6m.[.I.4>.....x.=..U.sS%.(.J..I.......V.h.......n/......h~}o..D:pQ2.".T..]N8k.4.......U...`..B.O.w.l.;m1E.T.q..'6E.Lq..>G.i....X.....<..#Ac@.@..v..?;A9..6[.O.h..~...8...Z.....Y..(...}:.[...G4.Q...............5G.UMaZ.....C.u/:..Sj.Z$J....7..Q...N..<Vl...p+....Y.....D.\|/.T....EE2...A..6.$...=P8jJ.[CT./.d4.T.1I.._...]....d.`.~;v3.S;pw..so.0..K3...E9!..:......r..........F.]9..\|...x..g.4HZ..~.8.....oN......bE.6.....eK.a.G..a$..Jn.....-brx.x...'..`........./.+.\]#1...,....@..xA..n..\.ar@>(.z.M.bb#.4.4.).\..f.....<..M...?o...k..N;...,c..t....;3....4.S.(...#6...!\|......Z.W..-.......~. ..`X.z......z.?...<.....N.c..v+.........r...I.....$...F`=..S..K.A....7d{....,v...c......M....x`t.{.:.]..p._L.....:.....+fuT.20%}...od....U..p....I.oz.o..Fj`.:<.:Z..M.}.G......-......f.n..d=}..[.M.;.H....'[^q5..b........u{H3l..+.)/...s..H...zm+..B/../..:...u....

C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	389447
Entropy (8bit):	5.763701710041059
Encrypted:	false
SSDEEP:	3072:yiHbFRaQBV41q1Dorcty+2yDrE6RPkwQQc9NH7rbeCE5/A6cXAX+3FrMaNp4SVES:yIFyMo4ty+2U9h5v6DVV
MD5:	017796CEC4DCAE8064F6303F2E3174AC
SHA1:	1709C22B0A24A74B690DEB61DACE383484C08BC4
SHA-256:	8B8407CA872711857C1EFE032F0C71DF17FBE8D82107A09953E812A20497E582
SHA-512:	E469F0A63BC649126E0A191DD17C1F5DB6E1BBDE4B4CEC63FE4DFE7C821FF5F1919980BA5BD4962095C0F8C4698AC659693B6ECF1A5FEB2832936BC3C47A3AF5
Malicious:	false
Preview:	............e....h....i....j.....k.....l.....m.....o.-...p.:...q.@...v.O...w.\...y.b...z.q...\|.w...}..............................................................................%.....>.....\.....}......................#.....8.....J..................................>.....h.............................................!.....<.....].....x.....~...........................&.....J.....P.....b...................................................Z....................................................0.....@.....g.....s...........................f...................................................8.....M.....y.....................................................k..........A.....G..................... ...../.....J.....S....._.....e.....n........................................7.....n................................:.....@.....M... .V...".h...%.....(....*.....+.....,.2...-.N........./.....0....1.....3.....4.@...5.g...6.....7....8....9.....;.....<.A...=.]...>...

C:\Program Files\AVG\TuneUp\locales\ja.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 389447
Category:	dropped
Size (bytes):	75741
Entropy (8bit):	7.997796210304585
Encrypted:	true
SSDEEP:	1536:W+ocL9uKNryUAI+E31gBNzBrmL09GnnhbfcjiOoMZBJ4aVPch:NRLNyUAIm3Bg/uO/QJ4KPO
MD5:	528615E2B17F866DE83D84090EE511B8
SHA1:	B0315D98F7554276EFAA3F49E52CA43F24D9D782
SHA-256:	FF6419F6A4AC5C05911F2021F7370AFEEF21BFFB35CF4217A63219236F1121A2
SHA-512:	DDC723D5BA5A92EEE7CA2D77130B043C1BDAD347EC64D58C8A955050E96CB9B96E459812663A1D6B9332E184928A172FAAD404977A7B14696278FE8B67849339
Malicious:	true
Preview:	]..@.G..........6...XUj%$...X.Lah....j..^....:?.z9Qj ....f`........'..g.-B...W?.X..5C...s....!.i.j7.xy.........^.m$.3.....Bh<..i..GJ.O-P..7.sd..4.]....D.....$..2...H....>-...N....uT6.]a.Q>d....q.:....hc..>.....z.....g.k..dV\.(.X.....-.H.{.).?f.D..9.......x.<..Q...p...RJ.i...5.w(L....&.{..20si..9.1!.EH...;2.u...#.r%.qV...jQ...7J........`.#.io..]..........j....C..7....q.5.MF.z....CE1..\|.N.f.7...l........K.....=BY..E.o...i...R..@..B.Q.<.+...M..A=N..q@..R.@..:.A..q<.....@..... ....y..H..k.&96%U.R.u.0..k.4...^...{..#..v......%......K.A.g'U[pD.F.P..u..z.".S.....&..y....i...%.hG..;q!dT..%..;K=7.....Ws.+6..z..t~.P..g..8.Q~.!....T......e..Z....]%)....'..b..$.8...K.....L.c..X..Sz.....r.o......oCKQ`G......k".2...........2.G.......U...`{.G.W.C\|...O..`....?y.....t.{..c...R.$).r...f~q..Z...~...Z..[.fs....q.R..<.Z.QA...}...5.."....6....w.C....^,._....k.B.\|.$.....;....r..b.u.....r)..-..........L=[.7.....1.F...7'........2.E7...$z.....K..x?

C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	766454
Entropy (8bit):	4.281374863836473
Encrypted:	false
SSDEEP:	6144:gAEjQbGY20MgcQ5HRriE4NlFlGFfGLGq03unRth/PkxVweREsjkUqmhnHMM04YnK:dC8OlFbAhpcxOy5c+zeCFjY
MD5:	3A998B7D9C41DAC3B2896685116AB994
SHA1:	8C7A3272E79FA27017C24905F2B598499A62623B
SHA-256:	5EACA86A3792D40DB18E7D1CE39683471BED1E8B169D716101808930728E1EA0
SHA-512:	E1E7E49D4F47C6338E9530B0089C1B78F96FD8E088D7EF2EDB013C8A503B86F803EC074DCB8EC3998CA981A5373FC37936C102C9D8C971ABC66C6233C6758EB0
Malicious:	false
Preview:	........m.&.e.8...h.@...i.Q...j.]...k.l...l.w...n.....o.....p.....q.....r.....s.....t.....v....w....y....z.....\|.....}...................$.....,.....4.....;.....B.....I.....J.....K.....P................P...........................................................b.....d.....p.................).....D.....................4.......................T..................................................#.....T...................................O.................M...........".....P.....h.....p.....w......................(.....=.....l................8.....v...........,............................-.............................+.....h.....................................(.....F.....Y...........#...........N.....i...........,.....T.................................(.....4.....l................b.........._......................................L..................... ....".....%.....(.....*.....+.....,.,...-.]........./....0.....1.....3.....4.....5.V...6....7.....8.U...9.....;..

C:\Program Files\AVG\TuneUp\locales\kn.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 766454
Category:	dropped
Size (bytes):	90436
Entropy (8bit):	7.998179348050111
Encrypted:	true
SSDEEP:	1536:DzEY6jeOUQVT7PtKaCOxNT+kDSLN4dMTwgUxcWxP9jc0DULKOxUvYgfZJ26J:DgXbUQBbtJT9WLN4dM0g0c2vaxUgg7b
MD5:	9DE49DDC764DC68F4C12AA67B01B546C
SHA1:	CCD75FD15995697D49A77CBADC17ABBB2F34F106
SHA-256:	D57ED2F0D27582BDA438382F8B28B8D99A2955CAB1B0488C33CCD08CEBC9004E
SHA-512:	EA93FF098FA8EF69EEAF9B59F578D5756719AD0F89215B51D71FA951081A469C66F9F116B08691AA61F3EA0DFAC8D0D4D7225A9A3A708AE16CF95ED14B0FF542
Malicious:	true
Preview:	]..@............6...c.....\.t....hG\o1..L.(X.d4`f...^..I.9XID...f......G)w..l..A.i..q.=..X,..r...ea[)+..?.....2.._t......~....6.?O../..D..^9x.)):....q.....\.R.....yj..Z..q.qfQ...BM.....1...>](.w.]"..yt...A.?/D..\X...m.R..FqXVu....^...~.i..o.Ss......]s...'...M.....-..8.../.h{R..4.Z.c*....9....Z7.........a.3.....\|8.o.......K...f..]...$%.Li...O..8...m...C...]BT....t.D.......@N.'.........gaP......V.....q....@?.6_.CF........./Xq..........)+.Ld..eb......i....-.C....../...^.../(8J...`..L."....-cN.,.).F.P.m.Qdurpe.FN`O..p.......BcC..vk,."..G.G.1..C..n..e....b!84#E4........ .Y.7...z...8..e.....a...$.R...q...W...c.0`_..Tj...s).9.q.Y..@NsL.{^.s.=Sv9......\Y.....2..U..Jj._x..^e...+y.!.1g.....{..N.....ya.FB...5{k...}..w,..k...4#(...$.....i.)? 6...F....7.h.}..t(..>:.e.p...4.8z].{.T...O..S....2.{.k...4I...M.N..r..i..2T.K.&.........Sf>Q.....G.....3..N...[5..H.....(.e.{...`F2..Lj:.W../.Cw`.`..[..;.!..5D..".N..$\|...F......=2.7.

C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	327055
Entropy (8bit):	6.132560395373177
Encrypted:	false
SSDEEP:	6144:MQPWU6+FxbqiJsIcicaHOiSnZN4eI7pcL/7cFivhgF9my4mbKqNQNuq+5L7c+tGi:+UHx2iJs3gJZbKquNN+5L7c+t7JEHC
MD5:	D324469BD2D6E373AB875328C95322EE
SHA1:	8C4D3D7E0BB3DF9D4028A49B64182D016B47443F
SHA-256:	549B190C3722D4774CC7A8A2730F858DBA66F063840469799ADB449184056F9B
SHA-512:	10A2E751D95422FBC24F5618EDAC8589D033F19106EE500C83830FB839D639D30F25F2B49EE017767325DFDF833A6E1F9EAAF0C1081C1D339233DFEDA9876AE8
Malicious:	false
Preview:	............e.....h.....i....j....k....l....m.....o.....p.....q.....r.....s.,...t.5...y.J...z.Y...\|._...}.q.....y.....~............................................................................-.....6........................................O....._.....a.....e..................................................0.....=.....P.....d.....t.....z.....................................................0.....C.....I.....L.....R.....s..................................".....9.....?.....G.....N.....W.....d.....{.........................................A.....^..................................................&.....6.....C.....\.....r.....y.....\|.........................................{...............].....p......................................................'.....>.....j............................#.....,.....2.....H.....Z.....g.....t... .w...".....%.....(....*.....+.....,.C...-.Y........./.....0....1.....3.....4.:...5.b...6.....7.....8....9....;.....<.....=.....>.#...?.4.

C:\Program Files\AVG\TuneUp\locales\ko.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 327055
Category:	dropped
Size (bytes):	72771
Entropy (8bit):	7.997515566292017
Encrypted:	true
SSDEEP:	1536:6sPrpQquCvIuXN/VitlDhBpOKM7h1oJXqeqhJqrhthXPRcYU+jSMwY:rSqZ/uPBpDWgae4qrhthXyFMwY
MD5:	601F0E1F5C33191FA513BA5504975016
SHA1:	530F99E289010C5289BEEE04033AE19CB94C5BD2
SHA-256:	A0A3259F8760CF43C52F0B793E50351A65306C99E7ECAB3A82C0B6A6230CA811
SHA-512:	59BEDC405BABA6B7317C462B2EA395E2D2C90769B1C9F4FC06774B6DB8BC7E11CA18679696B0E4942ADAF02A83746EC53D95F8D0CC4FEC6FB6F6F32D3CD85441
Malicious:	true
Preview:	]..@............6....E..$.G.t.w..T..e..^T.n@.s..(....'..Z\.'..9.Q...-{{.h.P..73..l....9..r.......6..q.j../w...7..............lY....U..f...Z...IWT..%Y%mH,..6V....<:.W...W]i.....Tf.mM.T)......6+.H..(....7[....&.tq5.8a)RA.a.P.L..g..NW<JXP.,..zcJ.U.4.$n1..@..=.....1.......G.$0.....{I....9...;Bq...7.W~,.xd..8$E.+.....~.e......a...<..}D..47.\..l.x..\|.^. ....~.;...E.B.?.qT...j.m.+.2..)..-./e..A.^p...cUs..j..;..C...._a..K.q...^.....NyP.:mA."..a.&mU.mV.....8p.(.j....^.u.?.=M5'<O..`.....X]S..?.3.C....#....Z}o..jF.......O5}...0....`b..."L.aA\|....O+..)...b...5.....Z.0X...w%..%W..Ar%c^e./Q.....\|...).^s.B...d).u..k.AU.}B5.N..i..H]...)..5.....F9.....9f....9+..:.6.T....H\3...Zd..b.....n.&8...k.>\..y..U.D...c.w.c(.1.Bx.F.>........B........odd.p.......W...8.-......l.?.y..x....^...z.1....Fy`.n..9...Z..^.....fv864......."...F.n............@TI..`Oo..}....w..Tq\.b..r{...v.......$.2Y.2.Z;4<.&.T....E...W.?......E........g.f....h.......(-.K1)...V}.....mj.t..^

C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	344788
Entropy (8bit):	5.677051600778146
Encrypted:	false
SSDEEP:	6144:7/GN6HQg4cIgOrUCFsTAfhGEWpn572aAy/brXdELF6SN:7/o6q9U9M5GEWn573/Fi6SN
MD5:	96406518A17835D2C08EA09F6A4F5269
SHA1:	63F2B8AC41ADABFC0F58BDE2EA02AF3EA830CEE4
SHA-256:	336B6BFE35680A19B02D583F332DF5D0F5DC6FA5729C2910FB1AA6659E6AAAB6
SHA-512:	342A9D97FA6747B52E462E302CC865E8EE6018AA65AC3D517D4625CD31CEF68412E4DF9D28AC10E39ED73801342455635AB99A6E167BF7527AC7ACD62BAB733B
Malicious:	false
Preview:	........X.;.e.....h.....i.'...j.3...k.B...l.M...n.U...o.Z...p.g...q.m...r.\|...s.....t.....v.....w.....y.....z....\|....}.................................................... .....!.....#.....Q....._.....l.................................&.....;.....Z.........................................................-.....=.....Q.............................................................A.....W.....\.....f....................................................?.....e......................................................7.....J.....X...................................................(.....3.....D.....\....._.....u........................................................................&.....n......................m.......................................8.....<.....C.....\...................................=.....c.................................................. .2...".B...%.a...(.....*.....+.....,....-.......$.../.?...0.B...1.s...3.....4.....5....6.....7.>...8.^...9.r.

C:\Program Files\AVG\TuneUp\locales\lt.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 344788
Category:	dropped
Size (bytes):	82892
Entropy (8bit):	7.997644573281015
Encrypted:	true
SSDEEP:	1536:nA+meXgKafERGHYQO11RHQThpEsrC61Mnqbcn3p5ksXJsv7GtFw9fm/ZXPX2+RUs:A+7afEQHbWIh/5SnH3DksSjuqOBXf2+l
MD5:	A45AA8A3FED9C20405920B6B0DF9E560
SHA1:	472F8AAAD4A4F8C898479C37718D2CE06FD2F218
SHA-256:	635C239C22B8E2FC4CA359BA384AEB503504BEE0C03C653A170C9A52685336E4
SHA-512:	391430D1A790B7A4DA3D2113F56AA0FB5958225B99024407853D5EB09105E4EB4DFF5905ADDCB65D467241D25B7E81C4D9254FD3AEB21F924A085E8F90CE3820
Malicious:	true
Preview:	]..@..B.........6...KXu$...F.S.'..5..@.<..l..[...)..Oyk.....s..A...y.-..\|w.Z..;^...]._P@.g.bO.C8>g.6m.[.I.4>.....~.{u....+o.v.PTK.T#5.)...O..%..q..9.G\|5x.s}f..c;.D.n..7`o...7 .]..{).`8..dHn.M.O.f..)6b.<...w...]...p.w...8..V...7-..$.6N....TvJ.....X...\.I....E1.0.N+.i.h3bx. ..fU..........l..h..0..%....a5;6...A\|L.A7.@..P4...#.y...L[$.!.Or..i.IErA...7.....G+T.....]...1[,.cW.....z..>>....x.P..../Qtz8.<..j.K-,. ..z)..........!..U."K.,=l."^.=y.o>pG;...........8.....%.e...x /..v........"sS.Pt.....5..r.....s........~....%..bb.D...Otr....7.9...[..i75'.......iZj.8d.....wa3...Fc.....1 .F...o...Yg....G+...w..<C..3....d..@P0-.......\.W............kU....'.j....$.....6.a..x.X...&4.v..H/...@h.q.W.'.....C...YJ.3.p:..>JX.0...#+G..;..Zn.v.=@..<...6F..``.5.:T(..X.......L.).y.8{v.M... \.....(;........o..&....y..[.XiKE.....8.O@....p..D....`95q..$..E...(..Z...8Xp...z^....`y"...=.m^q.H.`.E.aj)TS2O..f..m.....*.".{oc.N...\|..t_.d,`/V..L.O..

C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	343222
Entropy (8bit):	5.666747766573952
Encrypted:	false
SSDEEP:	6144:g3MTT14nI7EItVF5ym7PVT4ohC2ug5i7lIlg3eJaoBx577:WMTZuIRTP94YCfg5zRBP577
MD5:	A9F1FFB1E215B45AFFFE7E454DCC082A
SHA1:	BCC32731F6FD700496D4445545366CBAA2565220
SHA-256:	A9CFF7D778289B25BCA696FF4873E45F098BE21F8F4FA3105AE7E2B9B1EF95DA
SHA-512:	C8E692B0ADE3DAE78B1BCB7D8E3C821FE4D5FE0759180F6F44E603ECDA341A8A925CAE5986584E98829007BC56A4744EF0082D1FEAB42781261A6FF7B7B65676
Malicious:	false
Preview:	........Z.9.e.....h.....i.+...j.7...k.F...l.Q...n.Y...o.^...p.k...q.q...r.....s.....t.....v.....w.....y....z....\|....}...............................................#.....$.....%.....'.....L....._.....r.............................3.....=.....E.....m...................................................&.....6.....A.....S.....{.......................................................Q.....c.....k.....t..............................................................3.....H.....a.....i.....q.....x.......................................'.....7.....O.....i.....s.......................................>.....A.....R.....e.....w................................................................?.....................5.....V.....v................................................+.....?.....V............................4.....I.....P.....Y.....i..................... .....".....%....(.....*.....+. ...,.>...-.a........./.....0.....1....3.....4.....5.:...6.u...7.....8.....9...

C:\Program Files\AVG\TuneUp\locales\lv.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 343222
Category:	dropped
Size (bytes):	83422
Entropy (8bit):	7.998060317071943
Encrypted:	true
SSDEEP:	1536:KgA/798KlnDz07sPxXhyPp6U9PkK6T0W/9K2BB1JnvmnFgVp:KgG8Kl3ysPdhKX9x6T0W7B1ne+Vp
MD5:	ED9E8FB7D185E60D93FDAEF84122AF69
SHA1:	2A5F6E2BACEE53AAC76BEB087F367F00AD260D63
SHA-256:	175661F46FDD141D19DDD139033AB51664824F015528CEBAED2269376059C773
SHA-512:	50127A5B21E873CE4DEB3136D9454C6318542C0563F2D262C38284F15C224276767D9B13A32345B72F774953E4EF4F0944C7E8D20FDB4996311CDDF967354C6C
Malicious:	true
Preview:	]..@..<.........6...M.T.>..o.+<.C&;..[..tU...........p..Y,X.E..9.....P.8h...65.....#J..j.+..d.Z.D)Cr.6...."........&.z. 0....q.'...[B.....`....e..E9Y..3&o.mi.....Y=Y.6..L......f..E!&.#.........7.....6o..../.8...k.Xw.v...nU&........~...............HP.^.[..G.iQ.=CM%@.:......R....h8...u....B..)D.pH.........M...P^.&k...@.Z.+...x.23..1......v.e+.....7#.i....+..RR...[X.t......],!.....(b...x.....Q.}..m.....,..K.tE.."..v(m.o_{'.(....r..C..d.e..".....Y?..$.PX.M.?.......'_)v"....O.\|.c(F\..T..N..F.u.;U.pAW^.I.E......T..........k.XA....16.O...v.T..9......p.+X.~..U.~...... ........>@t.hqy..."^.........0q.W.~.\....P..1....x.....u.z6..@....:...~.[.....O?..!.w........."..F.C..LA..YH.....=.e...~...n.~..az.>..h...^lt...K.K.a_%=t..D..b....P.^.Q.L........\|L...r..Y...+k....M#..:.jK.:..+7.Xg.. D...4Y^-....E...^.c........x.&.4...N[0.....F............W.u.C..<.O..?...M...!fui.4Y.]....g.<..D...p.0g.........Z.DQA.4....u..].rd.hp1...S.-.4.>..Q.MN...%-Ku.9..do....K.

C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	803351
Entropy (8bit):	4.313478306040615
Encrypted:	false
SSDEEP:	3072:/rWvK4p0QUbbjJI1lCn3fATVH6xnR4JQua9bX0F5sXyrpuW52HUsd6tTx03DVEt:/rWi+0v/JVATVquJNOISwIW5yUBx03qt
MD5:	5434E2C549029AA898A97F78A65AB13F
SHA1:	0361686F5D38363FDC5F67AA5980B6729FEDD4A1
SHA-256:	990B6559FB32E86DF8045CDF8687FE7176FB810C18B2032FBB1A093D9B2C901A
SHA-512:	D05D6E89E0F313622692B2173F715C4C84F80A7FAE2CA9BC8B1ECDB02B090E5189D40F5777B647E97344AC65A84C284209256A7E1FB45016D170FDE0EB7270C9
Malicious:	false
Preview:	........`.3.e.....h.&...i.7...j.C...k.R...l.]...n.e...o.j...p.w...q.}...r.....s.....t.....v.....w....y....z....\|....}.....................................!.....(...../.....0.....1.....6................!.....a.....\|.....<.....d..................................k.....m.....q......................E............................x................Y...........................+....._..........6.....T.....{.............................5......................u..........,......................................#.....K.............................................:..........,.....f.....................:.....=......................7.....j........................................-.....I...........1..........z...........7.................{...........................&.....5.................d..........Z................q...........n......................%.....U.....b... .q...".....%._...(.....*.....+.....,.>...-.r......../.....0.+...1....3....4.%...5.....6.....7.g...8.....9.%.

C:\Program Files\AVG\TuneUp\locales\ml.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 803351
Category:	dropped
Size (bytes):	92934
Entropy (8bit):	7.998002572988739
Encrypted:	true
SSDEEP:	1536:23upgqRH3seOBaKdCkvIphMyft2PN4S4UuPCABflO5DXizTB+cyvHPe8riZR8:Y2gYXA3yft214xP5E7/fW8l
MD5:	828E1D0BD6747CA39296B804A3B0CEDF
SHA1:	431CE736E6EF736F32CE692C2D82CE7390400DF8
SHA-256:	C4067927D89C1117368BFA2BF001009BF88FA49F0C6D08676912256629B01713
SHA-512:	FFEF9835642711240C821DD32A6E12C39EE68B43A13356547BCE288F731DF6E926EB0BED38C2D5A6BFA335020150054E0A8BEB0592615A7CBDD850007B9614CE
Malicious:	true
Preview:	]..@..B.........6...T_.drR&J5..Z..".{...qeDy.Z.Q..f....>.I`....U. .....,B.xsAPf\.6.~&.5.=.`...6...4Gq&e.;'..(6.qu.;A.C.^....o...o..4=..c...P4wO.....1.5.By.<s:..".`.j..h./!.4..J....N.....e.6..%..~...h8%..p.V.h......Jc.....K..........w..{.d...@m..8.V"....S...t1$.D...3. @.Ovy.E"...i.?...`oN.^.V.J..{...vNH(.....=G.5...N6H_...L.8V..$.^..2>L9L.......! .....H.P....M.h..s..+..........l>.w....[..>.q...Y....G......8.l..^......d?....U6.6..fk...[.@...6f}ned.;.i...U...>[N..p..6G..X1K.P..N..8q[...g....?.....s.u}.[.cv#WF..+D...i...,CV...<...UE..%yn....N..+......[S.,.\|.R.1}...o:....vU(.3C.F..Jh...cL....Wc^.rg............ .y.K.<h9#..gG.>...6..'.G..Q...$oV.S...?}..d...t....?e.(...].....D.,[.8...p....Uk..0......a.i.t.C..<-.m..4W../...^..N...;7........h.`.R..w0..L.&e.$.I.n.?...(....A..,.w(.%E....no.......lY.H.i..b..nS.......NrHq .I.?N......,......U6.1.@ a.qp...7C.).V..@5.Tyz...zrua..O.F...SQ).!.n. ..q.3.qF.W....V..........eM.v}R.B....^4<.aA..

C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	646502
Entropy (8bit):	4.365874297930105
Encrypted:	false
SSDEEP:	3072:1JarOh5zHtsDkLySpM6O2D/lRs3RXuoei24s3/3mHwwN5Pj1FJbBVyXIc30tDzQn:yrurtsUPwHw+c5KbA
MD5:	9AAB1DC6721AFB63ADA134D9D1BC2DC0
SHA1:	F0E309E0570E1595709CFFC570A799E013A2431F
SHA-256:	27BAEBB27C345E367F27B2EA8EB5895C2DADADEA282A0FA94A1B2057859736A5
SHA-512:	9E04AD79A36FE4142544B6D360C0A5227CD7C48E2B0B091085E8D3A011504522DA4584460E5234D705D1A9E1FDF695902102E005A30ED2CB2E021B19CD58A708
Malicious:	false
Preview:	........4._.e....h....i....j.....k.....l.....n.....o.....p.(...q.....r.=...s.N...t.W...v.l...w.y...y.....z.....\|.....}..................................................................d...........................Z.....v.......................(.................................A.....t......................".....W......................>.....].....y...........................s...........................$.....-.....0.....L.....v................!.....d......................./.....7.....>.....J.....m.........................................................................0.....S.....p.......................................R................................................................B................................+.....D.....d.....m............................ .....U.................p................Q..................................:.....G... .b...".....%....(......Q...+.T...,.r...-.........../.?...0.L...1....3....4.....5.P...6.....7....8.:...9.b.

C:\Program Files\AVG\TuneUp\locales\mr.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 646502
Category:	dropped
Size (bytes):	87427
Entropy (8bit):	7.998053811505288
Encrypted:	true
SSDEEP:	1536:JvUULAOK7yAnzC/YP4ZfRobO/ArejlhlYeFOxFoQ6kXlKmyCxV069:JvUOMeAn2EofRapebOekCQ6FmyCxVz
MD5:	862B4199783C09B5A60175BCFC96BB9E
SHA1:	4FCAEC3938EEF952E56C607479E67E3363BCA22D
SHA-256:	C6A58CE8C830D121AB4C28C3992A4446A299A61169E83CC4E1D5E21AC1360D7E
SHA-512:	26B4830A1446FEF8789C96A2F4A4C385EAB3083421469547C5D69FE7DF905AAC2B1E0A221AEFB4960769C30197B7BB4588FC220AF4FEFA7F2B87836DF9DAB2D5
Malicious:	true
Preview:	]..@.f..........6..."J..\|3C........h..;.m;..k.?..8..e..W!.......^V.$....T..J....$..J..]...^9).D'....F.......qZO.....v......V..U.\|.(...G.6..9............%...IH...8\|.7.1..L.<.]. .fL....P..#oS.b.A5;b\ZX..o._.g...tX.....](.6...-y.G..]m...m.1..e&..y...g..:...Z.TuJ..8.......4_......?...h...`.[...N.......K....A.!.0..a.@.t.?........4...0Vo.....~..A...'.....@.i.V?=...zc..D.{..T\\.+......2A#.....w...]...@.i.8...I.,....8. N....+.$~.3a .T..F.Cf].hV...R:...=.,/...D.c...C.j....f....4.s.5.9P.s}^...W%9.[.X"...Z....B.9.`..g.G....+.V&.S...l.n0.>.;.gg............F.Ktf....J+.o.Q.0..;.....'.4..Gd.qL...5x8..(.{.....W..,M..-._.\|.Py.X...@...B.!_...mV..W.5.19...N..3............U^e/..#...?.....nEpE. .+.7O..8..H+...Ig..Da......9?.a>....B...R)g.Qg..w.V....h.c^+.o..mR...01-#..v4`.@...+.a!....Mu.i..l..G.a....B... ...o..gG..........P..BI*...%...OF...@.."OL..qr.g..q...#..G@.;<.....5.=.Z........w......B.U6=,. ....9.<.G....fp..................U.&.(.T.@#^.X.z#}.{u

C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	299590
Entropy (8bit):	5.295212104404845
Encrypted:	false
SSDEEP:	3072:FgKoIP7kvkg/RpJvoo3jWyxKt+sBbg98cukR4KaMF2ex5TW8BPfBSHJoe260p8u1:FghvbBlxi+/KcuENaMD5Tpoo1
MD5:	A5D5CFE69299D29812C9DC473C9CEB72
SHA1:	768D505EA7678AA2D7F7ABA46822DE231F1A94FA
SHA-256:	26457724F3431E3383AC833CBD990834DDA8E5E76B961FF931D171ACA4221626
SHA-512:	C8A8E30E67E003720C2FD20150140370E9E8498E2C385BF7E6CCE8406B7ABAFC20FA249F7C3EC92DEB5D86145D59717D17D758350BB732F8196129CA82B1E110
Malicious:	false
Preview:	........d./.e.&...h.....i.6...j.B...k.Q...l.\...n.d...o.i...p.v...q.\|...r.....s.....t.....v.....w....y....z....\|....}..................................... .....'.........../.....0.....5....._.....r.............................................,.....O...................................................$.....5.....?.....T.....p.....\|........................................................+.....2.....9.....K.....X.....\....._.....j.....{....................................... .....%.....-.....4.....9.....E.....S.....n.....u......................................%.....B.....P.....Y.....d.....z.....................................................................#.....-.....8.....@.....F.....R...........................1.....B.....S.....u...............................................................4.....P.....d.....\|.............................................. .....".....%.I...(.b....\|...+.....,.....-........../....0.....1....3.7...4.V...5.i...6.....7.....8..

C:\Program Files\AVG\TuneUp\locales\ms.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 299590
Category:	dropped
Size (bytes):	72362
Entropy (8bit):	7.997442401792673
Encrypted:	true
SSDEEP:	1536:GIzDAjJRJa0r/RnxhyVlDV1zEE6igp5GJ8nPsmrEym:HzclRJlr5nWVlA1igjGcB/m
MD5:	F08A5F4C999CDC6BC9F5DAD55B0C0F3D
SHA1:	56A281E59D04CF1DD637C9782A3693B77AFFCF50
SHA-256:	682489692CF4D061579017942C37F56FCB5110A4EE56ACEFC4917EDA92D2858B
SHA-512:	D09F6B27C0B34EFE69F91CD416B2530A8975C473B2B6864CBFE571F4DDF10A1B39F08299A5060A43F5F2A45CDD24A904094F5067185435450890B9B749CE3470
Malicious:	true
Preview:	]..@.F..........6...X.\..A!.....G.........8.M..P.......l.a....6...!5...ZCV........>.. ,..E.$j. ..%...X...UDFB.7.S."..^.PX.~...r..S.F..1h...._.n[R#...\|.L...d...&..k....6.B.':...g^...R.:.K7..7.)na..0@.....4.y........DWO.......e.69..G.L...<...ui..pi.\...Ez.k.)I..Nv..t=...{.\|,...@...5.{.........z...O....u%...G.;<....3....U.?......gay.y..~.pB...........9_^..W..H....f.Lx.<....?oj.....d..+u+N.%...o..!....~.I*....o!rM..<.p.\......+m...p......-FV..\....!.......f ....g.`{k........K.8..?...r.=0.....7.....` ..,....8OW}....C.e.....=?..Z....p.......W..R..EyR..f.t..q].;...u..D.4...$......,.`.$..p...Q.8.'.@.S......W.k......;.1..'l..bS.<....Z+.l....D....LQ.U.....X.!K....[PR...~.K.v-"}.U.....\.....'c...HlQ.?go...dST.vil.....~....a....I=.:.yx.Y........b....f.`.a..*..mSkJ%._....V$.w.H..i..j^.........;_U{.,...4b.....C7.=..&.o.....`.1..u..hjv..L.....Y.3..N..c..<... .9.........K.Ma}o./..ay...y...)p.eZ.....DO..Eb.9.7)...B.E[...m$.g.v[...AJ.b...so....Q.8

C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	295358
Entropy (8bit):	5.497984815333492
Encrypted:	false
SSDEEP:	6144:DJkWx4hTpBpHQqibpTKffdQg18i51wR5HqxOqeP:N5xoHpHQqibpTKffdvXm5HqIqU
MD5:	4795132DC7086E139A2AF75A69FA4F63
SHA1:	E8ACBD586CCB9CA0686C7CBF90F0BE5CDA48228A
SHA-256:	8EF002C7EF1D7207B5B41038F16FEF198D2343C0539F14090960D6F1295D8C7A
SHA-512:	466F4A0EB01D2F8D8359016FBA96189F152FDDCF5C041B05A62C5A7B14B3D93B3F2A4C7EBA7E292EB8ACACB65AFA68B9E9ADF4843EF78C410F3D5296656911DE
Malicious:	false
Preview:	........F.M.e....h....i.....j.....k.$...l./...n.7...o.<...p.I...q.O...r.^...s.o...t.x...v.....w.....y.....z.....\|.....}..................................................................,.....7.....F.....Y.....a......................................7.....N.....P.....T.....\|...............................................................L.....[.....a.....g.....v...................................................................7.....J....._.....\|................................................................. .....-.....].....h.....r..................................................................7.....B.....T.....d.....x..........................................................(.....Y.....]..................................%.....7.....A.....E.....J.....[.....x........................................k.....~...................................... ...."....%....(......5...+.8...,.V...-.g........./.....0.....1....3....4.....5.....6.F...7.]...8.y...9...

C:\Program Files\AVG\TuneUp\locales\nb.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 295358
Category:	dropped
Size (bytes):	77044
Entropy (8bit):	7.997524784631874
Encrypted:	true
SSDEEP:	1536:k1bQr+/fYZnxoinBreGdC0lftnEO+L5icrfF06OD7DN3CaZi6R:k1d/gTh7dJCOE5icp0H7DN3Cr6R
MD5:	37577B2FEE820FA1066B0849A6D6E2F8
SHA1:	47CEA4786C13A96CE5885AAA3496680C4F486AAE
SHA-256:	998F4840C4AC106AFA1479C814F24F944A211B459AE3F2195A2D4551E891A53E
SHA-512:	753A7AF1496A21B0D9C68C9412491CDD844E8F2B5DA50E08F5E84E0724ECDE78C67359BBD99C59B4DCA3E3844A8F6EED687C086D5896B1032756F50D1297070F
Malicious:	true
Preview:	]..@............6...7.....@..o.k0..w^...@3P...x!..`p.....@..~.H..o.;oV...((.0.Q.b"A.5B.^.j..N....Y....&..v.Q...^U..O....&Y....C3?4j...g.\..2..h.....E..XK."A..B..-lt\pWu..].[.'.!\....`.\|d......J8K;.u.....y$cT7..9.+..h.To:.L.Q.z..y...P..ol\%%...O(.@....WOhK.... CE.....yT.....PZ.....-...`.I5.G../....s.D.aXo..G..I..{..=.\.d.8...0..K2.ZVB..%...S.3....pA..<.r...:.Us-..L.^9(..I....q.W%S.q".g..gtZ....2S...`/m.......%....L.c5.......>.9E..K...n.;..$...1o....\..:...\|._Eq..Q.\.EI`.j(\|W...x.6.@!c.`.j.m5.i(..67.`.z....'.gP...%.~48..7.......w...w...0..^..a.^.P.W....6sjr.3.p.~4G...._..z^.k....l.Q.Y..t+2N..f.f3]N.q.......^.h<...B.(..1.r./..n0_...wu...veC....d.....w....>...v..K?%..r..W.....d.'...]........R..Up.X...Y4.....^.]....F.pJ.qi...O.......,...<.?!..E....!q....7.]0X..Y..W.....T...wn..:..).o...!....n...1r.G.+B...~A....T.G@N.En=...iP-g.4 &n.e......LC.....n.DX.SF.L..m-.-....n:....f..M...i...BG9_.\|f.g.b.d8OV..4L.:k..Mw........ .........6.b...R......H9~...<..

C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	303424
Entropy (8bit):	5.411136949841051
Encrypted:	false
SSDEEP:	3072:UIcbuybfY3OwqeYpobUHStgOYnswKdNl6+4YO9HO5ocqfZ3t6TuBc6fZlrkB0jaj:UIcHQBtgAH5bqu2Rn59PLKq/kBLd
MD5:	CDAC79EA10A58CF43EC1E5452C5FAEF5
SHA1:	35BEE3062C54F83CEBD26C50718081186023C0B8
SHA-256:	AD97F1708909BA1C2D6119DE7536448805F00275273A8B33E743DBF2E7AB2456
SHA-512:	D9B907C229742808561E87FAE306B8E65948ED60B21E90981DE1761F162CEFDFB95705EDF375BF686CEC15F7766ADA2969FD7428F5AC4334EE83D7D1FA8B4947
Malicious:	false
Preview:	........F.M.e....h....i.....j.....k.....l.)...n.1...o.6...p.C...q.I...r.X...s.i...t.r...v.....w.....y.....z.....\|.....}...................................................................-.....9.....I.....Z.....c......................................'.....9.....;.....?.....g.............................................................J.....d.....i.....r....................................................0.....4.....7.....B.....Y.....n.............................................".....)...../.....=.....M.....d.....k.......................................=.....P.....`.....j.....x.........................................................................7.....A.....K.....\......................".....^.....s......................................................#.....6.....S.....v..............................................+.....=.....E.....R... .V...".`...%.\|...(.....*.....+.....,....-........../.....0.'...1.a...3.m...4.....5.....6....7....8.....9.....;./.

C:\Program Files\AVG\TuneUp\locales\nl.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 303424
Category:	dropped
Size (bytes):	77250
Entropy (8bit):	7.997951491581257
Encrypted:	true
SSDEEP:	1536:PhzkExcUC4CUZLuH5uYkk5+UdlNRP5tH/c1TYicilkd4m:PhYEx0pUwZuBkgUdlVtHE1be4m
MD5:	637C7F488631E9C6F86BA4B34D870F04
SHA1:	E824740A1F90B13687AA62FFEABD494714425A94
SHA-256:	FDB73DE0B120333682C943F592F167BD148FEB5BA03920186D4EDA8D1F8EAC5E
SHA-512:	134592EC02C84F271B398DA86D7703F1744BEC90C7D2992320D0E65A4406E59474BC8C291FD15005A5053749B3885F9BA4F89983CCB74A0794456D4ACA98D2DE
Malicious:	true
Preview:	]..@.@..........6...7.....@..o.k0..w[....`.......f.,...9...So....S.....w..UN...z?.......D_....4P.Z.;M..LB......W.q.j.<.......X..s...9..Ft...`"Y~.r\|.frt.2vCR.~.m....E............pR.<P.....!......\|$......l.eW.N...X#HwG..;<[.Ka.....Gu..-A.8.?..8..m.mFY..8.....+.@..#X.9.\|/HM..Q!:..\|....&........Xd......s..G.6W.Rus..jr.2;s^O..6.2.R.[.6.0X...6.6$.z(.+4..4.Y.>.b\|P....7i..."&.. ...B....J..i..lCae.:..PIbk{.............,......3.J",o.w\.Y..`D.!...w....\|.i.u"..`... ....J..,.Y.......\../\.:...>.$.<....v...fF#I.........e...;.....{A...I.s.1.k.r:...1..@..p=n/..^..3DQ..]...V.D...C.{.?./...:P...@8w.....a..ys<..MD.P.lwC.....W.....2..q.z..J_v?....A........V..V8....#.i\..!.......ra..}.......JZ.......=).F%.....].....3./.V.C.....t..xr.'2.....m.9.vm.K...LN.....D'.hc4y.Y/.\|j.C...dT+...^,.)..d.l..R.J......<Y...[9......oy....r\..qN..H..?.F.....<._..Py8p^w..`0C....Z....Z......y.Q......7@}a..aW..+._...9.....dk.J...[...".J....6h.Q.r...[...3..6..T7....Q..-Q....;.Y.

C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	333313
Entropy (8bit):	5.80290027820408
Encrypted:	false
SSDEEP:	6144:lhse1/aLQCiOKbKpXvBCUd4UsGmNA1QhP5bm4tP7uL:lp1CkCiOKbKpX5CUd4UxmNA1QhP564t+
MD5:	419E3F381B0E0F080EC230A9F1B80E66
SHA1:	C279FF058F3F3EF086715EA2206F24CF7AA75818
SHA-256:	A5FDCD13F711D4665D1960F512F1BD229DBBACB24C86BBB3773A905E2DD24B33
SHA-512:	D7896CE61B64AE92F5AF2774F3A996516D24E89D7CC6F84429CBF3F70AA3D87404FCA8C6D242B5A088BDC1A7A73E229628CA7DBEC81D6976734632CB5291E9B7
Malicious:	false
Preview:	........I.J.e....h.....i.....j.....k."...l.-...n.5...o.:...p.G...q.M...r.\...s.m...t.v...v.....w.....y.....z.....\|.....}..................................................................3.....B.....P.....e.....n......................................X.....m.....o.....s..................................................2.....=.....L.....e.....v.....\|..........................................................(.....-.....6.....;.....P.....e.....z.........................................................#.....1.....C.....N.....^.......................................4.....>.....O.....X.....h.................................................................................'...........?............................t.......................................&.....0.....5.....J.....o.....~...........................(.....e.....\|..................................... ...."....%.....(.+...*.K...+.N...,.l...-.........../....0....1.....3.....4.>...5.\...6.....7.....8....9..

C:\Program Files\AVG\TuneUp\locales\pl.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 333313
Category:	dropped
Size (bytes):	84378
Entropy (8bit):	7.997883201947334
Encrypted:	true
SSDEEP:	1536:GoUtlNAXHNY2LzNK50G7/p6Jo6KHR52vasgUrPOcOPromHA:zolNA33zYXbwXKx52yerPOcOzoP
MD5:	1CF629BB08B0E032544561FC45022F01
SHA1:	B584528232F41ACDB0AE15F2E888067BCC739FC9
SHA-256:	2D34A7C0C94D707348D50FE6A7C8027EC6F2820DD81031F34BA76B327674F721
SHA-512:	C80C70E651D4C6E42AF668B7CE7ADF692B158CBC001841DB473EA8555AC2D8ECCA4D6C32164681D1E9E9E9C893B6659A844E84E0F7956C89336AA9E4077E7ECD
Malicious:	true
Preview:	]..@............6...:jm..L......f......... e....Ictu.....6b..q..........x.y.E..X..Q.;...{.-V9.....&..NA.P....N..."..5/k.. 7R../Qy......F~X..hp...I...9)sU...y..Ro....{..M....y.......D ..>..].2...4..r...9..A...f{n..\|I.%C..I~<..\|..eG#..QQ.vY.........5.R.w.N....E....'Z?.5iD..G.Y..A.#.U[s,;b..#.:].FBu2...#.GX...s....1#}Z.\.BP...;.......p.4aO\sz..._.....>...o..Ze..!.t.~{M........[.j...Y.+.D..L8;.v.t...k..-.....\|...+<.?.I...,./G....w....b8.-m.>9..Jy.[;...ce...<&.Q...j.s...X..$..%......g....@.d._...4...=......<!.C../.A.l.v.q..$..P^.J.s.tk4...G..ed0.g.Y...n.M......'+....P.>.,...q...nXx......38].c...H.p....}.0U\|.at'.#...Jo...`....r4.N.(ufe.@.B".G.....U.Y..nP......2+..S@r...T.....yq..o{+....l...>j!"N..O.O..n.PYS...e.>..Qc.9\|.X7C^.....W.{..k.T......l.i..T...=,..O...E.....$.dy..u.......v8.hC...L..N\Zv%..k.!...V...L<..6..P4..[......K.+]..E....z% ....4e.+_....0.?..'y.%.@...g`3H.M...N]..<.....Za....-D.l-..O.i@.n.u.>..S........B.?....vr.J......2...z!.f

C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	dropped
Size (bytes):	316456
Entropy (8bit):	5.472702559802684
Encrypted:	false
SSDEEP:	3072:KZFnTvQrCdVjSFt/SWHMPl4cxdfqwNBZBLV1+bxSW7n5OOTcYAyVxJB8V4HQ5NNW:KZawNGqnNBZBLub9Gn8w5N8jJLNZ3
MD5:	3A4F9D62B91BC0EEAB11F0865D4BE286
SHA1:	C56A98F46B9F0EF8C5180D176CFB7773A05CE941
SHA-256:	3051442A3E905DFDFB8F17F49D12A3722C511FAF9ABA0FC86D577DAC90E3B654
SHA-512:	39A81774C90476E4E8AB80B0784A8923C698040F51CD6ACD08A50B5D2F90A7A22242296CA5793CE39CCC93120DF3F40EB2ABAF6317FFED8AEBB986FF28946081
Malicious:	false
Preview:	........g.,.e.,...h.4...i.E...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v....w....y....z....\|....}......................... .....(...../.....6.....=.....>.....?.....D.....l.....~...................................%.....1.....9.....c...............................................................#.....1.....T.....m.................................................H.....a.....g.....r...............................................................+.....D.....W.....].....e.....l.....r.....}...............................................).....X.....z...................................................................E.....L.....O.....P.....Y.....b.....k.....r.......................<.....D...............................................................'.....E.....Y.....m............................5.....N.....T.....\.....j..................... .....".....%....(....*.....+.....,.%...-.6.....^.../.r...0.{...1.....3.....4....5.....6.1...7.E...8.]...9.p...;...

C:\Program Files\AVG\TuneUp\locales\pt-BR.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 316456
Category:	dropped
Size (bytes):	77958
Entropy (8bit):	7.997688339553165
Encrypted:	true
SSDEEP:	1536:fwS/L/RNadnsU+H8Z4Pi3insFCCjmXkSLpDCJygk+KlVJct53r:IE/n+KJZSdqXhmJygylVJw57
MD5:	824A595BED60BDFBC625BE3E0820D2C4
SHA1:	B682A192A73CAFD4927ED7F62688FABAECB6A511
SHA-256:	FD4BD884BC2E0E08DD206CECBEBF4CBB56BB3F84FB0EC4264FD3AD784CAEA3F7
SHA-512:	408262D8282412B3622463D465CC018F04398FD8FC0E87D2A440917EAA32C716B82FE22860AA330C5A032B57554FCA024302AFD3F04930D8A9E773D460E95D6E
Malicious:	true
Preview:	]..@.(..........6...\F\|.0.......F........V.y.H.....h../.........w_....oO..U_..p.E.;/...{@e.;....n.0... <..T`<.Y..,P.....?..D.bfG.\...>Do;.c.....[...?.8..&.G..!..a.}..)pzs...o$5..`%..(..\|.@....4x....!.JY.(O.~7b.u...Py.$..b....M...?..%.bH~...~X.&...D...,a..&2)s.%m..F...{....M.G..N...;....pvR..\...X.,.cS.,Gd...,...z.....+..i.7...0 ....c.&G=i..Rq....L}gx...K.m,...^..H.J.8..v.9.yD?>.}^oV.c..N..S.q....._\.....K...B0......!6&.@.n..<.\|...o.=.......G...$. .h4<)...z.#....Y....P..W.I.9>H..`..Z.f.Uw....S...c.....tXm.z.y...!.0M,X%...jgC.......3.$.ZW_....95.qI...0..S.q3.N.....5b...Y.s.........5.... ...h./.<M..5.J^.....O.....}..TJ..{<..9...?N.t.....Z.v..(e.3...4)....J.7.h..d.i....t..]./.+i.-..\|....z.w..M.V....,...v....Q.YE...s@.8%..s...Y.\|.$..V....u.}>4~H.+...;."a....\..H\|\.}r.(...%".o$.w..\u ...h>....j_..0$y. r..ca.....:.... +V...nh.O...Pm.._.4K.o1d.....[<.?....M.`eC..jY.b.z.*.......cg.......r?})..Y..;t.....A..@3..s[......p.C..h.)!y'.`g.o........

C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	data
Category:	modified
Size (bytes):	320833
Entropy (8bit):	5.443001510995313
Encrypted:	false
SSDEEP:	6144:zfA76D8xoYXx3eJnJJxU2Tade/u5dazF6:7A7iwJX12TU5Mk
MD5:	4FBEBC23D7A0AAA6DCD426777898BFE6
SHA1:	959CE4FA97C24143C3DC28E9420E6D6C76A7266E
SHA-256:	3CDA10980A23DE97163A2C06B31829CCA1EC3DA63B0BB0A246126F402C19B16A
SHA-512:	A1C4052A40059DD5A417D87935C9700C3CD127B63AB9191CA62E448B09109762906638C5D80ABC0565711425F52C5EC3FFFEED87AAE70C0888199C45A4374880
Malicious:	false
Preview:	........k.(.e.4...h.<...i.M...j.Y...k.h...l.s...n.{...o.....p.....q.....r.....s.....t.....v....w....y....z....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....u.........................................0.....<.....D.....e....................................................................8.....\.....l..................................................8.....Q.....Y.....d.....t.........................................................(.....L.....\.....b.....j.....q.....w.....................................................%.....4.....a...................................................................A.....U.....\....._.....`.....i.....r.....{............................G.....O...................................................!.....&.....=.....^.....s..................................S.....l.....r.....z........................... ....."....%....(.....*.....+."...,.@...-.W........./.....0.....1....3....4.....5.6...6.}...7.....8.....9...

C:\Program Files\AVG\TuneUp\locales\pt-PT.pak.ipending.a168df30.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 320833
Category:	dropped
Size (bytes):	77545
Entropy (8bit):	7.997769355093935
Encrypted:	true
SSDEEP:	1536:XcpW9Etc/069JCiIAQjijtVCUHkHwpcJ8jHmVZ305AFJNmr1STEcVjRP:XoW9Ei/1JPIAcEzHWrJuHmbFJNgITEc/
MD5:	F0274A4B1B65343C7F95CCE48608637F
SHA1:	7D1EDB0149B7E255A6C29E54DB7BE6694240008D
SHA-256:	78DF550675E3B1CBDA4B9501BF4810B62FC053BF95DE611B4C733D2F9B4DA9C5
SHA-512:	9BFA410C94DB5A03CBB731D139A8C9A0C631A06E88C77CCC0D4FE257721F9A5F143931864D3D0CFEDB806F4A83B98AF4B29E8E420713990CD6BFC04CAE11F6F6
Malicious:	true
Preview:	]..@.A..........6...`.;x...4.Z..pk/Q]v.......N.(.7...e..>gw...H .x.T..m.J$b..%?.Mz.@...p.....S.... )..v........`.b..M....n.^...N.>.R.Ag+.[.S.....q.{jz.B.$[...K.[W....a..ki..H.b.S....<.L...y8.E(.?%.jO....}.....M,.M...a....>.^E.<...K..a! D.(..d.@...bt.. G..T....I.Hi)...X..!.j.0?."..(.}...~.+2..J._4.{.Z<..}..~...:2J..dj9...7.L.......e.[zNp.+JT.R...P...6.#.5.x..=L....-.WT.....$w..'..`.:+..8.....)?.-s.0....<.q..q.)..{....V.J....[.C.../...%...A.h..$.!zbG...T=..........p:9".]II9...A.....K....T...B..F.<..g4,...m1....uq.Z.zBv.HwU%...A.@_.wdO..W.~S.......K..?T.Rd=.;f.g.[...O....o?T..QV.w... .....,..V....dK..]...9/].1./..t...%y...G....Vh..W.YG.$...S.M..C.w..".ve....U2..Gc...m......i...S{.... .Y..g.@.......@......h.oc...5.}...[Gs\.3-V"....TY...,.y.Cj...y.!w...C.S.f..~[.2..$w.\|.B..^d..0.U3...X.ap..T......r.+.7.c.\|I..$[.`...n..,......F..W..q..m._)x.J."P!X...8..!.......p..\.F.f..k.Z........G..}k......l.e:d......4e.)0..;K....2..W..n>..1.k.t.v.......8G...

C:\ProgramData\AVG\Icarus\Logs\icarus.log

Download File

Process:	C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (412), with CRLF line terminators
Category:	modified
Size (bytes):	671474
Entropy (8bit):	5.30392970289658
Encrypted:	false
SSDEEP:	12288:dhBt5uqD3FDIc9CO4D+EFOFOe+hxrhhhc+Su2+muS4umih3kWKcG2QOeuKgRTWHP:dhBt5uqD3FDIc9CO4D+EFOFOe+hxrhhx
MD5:	07D4084E9407D2EB091B1388355062FE
SHA1:	1E6EDF52D41C226D2A6889A1E9395936C9BB5CC6
SHA-256:	974B77EB2FA2CCBA963203227DC3B36D222CFB16B06AAE13D6F0F88821E92830
SHA-512:	8FF4574ACA98765354E9401F56352CA5246660DBD33347AA9EC8CB26A56DC529A6521A60AF97BC2D7D115EBBED90EE80C9851D2F85C1BD4B2DB88682009A145E
Malicious:	false
Preview:	.[2024-07-28 22:53:51.486] [info ] [entry ] [ 2700: 1936] [D7F617: 36] Icarus has been started...[2024-07-28 22:53:51.486] [debug ] [settings_lt] [ 2700: 1936] [618A66: 190] generic accessor for scheme registry set..[2024-07-28 22:53:51.486] [debug ] [event_rout ] [ 2700: 1936] [95598C: 49] Registering request fallback handler for event_routing.enumerate_handlers. Description: event_routing_enumerate_handlers_handler..[2024-07-28 22:53:51.486] [debug ] [event_rout ] [ 2700: 1936] [95598C: 49] Registering request fallback handler for event_routing.enumerate_handlers2. Description: event_routing_enumerate_handlers_handler..[2024-07-28 22:53:51.486] [debug ] [event_rout ] [ 2700: 1936] [95598C: 49] Registering event handler for app.settings.PropertyChanged...[2024-07-28 22:53:51.486] [debug ] [event_rout ] [ 2700: 1936] [95598C: 49] Registering event handler for app.settings.PropertyChangedNull...[2024-07-28 22:53:51.486] [debug ] [event_rout ] [ 2700: 1936] [95598C:

C:\ProgramData\AVG\Icarus\Logs\sfx.log

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (1462), with CRLF line terminators
Category:	modified
Size (bytes):	25429
Entropy (8bit):	5.514224885291865
Encrypted:	false
SSDEEP:	768:CHHU1ofUyFD+9Dik/DwuuZOh9oe8G4We/aywMd:CHj4sXgUyMd
MD5:	DFC43E98AA1C9465F6FFEE6290578558
SHA1:	8FDD2631C4965B09B245D2EFB47AA26C65CCE96E
SHA-256:	23084277B848244881C37464941C945D20D66BF427A089BA7BA79A51A87B661C
SHA-512:	DB7F274568DC52FB8D9DFF7BE97EE7F87E33A016FEA7D38A700E0C0FC820388C8CE69E319E0B3F537B201B14291D3B46D3C7DA136CE337C10EDF9A8D37E222D8
Malicious:	false
Preview:	.[2024-07-28 22:53:31.780] [info ] [isfx ] [ 2860: 2500] [EB791B: 171] * Starting SFX (24.4.7245.0), System(Windows 7 SP1 x64) *..[2024-07-28 22:53:31.780] [info ] [isfx ] [ 2860: 2500] [EB791B: 172] launched by:'2580-C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp'..[2024-07-28 22:53:31.780] [debug ] [device_id ] [ 2860: 2500] [CBE04A: 70] Storing the new fingerprint..[2024-07-28 22:53:31.905] [debug ] [isfx ] [ 2860: 2480] [2B0518: 61] Sending report data: ({"record":[{"event":{"type":25,"subtype":1,"request_id":"39c55626-dc49-41a3-bdc8-ab79825826a5","time":1722207211780},"setup":{"common":{"operation":"install","session_id":"78b8c4d8-8a48-430c-af87-73be15d899e4","stage":"sfx-start","title":""},"product":{"name":"sfx"},"config":{"main_products":[{"product":"avg-tu","channel":""}],"sfx_ver":"24.4.7245.0","trigger":"2580-C:\\Users\\user\\AppData\\Local\\Temp\\is-HKSI3.tmp\\Team Fortress 2 Brotherhood O

C:\ProgramData\AVG\Icarus\avg-tu\icarus.ini

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	157
Entropy (8bit):	5.048201944549032
Encrypted:	false
SSDEEP:	3:tv+psQ4VKIuCoVENjpbrikf6EI85ZdIQLvgaRIBLICy:tmpx4NQVumkiEI85fInaRIBLpy
MD5:	E9A9820265B43966271C2B3F0144F267
SHA1:	51CB985F02F69A1AD6583D24C9BACC4244CE0C57
SHA-256:	CFCEA0B0BF38A02AA9E8DA9C9387537778F9C912D9CAD5A804B9EC699CDB52D7
SHA-512:	382C19FAE97FE9849117D8D96658CAB4812077FBE70DE796B1532A3A0F6AD01E527844970C1DAA03E56C47661DC3DCBC4E136B8827610823436EAA7454D5E3E0
Malicious:	false
Preview:	...[avg-tu]..company-install-path=C:\Program Files\AVG..company-reg-key=SOFTWARE\AVG..product-dir=TuneUp..product-reg-key=TuneUp..program-data-dir=TuneUp..

C:\ProgramData\AVG\Icarus\settings\proxy.ini

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.4584396735456933
Encrypted:	false
SSDEEP:	6:Q9oPdKwo/e7nwY0ow+lGUlYlUlulnvm4HflKmaGHfltNv:QCFKwh7CaI/VJNKKHNX
MD5:	B8853A8E6228549B5D3AD97752D173D4
SHA1:	CD471A5D57E0946C19A694A6BE8A3959CEF30341
SHA-256:	8E511706C04E382E58153C274138E99A298E87E29E12548D39B7F3D3442878B9
SHA-512:	CF4EDD9EE238C1E621501F91A4C3338EC0CB07CA2C2DF00AA7C44D3DB7C4F3798BC4137C11C15379D0C71FAB1C5C61F19BE32BA3FC39DC242313D0947461A787
Malicious:	false
Preview:	......[.P.r.o.x.y.S.e.t.t.i.n.g.s.].....A.u.t.h.o.r.i.z.a.t.i.o.n.=.0.....A.u.t.o.m.a.t.i.c.E.n.a.b.l.e.d.=.0.....C.o.n.f.i.g.U.r.l.=.....F.a.l.l.b.a.c.k.=.1.....P.o.r.t.=.8.0.8.0.....P.r.o.x.y.N.a.m.e.=.....P.r.o.x.y.T.y.p.e.=.0.....U.s.e.r.N.a.m.e.=.....U.s.e.r.P.a.s.s.=.....

C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Team Fortress 2 _65d97015fd99e809576c135c79dc4d5958fc5_0d9e78e8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Windows Error Report
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0617446637616301
Encrypted:	false
SSDEEP:	96:jdZbrVzx5Vr7p5QXIQcQ3c6+cEFcw3pNl2KzvlWmvbPgITIM7QrAnkjYPi7MbFYt:RKHJ6PX5zvpXVtKQvLLi
MD5:	6374C5609A67269739D0D2113C84E3F1
SHA1:	B97948FFF66CA2380F82D936F16AF48ECD64ACC8
SHA-256:	8917CB203108D6B3F4B8CD2F5E81C1B208A611F85AD2BA853981BE216BD3EB6E
SHA-512:	B37ABEA39C7863A01F22DC5C6096841E29BDA2502FC93441283F07147353004356BF0015BFA32A7903CAEDC12418C4E141CC42CAE77705D4EE43ADF2CB9D9D93
Malicious:	false
Preview:	V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.6.8.0.8.8.5.8.9.9.2.5.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.6.8.0.8.9.1.7.0.2.4.3.3.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.e.e.4.b.a.5.-.4.d.3.4.-.1.1.e.f.-.8.f.3.8.-.e.c.f.4.b.b.b.5.9.1.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.e.e.4.b.a.4.-.4.d.3.4.-.1.1.e.f.-.8.f.3.8.-.e.c.f.4.b.b.b.5.9.1.5.b.....W.O.W.6.4.=.1.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.I.d.=.2.8.8.8.7.5.8.0.7.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.T.a.b.l.e.=.3.0.4.1.0.3.1.0.8.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.T.e.a.m. .F.o.r.t.r.e.s.s. .2. .B.r.o.t.h.e.r.h.o.o.d. .O.f. .A.r.m.s._.a.e.z.-.L.U.1...t.m.p.....S.i.g.[.1.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n.....S.i.g.[.1.]...V.a.l.u.e.=.5.1...1.0.5.2...0...0.....S.i.g.[.2.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .T.

C:\Users\user\AppData\Local\Temp\6358C710-B89F-46B9-93F2-F6CAC44F5286

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	3.866567407921031
Encrypted:	false
SSDEEP:	24:V98uCQe0jF+aOPP8Fssv8FhOtgqQKGYrA4fmbEsL6aIvnqvVcTW8TA:V98uNMavF7QlaA4fmb/uaQn4KTPA
MD5:	68D492BC5F73F514EA48359F518A2E5C
SHA1:	CFFFF4A680793F233D70C78237DCA756102D1EB7
SHA-256:	D988628EDAC4EFB1B98F4B96349FE0ED25DA53548C5E2C778FA2D505402AA146
SHA-512:	539FC8E601A3A7DA0373ABD276F21EB4C2C200DB91183E4BE7CBD669DB885C62A5C83D9C7BBCB35058DEAC3530FA26E5C5A50F1E7F9A99093160A4994245001F
Malicious:	false
Preview:	A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.1.D.L.+.Z.a.9.o.s.E.G.Q.2.f.Q.W.q.A.w.p.f.Q.Q.A.A.A.A.C.A.A.A.A.A.A.A.Q.Z.g.A.A.A.A.E.A.A.C.A.A.A.A.C.t.e./.i.E.y.C.h.J.g.6.z.F.c.W.B.E.Y.z.o.x.L.3.4.i.N.m.D.r.K.7.R.5.C.U.I.s.f.a.G.W.h.w.A.A.A.A.A.O.g.A.A.A.A.A.I.A.A.C.A.A.A.A.C.f.K.i.f.C.E./.B.+.j.I.x.C.9.0.8.I.8.8.o.r.x.r.m.X.F.m.e.O.J.j.d.N.p.o.w.u.A.q.b.4.k.c.A.A.A.A.C.V.C.e.q.X.0.0.h./.L.f.0.a.i.r.F./.S.B.y.Q.a./.a.n.v.F.v.l./.z.l.y.b.8.5.A.x.s.g.S.Y.W.A.x.t.0.1.v.T.r.t.Y.y.9.m.l.e.O.8.z.5.9.E.H.E.v.j.N.H.C.f.H.S.T.t.e.H.k.W.+.n.A.F.b.w.W.h.y.m.W.s.8.z.g.R.w.j.+.d./.f.f.x.a.O.V.l.H.Q.d.9.H.0.x.P.A.y.k.0.D.X./.P.k.u.l.8.2.P.J.h.A.Z.E.P.F.O.x.J.v.L.P.n.q.K.U.l.C.1.J.Q.W.v.l.d.u.k.V.t.P.3.m.o.8.2.l.3.G.Z.K.T.X.z.U.n.H.J.h.k.0.A.y.V.M.f.t.n.N.4.p.P.l.B.O.v.J.Y.F.N.b./.Y.P.u.F.n.c.i.N.U.+.J.X.1.X.M.w.y.p.P.a.c.T.M.3.9.p.m.J.E.m.5.0.J.W.n.B.t.8.K./.o.b.H.8.N.z.Y.I./.K.D.N.e.t.A.A.A.A.A.8.g.9.+.y.S.R.K.H.a.h.n.N.w.O.f.J.K.n.b.G.V.L.n.a.q.l.T.R.x.r.M.P.T.J.V.M.o.X.W.M.z.7./.

C:\Users\user\AppData\Local\Temp\CSCA4C8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.127625715476284
Encrypted:	false
SSDEEP:	12:DXt4Ii3n6E+AHia5YA49aUGiqMZAiN5rry+1ak7Ynqqr6PN5alq5e:+Ro+ycuZhNz1akSr6PN8qM
MD5:	7BAAEFC2CCFB20FA9133338AF58A39BA
SHA1:	FBB86E050B8772D809149CE4286488B65ED93E79
SHA-256:	5BFAC813222D0351775CC9620E2647F85BE5E40B79A5BDB19EA103A6352474E7
SHA-512:	488A41044CC25CF7DD8936240F81B0EB5E96CC0ECD158F67E1AD40D12572318E3A70B426B90DB03D20B7B66FEFAA4EE6263B865D5247FCAB1E69457FA9EF8653
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....1...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.q.g.r.c.b.u.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.q.g.r.c.b.u.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...1...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...1...0...0...0...

C:\Users\user\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	2.8278195311147836
Encrypted:	false
SSDEEP:	3:jlWlPaXljlclsXlalm3w8nz:olPUjGacJ8z
MD5:	5AD9A4BCAD812E0207F4B254733AAD98
SHA1:	3D22B9D48770F814E18BE353E50F7C8CEF0855A5
SHA-256:	7E9DE03D0E86614B70F8042E9BA296D1F7749986E3734A2BFB5544EA91AA9FB7
SHA-512:	BC500A6E05EC708BA26459780D2A56936C6F062AB8EB04A83F0DBDE9D7731677187D2F7713DA8FB7672D24CAB3401E97474F7F569637EFBF718024D90770B30D
Malicious:	false
Preview:	8.F.3.0.9.1.9.2.2.3.D.1.9.A.2.0.B.C.B.8.B.7.D.7.E.5.1.8.D.8.A.9.

C:\Users\user\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.8540015217893404
Encrypted:	false
SSDEEP:	3:5lTcKtdeSlRlxFq+3PBSlVKblSlXen:7Tc0ESn53PUloBSgn
MD5:	2259983193F7BE30C9917FCA4652AFB8
SHA1:	8E24E47BA2C169EE84B98B23D22F7FCAB5F3570F
SHA-256:	8DC2D34DF2B8FC99C15D8656517BDD4BD8F6F332455194AAC15BAB990CDE28EF
SHA-512:	3B7E46F24E9F20C3F1E5389D56C801FE9A6AD3215F53A480DB329C0147ADD6C115F7F847DB7B432D4871E7BF974AAB70E0CF420AC5B60358059BF7862551B564
Malicious:	false
Preview:	1.b.6.5.4.d.9.1.-.7.2.2.a.-.4.e.1.8.-.9.7.4.d.-.2.0.d.6.c.0.5.d.7.2.d.9.

C:\Users\user\AppData\Local\Temp\RESA4C9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x406, 9 symbols, created Sun Jul 28 22:53:59 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	3.658177352512091
Encrypted:	false
SSDEEP:	24:HxJ9YelUn0XdHYUnhKbo+ycuZhNz1akSr6PN8qGtd:melU0tznhKbVulz1a3r2FGH
MD5:	044B3A5009CC59C177E2AE0D0B7EE186
SHA1:	C18FCF5A06534247985C0A5033DB6F24F01F13FC
SHA-256:	172DE5B1DD5A59A10E002466D0A3BC40B3A92D3C035DE6A6638A1D9A99A363F4
SHA-512:	97D393AE0C95B951D629FC6F8891E4EBA9954A8154BF96B3CE116054E65F9F498B47220FAFD6D1B7DF3ADC569C956AA4B0715C34B68C5102D063D29C1A48389D
Malicious:	false
Preview:	L.....f.............debug$S............................@..B.rsrc$01........X...T...............@..@.rsrc$02........P...................@..@......../....c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp................{..... ..33...9.......c...4.......C:\Users\user\AppData\Local\Temp\RESA4C9.tmp.+...................'.Microsoft (R) CVTRES................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....1...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.q.g.r.c.b.u.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.q.g.r.c.b.u.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...1...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.

C:\Users\user\AppData\Local\Temp\WER7022.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3716
Entropy (8bit):	3.7028110230527433
Encrypted:	false
SSDEEP:	96:Shz4tU6o7VxBt3uhPgHR4adnmGx3SHlMj3:Wl7LBNuhPgx4InmGDD
MD5:	DA281E73FA4DC5500D58BD13709BF65D
SHA1:	0A33B27698CBDFB6F05816FE5083B498D9D50F3F
SHA-256:	D12E94A3F015DEAA679A18C23BBE31F359F9990B6981E5E1B2530E6C97405AF1
SHA-512:	C668317D5A9B0F55598904A4A012C5B9088D46B7851E78217EBEAC10D156DA96B8328C8B5E16D5C035CCCA60BDA8B9DC273436D7B41432A298975147DDC0508B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.a.r.e.n.t.P.r.o.c.e.s.s.I.

C:\Users\user\AppData\Local\Temp\cqgrcbua.0.cs

Download File

Process:	C:\Program Files (x86)\WeatherZero\WeatherZero.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	21196
Entropy (8bit):	4.621163126493091
Encrypted:	false
SSDEEP:	192:Fb/klKRnWh5mbyV/Z0TAFyeda+1qRzXd/ceB8wqp48/zc8z:1cmRO/NfqRRceB8wqp48/zc8z
MD5:	E9AEF2DDF04B3A404B79E36A6EE8080E
SHA1:	656255902D018E7FD77BA5C7A752977AB66581A3
SHA-256:	E24FCBFDC73B76213CBDC309A1952C191A4B052D49193F72572B1634BE057D15
SHA-512:	80CF41AFF53B49CCA964CD3A32B2E89476D38869901148C1DA2D2F05E1C9EB1FCE175E0D885368952F43A07F77AE3D8C4858D1D6B932D53E0BBC300639686B28
Malicious:	false
Preview:	.#if _DYNAMIC_XMLSERIALIZER_COMPILATION..[assembly:System.Security.AllowPartiallyTrustedCallers()]..[assembly:System.Security.SecurityTransparent()]..#endif..[assembly:System.Reflection.AssemblyVersionAttribute("1.0.0.0")]..namespace Microsoft.Xml.Serialization.GeneratedAssembly {.... public class XmlSerializationWriterWFSettings : System.Xml.Serialization.XmlSerializationWriter {.... public void Write5_WFSettings(object o) {.. WriteStartDocument();.. if (o == null) {.. WriteNullTagLiteral(@"WFSettings", @"");.. return;.. }.. TopLevelElement();.. Write4_WFSettings(@"WFSettings", @"", ((global::WeatherZero.WFSettings)o), true, false);.. }.... void Write4_WFSettings(string n, string ns, global::WeatherZero.WFSettings o, bool isNullable, bool needType) {.. if ((object)o == null) {.. if (isNullable) WriteNullTagLiteral(n, ns);.. return;..

C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline

Download File

Process:	C:\Program Files (x86)\WeatherZero\WeatherZero.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (400), with no line terminators
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.554311127745738
Encrypted:	false
SSDEEP:	12:p3rfyAlvBvgOknoT7z5dz0rHc9ow16P1F:VLyfOkn8zrzKW1c1F
MD5:	C39D9B28E876FE6DCC967B8DBCE14AA0
SHA1:	397AD1CC45EBA73890A564B79D1F29C02A8C8FDD
SHA-256:	0138E88AEDCDA131D97945C483AEE56185175E189D868F39E01EE5FA48A9989D
SHA-512:	10A84BD2C17971A16645E26B449C4BDFC11AB10AB690DBBF3D9CA089F4FB5F02B31D05A95E2405B1FEA2B33B62A29038540211B6A9295C969980BD2C917F2FE4
Malicious:	true
Preview:	./t:library /utf8output /R:"C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\cqgrcbua.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\cqgrcbua.0.cs"

C:\Users\user\AppData\Local\Temp\cqgrcbua.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.902419272796792
Encrypted:	false
SSDEEP:	192:4FMuSDpPn4x3i9k2XMIczjqcOAmHXryONVRYX82/cCEnT:duSlP4D2cILNpPYM9COT
MD5:	8B172C41427BCE923F994129AD1EA146
SHA1:	F414305C677A12D97F6B5A851132C7B8CF91BAD6
SHA-256:	14A620FEE68401CE4C1DE38BB0EC580B0001056FAAA97A7604349C5775875477
SHA-512:	8710B7108DFD2E7FBE813FD07320A19E6BECA128E6F73128A233EEA55AB9A549F5B02B17D1F2A4DAE8E1F974EAEEE23926BDE6C1CB19DE7C3FDBD07119E46278
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f...........!.....(..........>G... ...`....@.. ....................................@..................................F..K....`............................................................................... ............... ..H............text...D'... ...(.................. ..`.rsrc........`.....................@..@.reloc..............................@..B................ G......H........-..<.............................................................(.....-..r...pr...p(.....(.....r...pr...p.t......(.......0...........-...,....(......-..o...........(........(....z......(......,..r...pr...p(.....r...pr...p.o....(.....r)..pr...p.o....(.....r7..pr...p.o....(.....rO..pr...p.o....(.....rY..pr...p.o....(.....rq..pr...p..o....(....(.....r...pr...p..o....(....(.....r...pr...p.o....(....(.....r...pr...p.o....(.....r...pr...p.o....(....(.....r...pr...p.o..

C:\Users\user\AppData\Local\Temp\cqgrcbua.out

Download File

Process:	C:\Program Files (x86)\WeatherZero\WeatherZero.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (477), with CRLF line terminators
Category:	modified
Size (bytes):	684
Entropy (8bit):	5.585402893547907
Encrypted:	false
SSDEEP:	12:xKnzR3rfyAlvBvgOknoT7z5dz0rHc9ow16P1gKai3jtEKIMBj6I5BFR5y:AnzdLyfOkn8zrzKW1c1gKai3hEKIMl6v
MD5:	CCBCA9ACAAB07EBAE1A59430B1521F65
SHA1:	EAE99D0F45483E089AF6FCCC02C2465178DD37CD
SHA-256:	D28E95C57999946C9B0D6D9F328302450776D1FE338B327E24992F3F4CA37707
SHA-512:	3A2A09B31C1C96008133AB9154F6C40678517009E396E12FD6FC00186F63D43F77B035BA03E82ECBD5F78FCC7CCEFE827F1624F1E576BB97BDC294FBD82A6523
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t:library /utf8output /R:"C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /R:"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll" /out:"C:\Users\user\AppData\Local\Temp\cqgrcbua.dll" /debug- /optimize+ /nostdlib /D:_DYNAMIC_XMLSERIALIZER_COMPILATION "C:\Users\user\AppData\Local\Temp\cqgrcbua.0.cs"......Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.5483..for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727..Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.....

C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Download File

Process:	C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3025328
Entropy (8bit):	6.402854637996419
Encrypted:	false
SSDEEP:	49152:bLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvfa:ZwSi0b67zeCzt0+yO3kSo
MD5:	67BCDCA0E7E60025269D8C14094BADCE
SHA1:	3B17A191A5F8E27A6741B64CC58C536CC5EE132A
SHA-256:	C784F3A8CDBD73E28881289B1547225264B55A5388C59EB8AB8A5E7C49260A41
SHA-512:	DF1C96C9CE92D3F0026EE64E969687B50AAC8AA2D491E4308ABB3FEDCA914BE935CAD161E01F1BED51BB4D18580551F2F885660CDE33C922016166FD799947DB
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.p.............-..+....................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...p.....-.......-.............@..@......................-.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\AVG_AV.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	53151
Entropy (8bit):	7.982330941208071
Encrypted:	false
SSDEEP:	1536:GcHlp3vMusTtWEgKqx8zHom+GChNPDViFKWUyG:Ggz3kTNgKq66VcFKW9G
MD5:	AEE8E80B35DCB3CF2A5733BA99231560
SHA1:	7BCF9FEB3094B7D79D080597B56A18DA5144CA7B
SHA-256:	35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
SHA-512:	DCD84221571BF809107F7AEAF94BAB2F494EA0431B9DADB97FEED63074322D1CF0446DBD52429A70186D3ECD631FB409102AFCF7E11713E9C1041CAACDB8B976
Malicious:	false
Preview:	.PNG........IHDR...#............B....pHYs.................sRGB.........gAMA......a....4IDATx.......y...u.}...W."..(s ........p.........Q...?ql=...'.8....E.l...Y.-ah..FP.w.......__uUwuw.r.3X.z..........jcppph........O.appp..........n ..qph..88.......pd...y...!..888.##...._..C.8....Cn82...,.8...40....!7..qph..GF.2.........C.h....q#.........!7..qph.O..../_..p......B....K...`.XF.n}........S/b.._..?.XH.2q...i.}..y....c...8..b\|~:WY...8....a......o...v..!.~.+8z...P.....y......2y^....!.w..C.=..'.J]..v. ..}./o..q....M...........<$.X.<)..g.gp......'.Y.I...'.x......D.(..C...m.. .:.#....$. .LdD.E...*..a..}..eih.A.....AyR...7a..2..N##DD^....Tg...;>$..tZo.....m......3.A..p....$MM.".hF.......qpX....7..F.=.k..e".G/...G~E.........4..kA.{....yN.dH)~.s...........#.W...lD.:..W}...#...kP.&...;....n......?..d....oH.....#..'a..s..D.....<.......h...y.....D..!.^...G....4.........c .;?$..6...@.....O c.......~.u...1.7......c.\|..'...?/..#;.z&....T.M4.w.."....7W....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\AVG_TuneUp.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	45092
Entropy (8bit):	7.973018455276646
Encrypted:	false
SSDEEP:	768:9am/zoB6/mZint8wIPIR2iEVSYRmdqLleQj+0LAWpgC5oCTQc8ylPO:9a6zP/8int8wIgRPToh1jFlvoGQwl2
MD5:	6E2A379F09DECCA92DBBABEC56CB748A
SHA1:	201D2B6D49D5845A7A4E55E0DEC20D18CB8CD9D3
SHA-256:	3BC26B4679DC68D084CA948698F6EE483A53387E7AB42B8249C30A49EDC1CB1D
SHA-512:	EC49DAB8709E78F6913DB02BE465A811477D4B741E375ED445547E1F19B58DDAFAF1D0133834201AFFB3BA5A257FCF7B3F794C0BA847B2836EBEC9C62D9790E6
Malicious:	false
Preview:	.PNG........IHDR...#............B....pHYs.................sRGB.........gAMA......a.....IDATx.......y....sw.......I..%.....x!.-;C0.=.'...x2.K....GN....e...._..$N...Kb;.LP.6...%Q.)........w...=...........s/......].}_UW...._-....P.....C.~.....C..........p....Cq.........r........C:jppp..GF........C.<o........CQ.p...i`....Cn82..P.MGF.2.....Bpd...(:..an...........r.....xdd..{.u.....C!T........6.e..-... ..>q../.;....C1...0.7..o2.$...c......b\|nWY..S.....iA.C.<..o..a;v..).\|..8\|.......}......ia.v...u.'E.uP... ..?,.Be..C..=..3ay.......P...88..v.`..!..2`.w..c...oa..~..._..?z$...IqL...}..`....... ].#....O..A...HP............%,+@@2H..Q....}.....;6....v..!"......I.L.........:..A.z........p..>.I....h....P...88.......(.}X".).98\|.m.;.wD....}<....~.. ......'yr...............EDb.L#....:..3!........ ...A....@.*Q.5:.....?..m..7.A....g.AH..t.:!..#<W..y./....@i...E...w..s..X{-..7.....pcF..ZE'./.@.]w~R.>.8. .Ao.&.>..y+e=...4.!<.to.1"...CF;Dj(...K...........M.t....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\WeatherZero.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30586
Entropy (8bit):	7.919646221064304
Encrypted:	false
SSDEEP:	768:Fk7fJC9WjOI1DaGmnitN039DODp56Ys+9S/IUM+:FktpB4FiQ3qd9S/BN
MD5:	9AC6287111CB2B272561781786C46CDD
SHA1:	6B02F2307EC17D9325523AF1D27A6CB386C8F543
SHA-256:	AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
SHA-512:	F998A4E0CE14B3898A72E0B8A3F7154FC87D2070BADCFA98582E3B570CA83A562D5A0C95F999A4B396619DB42AB6269A2BAC47702597C5A2C37177441723D837
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...w.IDATx....]Wu.5....$...U....!...t.H"...#9.yI'...30H........$'a6...D..NwB...4.tB.$...'......0.d.z}W.+/-.3.[u.=....S..{X{.i.}....B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!D.1#.I....C.g.~.....1...3_r....OB.!..bJ...2k......;..~....q`.f..ov.B.!...!.w.....<..S..w.}?f.^\|..w.s.=o.i..M.!...&2.&...~..mt.a;`.>h.....o.}........n.u..?...B.!D-d.N2../...3g..5k.o...<.....s..7C.I....3f._I.!..B.B....n.i.......f...[..}.........;b...........k.Gg.{.....v...fa...^x_.B.!......dFFF0:....Uf.>...,<{..6..C........g.s.=.f.....;<<\|8.!..B.Z...$..../8~....h]o...8.Q./.../..?OB.!...cd.N....^j...;........N.....\|......B..`.....W.............1..#....C........ ..C...X.\|.U.....^...;.x...w../..;6.a....W-Z..$..B4.3t.mpg{{..6;.[.z.8...t..!3t....<Xg.....p....F.o.\|.+_y.y.>k..........=.IO.&....Y..a.c....k...[....{$.!....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\error.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2444
Entropy (8bit):	7.881258656866732
Encrypted:	false
SSDEEP:	48:/Cw1dpDYxwCWOVhQJqdZq4Q3TGaTmdTBZB31HqucFOpZ:/Cw1fk+OVhQqdZvQ3TGBjlH/
MD5:	8303E7651CBD01CC413B0026ED537E6F
SHA1:	85542365101CB85656F018CA63C894C3C56F1C01
SHA-256:	696782A8DA306783593128B669F9E2C709030FDE555BB2703244E81CE17A31AD
SHA-512:	11A3D9EAF8413600AC2636A1B18DCDFBF8BAA05ED7DE60AF300BC34B709DECB78D87C51F3C35484FCE7A803F7370CA45C105C0FC3066A6D6BFE702F253C36228
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.....sRGB.........gAMA......a.....pHYs..........o.d...!IDATx^..pTW....]6..l~..._..e.........X..Ic[.v......FTH;4.......A....8)..:B:.3.D.8L..SB6.&l.d.l.]...dM......m>3.{.y.~.;..s.}O.%..[..{^~.X?4t..._..}V....O.....(.Q.\|.........N..ii...S...././.h..;...+WVJ...R .e....R.$..$.%`0..(-m.nk....9......z......]....!~3j2.b..u.5!.v./7..o..Q...&.....G...t&.....1o.!...i..6..c.[.+..?.3/....>..P...}...>.P_../.t.?k......l....13j...>.{.F<..P..nl.....))1.Z.M.....Mc.i...Fu...-15.oaa.......iz#..\|V.#..n.[......W..dSj .p.hN...(....x.u..Gk....../e.>....!..M.zT..R..............y...nz..j.......!M`.....\|z..&.D.+...8...vZ%9Z.M..s).&@....s...s{...11Z..j:r..o.9?...lR.k$#.\|..jR........\|.F....a6'.....^Wy.wq....`g.A..@.y....p.jJK.?^.....Iy.b...4...3.../..w~3..E].]w....N .<#fs..zB0.h1.........i..w(3.!..[..78.....'....UFv.-c.+9* ..e...&..'..5..VE.9.b....;.8.D.@ZI3..l..+..j....O.R\.3....*D.q6E..^...\....0..%\..h.5.......S.h.;0.....wu.\|v{5"........

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\finish.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2298
Entropy (8bit):	7.901998893489053
Encrypted:	false
SSDEEP:	48:KqqJYpZPlBqNTopskOg2btpLDCxGBVUQJCEVgvt4E5JUl2uW6:Kq6Y7t8GCPg2f9V/kJa2u
MD5:	1BDB17B59DD0FC8360B30C5CE46762A0
SHA1:	70CD6AD40F2BB14822FF1DCA766BCE6B02AAA8D8
SHA-256:	49911E40F4E80C8342524034A6A96907703EF9EF4ABDB6175AD6F93824DF6CBE
SHA-512:	2684FE9F5DF2AC2783B6413572715E4BCCBC771590686E75FCCC80733990E68FBE468E0FB0AF78B03DB4CCD6277028564CC8CCF91DB5E65122F06FF80F20432E
Malicious:	false
Preview:	.PNG........IHDR...@...@......iq.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[.l.W..{vm.v;/I..v..MT....UiK..U.I..GD.1i].!4.4..&.?..J5m0..MB.$..!..nJ...&.5......n.Y.......l...;..W.}.....}.{..{....T....}.g..-.....S.......:..B..r..j.i.]B....!..7..........m..,W.T...N...W.....W....D.y....[(.!.TU=.R........FU..6...X.=.N\|]7.{u.e'Q.2G.P.>..7..^...z+.jS..>...Y....9.G...Z..W..`.ea.O./'.?m..A.B.........p.....-.2...l=.Cw.n^....I...d..........d...ei.x.[..5.x2.M.....@{)...p..x.G...;Wo.%q...6..-.J]..)...u.+..~.V..N.7.c.q8.^z.....#...wD.,..3...;..m4..^..v.r....a..<.M%.......7A...pt.y.7./.p.....I[.lQpFM...2-.X#.[u...H.9$-....>....>.F......Xl.`....."...x...6...2.X...m#-r..\,]N.g.a......xj..0Z..}......k.7P.#..:..X.'.!j.$3.o&...M.N!Y.-.bq<..t.'\..\|..jx.L9..g..0....~.'9......Q...Ly;.VjF2....z.U-& ...w.^..n.^..: cW.q..f$3...LY..`.... ....._..[n....I..bL. E..u..q=...=X.>..8..~......xQ...C..c....=....1y.:1.R.c.GROf.....e>=?..e..&..\|i...Q.........Kn..

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-AMR2I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30586
Entropy (8bit):	7.919646221064304
Encrypted:	false
SSDEEP:	768:Fk7fJC9WjOI1DaGmnitN039DODp56Ys+9S/IUM+:FktpB4FiQ3qd9S/BN
MD5:	9AC6287111CB2B272561781786C46CDD
SHA1:	6B02F2307EC17D9325523AF1D27A6CB386C8F543
SHA-256:	AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
SHA-512:	F998A4E0CE14B3898A72E0B8A3F7154FC87D2070BADCFA98582E3B570CA83A562D5A0C95F999A4B396619DB42AB6269A2BAC47702597C5A2C37177441723D837
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...w.IDATx....]Wu.5....$...U....!...t.H"...#9.yI'...30H........$'a6...D..NwB...4.tB.$...'......0.d.z}W.+/-.3.[u.=....S..{X{.i.}....B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!D.1#.I....C.g.~.....1...3_r....OB.!..bJ...2k......;..~....q`.f..ov.B.!...!.w.....<..S..w.}?f.^\|..w.s.=o.i..M.!...&2.&...~..mt.a;`.>h.....o.}........n.u..?...B.!D-d.N2../...3g..5k.o...<.....s..7C.I....3f._I.!..B.B....n.i.......f...[..}.........;b...........k.Gg.{.....v...fa...^x_.B.!......dFFF0:....Uf.>...,<{..6..C........g.s.=.f.....;<<\|8.!..B.Z...$..../8~....h]o...8.Q./.../..?OB.!...cd.N....^j...;........N.....\|......B..`.....W.............1..#....C........ ..C...X.\|.U.....^...;.x...w../..;6.a....W-Z..$..B4.3t.mpg{{..6;.[.z.8...t..!3t....<Xg.....p....F.o.\|.+_y.y.>k..........=.IO.&....Y..a.c....k...[....{$.!....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-C4LCD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	743635
Entropy (8bit):	7.997835041806618
Encrypted:	true
SSDEEP:	12288:ZeobKRkKAvierqwhp0X3dM6qjZPShx9C25T6OkZyN4T2NyDp817xPbIbtIlL4OEE:ZeNRklnq4qvyZal6NyNY2NvxEbtIlcOP
MD5:	F564F8AD7811B03E66A97C3F560EB20D
SHA1:	405070B1D49B27C81B208309036ED62E299C7158
SHA-256:	3D7354CCB0CF7729BF132A0974BB38929B4595798927F338DE3C0C41BC286354
SHA-512:	D49E94C018448E707A18A19BDF12FD2AD77DC7BA5F379E9B24915258EC2090FF7DDA5381F6569E4077C24C03E33D72C850B313D285CA71A46A59417BCCC4421A
Malicious:	false
Preview:	PK........ ..XG.J..X..P%......avg_tuneup_online_setup.exe...xS....m...$h.u..Z...6..V..uP..ZP^.....B..Y..w.;.M67...m8Q._MiI...XhA...o.J.`.4..s..i...l\|[..8.?..........cB.......av2.......0..v.`v..h.N...,.xh.y...?\{.......Z.0.Xi^..2?.e.K.o~x..+'..>."..<A...M...".........}..G.y..Rr.qw>9...>......Y...?.s.......}D.......x.y.G...wW}..w...m...=<...x>.......{.iOy....].v....1....m5L.......,...'m.g.a..\4..9z..0a.W93...1..2Aw.............!....x5cZ...e.....y.0.......g..0..M.V.H..).....f4.9.I....p.q5K.".j.a. .....a..C....3....I.....p....(...p...\|. .f.i...y;...uk..k....9.st .+W....}TW..xMw.Y.../m!..E.;,.~...>.6_......Z>I./.....qe.$k..BN..W2..U.V.;?...j..ec<.s......e.v.....Y:M......1[..5m\..=...k..1e.._.x.m.h:.2....,.f.D..c.U4.>...}^E..1jv._U4"}44[g_P.0.hT?..!.....?[.x..(..7.{...}4>.Z.hD.h....#..)>..\|....1>.?...?.hL.....q....}?._q......F...T...7c.q p.........\|..90..R......z.C.@..J.HH,5.v....'1...BIL.'...K.D...Fq.._P.....?:1...q8..=....S....4

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-H9I4M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	false
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-HHL44.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	53151
Entropy (8bit):	7.982330941208071
Encrypted:	false
SSDEEP:	1536:GcHlp3vMusTtWEgKqx8zHom+GChNPDViFKWUyG:Ggz3kTNgKq66VcFKW9G
MD5:	AEE8E80B35DCB3CF2A5733BA99231560
SHA1:	7BCF9FEB3094B7D79D080597B56A18DA5144CA7B
SHA-256:	35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
SHA-512:	DCD84221571BF809107F7AEAF94BAB2F494EA0431B9DADB97FEED63074322D1CF0446DBD52429A70186D3ECD631FB409102AFCF7E11713E9C1041CAACDB8B976
Malicious:	false
Preview:	.PNG........IHDR...#............B....pHYs.................sRGB.........gAMA......a....4IDATx.......y...u.}...W."..(s ........p.........Q...?ql=...'.8....E.l...Y.-ah..FP.w.......__uUwuw.r.3X.z..........jcppph........O.appp..........n ..qph..88.......pd...y...!..888.##...._..C.8....Cn82...,.8...40....!7..qph..GF.2.........C.h....q#.........!7..qph.O..../_..p......B....K...`.XF.n}........S/b.._..?.XH.2q...i.}..y....c...8..b\|~:WY...8....a......o...v..!.~.+8z...P.....y......2y^....!.w..C.=..'.J]..v. ..}./o..q....M...........<$.X.<)..g.gp......'.Y.I...'.x......D.(..C...m.. .:.#....$. .LdD.E...*..a..}..eih.A.....AyR...7a..2..N##DD^....Tg...;>$..tZo.....m......3.A..p....$MM.".hF.......qpX....7..F.=.k..e".G/...G~E.........4..kA.{....yN.dH)~.s...........#.W...lD.:..W}...#...kP.&...;....n......?..d....oH.....#..'a..s..D.....<.......h...y.....D..!.^...G....4.........c .;?$..6...@.....O c.......~.u...1.7......c.\|..'...?/..#;.z&....T.M4.w.."....7W....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-IM3M6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	125405
Entropy (8bit):	7.996684823256823
Encrypted:	true
SSDEEP:	3072:U7Uc8cJ1YuWatSIyY6NCW23L2XEYL02BmusGPCeoDhL8oLvoLH:WJ1zWuSNYJWCGEK9BmPCkhfL4
MD5:	56B0D3E1B154AE65682C167D25EC94A6
SHA1:	44439842B756C6FF14DF658BEFCCB7A294A8EA88
SHA-256:	434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
SHA-512:	6F7211546C6360D4BE8C3BB38F1E5B1B4A136AA1E15EC5AE57C9670215680B27FF336C4947BD6D736115FA4DEDEA10AACF558B6988196F583B324B50D4ECA172
Malicious:	false
Preview:	PK.........XQW.a..............avg_antivirus_free_setup.exe.].\|TG........Mj.RH-V..6.@.....Z.....%@-....;@K(..,..STPT.T.GT...H.%..BBQ.6Z.&...4.wf.......OZ..........}.}l..,I...#.I........4I....GK.7...Z..........~...Og>..g>.Y_...,..&...HA.?....F..9...>.\|.\sJ.....N.L~.OY.......)5.......;...,~7.&...LJ6?... ....w~.\|.7.>..Kx..d.{J./....j..>....."i...6..%..t.i.M.H...&...~.oV.qO...!Qy.)......&.8......I..../&I.83Y......%K%. .'Y..+I%?H.J."...g.&/)A...^...I.]..}.'6..l.%.../.?..W..1.cH.1..}<...'...G`..t"..#.<\|.\...$x.9....\.....q..'6.U..Wi..u..`.X.+i..K./...O..p.............s.G........3y.Hz.V...=-.I..\)..}.S.WW$}.\I....n.H.IR.E.{...C0...s..X'.z...W.J.iL..........i...l..$..........A$=.2=...4[J6.(..l$....f....y.g...o..:m.B...$....&...".}.r{......n&./.xdBA~d.D.....5p....g..... _Z..-b...jg.o.wMA$.2...=..5.&x.....,?..MF...2QVO,V.N..........R.^..o..o..4.hd.H..LE.SBE,.8\|Eo&d..D.Vq..NK.[.[.g.K.v..D".....og.m1....x..C....b..`?2...L...t..O.t.U..l..02.v.A.G2

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\is-KP2QU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	45092
Entropy (8bit):	7.973018455276646
Encrypted:	false
SSDEEP:	768:9am/zoB6/mZint8wIPIR2iEVSYRmdqLleQj+0LAWpgC5oCTQc8ylPO:9a6zP/8int8wIgRPToh1jFlvoGQwl2
MD5:	6E2A379F09DECCA92DBBABEC56CB748A
SHA1:	201D2B6D49D5845A7A4E55E0DEC20D18CB8CD9D3
SHA-256:	3BC26B4679DC68D084CA948698F6EE483A53387E7AB42B8249C30A49EDC1CB1D
SHA-512:	EC49DAB8709E78F6913DB02BE465A811477D4B741E375ED445547E1F19B58DDAFAF1D0133834201AFFB3BA5A257FCF7B3F794C0BA847B2836EBEC9C62D9790E6
Malicious:	false
Preview:	.PNG........IHDR...#............B....pHYs.................sRGB.........gAMA......a.....IDATx.......y....sw.......I..%.....x!.-;C0.=.'...x2.K....GN....e...._..$N...Kb;.LP.6...%Q.)........w...=...........s/......].}_UW...._-....P.....C.~.....C..........p....Cq.........r........C:jppp..GF........C.<o........CQ.p...i`....Cn82..P.MGF.2.....Bpd...(:..an...........r.....xdd..{.u.....C!T........6.e..-... ..>q../.;....C1...0.7..o2.$...c......b\|nWY..S.....iA.C.<..o..a;v..).\|..8\|.......}......ia.v...u.'E.uP... ..?,.Be..C..=..3ay.......P...88..v.`..!..2`.w..c...oa..~..._..?z$...IqL...}..`....... ].#....O..A...HP............%,+@@2H..Q....}.....;6....v..!"......I.L.........:..A.z........p..>.I....h....P...88.......(.}X".).98\|.m.;.wD....}<....~.. ......'yr...............EDb.L#....:..3!........ ...A....@.*Q.5:.....?..m..7.A....g.AH..t.:!..#<W..y./....@i...E...w..s..X{-..7.....pcF..ZE'./.@.]w~R.>.8. .Ao.&.>..y+e=...4.!<.to.1"...CF;Dj(...K...........M.t....

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	125405
Entropy (8bit):	7.996684823256823
Encrypted:	true
SSDEEP:	3072:U7Uc8cJ1YuWatSIyY6NCW23L2XEYL02BmusGPCeoDhL8oLvoLH:WJ1zWuSNYJWCGEK9BmPCkhfL4
MD5:	56B0D3E1B154AE65682C167D25EC94A6
SHA1:	44439842B756C6FF14DF658BEFCCB7A294A8EA88
SHA-256:	434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
SHA-512:	6F7211546C6360D4BE8C3BB38F1E5B1B4A136AA1E15EC5AE57C9670215680B27FF336C4947BD6D736115FA4DEDEA10AACF558B6988196F583B324B50D4ECA172
Malicious:	true
Preview:	PK.........XQW.a..............avg_antivirus_free_setup.exe.].\|TG........Mj.RH-V..6.@.....Z.....%@-....;@K(..,..STPT.T.GT...H.%..BBQ.6Z.&...4.wf.......OZ..........}.}l..,I...#.I........4I....GK.7...Z..........~...Og>..g>.Y_...,..&...HA.?....F..9...>.\|.\sJ.....N.L~.OY.......)5.......;...,~7.&...LJ6?... ....w~.\|.7.>..Kx..d.{J./....j..>....."i...6..%..t.i.M.H...&...~.oV.qO...!Qy.)......&.8......I..../&I.83Y......%K%. .'Y..+I%?H.J."...g.&/)A...^...I.]..}.'6..l.%.../.?..W..1.cH.1..}<...'...G`..t"..#.<\|.\...$x.9....\.....q..'6.U..Wi..u..`.X.+i..K./...O..p.............s.G........3y.Hz.V...=-.I..\)..}.S.WW$}.\I....n.H.IR.E.{...C0...s..X'.z...W.J.iL..........i...l..$..........A$=.2=...4[J6.(..l$....f....y.g...o..:m.B...$....&...".}.r{......n&./.xdBA~d.D.....5p....g..... _Z..-b...jg.o.wMA$.2...=..5.&x.....,?..MF...2QVO,V.N..........R.^..o..o..4.hd.H..LE.SBE,.8\|Eo&d..D.Vq..NK.[.[.g.K.v..D".....og.m1....x..C....b..`?2...L...t..O.t.U..l..02.v.A.G2

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	125405
Entropy (8bit):	7.996684823256823
Encrypted:	true
SSDEEP:	3072:U7Uc8cJ1YuWatSIyY6NCW23L2XEYL02BmusGPCeoDhL8oLvoLH:WJ1zWuSNYJWCGEK9BmPCkhfL4
MD5:	56B0D3E1B154AE65682C167D25EC94A6
SHA1:	44439842B756C6FF14DF658BEFCCB7A294A8EA88
SHA-256:	434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
SHA-512:	6F7211546C6360D4BE8C3BB38F1E5B1B4A136AA1E15EC5AE57C9670215680B27FF336C4947BD6D736115FA4DEDEA10AACF558B6988196F583B324B50D4ECA172
Malicious:	true
Preview:	PK.........XQW.a..............avg_antivirus_free_setup.exe.].\|TG........Mj.RH-V..6.@.....Z.....%@-....;@K(..,..STPT.T.GT...H.%..BBQ.6Z.&...4.wf.......OZ..........}.}l..,I...#.I........4I....GK.7...Z..........~...Og>..g>.Y_...,..&...HA.?....F..9...>.\|.\sJ.....N.L~.OY.......)5.......;...,~7.&...LJ6?... ....w~.\|.7.>..Kx..d.{J./....j..>....."i...6..%..t.i.M.H...&...~.oV.qO...!Qy.)......&.8......I..../&I.83Y......%K%. .'Y..+I%?H.J."...g.&/)A...^...I.]..}.'6..l.%.../.?..W..1.cH.1..}<...'...G`..t"..#.<\|.\...$x.9....\.....q..'6.U..Wi..u..`.X.+i..K./...O..p.............s.G........3y.Hz.V...=-.I..\)..}.S.WW$}.\I....n.H.IR.E.{...C0...s..X'.z...W.J.iL..........i...l..$..........A$=.2=...4[J6.(..l$....f....y.g...o..:m.B...$....&...".}.r{......n&./.xdBA~d.D.....5p....g..... _Z..-b...jg.o.wMA$.2...=..5.&x.....,?..MF...2QVO,V.N..........R.^..o..o..4.hd.H..LE.SBE,.8\|Eo&d..D.Vq..NK.[.[.g.K.v..D".....og.m1....x..C....b..`?2...L...t..O.t.U..l..02.v.A.G2

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	234936
Entropy (8bit):	6.580764795165994
Encrypted:	false
SSDEEP:	3072:y2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhh3K0Ko:y0KgGwHqwOOELha+sm2D2+UhngNdK4d
MD5:	26816AF65F2A3F1C61FB44C682510C97
SHA1:	6CA3FE45B3CCD41B25D02179B6529FAEDEF7884A
SHA-256:	2025C8C2ACC5537366E84809CB112589DDC9E16630A81C301D24C887E2D25F45
SHA-512:	2426E54F598E3A4A6D2242AB668CE593D8947F5DDB36ADED7356BE99134CBC2F37323E1D36DB95703A629EF712FAB65F1285D9F9433B1E1AF0123FD1773D0384
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v jU2A..2A..2A......9A......LA......*A..`).. A..`)..'A...(..0A..`)...A..;9..3A..;9..?A..2A...A..;9..3A...(..?A...(..3A..2A..0A...(..3A..Rich2A..................PE..L....m6d.........."..........\...... ........0....@.................................V.....@........................................................Hl..p)..........p...p..........................`M..@............0......T........................text............................... ..`.rdata..`....0......................@..@.data...............................@....didat..L...........................@....rsrc...............................@..@.reloc...............N..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	true
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	true
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	6261520
Entropy (8bit):	7.998950113701314
Encrypted:	true
SSDEEP:	98304:O/KXgWUBu+NlRk9OfK2GTyYX+eyaB135PSuXTm0LuM74eL3o1+ykb5io5dtWx9eJ:O/KXNs6OfxGTyHwnXZB3o1jkb5ioPtE2
MD5:	3C17F28CC001F6652377D3B5DEEC10F0
SHA1:	EEB13CF47836FF0A0D5CC380618F33E7818F9D75
SHA-256:	FA352552306B80F3F897F8F21D8579AE642C97D12298E113AE1ADC03902C69B8
SHA-512:	240B31F29D439C09A56D3BF8D4A3EA14F75C2286E209E7DF3F4FF301BFA3AD8228D7BEBE01ACEA6F2F702A0BA7ECDB5583B97372725C77EF497E749740F644B3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L...<.Oa.................f...\|.......3............@.......................... ........`...@.................................D...........HD...........2_..Y...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc...HD.......F..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	743635
Entropy (8bit):	7.997835041806618
Encrypted:	true
SSDEEP:	12288:ZeobKRkKAvierqwhp0X3dM6qjZPShx9C25T6OkZyN4T2NyDp817xPbIbtIlL4OEE:ZeNRklnq4qvyZal6NyNY2NvxEbtIlcOP
MD5:	F564F8AD7811B03E66A97C3F560EB20D
SHA1:	405070B1D49B27C81B208309036ED62E299C7158
SHA-256:	3D7354CCB0CF7729BF132A0974BB38929B4595798927F338DE3C0C41BC286354
SHA-512:	D49E94C018448E707A18A19BDF12FD2AD77DC7BA5F379E9B24915258EC2090FF7DDA5381F6569E4077C24C03E33D72C850B313D285CA71A46A59417BCCC4421A
Malicious:	true
Preview:	PK........ ..XG.J..X..P%......avg_tuneup_online_setup.exe...xS....m...$h.u..Z...6..V..uP..ZP^.....B..Y..w.;.M67...m8Q._MiI...XhA...o.J.`.4..s..i...l\|[..8.?..........cB.......av2.......0..v.`v..h.N...,.xh.y...?\{.......Z.0.Xi^..2?.e.K.o~x..+'..>."..<A...M...".........}..G.y..Rr.qw>9...>......Y...?.s.......}D.......x.y.G...wW}..w...m...=<...x>.......{.iOy....].v....1....m5L.......,...'m.g.a..\4..9z..0a.W93...1..2Aw.............!....x5cZ...e.....y.0.......g..0..M.V.H..).....f4.9.I....p.q5K.".j.a. .....a..C....3....I.....p....(...p...\|. .f.i...y;...uk..k....9.st .+W....}TW..xMw.Y.../m!..E.;,.~...>.6_......Z>I./.....qe.$k..BN..W2..U.V.;?...j..ec<.s......e.v.....Y:M......1[..5m\..=...k..1e.._.x.m.h:.2....,.f.D..c.U4.>...}^E..1jv._U4"}44[g_P.0.hT?..!.....?[.x..(..7.{...}4>.Z.hD.h....#..)>..\|....1>.?...?.hL.....q....}?._q......F...T...7c.q p.........\|..90..R......z.C.@..J.HH,5.v....'1...BIL.'...K.D...Fq.._P.....?:1...q8..=....S....4

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	743635
Entropy (8bit):	7.997835041806618
Encrypted:	true
SSDEEP:	12288:ZeobKRkKAvierqwhp0X3dM6qjZPShx9C25T6OkZyN4T2NyDp817xPbIbtIlL4OEE:ZeNRklnq4qvyZal6NyNY2NvxEbtIlcOP
MD5:	F564F8AD7811B03E66A97C3F560EB20D
SHA1:	405070B1D49B27C81B208309036ED62E299C7158
SHA-256:	3D7354CCB0CF7729BF132A0974BB38929B4595798927F338DE3C0C41BC286354
SHA-512:	D49E94C018448E707A18A19BDF12FD2AD77DC7BA5F379E9B24915258EC2090FF7DDA5381F6569E4077C24C03E33D72C850B313D285CA71A46A59417BCCC4421A
Malicious:	true
Preview:	PK........ ..XG.J..X..P%......avg_tuneup_online_setup.exe...xS....m...$h.u..Z...6..V..uP..ZP^.....B..Y..w.;.M67...m8Q._MiI...XhA...o.J.`.4..s..i...l\|[..8.?..........cB.......av2.......0..v.`v..h.N...,.xh.y...?\{.......Z.0.Xi^..2?.e.K.o~x..+'..>."..<A...M...".........}..G.y..Rr.qw>9...>......Y...?.s.......}D.......x.y.G...wW}..w...m...=<...x>.......{.iOy....].v....1....m5L.......,...'m.g.a..\4..9z..0a.W93...1..2Aw.............!....x5cZ...e.....y.0.......g..0..M.V.H..).....f4.9.I....p.q5K.".j.a. .....a..C....3....I.....p....(...p...\|. .f.i...y;...uk..k....9.st .+W....}TW..xMw.Y.../m!..E.;,.~...>.6_......Z>I./.....qe.$k..BN..W2..U.V.;?...j..ec<.s......e.v.....Y:M......1[..5m\..=...k..1e.._.x.m.h:.2....,.f.D..c.U4.>...}^E..1jv._U4"}44[g_P.0.hT?..!.....?[.x..(..7.{...}4>.Z.hD.h....#..)>..\|....1>.?...?.hL.....q....}?._q......F...T...7c.q p.........\|..90..R......z.C.@..J.HH,5.v....'1...BIL.'...K.D...Fq.._P.....?:1...q8..=....S....4

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1582416
Entropy (8bit):	6.772112933049821
Encrypted:	false
SSDEEP:	49152:uWUMv5De9/yG9/ooooERQr0tb6H8RlOuQhRe4/vR:uWUMqyGB0Z6H8Rl4yW
MD5:	F3B23C42A4CF4CA9F0C48F93B121CB41
SHA1:	A219F4DE23BC4296BEBEA4B87E9391500D6D3408
SHA-256:	8788D60626C60D762FD58333B2403DD9C636B91B3C28E7967112A3C785FC9C11
SHA-512:	8E296382CB9A223D1557164C050EEFF27B9674C0DE95511F8E00083DBAF6043D4DC38B4A40517FDD80FDCE8167C88F3CD0E9A3A641FBC180723DF073FE2786C7
Malicious:	true
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........_H..>&..>&..>&..L%..>&..L#..>&....>&.."..>&..%..>&..#..>&..L"..>&.BP"..>&..F...>&..K#..>&..>&..>&..L!..>&..L'..>&..>'.l?&.../.z>&...&..>&.....>&..>...>&...$..>&.Rich.>&.................PE..L...$..f...............&.............A............@..........................`......#.....@.........................0....................r..............@)..............................................@...................\........................text...z........................... ..`.rdata...1.......2..................@..@.data...`....0......................@....didat..T...........................@....rsrc....r.......t..................@..@.reloc...............,..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23891968
Entropy (8bit):	7.236497962515903
Encrypted:	false
SSDEEP:	393216:NKsbm0ApvEqrGtYHviInnmC0dGpZFE6ZFERnsW4j2SDXdfD5X3vcMiWqMDi49QLu:hqr8NInmCgltTSDX59RidMm4uu
MD5:	22A34900ADA67EAD7E634EB693BD3095
SHA1:	2913C78BCAAA6F4EE22B0977BE72333D2077191D
SHA-256:	3CEC1E40E8116A35AAC6DF3DA0356864E5D14BC7687C502C7936EE9B7C1B9C58
SHA-512:	88D90646F047F86ADF3D9FC5C04D97649B0E01BAC3C973B2477BB0E9A02E97F56665B7EDE1800B68EDD87115AED6559412C48A79942A8C2A656DFAE519E2C36F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.<%4.Rv4.Rv4.RvG.Qw..RvG.Ww.RvG.Vw..Rvf.Qw*.Rvf.Ww..Rvf.Vw..RvG.Tw2.Rv4.Rv!.RvG.Sw..Rv4.Sv..Rv..[w.Rv..v5.Rv4..v5.Rv..Pw5.RvRich4.Rv................PE..L...Dx:b.................t.......... g............@...........................n...........@...................................Y...... d..V....................f.....pzN.T...................h{N......zN.@............................................text....s.......t.................. ..`.rdata...p.......r...x..............@..@.data.........Z..j....Y.............@....qtmetadv.... _......T].............@..P.qtmimed.....0_......Z].............@..P.rsrc....V... d..V...Hb.............@..@.reloc........f.......d.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\zbShieldUtils.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2060288
Entropy (8bit):	6.6115241916592735
Encrypted:	false
SSDEEP:	49152:ewyBp/wFOX9xRo3HVCEd2ynjsfAXBpAK0A8BFuXJFotKLCs:eRDwIN3o3UEd2ynjsoRpAK58BFuXE
MD5:	59D3C3A9180BA792AE2DAD18B6903CDE
SHA1:	C8CD105D3A0E99A54D1D16F0D1F60000FA3DCA8A
SHA-256:	DD01EDBD4368EF227693723C5E427A48B264CB57BBD07D81210D6E633E0B1B2E
SHA-512:	D6B6358E5108654931FCB3B7920DF65C4AE65D48F9EA012C3F821BB571F821E815D86FEAB85CD55A8CE767F2F7342A512E55D03EE4041AC0BAF4FF13AD238699
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./}..A...A...A...B/..A...F/..A...E/..A...D//.A...G/..A...@/..A...@...A...E/..A...B/..A...D/..A.%.H/..A.%.A/..A.%.....A.......A.%.C/..A.Rich..A.........PE..L...+o\f...........!.....f...N............................................................@.........................@..........T........A..............................p...............................@............................................text....e.......f.................. ..`.rdata..NL.......N...j..............@..@.data............Z..................@....rsrc....A.......B..................@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\INetC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.666921368237103
Encrypted:	false
SSDEEP:	384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
MD5:	2B342079303895C50AF8040A91F30F71
SHA1:	B11335E1CB8356D9C337CB89FE81D669A69DE17E
SHA-256:	2D5D89025911E2E273F90F393624BE4819641DBEE1606DE792362E442E54612F
SHA-512:	550452DADC86ECD205F40668894116790A456FE46E9985D68093D36CF32ABF00EDECB5C56FF0287464A0E819DB7B3CC53926037A116DE6C651332A7CC8035D47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....T.[...........!.....8...P......I?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data....<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\WeatherZeroNSISPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	711952
Entropy (8bit):	6.021498979818168
Encrypted:	false
SSDEEP:	12288:1WNrNNNifmpPFyCrHQnfYWiWJHA7LeLJRHRNJOYHQ93AjN:1WNrNNNifmpPFyCrHQnfYWiWJHcLeLJ3
MD5:	2EAF88651D6DE968BF14EC9DB52FD3B5
SHA1:	1C37626526572FDB6378AA4BEDBF7B941886A9A1
SHA-256:	070190292DF544DA87F84DC8CF8ECC0A0337085A3FE744FA60CE00A6879B6146
SHA-512:	15754A8F097F9C8D7BDA65FB881720AF5E4C4DB1E35F555563B9BAFE6426A6A0E50953A47F628FE3DC0F461E48ABBF77DB7C997902FF483CF33396D0D8E2CD17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S...S...S...G...^...G.......G...E.....\.....F.........G...V...S...:.....V.....R.....N.R.....R...RichS...........PE..L.....b...........!.........f.......n.......@............................................@......................... H.......H..<........................Y......x,..(+..8...........................`+..@............@..h............................text....,.......................... ..`.rdata.......@.......2..............@..@.data...\|#...`.......D..............@....rsrc................T..............@..@.reloc..x,...........V..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\qBittorrent\logs\qbittorrent.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	5.170489155494202
Encrypted:	false
SSDEEP:	3:wVXR+O+jXOFdfXRky5sR+OwcD7WtdFGWKypJsKEx2PnjXOov:gBWjXOFdfmrF7mdfF/sKEQPnjXOy
MD5:	08673873F60D20EBC678DA34C21EEF16
SHA1:	DDB52CCD4DA18FD0E1C041B4737D686A30CBA14A
SHA-256:	D30A35ED181380CD1B7F6C26606A1134D330EB446390D302D463073694657496
SHA-512:	F09387AB1AFB827614047DBF89F4C1396893F4354144724974BD2EBAFDD710A4672A1077BF7DB568EAF1CA2916AE402BD997C33C0C88151DCACD0774E3CA63D9
Malicious:	false
Preview:	(N) 2024-07-28T18:54:39 - qBittorrent v4.4.2 started..(N) 2024-07-28T18:54:39 - Using config directory: C:/Users/user/AppData/Roaming/qBittorrent..

C:\Users\user\AppData\Roaming\WeatherZero\WeatherZeroConfig.xml

Download File

Process:	C:\Program Files (x86)\WeatherZero\WeatherZero.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	479
Entropy (8bit):	5.419116240626006
Encrypted:	false
SSDEEP:	12:MMHdDa8iPiRmRFgnrRXZlpqaijj/XEO9FXE595Ajub:Jd+8GsrNkaijj/XE8FXE59x
MD5:	3B31236E715AEBDF5AEE674FC761E8BE
SHA1:	B74339E7F0629D9A682A335AC852F18125B65EBF
SHA-256:	79429CED0BE249774516F3D71C7E9AB504C08A38E1F1F05296C48A9E8CC13486
SHA-512:	6A7A471AE51D407FD052DAFECCFC4A55D59A99A0AD6A5CE02A25808AF9CDA166035651E9F17E62D5751B00B99966C9009CC303B730497DCAAF18803022E321CF
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-16"?>..<WFSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">.. <WeatherCondition>None</WeatherCondition>.. <TemperatureUnit>Fahrenheit</TemperatureUnit>.. <LastQueryDt>0001-01-01T00:00:00</LastQueryDt>.. <igi>DDFD1E983F83B350CD251831739BBC54</igi>.. <CloseToTray>true</CloseToTray>.. <StartUponBoot>true</StartUponBoot>.. <AppClosedByUser>false</AppClosedByUser>..</WFSettings>

C:\Windows\System32\icarus_rvrt.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50976
Entropy (8bit):	6.695978421209108
Encrypted:	false
SSDEEP:	1536:6fMVFuX7Y1C7X+oAiZ8uMX07F9Kx24Zza:WMVFsSC7+K8ua0qm
MD5:	97F5D0CAAA1988C95BF38385D2CF260E
SHA1:	255099F6E976837A0C3EB43A57599789A6330E85
SHA-256:	73EE549578DED906711189EDCEF0EEDBC9DB7CCBD30CF7776BD1F7DD9E034339
SHA-512:	AD099C25868C12246ED3D4EE54CEF4DF49D5276A5696CA72EFA64869367E262A57C8FF1FB947AD2F70CAEF1D618849DBAB2EC6161C25758D9F96733A7534B18F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................r.............../......./b............../......Rich............................PE..d....>_e.........."....%.N...(...... ..........@..........................................`.................................................\u..(.......8.......P....x.. O...........l...............................................`.. ............................text...)L.......N.................. ..`.rdata.......`.......R..............@..@.data...............................@....pdata..P............l..............@..@.rsrc...8............r..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\avg-av\config.def.edat

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	ASCII text, with very long lines (2186), with CRLF line terminators
Category:	dropped
Size (bytes):	21189
Entropy (8bit):	5.68730380776495
Encrypted:	false
SSDEEP:	384:DMJ7eXHtHcV2g2Ji0YblA3V4H3p+aTKBG1srr7dl9D3eJc8oaKAg:M7e9HrJiMF4H2BWw/D3em8orAg
MD5:	8B374B550ADBF0E900F081394490E8A6
SHA1:	C99DDD3CD3C107624D891901704DA201B6C34975
SHA-256:	F3B71692FDBBCD129B14C8CEEDDE570D7F15154DE92BAFD0FBFC5914C7AA3B3D
SHA-512:	8357BFDEB55C29292CDABE56B1AFB6AA0A5C0E8F8E60C0BD6F0A2A5E95AB24142745A9B595DD557372AF52945F5A567A8741224C10B2329E2ABE2F2D2BEA4AB4
Malicious:	false
Preview:	[RemoteAccessShield.Setting]..BruteForceMaxAttemptsPerDay=60..BruteForceMaxAttemptsPerHour=40..BruteForceMaxAttemptsPerMinute=30..BruteForceMaxAttemptsPerTenSeconds=12..[Settings.UserInterface]..ShellExtensionFileName=0..streaming=0..[WebmailSignature]..GmailEnabled=1..MaxRequestSize=16384..OutlookEnabled=1..YahooEnabled=1..[WebShield.NXRedirect]..Redirect=0..[WebShield.WebScanner]..VpsFileRep=1..[Offers.GoogleChrome]..DefaultState=0..ShowInComplete=0..ShowInIntro=0..ShowInPaidBusiness=0..ShowInPaidConsumer=0..ShowInPost=1..UseTryOffer=1..[Offers.SecureBrowser]..ShowInIntro=1..[Settings.{D93EF81A-B92F-27FE-AF54-9278EA8BF910}.const]..ScanAreas=*RTK-SUPERQUICK;QuickStartup;QuickMemory..[AntiTrack]..Enabled=0..[FileSystemShield.FileSystem]..EngineLdrModuleFlags=24..[Fmwlite]..License_check_interval=16..[PerfReporting]..AvastProcessesWprCaptureInterval=0..[Components]..ais_cmp_fw=2..ais_shl_spm=3..[GrimeFighter]..info2_licensed_period=3600..info2_unlicensed_period=3600..LicensedClean=1..Us

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\avg-av\edition.edat

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Jn:J
MD5:	9BF31C7FF062936A96D3C8BD1F8F2FF3
SHA1:	F1ABD670358E036C31296E66B3B66C382AC00812
SHA-256:	E629FA6598D732768F7C726B4B621285F9C3B85303900AA912017DB7617D8BDB
SHA-512:	9A6398CFFC55ADE35B39F1E41CF46C7C491744961853FF9571D09ABB55A78976F72C34CD7A8787674EFA1C226EAA2494DBD0A133169C9E4E2369A7D2D02DE31A
Malicious:	false
Preview:	15

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\17a64dba-bdd7-4795-b641-ff87d107af54

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 15288
Category:	dropped
Size (bytes):	9567
Entropy (8bit):	7.977755483295916
Encrypted:	false
SSDEEP:	192:JyDUuA9epZXFLBZ3iajsRAzqxeQZuKEj6NZi/P4qJaHiOkN:cAMZXFLLSaxGxeQZu3+iXD4CJN
MD5:	1FF7130AD9EC4C06EB4E8615CA76DEE3
SHA1:	E5D0D6D31CE65BA9682885C676B72EED0493C2AD
SHA-256:	12C6750E615036DD1DE45811E8FDF25EAFDB6A687C13D0EC0440777E90B9832E
SHA-512:	A807BABAD54D66F329E8189EA12DC2B868F09FDCADD0551B1E16B4F8300175DE9CDDA097DCBAF460B9315C5E9E45B1967E2ED19493BE6A914261FDEDF4DAC162
Malicious:	false
Preview:	]..@..;.......&..p.........../D.\|.........{...cl..KN......TS;...p....."...gW.....~...~....oF~;....L.c.Jc..k_....P....u....E.~.Y.......0....\.!/M.k.sc.[y.5.....Kf.vb.#.W...@..O.?~..X.x.Lv..R..3.J.^...N..^..=ryC../f..Px%...k..\|.U.M.^..C...Z..}~.T").Y=z.2...S".v^./.^..G.J.?.}....\.?..1..mE..X..m..j.....8D.['.]/B.'......k....._..f..U....N...`...... S...].t.3k..C.4j8...{..x9........]..V....J...q'.b.I.B.v.k.1}.l..8.a..u>-.Rb.E.g'>l..`..?.SLz..>.....CD.........W.M`b.........~..b?...w.?.$.J..`X...r\|[0U?..../.i..._.Q._h^:.......F...)....b.......sG-=....hef.+."..~B;.r..5O}U.z.$iiw.....).^..Rs.}.)KO..:<@....Gi.sw..9.o.....+. .\...l..@=.9..=.S....\|"....Z.!.!..a..(.5./..]tp.r.......\|)).`.j.......M.UU`.<..K/......x...)XP. zq.H'.1A%..JCu...#.!).S.`....&.......jN..)...C...6y#...{.f. b.e.o......5....A..M....z......j..e.......)...A....b8s...>.eN.p..uw....K...A..\|..92....c.^......<.u...W...Z.....2.P....E`6b.. .._._.4..Y.......s...Q..l./0D.ib..E.

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\61d8eaaa-d1ef-4ef3-a7b3-fe99c71f4a10

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 8064960
Category:	dropped
Size (bytes):	2429015
Entropy (8bit):	7.999910064841778
Encrypted:	true
SSDEEP:	49152:wD66xgP9Jr2nsAC94p1rbeuU/u88bEM4TLIpSTsGp20vPFlkTqTxhXv:wnxE9Jr2nsB94brKFmaM4/Ip4lKqb
MD5:	40FC4AABBFED90B01F551E8573FD8718
SHA1:	96DB0976B3F55BEEE3265398D140738FF9D4DB8B
SHA-256:	08DE05D0963AFD0716E2CEFA2EB24BB4CA012CEAF4E2258FA09236453AEA1D34
SHA-512:	68E461D7E8FAF45CC4714B3AAF012A3BB54F7BB686781B3BEA82E17321D1760E18B85630387A1952CDF16DCFDC05D28808C6151770D6F6F959AF77937BCEAEAE
Malicious:	true
Preview:	]..@...{......&..p.........../D.\|......I0..y.]n.u......i...7.....B]......F2$1..../e.Y.....f~3.T(.O...?....Q.wr.(w..7...]l.(1..}.....y..Y.Q..4{.........?.xnN..AxZ....P..]X"y:.......B.....{e.Y..y....{g]Eg..)..CR.v.W]bv:....p..V.l.........>..mb....e...t^........W...}...].4"..c....Z..m.l.O.5.7..r.....:.e.5..)2.K....Rr#.v.2.O..Tk..\|.OD.}.H+.."F!.H..3.y..o-@...<.G.....Q....p.....47..<8...[......w.T9t.h.U...L..y...}.X....g.K.#.....v..Z.....<.UF.).#.~%..(.-jd.QB..V6.A...4.l.@i....C.ea..f.%T.....K6............y7..aT.%.&.'....l...+T.-`1>$I ...oB....X1,....E:...3nm.)Y.#...D.1......>.....A.0.{..o...5.Yxt.O..R$.u.<C&^.....}O.6..y7.R.$.Bl.k....'.;.F.$..=.Y...W\|9ma......X[...-9.k.D<....m.....(0s"..i..../.].@...D%le.S.\n.6.y..H.hf ..$.H.}.w.....sU....(0c.V19.u..VCS......S0S_.-...a....9..$f..XP){..^>l:G.G.T...h...a.e......\.#N.P.........&..9...d.J4..<.*.l 3.....9A.Y.p...%.&D..z.#I....f.{..[..8.5....b..r:)g>w.-...gt..`Q.....Pw.v.sq.....6...j.CS.me

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\801d32c9-f423-434d-9ea6-5b3548e0dcd9

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 4961208
Category:	dropped
Size (bytes):	1474732
Entropy (8bit):	7.9998807573071335
Encrypted:	true
SSDEEP:	24576:24tfIMbwwiCsnzBPW4xmh+cQnDIvh0rb6EQ9s/UEOA5b2c0f:jxkBtfIvurPUTc0f
MD5:	0261C917EAD57EF33534536C40AAEF4B
SHA1:	85E9FEAD9ACB4619004B4282B437C2B3009458D7
SHA-256:	828D450367EB05B67F9E25A466A387D827D8E73C4E22F2CACE22D95489DF4C92
SHA-512:	83ACCC840F33A5498216CC17D06CA22DE23F98B97A058CADBF40A9129B1A20421EE2F18C30CD565F520385D361BDBA7901A9BCAC204B504330C55974A1C4E23D
Malicious:	true
Preview:	]..@...K......&..p.........../D.\|..y..:.}.._..G...5mA..aQ..c5t ..+........w.uRl.,E.u9....r....dV...9....pN.[]..._....H...-...M;z. .!!..6&.i./D..Q.a.t.y..q...y.d.K.Jj.TP...U.i.He+.n.....u.v.D....8......:..75.r.`/B{:>%.8Z....i.^&..s...S..Y..T..T5....8..1E.$z..,C..G.].{p.0lU=.....J.....e...R........Bj.....s./.}.....1..~~.H..d!q...:.._.qHk....x.'#...? .?.;4X...:.3...'Uz.../1.c<.I;..~...3.h.......r.Z.M.j....N..]..<..WX.nQ....\|$..s...\b..D..e_Aiu.5.jg/.s.8.:...d.Z7~..p...z@E%B#..<..Y.......[LE....7...u...X?d.G..1.U..J.=.Z....9.u..).4..g2......(.!2......../7lY.=..n^.E.zU.n=oW7..}...;....n.H.~.T......}).3.R_....."&(0..h&....W.m..w.X.E<8g..?4.l.~..cv.....u.^nU.....<.x......E..^.p...nn...?D.....4.KF..RMu9".(R....p..&..I..k.q&x.'\,.N.b.h...^e!....VF]..~.....v.g...)./U..`...P.L.....U.X..@...~..>r.r.Y..#...$.x.....!.B.4...)h.PN90_.h.S.. ..K.Y.o..ts.?..Q.~....@.A..hRb.{e.......8.F...E.....M.b....P.......P.K.\|.I.....0..d.y!.....Y.....^......u,..B.

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\9738121b-21ca-4ba5-a71f-2e2877cdee90

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 390756
Category:	dropped
Size (bytes):	396250
Entropy (8bit):	7.999533685597223
Encrypted:	true
SSDEEP:	12288:sCjirXnWAOtWu2gFIOqaRO6N7w1hy41BSXZuxe2J/yu:9irXWAOtWUIGbzkUZuI2
MD5:	25CD565EE87CCC5D35397B2F515C4D20
SHA1:	69B664CE87B51307BA42420B364A6389E135FD66
SHA-256:	2CD6919B51EF9EE59565D6A0551E59CC6CDF4E65CFDAA08B48E69FC2F02967E6
SHA-512:	3366BEFDFC8CEBA6C17D7077AAD9B6C1796B56A67F731C802E22E91DCAD6E69C4E34C7C9BE526F4428E2CB9E4B64AA573811D8DF00E72301C026F52F179A1FFB
Malicious:	true
Preview:	]..@.d........~..E..8... .rZ.~0.eg6....p~...$..r7.Y........Z...-.a..I..z....4N...s==.Z.'.Q;.%=3`6.9..{P..+..g.......Pi%..M.d..._.].[a..)...R.@..B.....x~!{..4.v..4....... .-...q...N.`.......xf.N~..9..0.5.e..r.G....T.......g..; K...3..^....-......H......-.]..um..Q....v6.M....%.f..q<...[!...i......U...X.o-b..{~.].c+$..E.....Pp....5.r.oz}.,s....=.V.A.l....8...m]7..7<.C.s..W9...r$O...U.u.JM..F.%V.....N....c.E..+.2Es......../G8. ...e..+.....r....h.j....pu??!.......;......L...n\|.]..?..#>.'/HZ.,.Sa.?K.o..l...e.r...O"mb..../..z._n1.W..4:jV....I=.j........l..(.bN.K....?.......,h..#?:^....M#.b.(r....j.9<}t..2...Q..b..$..n...mj..../.,A......FR..V]:]N~?.~W.....2......8....F..t..%.......0s....xL.....U...K...$..#..P.V._.pY...A...#..-n....(x.Bx..6t8.....3w.. .4..^....>...c:M.on..lP_.....O.w.. ...G..F."h=....q.KF..+~c...;Z....W?;...,h.E'..3.2. ......I....Y..p..9......x4.-.>4zX.uS.+..(.=.u..qn..@....F0..M._*..{.-.o...B..I..bF........P.Ms...

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\bug_report.exe

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4961208
Entropy (8bit):	6.519714047453427
Encrypted:	false
SSDEEP:	49152:kMLnHQldkoh7BxR44RNA5ud8RG4I80/m6ck5eGSljF/D1wxQ55fxGLnm7MM+MxkE:uR4f5udV/m6ckLS1Z7zxkOjT0JbnG
MD5:	31E948AD14E9E68685C69B3D46D71B38
SHA1:	9136C6B0E0F266132E9E802D3E5E9F510EA608FF
SHA-256:	5445A6AF3BF675FB142D6DD3365C3D1F65967338BFDCE8596543C1BCC1A88A46
SHA-512:	B20FAE2A75B757A502C7F261571A6AE1FF1BF98FB0719ABBA8A3DE27685DFFD4E7564C06624FBE2B51D2EB7C39BE6DE76F88026276128710D7E26BE7C2D12043
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$...................Y......Y...T....?........................Q...........@.......H...................@......Y......Y............................=.....U...........Rich............PE..d...iy.f.........."....&..2....................@..............................L.......K...`.........................................@.A.....(.A.,.....L.......I..a..H.K.p)....L.(g....:.......................:.(...@.:.@.............2..............................text...<.2.......2................. ..`.rdata...G....2..H....2.............@..@.data.........A.......A.............@....pdata...a....I..b....H.............@..@_RDATA........K.......K.............@..@.rsrc.........L.......K.............@..@.reloc..(g....L..h..."K.............@..B................................................................................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\c7b0a936-4fe4-4810-a524-cc4085ddf539

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 12255680
Category:	dropped
Size (bytes):	3974468
Entropy (8bit):	7.999953089153007
Encrypted:	true
SSDEEP:	98304:0qcefz/a3QZyI4xsg67R/qMgqPALj9wD3w9Z6pjR:KXQZ5gz67RCMvIjw3DR
MD5:	747E5A35924EA17748255C07A66791D8
SHA1:	ACC83C8FF114B84D4FCAA58BAD677C88647FAF52
SHA-256:	45F465ECFD79E1960F0AE66FE90BBBBAE880CC99811C23A65E1D42E9ED61549A
SHA-512:	69CFA7313A60BAA5C6D109A0A61152B7CBAEEDE39C29840F3EE47EB01CCE3B153A72F3C0F9EE7FD2F821A66C2CBE2D44B2DBD33BF3200D66B46009431D981CD3
Malicious:	true
Preview:	].............&..p.........../D.\|......e.F<w.,...vY.Ta.....NE..1E...V..Z..m9..^../:Y!....y....eg........~f..%.Ql..\|:\.L0<Gv...r.k.8}..W..TG{.@4t.....e.j....~...zdI..)...d.Bg.....N.E.......l..S...=..gF.&?%. #...5i...fy.9....r.G...n...s.$.....AZ`..aS..8...#.3.w.(....[.P....EI..sJ2{.....,.9.=L...n.j....&p`K..?l2...z.M....o.....pc5.p.6..I....I.9..{..<.K(.u.F..Co^2....K.4n.s.Np9...I.c...hO.TR......U.H...+C..Dvr..\|..n....:...Nm{...$....V..(..&...s[<.....8.....7..9..............4....-E....v...?.L.R.Y{......sd[.6........j.a...#!.T..R.W5......... x.Nd.2....=.....U/.E.4....YuE.....uB.jND*e....}.\|..n .uC.c.2tD._.U..%BO..M+p.R...Hq.n.j..?.C.{m.R%.....+j.Z.^.vk.....F-t..YK.R.B,N2.....5......Z..25...Z...H%^......q.+.t.,.#L.c.....g..+......z{.c.t....j.S..........X...\...U...=-B.I4..B:.u"..`.op../+.w..?....dT.v..w.a.d.s.%g.h.2...>.Xi.R..n..+4.i.z.......PE..?.B:.b....~.....{ .u..h.PM .s..:.....Zpf.-.KU........8hZ..N.K...hVt.o..I.7.ad.......)..q.....

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\dump_process.exe

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3497912
Entropy (8bit):	6.525245802927742
Encrypted:	false
SSDEEP:	49152:LJFbzxEFOMW6HEjWovQYPIW2KkZnWn/+/vgrsN5hddlArtYtPt+aJM1cTyynJBqW:LDbq5iQZGHrgGJb0dxzo
MD5:	B31E22903A16D20D86A80FEBF8007AAE
SHA1:	110207BBA3F797E6DB6256AB9146475BA95C57EF
SHA-256:	BA2F161B7F85A9D2DB0A6D624B45543FE2D25F58419B588D2AF767A571FEA7BD
SHA-512:	28040932CD268FD064626B9C078F33E28D5F63806066AF342F6752A86DBC4D6A3DF26A0C4D4BE63626E9BDE5DDF9138248F5E4DCC0C588141369049C485AE39D
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........Il..Il..Il.....Bl......l.....Ul..O.s.Jl..O..[l..O..]l..O..=l..@...Kl.....Hl..Il..Nl......Jl.....Pl.....@l..Il..m..#..l..#..Hl..#.q.Hl..Il..Kl..#..Hl..RichIl..........PE..d...Cy.f.........."....&.. ....................@..............................6.....FA6...`...........................................+.......+......@4..Y....2.t...H65.p)....5..U....&.......................&.(...0v".@............0 .@...0.+.@....................text...\. ....... ................. ..`.rdata.......0 ...... .............@..@.data.........+..4....+.............@....pdata..t.....2.......1.............@..@.didat..P.... 4.......3.............@..._RDATA.......04.......3.............@..@.rsrc....Y...@4..Z....3.............@..@.reloc...U....5..V....4.............@..B........................................................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\e8088771-abc5-48f9-aa6d-457c51e9bbfd

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 3497912
Category:	dropped
Size (bytes):	1018909
Entropy (8bit):	7.999836338135886
Encrypted:	true
SSDEEP:	24576:WJnbYcKWQUPWzSrL1XD9LxJruhb9R9qQz3jya1NnOeu5md:657xbp9Lx5uBNzPNnOeimd
MD5:	FA05699443553FAA439D67A5C2B943BA
SHA1:	CC99FBA829DD91A0ED9C9644507222E763B74BBD
SHA-256:	AE21D2BA9FDB661E44CA128596606C6A9985612C589AE62A1B31129B301522F5
SHA-512:	486A8C974D49F378A07A54E7A76A810087E45AE131473441343468B25E9C72B49186ECD8FADAB2BE620160A09059F2D8FF2EDA23B0978399B0DCD71185645B7A
Malicious:	true
Preview:	]..@.._5......&..p.........../D.\|..N...mx...6.`....U....U6.2..}.a.Ys..NY..T..:D.0Ww..N...X...ax...$Z./R#.V;.u.N.4..r........jXd..f........7...u....y....Z......+.."h...v9Ah....XE:.a~..3s.....XT)^d.E.(....O$f..........UAf...:a_.f....=..K\|.<..n".IR.....0J..a..V^.E.GX...4......N.TS....Q....9!2K.2..r.n..,De..~...z6...#.<w.....R6\|.f..\.)..3.....Y...@..y.Je..5v2}6.z....\..n.$N..c..f\F....T..7:..X.bg/N..36..\..\|.\|....,.B.Q.tA).>Z..g.AB.>$j......",F...,+..%..:TW9..!..%.I......2.elN^0J....41.u....;#...._..3....K...u...8HK....>Y$.].a..\P.....N_..J..W`..6...T...T."..?.....~.}{..@..>.c.gZ..,o..A..T.^Vm.{.f1............=i.U.o.9..?.Q..._&..}..q\|.+.T."..U.M.h.8.>Y..O...2....Dat.;...=.T..........{.M.[....gp[(...#.........}.>.yR+?..V.&.Y....-.........u9~.!.{1.u......I..n6u...`^}....../..Uv#/.\..d....>..[* ..eN.7....y..45...v.....A3..J26}s$....".l......g.~.uK....F.&..:.q...z...R.c../^.^.."T._.M....az@..[`}V....`.S...g.....5[.w.4.[JY.^....W..&........@...j..

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\ef6e8662-6145-4554-a04d-055f864f0810

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 1320261
Category:	dropped
Size (bytes):	143080
Entropy (8bit):	7.998566983723096
Encrypted:	true
SSDEEP:	3072:TuTFJOFvsLTU1x5Brs1Pg88A5prYM8Pi1N8WPFspMas9qtwgDM:TuSsU1TBrm8OyPqPZ9yjM
MD5:	C9BAA9F9FBD36F20983C43436EF6B75F
SHA1:	7FF99E4912F88BEBEE227A7BE0BC20F4198F1643
SHA-256:	DF1FD59373A68967AEE77E193B0021809CCDAC21C4DC1D24D896FF4FD51A00D1
SHA-512:	828E4DAD45ECE44F49587C2DC7F5838129914472CEB15263448796A3E00D22FC4EDDE94EC80C1C9E499CA919E1A8001E8FDA27AFD246D950EEE5D394645D0E1F
Malicious:	true
Preview:	]..@.E%.............f......{3....&.7d..>$....`K...H.......4...^.a.)....0C:.6..n.f.c...j...$Px...........X.PMf$5.B....O..DN....[.d..s..s..M..:B..(.N..L.?7=~Rg.[...N!."..8......1uW.#....;u<Q..MC..Kl.#.9!U.3N..N...^....Gp..a.@....-.m..Q...c.6.....]..vK..I..(.<..s.1h.r..)y.]!J9%.../.(]X...%."....Y.,.J.......Z..T,....u1.&......n..&.!E$Dn<..;."....@..90H$Jk4..{i%.@^...q;.%.t!......Md..fJp) m.0..>3......hs...Y.4..<...Q8.$.@.n...u..N..X..ia.f..o.."....b<...^X...z.U;..[..[....A.`.W.0.X..l...v.GfM.9..y..q... $.....4E..Xd..[l.>..R...z../KjCd..9J...!.O..U.^.l..].S).zLS.[90....O."0...kX[$V!...b{...1&.@a{....\|.Bg.....d0K.KGS.....r.h.]m.9..}.>Y.Ha..Sh.\.UgmX.......Hm.!8.?..k..r)..z.M........bc0:...N9?Qf.w78.....j.C y...;...V8.8..'....HE.Ur..A.,.4.....k.:'Vm.M.J.`..V.....`.U#...\.8.G.`:......7...P."~.T....\|...n......qsm.\|..a....L......M580...............e...c1.9.8B.i<..@..~...5..&......kl@..<%8./H..R.),.\.G....0...G....NQ.~O....T.s.p...w.....KjX,

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8064960
Entropy (8bit):	6.450676060748482
Encrypted:	false
SSDEEP:	196608:6ot4R9uUCqHwCthYiX5+RNpqqVTrUGG17gL3zK:vc9uUCqHwCnYiX5+RNpqqVTrUGG5
MD5:	0CD5718F7F5F8529FE4FF773DEF52DAC
SHA1:	9BA08A6246011359F5493856AD5FC0355E0DE4F5
SHA-256:	D52114B057504439DF11368ADD0A66B037622F24E710731B1366EFE271C9DF78
SHA-512:	A2218DCD6F0A0E676C23106BD717B5EB22614B3900BEE5D47EA80E1ACC4B87859E6F6DFB63C0D3CDF3EC4F37C12407EF56C2C7964AE141B393C7E94368CA820A
Malicious:	true
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......4z/.p.A.p.A.p.A.iD..A.v...\|.A.v.E.c.A.v.B.b.A.v.D...A.iB.`.A.iE.V.A..uB.r.A..uE.x.A.yc..r.A.&nE.j.A.nE...A.nE.s.A.p.A.}.A.&nD.t.A.iG.q.A.i@.U.A.p.@...A...H.v.A...A.q.A.....q.A.p...r.A...C.q.A.Richp.A.................PE..d....y.f.........."....&.^U...%......./........@..............................\|.....r.{...`...........................................l.......l......`z.......v..W..H.z.x)...p{......:b......................=b.(.....Y.@............pU.....`.l......................text....\U......^U................. ..`.rdata..b....pU......bU.............@..@.data...@.... m.......m.............@....pdata...W....v..X....u.............@..@.didat..p....@z......Vy.............@..._RDATA.......Pz......Xy.............@..@.rsrc........`z......Zy.............@..@.reloc.......p{......\z.............@..B................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_mod.dll

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15288
Entropy (8bit):	6.953429300839112
Encrypted:	false
SSDEEP:	384:wOYgk0sW4IYiiftEdAM+o/8E9VF0NySR:izWhYiiedAMxkEk
MD5:	934C0E7759E708657C2F77EB75902AE0
SHA1:	43A6ABED472CA7D8D002E045031F900C4A67F9C7
SHA-256:	B9CA3D2E44AF8CF61696AB10DD5BBD16ADA02A32207E4CA454A4B9DE6E472F2B
SHA-512:	2C34F98A5020496D1BA7529C5A1A36D6F0938EDDDB02D75A189E83BE02DE22BBB563A586BF8C3E090B510C0F24E586447AB237BFFF09B166F49ACCA052D71E07
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................*........Rich..................PE..L...ux.f...........!...&..................... ...............................P.......P....@E........................ !..\....#..<....0..............H...p)...@..(.... ............................................... .. ............................text...U........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus_ui.exe

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12255680
Entropy (8bit):	6.582045469175903
Encrypted:	false
SSDEEP:	196608:tCyhvUYCXWmkCL/pQTumd72K75aMdrqNEg:t1hvTCL/eCO7xAOrqNEg
MD5:	CF058EAA95EAD820532B59B686023E53
SHA1:	49709CB9B40FA558E67E24357251DFE9041FC6B9
SHA-256:	66DC1DDC009EEAC0DA023172A5410A05D44324907F91FE4258420A9D17F7E859
SHA-512:	6B93B0F4C8B487CCFE6B687C47555B2124636D216CBB38CAB0F387A1C51C19392EC026C60F023B3664C03D0414D663A5935060BD223344DF3ACB7DBD6971BC6F
Malicious:	false
Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......}.u.9...9...9.......$..........?7.0...?7..-...?7..J...?7../.......v...-......-......0..;.......8...9...>...o...:.......;.......)...........9.......S7.....S7..8...S7.8...9...;...S7..8...Rich9...........PE..d....y.f.........."....&....,a......T.........@..........................................`................................................d..................p...H..x)...........>.......................A..(...`=..@...............`............................text...`......................... ..`.rdata.../%......0%................@..@.data...`n4..0......................@....pdata..p..........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\product-def.xml

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1320261
Entropy (8bit):	5.391575493962356
Encrypted:	false
SSDEEP:	6144:Pk0OrSmXIqx5qDRe9swL2SkIVPwF5SCBkB9ys2JQoYrJ3ecZwMzKg:Pk0OrSm+ReiwKSkIVPc/kB9MDYpYMzKg
MD5:	7536A42465EAF94530982F592EE00F1F
SHA1:	2C812DD88F83498F4A7FD9F1F801FB776DD2AD76
SHA-256:	2D97B73E44EDDCCBEA3BC8EDD9C1F3D2F2F242B4EE9D4792BE50A0370C31FC46
SHA-512:	E045C2AE75A203C0771566050144F8BD63FAC7098B0F24D02FE25DFAEA3C08F640552D22F66F0D36B2FB4D5CE02D5BE01694B7BA61B39DABE4843D74F6746B1C
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product name="avg-av">..<product-defs>...<config>....<install-folder name="Antivirus"/>....<program-data-folder name="Antivirus"/>....<registry-key name="Antivirus"/>....<full-name name="AVG Antivirus"/>....<languages>.....<lang>en-us</lang>.....<lang>cs-cz</lang>.....<lang>da-dk</lang>.....<lang>de-de</lang>.....<lang>es-es</lang>.....<lang>fi-fi</lang>.....<lang>fr-fr</lang>.....<lang>hu-hu</lang>.....<lang>id-id</lang>.....<lang>it-it</lang>.....<lang>ja-jp</lang>.....<lang>ko-kr</lang>.....<lang>ms-my</lang>.....<lang>nb-no</lang>.....<lang>nl-nl</lang>.....<lang>pl-pl</lang>.....<lang>pt-br</lang>.....<lang>pt-pt</lang>.....<lang>ru-ru</lang>.....<lang>sk-sk</lang>.....<lang>sr-sp</lang>.....<lang>sv-se</lang>.....<lang>tr-tr</lang>.....<lang>zh-cn</lang>.....<lang>zh-tw</lang>....</languages>...</config>...<vars>....<var name="%V_PRODUCT_PREFIX%">.....<desc lang="en-us">avg</desc>....</var>....<var name="%V_AV_SVC_MODULE%">.....<desc lang="en-us">AVGSvc.ex

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\product-info.xml

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9649
Entropy (8bit):	5.271801858833516
Encrypted:	false
SSDEEP:	192:24GzDBLvmNC0u1chcnipUzIoH7VuPNv70JbbezBIAJro3RzWtW4/shvO:2LxLmNk+YJpWs/ezSIc0WqyO
MD5:	BBE3743AEB4C47FECC4C94B9D5CF7D27
SHA1:	067C289E203FAB588AEE2AA5DD2F3791E791ADB3
SHA-256:	70C4B4989BCFF73809711CCCA4AC1BD0459C0814929398C23B6239C04C680F77
SHA-512:	72D231E4AA1D07F898470147F319DC011368DD89BC2AAEFF19F27690BB4FF408E61C3855EEAC8D9CDB5DB910144C4F7E27A8983116598C0D5D8B705C98BF05DE
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-av</name>..<version>24.7.9311.1966</version>..<build-time>1721331953</build-time>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>1a74ec107a0724fa270c9517727e69456e337659e5bd5bf1b143dca3aef69a09</sha-256>....<timestamp>1721331924</timestamp>....<size>7167424</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>d52114b057504439df11368add0a66b037622f24e710731b1366efe271c9df78</sha-256>....<timestamp>1721331925</timestamp>....<size>8064960</size>...</file>...<file>....<conditions>.....<os platform="arm64"/>....</conditions>....<name

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\setupui.cont

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	XZ compressed data, checksum CRC32
Category:	dropped
Size (bytes):	390756
Entropy (8bit):	7.999498919202024
Encrypted:	true
SSDEEP:	6144:NELOfcuJDeG36sYbO1ma4cSfxatdAsVJxCpvEgZbtWnqYTk1XJwuIhJezmJ4u6/:NELAFJD53TYbmmJDZaZVwcabtYlw1yu7
MD5:	1A91F1DB1B66709AAF1A7373860791C0
SHA1:	AAF8435A3379AEA3272172A9D1B5C4D75B111E05
SHA-256:	4C3E3FD5B5731973696377D11D8B11553B039E1FACBE1D652477178599DED37E
SHA-512:	65E4F888ABEB06F84D885B31CA830EEDBFFBEA5FE3F0E30DFBA6FB47C8CFED18AF61B726858281885FDD74B408E5F9587A267B114F9D35DDB3074ED02A7303F9
Malicious:	true
Preview:	.7zXZ...i".6..!.....F.;...2.7].0...?..Lm.K%. .6.X.....L.@#........EG.t..r.%.S.T......1<.d...X.T...%.Yb..q..U.v.....U+...7..BP.I..Teur.V}...b0....L.C..Y)....q.N.........!...c".\.....M.}.;...fb-..#.......-P.).{>(..#h_..D..0FU..R...0).[.E=Vz.......+z3M....eqZp...h!.....P....._..C..bQ..N......b=.....>^B..O...m..K.I...-...Z...X{.N.]..^.....x`...."...Dao....vA....;..Zk.....Ppn~G..H.n.t..d.(.gv..k;.0&A^b.n.C.........e..ee~....5Q.0.Z.FO.J.r..J..A<N.+E..6$..XJr^t.m..V...V'.ET;1r.B.......G...a..G.]gcG.....f.....!r..w.....3.kZ...X.&:..?...pOO]t.kb...e......b.uI>..SA..7..es2.'...........Wq......M.RX.f.@.W/...:..q..lA..mk.6e.%..y..p..R....Q.....~...p@m..O8'..$.ek ..P....@...-`.b....Q.I.y..]..:.7z.C......}}._...x..o....._.....Q.. .a......]....V..>C....Du6~...1..:....[{AH+..q..1z,...&~.y..h..}.....v*...#[..%...f....yP.........6.g.d..Ff.%V...vz65....p {U;.-....p..0vV...W.w.N..{#.....t..uK.........\)L...>4....s8...y........kah.$a..."Z.7.3-=.....3

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\ecoo.edat

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.422577995321604
Encrypted:	false
SSDEEP:	3:1HRcMK:5RU
MD5:	3F44A3C655AC2A5C3AB32849ECB95672
SHA1:	93211445DCF90BB3200ABE3902C2A10FE2BAA8E4
SHA-256:	51516A61A1E25124173DEF4EF68A6B8BABEDC28CA143F9EEE3E729EBDC1EF31F
SHA-512:	D3F95262CF3E910DD707DFEEF8D2E9DB44DB76B2A13092D238D0145C822D87A529CA58CCBB24995DFCF6DAD1FFC8CED6D50948BB550760CD03049598C6943BC0
Malicious:	false
Preview:	mmm_irs_ppi_902_451_o

C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml

Download File

Process:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1962
Entropy (8bit):	5.393154312803131
Encrypted:	false
SSDEEP:	48:cEYpUPUb4n682A+heczD/ZVBnpX1U5VR732lEksM:0q8Y6E+heaD/ZNXC5V132FsM
MD5:	D1B71EA9F6C78AA53471E3A252DF1810
SHA1:	1B1061CCABF89003C068ADC98D62C7B317AA41C8
SHA-256:	BA282D25DD8AD6BE6BB78E0933D911DDFDD52D1A451D8F0D00E5458CDE612A77
SHA-512:	1776FFEDEE2B4446BC2F24AE61386C61178667D759AB3C612AC8DB9E38CC7EE4C322ED4E75357C6544E0F4D1D1F5A892C750C9D32632C1FA9C6AAD7DAE28D504
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.<icarus-info xmlns:xs="http://www.w3.org/2001/XMLSchema-instance">..<file-mapping-sfx>...<handle>134</handle>...<size>1631120</size>..</file-mapping-sfx>..<file-list>...<file>....<alias>sfx-info.xml</alias>....<sha-256>b94383d8d890427d3339f75d396522964ae17bc4316fb03c4725543d30173498</sha-256>....<offset>1610822</offset>....<size>717</size>....<timestamp>1721892466</timestamp>....<flags>0</flags>...</file>...<file>....<alias>avg-av/edition.edat</alias>....<sha-256>e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb</sha-256>....<offset>1611616</offset>....<size>2</size>....<timestamp>1721892466</timestamp>....<flags>0</flags>...</file>...<file>....<alias>avg-av/config.def.edat</alias>....<sha-256>f3b71692fdbbcd129b14c8ceedde570d7f15154de92bafd0fbfc5914c7aa3b3d</sha-256>....<offset>1611698</offset>....<size>8283</size>....<timestamp>1721892304</timestamp>....<flags>1</flags>...</file>..</file-list>..<sfx-dir>C:\Windows\Temp\asw.8bb23e66

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\bug_report.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5015992
Entropy (8bit):	6.517030644364324
Encrypted:	false
SSDEEP:	98304:g3RtfC55vGOVqNs0r5awsay0hVqeZyQ59T:g3ffC55fwpyqVTd
MD5:	0C0F0CA2BB49DFA3743E9D4156007C70
SHA1:	042FDFBA346A89A83F0C782117038A82B29A28D1
SHA-256:	0E1865702916AE47AAFC54C6199E3A73ACB735AE888F9A8DD7BC4656268EF9EA
SHA-512:	E15F826CE67D4D5224CDCEFC3194A5A9144E152AD16136F5774D2CA29484FC11E778E2E9D114AF80AD2A99907BD4999E6EEF95C7B7DBBE6A7829D67C1B6BBC92
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$......../b..N...N...N...<...N......N.......N...:...N.......N.......N...<...N...6...N...;..tN...;...N...N...N...;...N...<...N...<...N...N...L.......O.......N......N...N...N.......N..Rich.N..........PE..d...X..f.........."....&..2..&.................@.............................PM......7M...`......................................... .B.......B.,.....L.P....`J..]..H`L.p)....L..j.. .:.......................;.(.....:.@.............3..............................text...l.2.......2................. ..`.rdata...=....3..>....2.............@..@.data...`....@B..f...&B.............@....pdata...]...`J..^....I.............@..@_RDATA........L.......K.............@..@.rsrc...P.....L.......K.............@..@.reloc...j....L..l....K.............@..B........................................................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\config.def

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	549
Entropy (8bit):	5.443032726347192
Encrypted:	false
SSDEEP:	12:2AcW1OPqygANI+xzYN/qb0a3Uk7oMQuROfzZM5KWPoGJ7Ulk:rVAJI+dsqNUk8MQuALqw4ck
MD5:	3E9C87EF79AEC6EF3AF203B32B003198
SHA1:	82D9DBECBB20FF8160439D9F7D8B87466BCDFBEF
SHA-256:	E3E8CBE0A09239F7C977BFC7D283C32E1A8DACD5FADC2F6643724E4E68CB8489
SHA-512:	88E65718A1D7B538C14822CBFE1EEA21DD8C102C9B3C0C4B6DFF719EC0F74E3C5C5B83B630F4C8506049B1E793EC2A1F4AED279BC44F904CA8355A0E1C4BFDC5
Malicious:	false
Preview:	[ui.offer.actions]..url=https://ipm.avcdn.net/..[ui.offer.welcome]..loadtimer=10000..url=https://ipm.avcdn.net/..[reporting]..disable_checkforupdates=1..report_action_ids=RID_001,RID_002..[common]..config-def-url=https://shepherd.avcdn.net/..report-url=https://analytics.avcdn.net/v4/receive/json/25..[ui]..enable_survey=1..[updating]..conceal_hours=1..fraction=100.0..updatable=1..[Signature]..Signature=ASWSig2A0839A62016BD5ADC618C81BD649502F9846A4D7C56363532F6617DE20034C5FB42DDCB5BE37254EFE49170A8C56892BA45C951678781E3138DF47450818061C8ASWSig2A

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\dump_process.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3598264
Entropy (8bit):	6.520841302015252
Encrypted:	false
SSDEEP:	49152:LYGojXSePZJcCGNfTWdHTGnVH172ZUCLfEn7OwMmmUxCLXoEOqVlp8OzvuLJ+h1M:LZo8lVb7pKUALDC+0o
MD5:	C22D80D43019235520344972EFEC9FF2
SHA1:	1A2B4B2A52D820F9233CA0201BE9EE7F6D82ADBC
SHA-256:	5841A3DF4784E008B8F2C567F15BB28CDB4CB4CA35C750F1108DFB1CCB6011F0
SHA-512:	F1CADBC3077379A6D7E36B8CF3BC830F44B5E668D4A6C0CE6B62BDE292498C4F41C6588C5EBA2599AA67524ACFD125B7F23C419AE2B4A8E4AFEA7708AAD83EDC
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........B..B..B.....N...........^..DD%.A..DD.P.....K..DD.V..DD.0..K.K.@.....C..B..E.....A.....[..B.....(D....(D.C..(D'.C..B.O.@..(D.C..RichB..........PE..d...K..f.........."....&.. ..........<.........@..............................7.....5.7...`.........................................`.,.....D.,.......5.`Y....4.H...H.6.p)... 7..Y..HH'......................J'.(...@(#.@............. .@....,.@....................text...\|. ....... ................. ..`.rdata..D..... ....... .............@..@.data...@>....,.......,.............@....pdata..H.....4......l3.............@..@.didat..P.....5.......5.............@..._RDATA........5.......5.............@..@.rsrc...`Y....5..Z....5.............@..@.reloc...Y... 7..Z...d6.............@..B........................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8064448
Entropy (8bit):	6.4559444404051325
Encrypted:	false
SSDEEP:	196608:tf9w/E1sQFkFH9NReunBZH++6/mLCWCgj:tFw/E1sQFuH9NReunBZH++6/mjdj
MD5:	97856AB19BE2842F985C899CCDE7E312
SHA1:	4B33FF3BAEBA3B61EE040B1D00EBFF0531CC21EF
SHA-256:	2569A72D3A55EA7AD690D708907245C221664C5C88CADBC19E1967135FA40514
SHA-512:	B2F57FD7C482977EBF52B49E50E57F60F1BF87BE5BBF54C0DCFB3038C0F46B89C70F10161FAB7585D01B90C4FDC00B86932444F32528FED04B514C6746BFF29F
Malicious:	true
Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.........j............................................................C......C................a........................................[......#...........................Rich...........PE..d......f.........."....&..T..@&......./........@..............................{.....%.{...`.........................................@il.....$jl......Pz.......v.\|Y..H.z.x)...`{. ... .a.......................a.(....-Y.@.............U.p....el......................text...<.T.......T................. ..`.rdata..~.....U.......T.............@..@.data.........l..d....l.............@....pdata..\|Y....v..Z....u.............@..@.didat..p....0z......Ry.............@..._RDATA.......@z......Ty.............@..@.rsrc........Pz......Vy.............@..@.reloc.. ....`{......Xz.............@..B................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1273280
Entropy (8bit):	6.566378775529578
Encrypted:	false
SSDEEP:	24576:qXV+cQ+bppQ4hBfGPfUkBuveGUfcq9vqZ9qrHis+WuaDgkIh0lhSMXl92Jj:qXzAUkBR1fcq9CZgLisuM
MD5:	2F8931C51EBBE01D0C1D87D5AD2D652F
SHA1:	A322FEC62BBFE4D8B46199BC9001B4AF74BBAF93
SHA-256:	ADD1DD3FB660DFB534317CB29E18A37E82F4E27000004EF29213914A6B6D5CFD
SHA-512:	2018CBF3179DB624DE67860370B80C46D8DBF59C9286E24C89E4EDBF348720E38080AA1C5F8C6519593960057EB7FB3FA19B490BDA5BC5FCAFED2654DBB57890
Malicious:	true
Preview:	MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$........Sx..2...2...2...@...2...@...2.....2......2......2......2...@...2..[\...2..[\...2...J...2...G..t2...G...2...2...2...G...2...@...2...@...2...2...0......Z3.......2......2...2...2.......2..Rich.2..................PE..d...0..f.........." ...&............................................................o.....`A........................................./......./..........h...........HD..x)......................................(...p...@...............P............................text...<........................... ..`.rdata..............................@..@.data........P...V...4..............@....pdata..............................@..@_RDATA...............&..............@..@.rsrc...h............(..............@..@.reloc..............................@..B................................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_product.dll.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 1273280
Category:	dropped
Size (bytes):	468897
Entropy (8bit):	7.999632353449746
Encrypted:	true
SSDEEP:	12288:5dJOxbQ71WCWYR3L1ZQqnCpPvXCqtyPdsVg9KyTYI:5debQBWCWYR3JVcvSqYsOYyTh
MD5:	45F0C85573ACCC5E6C704337A1C09467
SHA1:	C4C4C53190CA8EE86F9C1062035D0C1D8E03705C
SHA-256:	9F8B78C9063C3B7A841883540FB307BED75FEAAE1A886809F6BDD77BAA2ACE35
SHA-512:	C72895E1347F5FF194831D7F88A2DADA3998A1CBEEFF6EDD672C6F79F8D7F4773D11FD0267DB24C98B14485EE20906EA5E0BD95AD7928FA90BED0BCA0AF4D405
Malicious:	true
Preview:	]..@..m.......&..p.........../D.\|....o.e.F<w.,...vY.Ta.....NE..1E...V..Z..m9..^../:Y!....y....eg.Jp.....#)b..q1...B_...Mm.Bx..s.........5...m.^D..;..8..j.^..v....K.m.Z.;...C...G.X....I0..nFg.i.3{Y.R;&......o.........j.n.....a...x..U"Q.l...!.......=....!i..mhuvMCQg..."....T...x.2..z.......#.yh.`k.......#.\|/.u..:......80...I.+.r..q.]...m..n...}g?3SB...Vn..\|.{..luU...rB.9.[c...My.dh...d.~.D.&...kqr(+.;.^...{G.T...GG...cg.J..7#......3c..x&....wc......F..&A..{.L..Fj.....].&.R.$....G...........F..c......_:.....#..s..a.......>.Zob.if..X.....r..h.&1....%3Ww...7...@..9A.2.D.n...TP..#y.(......,.....5.;...E#[m*..v...E.<2%......&..n]V.J.Ql.....Sjl)/.z..L.L...h..N~..Zk.A....,;.. .=$....R..u......-.C.I.?.......u..Wj..'.{c.-....@0K..5!.]...j..C......r.I..b.E......B.J........P{...S'..Z.....Q...i:,....M2.D.Jt..i...(.Q.J....j....5...I.D.N0.....+..=...\.50......}.../v.]...5.....J. .6.EJ.3.\|................XbT....4%..t....?..n.N>.R:...1..PZ....{...zD.

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50976
Entropy (8bit):	6.695978421209108
Encrypted:	false
SSDEEP:	1536:6fMVFuX7Y1C7X+oAiZ8uMX07F9Kx24Zza:WMVFsSC7+K8ua0qm
MD5:	97F5D0CAAA1988C95BF38385D2CF260E
SHA1:	255099F6E976837A0C3EB43A57599789A6330E85
SHA-256:	73EE549578DED906711189EDCEF0EEDBC9DB7CCBD30CF7776BD1F7DD9E034339
SHA-512:	AD099C25868C12246ED3D4EE54CEF4DF49D5276A5696CA72EFA64869367E262A57C8FF1FB947AD2F70CAEF1D618849DBAB2EC6161C25758D9F96733A7534B18F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................r.............../......./b............../......Rich............................PE..d....>_e.........."....%.N...(...... ..........@..........................................`.................................................\u..(.......8.......P....x.. O...........l...............................................`.. ............................text...)L.......N.................. ..`.rdata.......`.......R..............@..@.data...............................@....pdata..P............l..............@..@.rsrc...8............r..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_rvrt.exe.lzma

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	LZMA compressed data, non-streamed, size 50976
Category:	dropped
Size (bytes):	26032
Entropy (8bit):	7.992977293575329
Encrypted:	true
SSDEEP:	768:dXkqelTjZK0JgHW7tbzdiH2P6AdRo7+lmAg:dEfJJZtwH2PJbuUg
MD5:	F13E71BDBBA9A80351A786C44272F737
SHA1:	DC8F9B86B56684F3A7BD7DBB16DC27B436735E97
SHA-256:	7E7DF8B8EF9226E9E916199D8721E52D8737654D6EC5A8A3B11B49CFA6633D34
SHA-512:	2D8BF0BABE54618CD81212990BA9975CEA64C5E51172DAB95004364229B0A35190F94DF2E37FC70E93DF2A24EBC2339BD0A8801411ABE1F98915E6873562E7FC
Malicious:	true
Preview:	]..@. ........&..p.........../D.\|...G'_..z.-~A..\..~kHy54......<.....=......6......! o..- 6Y../.e+.Y.1~...~y. .....}..N..H.)G'P0..K....?.."...c.\|..p.z.m!..D...P.X..@~..E.B.T....5.7o..Y[C.......1.f..]?...............W....z.V.b}.H....h0......>./...w.K..}.o..Tm....V\|.2.,f.U.......C@.]..e_.&....3....5NC.:.Tm..A3...:.q'Pj2}.m...1k.s.T....O. .....sq.&PaB...=.F.f.F]..;..'...W....{i8......Ki.u.i..2#......L.........F......~..x.W..@.J..X...'....0t.g.B....b....Z...@~<...8QZLR..2>_.X....=q...%..r....oP......B.&..wjV.........`..-..K.=.&r........Mi...q..{!..P.aF........-)D.9...r.iE..3..Q.....}.'....o.VL.3.].fW...,......R....<.P.l./.>.%3...{K>...=0..m.B.....f.=...E.^3...."n{.kw..-./-.,..D.d0..$...rq$...=...g...._n~...H.....p.I..e..U..(._.5.W..y.7.r.^......?\|h..\;$.IW....E..N..$.....>..:..."....v.`Jya.MF.\.>.N...\.....I.m.e.+.Ut....._...xo.[$.M.Q..V_..X.~.XO..'M;..(.@....X.d.{..g...0Lx.C....*......`w.o].....O5.'..Y..........y:}..w.....$.b.{....b..IJ..

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus_ui.exe

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12340672
Entropy (8bit):	6.582477512432413
Encrypted:	false
SSDEEP:	196608:lUGsaMjm/7a85bbNF2wqFO2Sb57ZSwXeBHIrqNtEF:eGVMjm/p9CwwO/b57ciwHIrqNtEF
MD5:	7EBAE16A6EA514E55F7160C3539261CC
SHA1:	AE74B3AF4926B6932AEA68A32C7C8727D53A94E7
SHA-256:	F27F92F003505DBCA839513D233198211860DE0EF487973A5CE0761D8E8EBFB9
SHA-512:	F7C7C084517785F21AE0BD82509DDC31E985EDBE9E07F275414806AFA3F696037340EA0E6091221A5D81250ADF170CA0FA4345915D000EABA6034A9DB0F61369
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$......../...N...N...N.."<...N.."<..&N.......N.......N.......N.......N.."<...N...1...N...1...N...6o..N..3;...N...N...N...;...N..k ...N..k ...N.."<...N...N..}M.......N.......N.......N...Nk..N.......N..Rich.N..........................PE..d...f..f.........."....&.^....b..... ..........@.....................................7....`........................................................................H$..x)... ..h.............................(...`..@............p..`............................text...@\.......^.................. ..`.rdata..>n%..p...p%..b..............@..@.data.....4.....Z.................@....pdata...............,..............@..@_RDATA...............J..............@..@.rsrc................L..............@..@.reloc..h.... .......P..............@..B........................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\product-def.xml

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	234048
Entropy (8bit):	5.373585448662843
Encrypted:	false
SSDEEP:	1536:OfwE6w6yLzOyLaz9IeNtF4VHHcPcz7oAisHMwIznC+B92/JCJkLIrcdKEsj/HTFG:T0NpIBO7yMHAOL/XKaA5Et07IRH5T
MD5:	DE073C40E435A5FFC9585A6D78938308
SHA1:	7C6E120D7CC5000BCD6F8D3E0B1F7043CFE6EC2E
SHA-256:	07022184E42D54CBB24724A4EB40BBBF469129808AC442BBF81D6D5D76EEE569
SHA-512:	DFFC32C7EF98B897E299C660C60EF22134C4AC7AF37CB7C8366B5E1504407AD6E039524B8C09944AAE7DAF5DB9A31971DD43DD9753AE6EA34CB7E67CE93E7FE7
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product name="avg-tu">..<product-defs>...<config>....<registry-key name="TuneUp"/>....<install-folder name="TuneUp"/>....<full-name name="AVG TuneUp"/>...</config>...<vars>....<var name="%V_PRODUCT_NAME%">.....<desc lang="en-us">AVG TuneUp</desc>....</var>....<var name="%V_PRODUCT_NAME_LONG%">.....<desc lang="en-us">AVG TuneUp</desc>....</var>....<var name="%V_SVC_DESC%">.....<desc lang="en-us">AVG TuneUp service</desc>....</var>....<var name="%V_SCHED_TASK_NAME%">.....<desc lang="en-us">AVG TuneUp Update</desc>....</var>....<var name="%V_COMPANY_FULL_NAME%">.....<desc lang="en-us">AVG Technologies</desc>....</var>....<var name="%V_UI_MODULE%">.....<desc lang="en-us">TuneupUI.exe</desc>....</var>....<var name="%V_UI_CLASS_NAME%">.....<desc lang="en-us">CleanupTrayWndClass</desc>....</var>....<var name="%V_SVC_NAME%">.....<desc lang="en-us">CleanupPSvc</desc>....</var>....<var name="%V_SVC_FILE_NAME%">.....<desc lang="en-us">TuneupSvc.exe</desc>....</var>....<var

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\product-info.xml

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6209
Entropy (8bit):	5.294016449927192
Encrypted:	false
SSDEEP:	192:Lxk6929qomNNOHUzdoHW2wjOyxTfHMIF98:LmnpmN3qOT198
MD5:	4937ABCF6CC46FF862947AD60206F048
SHA1:	61ABDC48ACCC5C9ED57A06EAFE99CC7FC30FD925
SHA-256:	80507EA06D4EDB56153E9FCE935CF6F561415F34835B83DE5D8BC1DBF42C84B7
SHA-512:	0C2744BDCD430B510A0CEC32251A5300676EB9E9B4F09735AB45CF75741B1C933747CF042013188C28901A1CEA85E6EA1CA1203C25BEAB214ECF83BE51C59E32
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-tu</name>..<version>24.1.16424.9662</version>..<build-time>1720435448</build-time>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>87604f45a91f9f3d3a1f4f3af23533fd508fe79b65aafc3686a86f4471143a10</sha-256>....<timestamp>1720435442</timestamp>....<size>7155136</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>2569a72d3a55ea7ad690d708907245c221664c5c88cadbc19e1967135fa40514</sha-256>....<timestamp>1720435443</timestamp>....<size>8064448</size>...</file>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<condi

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\setupui.cont

Download File

Process:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
File Type:	XZ compressed data, checksum CRC32
Category:	dropped
Size (bytes):	263792
Entropy (8bit):	7.999305108377485
Encrypted:	true
SSDEEP:	6144:VtxqOwIxsDmCs77JqOYsfZpjHKp7NV5q/Gk7ck0CcKufE0:VtxqNDmtffrHs36GOmh
MD5:	C95DC978812B51E1B9AA38C27FAF3B1A
SHA1:	70DEE9E4F828652F6BE927A193BE6938BC175CE4
SHA-256:	4BAFB54CD8637586DBFE316EA6E7F9F50010FF021F813128490D2A9C34A89BF0
SHA-512:	5202548902634EE28CE8FDAB32F1FB8797881E3643B74D892DA0155C3E90CBD98E837A85069C5BF1B06518E8355660486E63ABEFE41B2A484B4683F29FB1F0D0
Malicious:	true
Preview:	.7zXZ...i".6..!.......2>.5..].0...?..Lm.K%. .6.X.....L.@#....\..p.e............/._.....$b....#]..T.nn.....^y...o.t...L ....6Q$..s....E,DZY.H...Li.y.p.g<.?l..s..,Q.-.h.`.g\.K..H1..'..!....BY.m_V...lkCq..<2[.P....,..:..}.;b..0.L.L.7.p..`......W^....6.>:....X...P-...u..%.S.r..R..R.3I.a......Wt..=..1.tQ.c...."!.F....o.H.T.7O..s....c..Cvj,6.q9.JS-..U. ..PG...+..#o^.T.0...G$.`"....t..ue..F9I..d...{..M...fj..1..UQ.=V.. 4M"...:....2.8<..f..j.......,.Jk.C...'cj....#7./.kRt...?3.r.D./].$..8..........1>..Yb.=...Y.qO.CD....Z.t3.{...E.....4W...@r.I..y._z7."...o...D}.Q48.!iR..b...S.~m..$3....e.>.`.....9bf......wT...M..\,;.....Q..F.....i..{...d..eL.pc.fc.n7w....]=...GF.(..]J.(.."..D.....,.#..9........".TaE.....d...hYP.3.. ..Z.~.s.N.......7.....a.n....U.....7..S..... .A...t.m..I..%....7..~)...dqU)$W..{...D.+....Z...".4.H4.:...]p....D!....U...g........N1.0.5e.af+.9.>.j..@H..K...b&...a...n.P>.]P........,:.(3.T+:./.z..UL..qY..I...q...dLt.<.bM0.s

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\5dacf77e-50a0-4da1-8d1e-4762ff9b06ca

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 263792
Category:	dropped
Size (bytes):	267520
Entropy (8bit):	7.99926090239666
Encrypted:	true
SSDEEP:	6144:dVpX88Qk+kU85eo2qLLgKCfbKdOqukgaoTJOgc5X1N:d8HND8YXqLofYOqzgasC5b
MD5:	1FE8D97BCF483CFC8A374DC169D08FC0
SHA1:	A2A553559FF14A5510847243E97217E24E523097
SHA-256:	0AD9DC9B29E2EAE73DF8AFB1070C641E2734040464CADF3BC2EF7180ED90ABB1
SHA-512:	6D4C6B0BFCB22F7F36EE31D56BE20A663E16DD86EEB700FA3A6005AC83C19DB625AD0B34F4464BA65BE4E3772D888EEA9B8054C8457EB2F260237BC2FEEFFCE9
Malicious:	true
Preview:	]..@.p........~..E..8... .rZ.~0..i..2......I...?.I...........f....u.Bk...r....\|.M.9.OW..d...$...+2n...m...k.U.p....?Ej.............-.CI.cW..R..7{.<QY.'Q.8,....z...._$..3.=Q.......g..g.......c......8En..N....8....$p.J.EO ...(.2t8..v<..]..)W....Hx_..@....(.{q8.nN.+U...w&.<#.+^qC....x.L..u..[A6EM0(`.K.54.f..[.j.c3....3$.....]oCn!....8....#.....X..M.oc.....k...9.fQ.,[...>__...4...@.~A.iF.e.,.?.........-.....K...g(.@!A...p#...2c.a\.a..'M_.>..x.q&...>+..{:.f.~....6F...RW.v.\|.I^..........D.;.]!..0...G\|.t..W...R..J>...[j.....t..p.d=.....8..{..L.H....Yw..e.m..JX=....k..S....Jy.....K.....<...sm.-.....C.l&CbLh...52%.R.>.....&o.=l.7.4.....k,E..2..<.......U0..f...U..;..~..(.Pf.... .. ..H`[.."Vw.r\...o......k(t[....KN.~.Hr.........rq.!x p.....#U.."I...~B..d.PL...qG.%.Cj...@.(R{.....o}.. ...B...guW.x.6.<.`].W.3..,.... ..../.....d.W....8.........>....LVI#1l......34]0...d......J.eY.I.'`.tV..0.:.Z..y...4?..a..99..Dvy_S.Z.m1.V.. q.de..Q.j,.d

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\7110876e-c707-47f5-a964-c0235bc1063e

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 3598264
Category:	dropped
Size (bytes):	1027350
Entropy (8bit):	7.999812826320062
Encrypted:	true
SSDEEP:	24576:q+Rfm7p06l2+FsvFsDhpMNxdQ6vnW1GkN9ylFHS7l:qAeo+NkdQcnWvVl
MD5:	2028515833D859B77391C8B2676F6FC1
SHA1:	88ECC448B2C99C008B2B9CE557CA0274659B7403
SHA-256:	E53A0A643C082C3A1DC7B53BADA4E902F998AEAABDE838607D104866DDBC2B7B
SHA-512:	CB22D2F9E18DD273626DEDDF5AA1C7BEB9F9992D54E2B4340231D87A94EB643F4C6CC7886EACF9D04EDEA32B032C45ADF07ECD802778396534E8AD312E4B2FBC
Malicious:	true
Preview:	]..@...6......&..p.........../D.\|..N...mx...6.`....U....U6.2..}.a.Ys..NY..T..:D.0Ww..N...X...ap.l~.0^l...5.r.[1M...j......^E....z.Uc.....?f"ZW.+.y.A`.q.hu....`.1...M"@6=I..mraS...3...O...yNKJ.*......=..N..f...FM....)...7I.....V+.L.R7:$..........F...1. ....}...f....N.....k.G.FG..-.w]..`...X..S,..FHa..r.......d........$..<.+..k.......C.H$h&..s.C$L.KT."...,.......6...../.....8.y+.T..k..!....F..AU.pj......D.@.RQv.......p......x....!.bS....S... f.XU......@...W.{....@..W.L._...X:..w......;....... .n7.....~....AC. .......Nd..~......F.'...tr.......c@.?.g..,...6....vh..6..u.sYU..2...U:.DX...4.8...o...m.1....(....p..I....^...aN..........$.c/...w.L.$..gu(.= \L......hh,.....6m.HQ^.....Y3eb... .........-c-.f........gQN...E.2.C.]mE.. .......D.0:.O.S..fW.>T...hh'F=..@..m..@.RFsv.L.{[qY.J5.~...A.(.$.:H.5....D.VWK...Itm.....A.........C...[..8.C.....l....\|..A{......:GD.^x5.....Y2.Mj........(..!._.B..vDmT\u{.q]...X.'...I..Tm..1.lmH..A.B@...iy..].S..[..8..

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\bug_report.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5015992
Entropy (8bit):	6.517030644364324
Encrypted:	false
SSDEEP:	98304:g3RtfC55vGOVqNs0r5awsay0hVqeZyQ59T:g3ffC55fwpyqVTd
MD5:	0C0F0CA2BB49DFA3743E9D4156007C70
SHA1:	042FDFBA346A89A83F0C782117038A82B29A28D1
SHA-256:	0E1865702916AE47AAFC54C6199E3A73ACB735AE888F9A8DD7BC4656268EF9EA
SHA-512:	E15F826CE67D4D5224CDCEFC3194A5A9144E152AD16136F5774D2CA29484FC11E778E2E9D114AF80AD2A99907BD4999E6EEF95C7B7DBBE6A7829D67C1B6BBC92
Malicious:	false
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$......../b..N...N...N...<...N......N.......N...:...N.......N.......N...<...N...6...N...;..tN...;...N...N...N...;...N...<...N...<...N...N...L.......O.......N......N...N...N.......N..Rich.N..........PE..d...X..f.........."....&..2..&.................@.............................PM......7M...`......................................... .B.......B.,.....L.P....`J..]..H`L.p)....L..j.. .:.......................;.(.....:.@.............3..............................text...l.2.......2................. ..`.rdata...=....3..>....2.............@..@.data...`....@B..f...&B.............@....pdata...]...`J..^....I.............@..@_RDATA........L.......K.............@..@.rsrc...P.....L.......K.............@..@.reloc...j....L..l....K.............@..B........................................................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\c071278f-9a17-4f4c-96ee-d32ed61047ee

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 234048
Category:	dropped
Size (bytes):	41075
Entropy (8bit):	7.995940325841756
Encrypted:	true
SSDEEP:	768:jEAnslrkuKXPFgXfX7bLJtzbhj0bL1iNyDlP59VemtGpo7t7jw+i1s6bEVJY5NaM:jEBfKXPWfXVYMNyjemtGpoB7jw+i1s6z
MD5:	ED60E64B87A01D47AC70C7F14FABABA7
SHA1:	858841814B303479DFDE2CDB7195F13B5831F193
SHA-256:	0E841CCF60A66D42AF81294986A9DEC02DEB5BDAE103DA0BCC23D848B54FF4B5
SHA-512:	CDBA56CEBE5DF88364376C927873BB70E713FF44842BB267A83E3FFDA8C220196F4D72C75E0EB88F94F5C4C00A52791F668DC79E21E33520052BD581A569EA32
Malicious:	true
Preview:	]..@.@..............f......{3....&.7d..>$....`K...H....0V........>0.\....#....O...[.l...O..j.y.....E..5..........m......2.P9S@a..D4.?.ro<Z=c.6..S..S.-.)u.R..&....$.E....,....N\|.=...n.......v.r...MQ...u..@..E...w.h\.t.........W2.\|..w..{..{.C..3.>q.!.8...K....I..).m.W...4.5....5.W.... .-..5O!....qf.._.....c./.\....Xc..'7sO..v.AU.......{...i...2.vf._aW.Sq.5d...h....9..sK.c2.....;6.0s...t.@c.\^.....Y..@.g..?......`.{GQJ.P0.@z.FY...#v..9...~3L!\..r....wZ.e..V....z..\|.P..j..$../..p)..~..#......:.H&.\..c+b......cGc..3.7..OP..MoU]..i...I.Z).m.l.e.lJ`5@...X..L&.."T..j'.X"k=.s@.R..=D.i..p...Y..Kd..p/..hB.d..7Q....P...........!i.9.<...(E{.Kd...p.9......fM<D._.O#?........VAs.7..g........O.@.94..:.E.h...7..JA7..F.A@U)....P A..W..y.9....jU&.P..\|L.t/7.@.L...:.....0.......v..Be.y.2....i..h..)....S.B.Q.p8\+."..Ih.{......{.:m..>..k3..J...:Iv...%.X....l..y.N`b......0...U.U...q.... [4..\.>......bSG........2.....`..R...M.b.@.D..D`..I.*O\|r.Q...ro.t..@o^.."..m..X..

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\d09e1dba-8496-4c81-9749-124976617f15

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 5015992
Category:	dropped
Size (bytes):	1465464
Entropy (8bit):	7.999871255742867
Encrypted:	true
SSDEEP:	24576:M0jDloNMAEP+Wb0jE5fa9nLuC/w3W/eLk/XrH86iOT05MoRArcFld5MGD:pydcKjE5funLzYm/eLgbYA4AwFldiGD
MD5:	C6323B8FEDFD3EE0ABBE9317E9B27AA3
SHA1:	06FA504223B00F361C779587FF023C39BC804928
SHA-256:	DF43EFDEE7CFB84F65F57FC232CEF8F078C29BF2687B851CC60234EC3830BF4D
SHA-512:	4A9FBA83556C47A362F6123B046382D0A8B35BFECEF155B12F66B972C7B185F54AE4A92813F57CECA14FB8814F7008563FB304F77042155942FFBD7AF0889EB7
Malicious:	true
Preview:	]..@...L......&..p.........../D.\|..b..6>..p.}#......G...)p{` ..i=`...k.<....G..7.p..C..K.N............O.B.......^.9.J.y.yk...?..t.p.RO.q=.Bj.,t..h..'.].LkB..R..>...s6..<.....;..8".....:dD..xq....?.+$7.K..4..~."...s......-g.T...kH...{.N..s.!n....[G..zZ.s.... ...C..._..9.../.bI.:...U.c:.Y.....=+.p.O\|.i...U[..y.(m.hA{.8.B..mK.KZrn.....:.w.).yf.XWCSu...h. ...W...u..Te.iO .N...ce....6~$...n..b..`.Fy{...z...;.....?..)d"U..`..,w..~.......~f..0.....SD.!..........t..a...H...p.....U.....9...2.5g.U~....%..n...&s......m..M....V&.2E.~...-..mj%.ZBV.A...k'..5..9..s./...._HW_.-..t....{...l ..{7.....Xp....F.2d!.@..T.&..$.s1M.3..r.$$...e..8.....n.....ST..`H6Kv.u..j.$.....X[6C..8...r.......d ..Au.h.../2...yd.0.[G#v....X7...%...5...;8\|d..r....-.FG.....T$lg..n..wE......C....r%..n..L..m...U..v.7..z.3..R..A&..,.in..'..:]1.,.8..n......4.0..&.u..BT..8...fx.=..C..;.3..H.......W".v{.........R........L......r...L...T\.^i....}q.....Xp..........;.....N.~q-...5

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\d41e33d9-e901-404c-9720-50ce3e8b93b7

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 8064448
Category:	dropped
Size (bytes):	2411647
Entropy (8bit):	7.999928137986042
Encrypted:	true
SSDEEP:	49152:5m636qV+XZQ2A8UV80Z85j+ShERGasx7i4lmBLsfXbwUG+6:5t3r+fA8U6u8N+ShcsxinBLmKx
MD5:	B1DA394894B0EBFA0AE7401846E7045B
SHA1:	D58003BD8C90AD238DC75BB7107DBE42528B45B0
SHA-256:	8E3029BB9D4E329D3B4D2FBED8B5B3C4056EB979A5855BB793157DFA3DDA89F5
SHA-512:	E9C08942C7ED43BAFCE93AFEA5095538F4439D6FB2B1D18186471741D2B1CB7F6A651AAD5C0CC391DDEEE43C7CF539AE351AD46CC3CFC5E0E699E965B91DB50D
Malicious:	true
Preview:	]..@...{......&..p.........../D.\|......e.F<w.,...vY.Ta.....NE..1E...V..Z..m9..^../:Y!....y....eg...&.m.42.........(a6.U.T..Rk![.....a...k~.j...zP0l..CJ....h.1.CR.y.\|.<..Y\|....V.......R.6....{....'......Vd...<...:>......1e.....r...5H..f<s...<'.....y..o.^./..}.jfa.....yH.......s.J...p..._....e.b.F.d.m...t.p..6. "@.3.. .{.5...^Z......k...e.... :.!......j[.&..2..+.../PV.....},..M....p....:}.P.p..>..3.\|..g....K..}....^Q..[.C..UyW.VeJ#s.y.P...o...}.<W..kQ..?..s.L...Y5\-0...MP......&G.U.$.'....$s..!R...\......[...M..W....e.{..N..hFW...<LD.+.N.d..&Y.._#.6..cq..8\|ho.X..;.7.+q....!G.+..^%..2Kt.r.Qp...z...{..e.k.lm..v.e.m.,J.............~..L.\|G.q^..!.>J........O.U..n.)..~..<..WmcT.{.....-,......)..>Ys.n!....S.._..#":...p._.<..W...M........>.<_w.t..uX.8M:.n.<'..=..N.....a..-.....?.W.9?{.....r...../..,g;...p....l.#...Xw..`m.)......XT0....@[7.r-.q..j.R.G.sm..:j.9...u.j...#?o....%.Z.Y.yV.>..9....c..GL../K...!+.......p......t.Th./..._..i..Q....v..^.

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dc8799ee-a375-4c12-9fb7-0f0f1e0242ca

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	LZMA compressed data, non-streamed, size 12340672
Category:	dropped
Size (bytes):	3978605
Entropy (8bit):	7.999958554812208
Encrypted:	true
SSDEEP:	98304:3TveI4XLWM2oQATtYyY32ppFNtMrg74uqEyWNvP1UEsYwWWR15kye7/q:TenwuYyLLtMrg74rEDNnmEsYfC15mjq
MD5:	89F56339424B8B2A0D97B25D91EA9D1F
SHA1:	B82EE250605FB5256DD09BD4893CE1676893E1FC
SHA-256:	5E3DB7030A6280A83EAE3F3746DC0B7D7AAC7382BEFCF94F0F50F0B96320D3E5
SHA-512:	C1F516A25445AAA1A49AACA526653F5E8B10A68CB9C108608BEED132EA4253C5EF9DD422968C5BCB06848EB1F473278D3FCD6ED6892EAD5621E8754573B9C563
Malicious:	true
Preview:	].....M.......&..p.........../D.\|......I0..y.]n.u......i...7.....B]......F2$1..../e.Y.....f.';.@3.t..(h#!.7,.....V[wG.&.k.~.@..u.B..'..A>M.kZ..C...NP......2...SnP......=xJ.8.sG.8TK.:#(....y.A)>yZ..h..+`j....!...ae.R.s#E.d.{.Q&..~....Y:....a..Pbu+.uZ..4Y[XG.m.`.k......'.5.%...4....../...X.1e.2....\|....&w.9.f.V......a7...D....n6...........4.. .a..z.yw..@...e-J$.s.^.h.C....+.QIB.#.B...,...........{...k.5`d.\r&..t..su._c1_}N.i.N....x..F.c<..=.._.YMQ.Z.4....L..8.......]...Ne.....@w.[..i1l..v.. ....d8.$:..>....6&V~E...b.M..Cl...D...LX."g...P/......BO6.....9..v.j.5....F;...Z..$...Y.K@........!.G~#.U[F..>.O...?.d.f.8.>d....y.....Us./..P$R.p.....z`.M....u5...4..t..5\-..+.h).....gm.}/S76#..c...y.C.7..S..j..h..l.....c_{...O-.....A.1..Q.,.c.v_...L.l(.....h%.T......x.a.G..P..{+...#.YG%...s.wd9...["....5.v...L.l_.....On..5vq^..0rAD^...%./..0...^........zs..{}.z.4.,.)*.3..}mC.....<...g3..S17....~?....Z+`..U,v....]..t.y.oeQ...jA.S.-...?.\|c......q....s)/!.y.

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\dump_process.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3598264
Entropy (8bit):	6.520841302015252
Encrypted:	false
SSDEEP:	49152:LYGojXSePZJcCGNfTWdHTGnVH172ZUCLfEn7OwMmmUxCLXoEOqVlp8OzvuLJ+h1M:LZo8lVb7pKUALDC+0o
MD5:	C22D80D43019235520344972EFEC9FF2
SHA1:	1A2B4B2A52D820F9233CA0201BE9EE7F6D82ADBC
SHA-256:	5841A3DF4784E008B8F2C567F15BB28CDB4CB4CA35C750F1108DFB1CCB6011F0
SHA-512:	F1CADBC3077379A6D7E36B8CF3BC830F44B5E668D4A6C0CE6B62BDE292498C4F41C6588C5EBA2599AA67524ACFD125B7F23C419AE2B4A8E4AFEA7708AAD83EDC
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$...........B..B..B.....N...........^..DD%.A..DD.P.....K..DD.V..DD.0..K.K.@.....C..B..E.....A.....[..B.....(D....(D.C..(D'.C..B.O.@..(D.C..RichB..........PE..d...K..f.........."....&.. ..........<.........@..............................7.....5.7...`.........................................`.,.....D.,.......5.`Y....4.H...H.6.p)... 7..Y..HH'......................J'.(...@(#.@............. .@....,.@....................text...\|. ....... ................. ..`.rdata..D..... ....... .............@..@.data...@>....,.......,.............@....pdata..H.....4......l3.............@..@.didat..P.....5.......5.............@..._RDATA........5.......5.............@..@.rsrc...`Y....5..Z....5.............@..@.reloc...Y... 7..Z...d6.............@..B........................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8064448
Entropy (8bit):	6.4559444404051325
Encrypted:	false
SSDEEP:	196608:tf9w/E1sQFkFH9NReunBZH++6/mLCWCgj:tFw/E1sQFuH9NReunBZH++6/mjdj
MD5:	97856AB19BE2842F985C899CCDE7E312
SHA1:	4B33FF3BAEBA3B61EE040B1D00EBFF0531CC21EF
SHA-256:	2569A72D3A55EA7AD690D708907245C221664C5C88CADBC19E1967135FA40514
SHA-512:	B2F57FD7C482977EBF52B49E50E57F60F1BF87BE5BBF54C0DCFB3038C0F46B89C70F10161FAB7585D01B90C4FDC00B86932444F32528FED04B514C6746BFF29F
Malicious:	true
Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.........j............................................................C......C................a........................................[......#...........................Rich...........PE..d......f.........."....&..T..@&......./........@..............................{.....%.{...`.........................................@il.....$jl......Pz.......v.\|Y..H.z.x)...`{. ... .a.......................a.(....-Y.@.............U.p....el......................text...<.T.......T................. ..`.rdata..~.....U.......T.............@..@.data.........l..d....l.............@....pdata..\|Y....v..Z....u.............@..@.didat..p....0z......Ry.............@..._RDATA.......@z......Ty.............@..@.rsrc........Pz......Vy.............@..@.reloc.. ....`{......Xz.............@..B................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus_ui.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12340672
Entropy (8bit):	6.582477512432413
Encrypted:	false
SSDEEP:	196608:lUGsaMjm/7a85bbNF2wqFO2Sb57ZSwXeBHIrqNtEF:eGVMjm/p9CwwO/b57ciwHIrqNtEF
MD5:	7EBAE16A6EA514E55F7160C3539261CC
SHA1:	AE74B3AF4926B6932AEA68A32C7C8727D53A94E7
SHA-256:	F27F92F003505DBCA839513D233198211860DE0EF487973A5CE0761D8E8EBFB9
SHA-512:	F7C7C084517785F21AE0BD82509DDC31E985EDBE9E07F275414806AFA3F696037340EA0E6091221A5D81250ADF170CA0FA4345915D000EABA6034A9DB0F61369
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$......../...N...N...N.."<...N.."<..&N.......N.......N.......N.......N.."<...N...1...N...1...N...6o..N..3;...N...N...N...;...N..k ...N..k ...N.."<...N...N..}M.......N.......N.......N...Nk..N.......N..Rich.N..........................PE..d...f..f.........."....&.^....b..... ..........@.....................................7....`........................................................................H$..x)... ..h.............................(...`..@............p..`............................text...@\.......^.................. ..`.rdata..>n%..p...p%..b..............@..@.data.....4.....Z.................@....pdata...............,..............@..@_RDATA...............J..............@..@.rsrc................L..............@..@.reloc..h.... .......P..............@..B........................................................................................................

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\product-def.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	234048
Entropy (8bit):	5.373585448662843
Encrypted:	false
SSDEEP:	1536:OfwE6w6yLzOyLaz9IeNtF4VHHcPcz7oAisHMwIznC+B92/JCJkLIrcdKEsj/HTFG:T0NpIBO7yMHAOL/XKaA5Et07IRH5T
MD5:	DE073C40E435A5FFC9585A6D78938308
SHA1:	7C6E120D7CC5000BCD6F8D3E0B1F7043CFE6EC2E
SHA-256:	07022184E42D54CBB24724A4EB40BBBF469129808AC442BBF81D6D5D76EEE569
SHA-512:	DFFC32C7EF98B897E299C660C60EF22134C4AC7AF37CB7C8366B5E1504407AD6E039524B8C09944AAE7DAF5DB9A31971DD43DD9753AE6EA34CB7E67CE93E7FE7
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product name="avg-tu">..<product-defs>...<config>....<registry-key name="TuneUp"/>....<install-folder name="TuneUp"/>....<full-name name="AVG TuneUp"/>...</config>...<vars>....<var name="%V_PRODUCT_NAME%">.....<desc lang="en-us">AVG TuneUp</desc>....</var>....<var name="%V_PRODUCT_NAME_LONG%">.....<desc lang="en-us">AVG TuneUp</desc>....</var>....<var name="%V_SVC_DESC%">.....<desc lang="en-us">AVG TuneUp service</desc>....</var>....<var name="%V_SCHED_TASK_NAME%">.....<desc lang="en-us">AVG TuneUp Update</desc>....</var>....<var name="%V_COMPANY_FULL_NAME%">.....<desc lang="en-us">AVG Technologies</desc>....</var>....<var name="%V_UI_MODULE%">.....<desc lang="en-us">TuneupUI.exe</desc>....</var>....<var name="%V_UI_CLASS_NAME%">.....<desc lang="en-us">CleanupTrayWndClass</desc>....</var>....<var name="%V_SVC_NAME%">.....<desc lang="en-us">CleanupPSvc</desc>....</var>....<var name="%V_SVC_FILE_NAME%">.....<desc lang="en-us">TuneupSvc.exe</desc>....</var>....<var

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\product-info.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6209
Entropy (8bit):	5.294016449927192
Encrypted:	false
SSDEEP:	192:Lxk6929qomNNOHUzdoHW2wjOyxTfHMIF98:LmnpmN3qOT198
MD5:	4937ABCF6CC46FF862947AD60206F048
SHA1:	61ABDC48ACCC5C9ED57A06EAFE99CC7FC30FD925
SHA-256:	80507EA06D4EDB56153E9FCE935CF6F561415F34835B83DE5D8BC1DBF42C84B7
SHA-512:	0C2744BDCD430B510A0CEC32251A5300676EB9E9B4F09735AB45CF75741B1C933747CF042013188C28901A1CEA85E6EA1CA1203C25BEAB214ECF83BE51C59E32
Malicious:	false
Preview:	<?xml version="1.0" ?>.<product-info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="product-info.xsd">..<name>avg-tu</name>..<version>24.1.16424.9662</version>..<build-time>1720435448</build-time>..<setup-files>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<name>icarus.exe</name>....<src-id>69c9de9f0cc9cc846d44e8b9a42de17d93f4cde9ffcf7a10d1dff69c4cef0c1f</src-id>....<sha-256>87604f45a91f9f3d3a1f4f3af23533fd508fe79b65aafc3686a86f4471143a10</sha-256>....<timestamp>1720435442</timestamp>....<size>7155136</size>...</file>...<file>....<conditions>.....<os platform="x64"/>....</conditions>....<name>icarus.exe</name>....<src-id>cfab5808bd7503ee1aff23b54d5a98a557524fa453762afa10b90e4b7ca6af95</src-id>....<sha-256>2569a72d3a55ea7ad690d708907245c221664c5c88cadbc19e1967135fa40514</sha-256>....<timestamp>1720435443</timestamp>....<size>8064448</size>...</file>...<file>....<conditions>.....<os platform="x86"/>....</conditions>....<condi

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\setupui.cont

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	XZ compressed data, checksum CRC32
Category:	dropped
Size (bytes):	263792
Entropy (8bit):	7.999305108377485
Encrypted:	true
SSDEEP:	6144:VtxqOwIxsDmCs77JqOYsfZpjHKp7NV5q/Gk7ck0CcKufE0:VtxqNDmtffrHs36GOmh
MD5:	C95DC978812B51E1B9AA38C27FAF3B1A
SHA1:	70DEE9E4F828652F6BE927A193BE6938BC175CE4
SHA-256:	4BAFB54CD8637586DBFE316EA6E7F9F50010FF021F813128490D2A9C34A89BF0
SHA-512:	5202548902634EE28CE8FDAB32F1FB8797881E3643B74D892DA0155C3E90CBD98E837A85069C5BF1B06518E8355660486E63ABEFE41B2A484B4683F29FB1F0D0
Malicious:	true
Preview:	.7zXZ...i".6..!.......2>.5..].0...?..Lm.K%. .6.X.....L.@#....\..p.e............/._.....$b....#]..T.nn.....^y...o.t...L ....6Q$..s....E,DZY.H...Li.y.p.g<.?l..s..,Q.-.h.`.g\.K..H1..'..!....BY.m_V...lkCq..<2[.P....,..:..}.;b..0.L.L.7.p..`......W^....6.>:....X...P-...u..%.S.r..R..R.3I.a......Wt..=..1.tQ.c...."!.F....o.H.T.7O..s....c..Cvj,6.q9.JS-..U. ..PG...+..#o^.T.0...G$.`"....t..ue..F9I..d...{..M...fj..1..UQ.=V.. 4M"...:....2.8<..f..j.......,.Jk.C...'cj....#7./.kRt...?3.r.D./].$..8..........1>..Yb.=...Y.qO.CD....Z.t3.{...E.....4W...@r.I..y._z7."...o...D}.Q48.!iR..b...S.~m..$3....e.>.`.....9bf......wT...M..\,;.....Q..F.....i..{...d..eL.pc.fc.n7w....]=...GF.(..]J.(.."..D.....,.#..9........".TaE.....d...hYP.3.. ..Z.~.s.N.......7.....a.n....U.....7..S..... .A...t.m..I..%....7..~)...dqU)$W..{...D.+....Z...".4.H4.:...]p....D!....U...g........N1.0.5e.af+.9.>.j..@H..K...b&...a...n.P>.]P........,:.(3.T+:./.z..UL..qY..I...q...dLt.<.bM0.s

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\ecoo.edat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.041625614369223
Encrypted:	false
SSDEEP:	3:1HRR8:5Ru
MD5:	516E207480AC0CE0E1C241BF9ADB2D24
SHA1:	07C5E5BEBA9D585C10732E07ACEEA91FF070DB96
SHA-256:	9750765E3A22606EE034000B829FB1CAF6DBE306D7D4D4071094586BB2CACDEE
SHA-512:	4E599851F58AFAE4F0E1F7CC30D4DE94EA4870CEBF08A2B733C1DCA1A61025AE6F491A14BF58B24B2E9E5993D01190672CB914D4B34501275C5E21FDE5E3E38F
Malicious:	false
Preview:	mmm_irs_ppi_907_959_m

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1634
Entropy (8bit):	5.254781724970267
Encrypted:	false
SSDEEP:	24:2dP8A8kWeEgUSMDWB7I1Le/+kDWe7IEe/2cDWe7VGphwg2UUMhRB2IkoMXTDjt6m:cE9g2rkSWphVzUnHHjX/uaw0cM
MD5:	5F538A9F8F27D648825C79D05A1CB3E3
SHA1:	B30B56FB9F8A947DD37CA0159DFB50CCFF28FA29
SHA-256:	193E9DEF92DC34C21D79EB8FB1D3947AF97B7119D0C4A0C5C8D3B8EE8EA4261C
SHA-512:	0A10471F1789BA1EBE35B1F81AFFEEEA975AAC2755CDCDCA6152ED881896C12586B46FFC82846E9C51E39ED4688D8631D37BF0708C8CA8DA511CB636E3165E43
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.<icarus-info xmlns:xs="http://www.w3.org/2001/XMLSchema-instance">..<file-list>...<file>....<alias>sfx-info.xml</alias>....<sha-256>5666de8de7baab35f5674d3e2d33d09415d46a24da0b1a59a9900eb0cfe4644d</sha-256>....<offset>1570886</offset>....<size>657</size>....<timestamp>1717505907</timestamp>....<flags>0</flags>...</file>...<file>....<alias>trid.edat</alias>....<sha-256>9750765e3a22606ee034000b829fb1caf6dbe306d7d4d4071094586bb2cacdee</sha-256>....<offset>1571610</offset>....<size>21</size>....<timestamp>1717506965</timestamp>....<flags>0</flags>...</file>...<file>....<alias>ecoo.edat</alias>....<sha-256>9750765e3a22606ee034000b829fb1caf6dbe306d7d4d4071094586bb2cacdee</sha-256>....<offset>1571698</offset>....<size>21</size>....<timestamp>1717506965</timestamp>....<flags>0</flags>...</file>..</file-list>..<file-mapping-sfx>...<handle>118</handle>...<size>1582416</size>..</file-mapping-sfx>..<sfx-dir>C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2

C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\trid.edat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.041625614369223
Encrypted:	false
SSDEEP:	3:1HRR8:5Ru
MD5:	516E207480AC0CE0E1C241BF9ADB2D24
SHA1:	07C5E5BEBA9D585C10732E07ACEEA91FF070DB96
SHA-256:	9750765E3A22606EE034000B829FB1CAF6DBE306D7D4D4071094586BB2CACDEE
SHA-512:	4E599851F58AFAE4F0E1F7CC30D4DE94EA4870CEBF08A2B733C1DCA1A61025AE6F491A14BF58B24B2E9E5993D01190672CB914D4B34501275C5E21FDE5E3E38F
Malicious:	false
Preview:	mmm_irs_ppi_907_959_m

C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1631120
Entropy (8bit):	6.771142734865859
Encrypted:	false
SSDEEP:	49152:QN2OR9WF/G/ooooEYOKOhBVWKoJhymxwSe4v:i2FF/GYhBVWKoi3
MD5:	678507E1459F47A4D77AACE80D42D52D
SHA1:	80703904FFC940857EC8A10ACA910B4EB26C6965
SHA-256:	0DBC254FB42CCB7EAB3122EC98798233D83327B2D19E2A45706CB79101A843E1
SHA-512:	087D046DC4FB5E2BFB74BB16FA56E7D16C7F5AAD19E4F14992DC167590F270D2D1B8DA7E44172765999964A387488E0F64A813671E759D5A8BD958ED167FBE93
Malicious:	true
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......i.V]-O8.-O8.-O8..=;."O8..==..O8.+.../O8.+.<.9O8.+.;.7O8.+.=.DO8..=<.4O8..!<.(O8.$7../O8.{:=.,O8.-O8.+O8..=?.,O8..=9.8O8.-O9..N8.G.1..O8.G.8.,O8.G...,O8.-O...O8.G.:.,O8.Rich-O8.........................PE..L....y.f...............&.`...........Q.......p....@.......................................@...........................................@r...............+... ..H...(%.......................%......x\|..@............p...............................text...._.......`.................. ..`.rdata..`A...p...B...d..............@..@.data...............................@....didat..T............N..............@....rsrc...@r.......t...P..............@..@.reloc..H.... ......................@..B........................................................................................................................................................................................

C:\Windows\Temp\asw.8bb23e66c52bd2be\ecoo.edat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.422577995321604
Encrypted:	false
SSDEEP:	3:1HRcMK:5RU
MD5:	3F44A3C655AC2A5C3AB32849ECB95672
SHA1:	93211445DCF90BB3200ABE3902C2A10FE2BAA8E4
SHA-256:	51516A61A1E25124173DEF4EF68A6B8BABEDC28CA143F9EEE3E729EBDC1EF31F
SHA-512:	D3F95262CF3E910DD707DFEEF8D2E9DB44DB76B2A13092D238D0145C822D87A529CA58CCBB24995DFCF6DAD1FFC8CED6D50948BB550760CD03049598C6943BC0
Malicious:	false
Preview:	mmm_irs_ppi_902_451_o

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.984934454510564
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
File size:	14'472'880 bytes
MD5:	f3f16a12cdaf4e3fe51bece5dff8970f
SHA1:	e4bb36e12d8f566617f940c32764870e052a89b7
SHA256:	f1787b9553ce260b889cbb40b456d62f2cfa01b10f7e512a3528790c65640669
SHA512:	5b5837ee05f3a16c645613c5e0462b6d81d6e1dc183156b790e42cd8348fa6b391bdc84de43131cba4c568aba2be308d6e3020c829df0f11d44fd923f8cd827f
SSDEEP:	393216:MBBTeN30LpEiSCC9XSpIFwah3RuINhkU9he:ktwkLps9Xhrhhuahk7
TLSH:	33E6333FB2A8A13FD5AE0B3109B39350593B76A5795A8C1E07F0481DDF6A0611F3B726
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/24/2024 8:00:00 PM 3/25/2025 7:59:59 PM
Subject Chain	CN=MECHA MANGA - FZCO, O=MECHA MANGA - FZCO, S=Dubai, C=AE
Version:	3
Thumbprint MD5:	1A2E39E8F90F5FF6D22AD9098F5518F1
Thumbprint SHA-1:	1F3CCE31883C9EF47711A1EE96294E479CE69CFB
Thumbprint SHA-256:	42B420F3B7BB52249C84BFDABF29C9D4B5978803163B451821B2501ACB042115
Serial:	3B1955CFEAA2C9C392292E00287D4A6C

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F3B916664B5h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F3B91708BDFh
call 00007F3B91708732h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F3B9167BF28h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F3B916610A7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F3B9167CF8Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F3B91708C67h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F3B9170F24Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F3B9167D884h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x47a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdcab00	0x2bb0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	ad6e46e3a3acdb533eb6a077f6d065af	False	0.3448639341051532	data	6.356058204328091	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	d40fc822339d01f2abcc5493ac101c94	False	0.544921875	data	5.972750055221053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	4c195d5591f6d61265df08a3733de3a2	False	0.36097935267857145	data	5.044400562007734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	a73d686f1e8b9bb06ec767721135e397	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	41b8ce23dd243d14beebc71771885c89	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	37c1a5c63717831863e018c0f51dabb7	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x47a0	0x4800	f0dece41c4e95e30e198078e830291b8	False	0.3183051215277778	data	4.520575122969339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc74f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0xc77e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5912162162162162
RT_ICON	0xc7908	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_ICON	0xc81b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0xc8718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5912162162162162
RT_STRING	0xc8840	0x360	data			0.34375
RT_STRING	0xc8ba0	0x260	data			0.3256578947368421
RT_STRING	0xc8e00	0x45c	data			0.4068100358422939
RT_STRING	0xc925c	0x40c	data			0.3754826254826255
RT_STRING	0xc9668	0x2d4	data			0.39226519337016574
RT_STRING	0xc993c	0xb8	data			0.6467391304347826
RT_STRING	0xc99f4	0x9c	data			0.6410256410256411
RT_STRING	0xc9a90	0x374	data			0.4230769230769231
RT_STRING	0xc9e04	0x398	data			0.3358695652173913
RT_STRING	0xca19c	0x368	data			0.3795871559633027
RT_STRING	0xca504	0x2a4	data			0.4275147928994083
RT_RCDATA	0xca7a8	0x10	data			1.5
RT_RCDATA	0xca7b8	0x2c4	data			0.6384180790960452
RT_RCDATA	0xcaa7c	0x2c	data			1.25
RT_GROUP_ICON	0xcaaa8	0x4c	data	English	United States	0.75
RT_VERSION	0xcaaf4	0x584	data	English	United States	0.28257790368271957
RT_MANIFEST	0xcb078	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-29T00:54:09.852207+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49246	80	192.168.2.22	146.185.153.16
2024-07-29T00:52:47.496764+0200	TCP	2053280	ET ADWARE_PUP Win32/OfferCore Checkin M1	49168	443	192.168.2.22	65.9.23.130
2024-07-29T00:52:51.895802+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49171	443	192.168.2.22	65.9.23.130
2024-07-29T00:54:41.673697+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49342	443	192.168.2.22	65.9.23.107
2024-07-29T00:52:50.640668+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49170	443	192.168.2.22	65.9.23.108
2024-07-29T00:54:08.635419+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49246	80	192.168.2.22	146.185.153.16
2024-07-29T00:53:01.237664+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49178	443	192.168.2.22	65.9.23.130
2024-07-29T00:54:33.429128+0200	TCP	2100648	GPL SHELLCODE x86 NOOP	443	49313	184.30.25.22	192.168.2.22
2024-07-29T00:55:28.857930+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49480	80	192.168.2.22	146.185.153.16
2024-07-29T00:53:35.072943+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49194	443	192.168.2.22	65.9.23.130
2024-07-29T00:53:05.628798+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49181	443	192.168.2.22	65.9.23.107
2024-07-29T00:52:59.901883+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49177	443	192.168.2.22	65.9.23.107
2024-07-29T00:52:58.574487+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49176	443	192.168.2.22	65.9.23.130
2024-07-29T00:52:57.086537+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49174	443	192.168.2.22	65.9.23.107
2024-07-29T00:55:27.692235+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49480	80	192.168.2.22	146.185.153.16
2024-07-29T00:55:30.043553+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49480	80	192.168.2.22	146.185.153.16
2024-07-29T00:53:02.783274+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49179	443	192.168.2.22	65.9.23.130
2024-07-29T00:52:49.169369+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49169	443	192.168.2.22	65.9.23.107
2024-07-29T00:52:55.465931+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49173	443	192.168.2.22	65.9.23.141
2024-07-29T00:53:31.647052+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49190	443	192.168.2.22	65.9.23.107
2024-07-29T00:53:29.697413+0200	TCP	2053283	ET ADWARE_PUP Win32/OfferCore Checkin M2	49186	443	192.168.2.22	65.9.23.108

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 29, 2024 00:52:46.028489113 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.028579950 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:46.028655052 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.030725956 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.030755043 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:46.839673996 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:46.839761019 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.845026016 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.845072031 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:46.845398903 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:46.907690048 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.907728910 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:46.907938957 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496620893 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496651888 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496659994 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496682882 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496692896 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496718884 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:47.496747017 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.496761084 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:47.496897936 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:47.496997118 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.497051954 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.497087002 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:47.497143030 CEST	49168	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:47.497154951 CEST	443	49168	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:47.663404942 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:47.663434029 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:47.663501024 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:47.663830996 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:47.663849115 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:48.531835079 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:48.531985998 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:48.535906076 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:48.535923958 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:48.536278009 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:48.543226004 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:48.543226004 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:48.543246984 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:49.169429064 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:49.169517040 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:49.169684887 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:49.169727087 CEST	49169	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:49.169742107 CEST	443	49169	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:49.243437052 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:49.243469954 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:49.243544102 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:49.243918896 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:49.243932962 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.009737968 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.009808064 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.014698982 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.014709949 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.015003920 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.017421007 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.017445087 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.017452955 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.640666008 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.640820980 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.640933990 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.641859055 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.641875982 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.641906023 CEST	49170	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:52:50.641910076 CEST	443	49170	65.9.23.108	192.168.2.22
Jul 29, 2024 00:52:50.685524940 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:50.685600996 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:50.685668945 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:50.686187029 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:50.686204910 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.466063023 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.466309071 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.470247030 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.470277071 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.470573902 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.472876072 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.472914934 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.472930908 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.895853043 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.895932913 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.896168947 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.896265984 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.896307945 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:51.896343946 CEST	49171	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:51.896358967 CEST	443	49171	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:52.718148947 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:52.718173981 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:52.718235970 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:52.719196081 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:52.719209909 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.527503014 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.527635098 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.535464048 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.535470009 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.535768032 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.548502922 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.592518091 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.848398924 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.860646009 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.860771894 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.860778093 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.860809088 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.860959053 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.943466902 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.943617105 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.943658113 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.943670034 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.943682909 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.964001894 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.964142084 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.964212894 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.964226961 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.964260101 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.966398001 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.966470003 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.966480017 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.966581106 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.966631889 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.966661930 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.966679096 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:53.966695070 CEST	49172	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:53.966701031 CEST	443	49172	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.022514105 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.022572041 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.022660971 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.023137093 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.023169994 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.818422079 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.818510056 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.822752953 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.822782993 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.823348999 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:54.826483965 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.826543093 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:54.826555014 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.465995073 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.466119051 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.466195107 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:55.466314077 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:55.466357946 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.466391087 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:55.466391087 CEST	49173	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:52:55.466413021 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.466439962 CEST	443	49173	65.9.23.141	192.168.2.22
Jul 29, 2024 00:52:55.557271004 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:55.557297945 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:55.557351112 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:55.557701111 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:55.557715893 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:56.356219053 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:56.356362104 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:56.360758066 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:56.360805035 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:56.361325026 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:56.363502026 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:56.363550901 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:56.363568068 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.086688995 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.086913109 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.086998940 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:57.087105989 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:57.087105989 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:57.087105989 CEST	49174	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:57.087155104 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.087187052 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.087205887 CEST	443	49174	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:57.139677048 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.139739037 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:57.139800072 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.140279055 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.140295982 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:57.938591957 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:57.938720942 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.942850113 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.942877054 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:57.943353891 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:57.960695028 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.960695982 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:57.960802078 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:58.574680090 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:58.574886084 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:58.574963093 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:58.575265884 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:58.575279951 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:58.575320959 CEST	49176	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:52:58.575325966 CEST	443	49176	65.9.23.130	192.168.2.22
Jul 29, 2024 00:52:58.629987955 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:58.630018950 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:58.630083084 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:58.630723000 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:58.630743027 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.474442005 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.474576950 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.480297089 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.480312109 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.480915070 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.484450102 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.484487057 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.484496117 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.901949883 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.902045012 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.902115107 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.902350903 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.902376890 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.902412891 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.902420044 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:52:59.902432919 CEST	49177	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:52:59.902436972 CEST	443	49177	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:00.020549059 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.020587921 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:00.020648003 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.021050930 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.021059036 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:00.811305046 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:00.811388016 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.815256119 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.815267086 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:00.816308022 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:00.818618059 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.818640947 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:00.818646908 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.237732887 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.237844944 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.237898111 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.238042116 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.238075018 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.238086939 CEST	49178	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.238091946 CEST	443	49178	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.351500034 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.351586103 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:01.351653099 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.351984978 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:01.352020025 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.153275013 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.153390884 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.156769037 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.156790018 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.157275915 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.159449100 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.159487009 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.159504890 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.783382893 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.783618927 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.783669949 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.783699989 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.783720016 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.783731937 CEST	49179	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:02.783740044 CEST	443	49179	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:02.832003117 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:02.832056999 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:02.832125902 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:02.832539082 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:02.832572937 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.609262943 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.609534979 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:03.613548994 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:03.613580942 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.613894939 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.616168976 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:03.656541109 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.968846083 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.981869936 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.981962919 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:03.981997967 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.982021093 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.982089996 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:03.982100010 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:03.982117891 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.060365915 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.060472965 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.060513973 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.060543060 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.060574055 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.060776949 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.060826063 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.060836077 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.060961962 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.061013937 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.061110973 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.061127901 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.061145067 CEST	49180	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:04.061151981 CEST	443	49180	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:04.107470989 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.107494116 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:04.107579947 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.107989073 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.108002901 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:04.945240021 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:04.945488930 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.949096918 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.949105024 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:04.949651957 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:04.952357054 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.952357054 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:04.952373028 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:05.628844976 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:05.628947020 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:05.629066944 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:05.629200935 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:05.629218102 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:05.629232883 CEST	49181	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:05.629237890 CEST	443	49181	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:05.668639898 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:05.668739080 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:05.668827057 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:05.669177055 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:05.669214010 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.450609922 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.450822115 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.455030918 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.455051899 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.455600977 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.457808971 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.500505924 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.787523031 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.787668943 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.787746906 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.787811041 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.787859917 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.787915945 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.787930965 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.867491007 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.867552042 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.867656946 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.867656946 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.867695093 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.891155005 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.891357899 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.891386032 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.891572952 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.891925097 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.891974926 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:06.892035007 CEST	49182	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:06.892050982 CEST	443	49182	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:18.461704969 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:18.461762905 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:18.461853027 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:18.462315083 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:18.462352037 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.246162891 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.246500015 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.249994040 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.250010967 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.250410080 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.252429008 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.296505928 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.565073967 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.577320099 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.577379942 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.577476025 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.577554941 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.577598095 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.577598095 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.658457041 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.658525944 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.658545017 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.658581018 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.658611059 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.680764914 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.680830002 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.680905104 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.680906057 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.680931091 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.745839119 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.745888948 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.745981932 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.746001959 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.746057034 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.746090889 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.746090889 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.748379946 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.748436928 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.748452902 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.748469114 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.748529911 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.751710892 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.751769066 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.751796007 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.751828909 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.751852036 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.797750950 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.797877073 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.797899961 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.797929049 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.797996044 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.798005104 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.837915897 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.838002920 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.838041067 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.838054895 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.838093996 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.838287115 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.838349104 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.838411093 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.838428974 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.838444948 CEST	49183	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:19.838453054 CEST	443	49183	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:19.940273046 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:19.940319061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:19.940382957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:19.940988064 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:19.941000938 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.726849079 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.727014065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:20.731010914 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:20.731024027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.731558084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.733771086 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:20.776506901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.950123072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.962907076 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.962966919 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.963136911 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:20.963166952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:20.963216066 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:20.963216066 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.043800116 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.043864965 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.044059992 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.044094086 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.044133902 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.067486048 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.067569017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.067712069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.067712069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.067744017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.131614923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.131670952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.131722927 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.131724119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.131724119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.131767988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.133327007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.133389950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.133398056 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.133404016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.133443117 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.137224913 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.137279034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.137300968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.137309074 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.137334108 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.157577991 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.157634974 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.157769918 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.157769918 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.157804012 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.221945047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222023964 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222182989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.222213030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222259998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.222721100 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222769022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222788095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.222795963 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222807884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222832918 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.222862005 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.223668098 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.223721027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.223727942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.223735094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.223778963 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.224940062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.224993944 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.225006104 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.225011110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.225044012 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.236154079 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.236203909 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.236227036 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.236232042 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.236244917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.236253977 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.236291885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.236298084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.249346018 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.249403000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.249422073 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.249429941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.249443054 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.259829044 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.259871006 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.259900093 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.259911060 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.259922028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.280098915 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.280143976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.280286074 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.280314922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312330961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312371969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312521935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.312521935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.312549114 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312918901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312966108 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.312987089 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.312994957 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.313009024 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.313040972 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.313316107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.313359976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.313380957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.313386917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.313400030 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.316857100 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.316901922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.316920996 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.316929102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.316951990 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.321821928 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.321866989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.321885109 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.321892977 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.321916103 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.334932089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.334983110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.335020065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.335031033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.335042000 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.347280979 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.347327948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.347343922 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.347352982 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.347379923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.358186007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.358238935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.358272076 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.358284950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.358294964 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.403004885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403050900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403152943 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.403175116 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403207064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403222084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.403254032 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.403703928 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403747082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403769970 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.403776884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.403790951 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.404021025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.404067039 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.404081106 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.404088020 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.404129028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.406105995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.406150103 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.406178951 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.406188965 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.406202078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.412561893 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.412596941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.412648916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.412648916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.412650108 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.412666082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.412709951 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.425528049 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.425570965 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.425616980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.425626993 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.425636053 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.438069105 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.438118935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.438146114 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.438155890 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.438169003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.451811075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.451858997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.451991081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.452019930 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.452058077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.493659019 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.493701935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.493891954 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.493921041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.493959904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.494302988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494342089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494371891 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.494383097 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494393110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.494884014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494925976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494946003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.494954109 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.494991064 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.495690107 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.496965885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.497009039 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.497035980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.497042894 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.497059107 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.503200054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.503235102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.503264904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.503273010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.503284931 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.503288984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.503331900 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.503340006 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.516045094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.516087055 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.516279936 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.516279936 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.516288996 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.529007912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.529062033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.529190063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.529190063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.529207945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.542449951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.542498112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.542524099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.542531967 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.542542934 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.584491014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.584534883 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.584590912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.584830046 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.584898949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585077047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585119963 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585158110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.585158110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.585180998 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585211039 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.585530043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585577011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585593939 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.585601091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.585642099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.587306023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.587348938 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.587382078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.587388039 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.587397099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.588769913 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.588825941 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.588833094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.593919992 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.593962908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.593982935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.593991041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.594003916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.606865883 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.606908083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.606935024 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.606944084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.607099056 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.619364023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.619416952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.619436979 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.619445086 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.619604111 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.633166075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.633207083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.633424997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.633434057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.674752951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.674801111 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.674930096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.674930096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.674942017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.675559044 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.675601959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.675616026 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.675622940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.675656080 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.675712109 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.676014900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.676062107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.676074028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.676079988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.676110029 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.678457022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.678503036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.678525925 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.678531885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.678559065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.685174942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.685210943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.685239077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.685249090 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.685260057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.685261011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.685301065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.685308933 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.698172092 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.698220015 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.698261976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.698271036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.698419094 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.705326080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.705395937 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.705404997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.715460062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.715501070 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.715627909 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.715627909 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.715637922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765311956 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765352964 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765492916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.765492916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.765522003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765597105 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765650988 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.765650988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765696049 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.765711069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.765769005 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.766206026 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766247988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766271114 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.766278028 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766293049 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.766571045 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766613007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766629934 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.766637087 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.766649008 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.766676903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.768779993 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.768825054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.768846989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.768853903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.768868923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.775893927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.775929928 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.775954962 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.775962114 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.775970936 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.775975943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.776021957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.776031017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.788901091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.788942099 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.789002895 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.789002895 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.789038897 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.800726891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.800771952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.800931931 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.800931931 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.800966024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.814738035 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.814809084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.814960957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.814960957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.814995050 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.856851101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.856897116 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.856956959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.857038021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.857038975 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.857073069 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.857124090 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.857563019 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.857625961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.857626915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.857637882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.857666969 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.858123064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.858163118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.858177900 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.858187914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.858206987 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.859153986 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.860827923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.860883951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.860898972 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.860907078 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.860944033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.872189999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.872234106 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.872437000 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.872437000 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.872471094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.886715889 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.886759043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.886778116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.886787891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.886806965 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.896716118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.896786928 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.896794081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.896806955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.896856070 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.946604013 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.946649075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.946724892 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.946754932 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.946794033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947174072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947221041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947369099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947369099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947437048 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947489977 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947675943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947720051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947741985 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947761059 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.947792053 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.947832108 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.948286057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.948329926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.948365927 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.948385000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.948414087 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.951853991 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.951900959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.951976061 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.951976061 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.951993942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.963027000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.963068008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.963116884 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.963139057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.963162899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.977550983 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.977596998 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.977627993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.977655888 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.977680922 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.977704048 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.987432957 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.987477064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.987512112 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.987513065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:21.987534046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:21.987565994 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.037508011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.037556887 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.037707090 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.037707090 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.037781954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.037940025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.037977934 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.038039923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.038039923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.038064003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.038618088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.038659096 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.038682938 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.038707972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.038736105 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.039316893 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.039356947 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.039381027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.039396048 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.039427996 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.042129040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.042175055 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.042188883 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.042202950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.042253017 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.053796053 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.053839922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.053853989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.053869963 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.053898096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.067934036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.067981005 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.067987919 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.068008900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.068037033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.068037033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.078104973 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.078149080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.078185081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.078203917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.078227997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.078252077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.144452095 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.144514084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.144575119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.144576073 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.144645929 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.144925117 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.144978046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.144984961 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.145003080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145040035 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.145665884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145709991 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145733118 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.145756960 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145781040 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.145802975 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145854950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145872116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.145885944 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.145920992 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.147133112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.147173882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.147201061 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.147214890 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.147242069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.147361040 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.153350115 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.153390884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.153445005 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.153445005 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.153460026 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.154088974 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.162610054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.162653923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.162702084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.162703037 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.162719011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.168504000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.168555021 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.168581963 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.168598890 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.168628931 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.168859005 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.234947920 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235004902 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235033989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.235061884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235088110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.235582113 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235622883 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235641956 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.235661030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.235692024 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.236120939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.236156940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.236177921 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.236197948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.236227036 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.236907005 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.236947060 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.236958027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.236970901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.237008095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.237695932 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.237736940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.237751007 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.237763882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.237792969 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.241106987 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.244030952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.244072914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.244107962 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.244131088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.244153976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.252677917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.254908085 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.254978895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.254985094 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.255002975 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.255031109 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.259416103 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.259485006 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.259507895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.259522915 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.259577036 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.326553106 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.326637030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.326642990 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.326657057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.326690912 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.327461004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.327528954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.327531099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.327565908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.327589035 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.328044891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328099012 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.328119040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328139067 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328178883 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.328768015 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328824043 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.328840017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328865051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.328917980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.328932047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.329677105 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.329730034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.329745054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.329763889 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.329813004 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.329827070 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.329952002 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.335272074 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.335340977 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.335352898 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.335365057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.335395098 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.344465017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.344547033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.344660997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.344726086 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.350341082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.350405931 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.350419044 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.350440979 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.350482941 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.416410923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.416471958 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.416640997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.416708946 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.416758060 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.417546034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.417593956 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.417618036 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.417642117 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.417666912 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.418040037 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418086052 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418107033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.418121099 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418150902 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.418678999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418720007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418745995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.418766022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.418792009 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.419760942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.419802904 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.419825077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.419843912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.419868946 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.425899982 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.425944090 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.425970078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.425983906 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.426016092 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.435352087 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.435424089 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.435440063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.435465097 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.435520887 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.435534954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.440474033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.440542936 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.440557003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.440584898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.440634966 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.440649033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.506833076 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.506882906 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.507049084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.507123947 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.507169962 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.507874966 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.507919073 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.507942915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.507962942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.507987976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.508012056 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.508038998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.508563995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.508608103 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.508640051 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.508658886 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.508690119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.509125948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.509172916 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.509187937 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.509203911 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.509232998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.510031939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.510077000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.510097027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.510112047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.510142088 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.516612053 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.516658068 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.516685009 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.516704082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.516731024 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.525760889 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.525804043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.525830030 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.525849104 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.525873899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.531006098 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.531052113 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.531073093 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.531085968 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.531117916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.597567081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.597624063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.597860098 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.597860098 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.597930908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.598531008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.598572969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.598618984 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.598618984 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.598649025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.598718882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.598856926 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.599400043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599440098 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599483967 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.599509954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599536896 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.599879980 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599925041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599951029 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.599970102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.599997997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.599997997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.600600004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.600640059 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.600670099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.600691080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.600717068 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.601764917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.607223034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.607268095 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.607314110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.607332945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.607362032 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.616492987 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.616539955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.616569042 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.616589069 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.616619110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.616619110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.621974945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.622016907 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.622061014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.622061014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.622078896 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.688440084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.688500881 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.688647985 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.688647985 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.688718081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689297915 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689342976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689502954 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.689523935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689874887 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689922094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.689940929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.689956903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.690001011 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.690100908 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.690942049 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.690992117 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.691021919 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.691042900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.691071033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.691375971 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.691421986 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.691443920 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.691467047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.691494942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.691494942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.698086023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.698131084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.698157072 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.698179960 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.698209047 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.698209047 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.707978010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.708019972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.708086014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.708086014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.708103895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.712687016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.712730885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.712760925 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.712780952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.712805986 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.712806940 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.719630003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.779041052 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.779090881 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.779290915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.779359102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780062914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780112028 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780143976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.780174017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780205011 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.780791998 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780833960 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780864954 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.780888081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.780915976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.781230927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.781282902 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.781305075 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.781318903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.781347990 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.782023907 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.782068014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.782099962 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.782119036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.782144070 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.788402081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.788450003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.788517952 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.788553953 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.788609028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.798728943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.798780918 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.798803091 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.798823118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.798846960 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.803364992 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.803411961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.803427935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.803436995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.803473949 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.869693041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.869745970 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.869776964 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.869800091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.869826078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.870590925 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.870639086 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.870657921 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.870671988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.870701075 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.871282101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871325016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871354103 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.871368885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871397018 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.871678114 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871726990 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871745110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.871757030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.871787071 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.872703075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.872745991 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.872771978 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.872792959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.872818947 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.879051924 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.879101038 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.879123926 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.879147053 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.879172087 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.889385939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.889434099 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.889465094 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.889484882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.889509916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.894002914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.894057035 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.894077063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.894090891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.894119978 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.960408926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.960455894 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.960714102 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.960782051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961149931 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961199045 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961227894 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.961253881 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961277008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961299896 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.961325884 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.961812973 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961860895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961884975 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.961905956 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.961935997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.962410927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.962455034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.962482929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.962503910 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.962532997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.962532997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.963419914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.963459015 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.963495016 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.963515043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.963540077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.965101004 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.969916105 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.969964027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.970012903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.970031023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.970057964 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.980164051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.980232000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.980237961 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.980258942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.980469942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.984682083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.984740973 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:22.984793901 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.984795094 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:22.984833002 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051239014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051295996 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051460981 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.051461935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.051532030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051872969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051914930 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051935911 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.051954985 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.051985025 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.052531958 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.052577972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.052601099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.052617073 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.052651882 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.053072929 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.053112984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.053145885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.053168058 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.053194046 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.054167986 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.054213047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.054250956 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.054270983 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.054296017 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.059741020 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.060344934 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.060391903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.060416937 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.060435057 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.060462952 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.060990095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.070610046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.070657015 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.070828915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.070830107 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.070895910 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.075262070 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.075309038 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.075345039 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.075371981 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.075402975 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.141916037 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.141969919 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.142005920 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.142079115 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.142118931 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.142627001 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.142674923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.142716885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.142736912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.142762899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.143143892 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143188953 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143213034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.143229008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143256903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.143871069 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143918037 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143942118 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.143965006 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.143990993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.144022942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.144742012 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.144783020 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.144818068 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.144835949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.144861937 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.151132107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.151184082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.151205063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.151226997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.151254892 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.161365032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.161421061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.161442995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.161458969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.161484957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.165848017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.165898085 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.165944099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.165963888 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.165987968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.232659101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.232717991 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.232774019 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.232774019 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.232841969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.233340025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.233386040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.233416080 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.233452082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.233508110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.233534098 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.233561039 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.234138966 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234189034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234210968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.234225988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234256983 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.234675884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234723091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234751940 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.234771967 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.234797955 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.235382080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.235423088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.235470057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.235470057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.235487938 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.241652966 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.241698027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.241728067 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.241745949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.241772890 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.252067089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.252111912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.252137899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.252156019 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.252181053 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.256303072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.256347895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.256380081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.256400108 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.256424904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.323255062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.323302031 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.323455095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.323455095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.323529005 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.323930979 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.323977947 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324009895 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.324021101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324050903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324083090 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.324100971 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.324542999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324589014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324626923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.324645996 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.324675083 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.325043917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.325088024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.325124025 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.325139999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.325170994 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.325902939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.325942039 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.325969934 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.325984955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.326014996 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.326050997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.326883078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.330307007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.330398083 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.338236094 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.338284016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.338355064 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.338367939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.338448048 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.346569061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.346616030 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.346657038 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.346671104 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.346700907 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.381491899 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.381537914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.381690979 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.381690979 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.381762981 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.414374113 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.414426088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.414479017 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.414479971 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.414550066 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.414966106 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415005922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415040970 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.415066004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415096998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.415684938 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415730953 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415755033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.415776014 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.415805101 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.415805101 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.416456938 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.416505098 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.416527987 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.416547060 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.416575909 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.416575909 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.420947075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.420989990 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.421135902 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.421154022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.428797960 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.428839922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.428901911 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.428901911 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.428919077 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.437395096 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.437442064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.437472105 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.437490940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.437516928 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.472536087 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.472582102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.472867012 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.472933054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505021095 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505074024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505265951 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.505265951 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.505337000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505667925 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505711079 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505752087 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.505779028 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.505809069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.506241083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506288052 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506318092 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.506340027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506365061 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.506743908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506793022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506820917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.506841898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.506866932 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.511497974 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.511549950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.511571884 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.511590958 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.511617899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.519660950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.519706011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.519743919 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.519762993 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.519788027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.528022051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.528073072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.528100014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.528117895 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.528142929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.563322067 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.563369989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.563615084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.563647032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.595980883 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596035004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596206903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.596206903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.596277952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596497059 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596539974 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596548080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596580029 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.596606970 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.596636057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.597134113 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597181082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597203016 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.597225904 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597253084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.597254038 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.597634077 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597673893 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597702980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.597723007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.597747087 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.602356911 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.602406025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.602452993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.602479935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.602507114 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.610337019 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.610382080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.610419035 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.610436916 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.610462904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.618798018 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.618858099 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.618906021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.618920088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.618948936 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.655184984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.655229092 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.655420065 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.655421019 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.655489922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.686635017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.686687946 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.686754942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.686774015 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.686808109 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.687273026 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687315941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687349081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.687364101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687391043 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.687661886 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687716007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687736034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.687752962 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.687781096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.688215017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.688258886 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.688287020 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.688308001 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.688333988 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.693151951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.693208933 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.693240881 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.693253994 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.693285942 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.703331947 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.703377962 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.703430891 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.703460932 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.703495979 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.712455988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.712512016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.712670088 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.712671041 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.712702036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.748971939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.749022961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.749171972 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.749172926 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.749243975 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.778630018 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.778682947 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.778759003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.778759003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.778827906 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.779282093 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.779325008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.779356003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.779373884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.779407024 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.780154943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.780199051 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.780231953 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.780249119 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.780281067 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.780926943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.780966997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.780997992 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.781018972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.781044006 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.785177946 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.785223007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.785248995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.785268068 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.785296917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.785329103 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.793996096 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.794049978 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.794086933 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.794107914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.794133902 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.807847023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.807895899 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.807959080 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.807975054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.808006048 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.839757919 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.839803934 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.839888096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.839914083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.839945078 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869266033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869321108 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869452000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869657993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869657993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869657993 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869735003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869774103 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869801044 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869837999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.869884968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869884968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869884968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869884968 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869920969 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.869972944 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.875827074 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.875875950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.875922918 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.875943899 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.875972033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.884680033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.884735107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.884826899 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.884841919 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.884893894 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.897917032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.897958040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.898149014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.898149014 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.898165941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.930933952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.930983067 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.931025028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.931096077 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.931138039 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.960434914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.960498095 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.960654974 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.960654974 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.960726976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.961198092 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.961241961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.961268902 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.961287975 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.961322069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.961981058 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962019920 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962059021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.962080956 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962106943 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.962672949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962718010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962752104 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.962769032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.962786913 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.966737986 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.966778994 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.966814995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.966834068 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.966861010 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.975492001 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.975536108 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.975613117 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.975626945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.975678921 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.988982916 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.989021063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.989114046 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:23.989123106 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:23.989173889 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.021749020 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.021790028 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.021997929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.022032022 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050257921 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050303936 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050486088 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.050518036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050904989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050946951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.050981045 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.050992966 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051011086 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.051670074 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051707029 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051742077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.051750898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051769018 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.051779032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051822901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051834106 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.051842928 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.051873922 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.055860043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.055919886 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.055934906 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.055960894 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.055994034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.065259933 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.065304995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.065387011 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.065397024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.065546036 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.078322887 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.078362942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.078412056 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.078423023 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.078438997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.110888004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.110929012 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.111067057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.111100912 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.111156940 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.140741110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.140779972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.140882969 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.140914917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.141346931 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.141416073 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.141427040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.141469955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.141503096 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.142003059 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142043114 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142076015 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.142086029 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142097950 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142116070 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.142146111 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.142152071 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142627001 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142668962 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142700911 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.142710924 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.142724991 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.147102118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.147141933 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.147185087 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.147193909 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.147228003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.149785042 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.149857044 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.149867058 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.168862104 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.168901920 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.168998957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.169009924 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.169039965 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.169504881 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.169543028 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.169559956 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.169570923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.169601917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.169631958 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.231211901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231252909 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231445074 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.231457949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231587887 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231621981 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231645107 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.231656075 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231671095 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.231710911 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231755018 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.231765032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.231945038 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.232470036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.232518911 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.232541084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.232548952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.232572079 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.232580900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.232635021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.232645988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.232657909 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.233201027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.233242989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.233263016 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.233272076 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.233285904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.233304977 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.237808943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.237847090 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.237874985 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.237883091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.237895012 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.240614891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.240675926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.240678072 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.240705013 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.240736961 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.259470940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.259522915 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.259625912 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.259639978 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.259778976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.260154009 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.260194063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.260209084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.260219097 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.260250092 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.260330915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.321696997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.321749926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.321890116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.321923018 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.321974039 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.322386980 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.322428942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.322462082 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.322474003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.322489977 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.323077917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323120117 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323144913 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.323164940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323180914 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.323519945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323556900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323585033 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.323596954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.323612928 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.324322939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.324364901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.324393034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.324405909 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.324424982 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.331358910 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.331408024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.331470013 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.331496954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.331526041 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.350205898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350253105 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350301027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.350326061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350344896 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.350661993 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350702047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350732088 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.350744963 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.350766897 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.412283897 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412338972 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412487030 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.412487030 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.412523985 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412826061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412864923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412892103 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.412904024 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.412919998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.413408041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.413449049 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.413470984 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.413479090 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.413495064 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.413542032 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.413935900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.413975954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.413999081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.414007902 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.414026976 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.414936066 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.414979935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.415003061 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.415010929 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.415045977 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.415898085 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.421906948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.421947002 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.422005892 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.422015905 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.422033072 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.423516989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.440768957 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.440818071 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.440962076 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.440962076 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.440995932 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.441412926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.441459894 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.441471100 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.441481113 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.441549063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.444658995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.503158092 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503207922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503245115 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.503274918 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503292084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.503705025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503751040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503766060 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.503774881 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.503818989 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.504175901 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.504214048 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.504240990 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.504251003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.504276991 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.505014896 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505058050 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505083084 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.505109072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505121946 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.505151987 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.505734921 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505775928 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505809069 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.505831003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.505846977 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.512662888 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.512705088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.512743950 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.512758017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.512788057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.531563044 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.531599045 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.531661034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.531661034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.531673908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.532212019 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.532253027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.532275915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.532285929 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.532310009 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.593966007 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594019890 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594110012 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.594125986 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594175100 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.594511986 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594558954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594594002 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.594603062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.594618082 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.595004082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595043898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595092058 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.595101118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595133066 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.595565081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595613003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595623016 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.595630884 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.595674038 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.595912933 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.596435070 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.596477032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.596523046 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.596549034 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.596560001 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.603095055 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.603140116 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.603281021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.603291988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622097969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622148037 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622190952 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.622206926 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622229099 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.622498989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622545958 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622559071 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.622569084 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.622617006 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.628557920 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.684602976 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.684668064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.684847116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.684883118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.684927940 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.685038090 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.685086966 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.685098886 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.685108900 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.685142040 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.686043978 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686084032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686105967 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.686115026 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686131001 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.686142921 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.686161995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686206102 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686216116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.686223984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.686264992 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.687128067 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.687170029 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.687186956 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.687195063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.687231064 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.687750101 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.693747997 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.693785906 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.693839073 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.693845987 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.693860054 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.712641954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.712688923 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.712831974 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.712831974 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.712867975 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.713138103 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.713180065 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.713197947 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.713208914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.713241100 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.715460062 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.775517941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.775589943 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.775607109 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.775626898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.775646925 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.776092052 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776137114 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776144028 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.776153088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776190042 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.776710033 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776750088 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776768923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.776781082 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.776799917 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.777012110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777055025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777061939 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.777070999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777107954 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.777893066 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777932882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777946949 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.777956009 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.777995110 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.784434080 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.784476995 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.784501076 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.784511089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.784527063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.803462982 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.803503990 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.803570986 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.803594112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.803607941 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.804107904 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.804153919 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.804162025 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.804169893 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.804204941 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.866354942 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.866400957 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.866497040 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.866497040 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.866520882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867057085 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867100954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867125034 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.867139101 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867153883 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.867153883 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.867573977 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867619038 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867623091 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.867634058 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.867672920 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.868505955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.868550062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.868561029 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.868578911 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.868616104 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.868957043 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.869004965 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.869014025 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.869020939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.869050980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.871819973 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.875170946 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.875210047 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.875251055 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.875261068 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.875277996 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.877365112 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.893960953 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894011974 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894064903 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.894077063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894114971 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.894624949 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894674063 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894682884 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.894695044 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.894726038 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.905899048 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.958281040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958333969 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958368063 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.958482027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958499908 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.958818913 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958864927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958882093 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.958889961 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.958914995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.959531069 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.959568977 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.959589958 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.959598064 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.959609032 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.960659027 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.960702896 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.960800886 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.960809946 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.961194038 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.961235046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.961249113 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.961272955 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.961298943 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.961499929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.965778112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.965818882 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.965886116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.965895891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.965905905 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.984752893 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.984792948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.984863997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.984874010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.984908104 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.985402107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.985440016 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.985465050 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.985472918 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:24.985486031 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:24.985519886 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.049143076 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049182892 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049222946 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.049233913 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049269915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.049690008 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049731970 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049757004 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.049763918 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.049787998 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.050420046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.050457954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.050478935 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.050487041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.050534010 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.051652908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.051692963 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.051723003 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.051728964 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.051740885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.052284002 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.052325010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.052340984 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.052347898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.052376986 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.056529045 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.056566954 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.056602001 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.056611061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.056618929 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.075357914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.075402021 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.075455904 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.075464010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.075503111 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.075988054 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.076026917 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.076041937 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.076049089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.076076984 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.076085091 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.076123953 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.076129913 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.076232910 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.139827013 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.139868021 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.139944077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.139944077 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.139959097 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.140428066 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.140461922 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.140502930 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.140511036 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.140547991 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.140974998 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.141015053 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.141062021 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.141071081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.141112089 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.141922951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.141963959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.141985893 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.141993046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.142004967 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.142651081 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.142692089 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.142723083 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.142730951 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.142752886 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.147186041 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.147228003 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.147281885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.147281885 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.147291899 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166007042 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166047096 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166134119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.166142941 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166636944 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166677952 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166688919 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.166695118 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.166734934 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.230537891 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.230586052 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.230652094 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.230662107 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.230671883 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.231132984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231168032 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231204987 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.231214046 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231224060 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.231281996 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231327057 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.231334925 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231726885 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231766939 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231785059 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.231792927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.231818914 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.232775927 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.232817888 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.232846022 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.232852936 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.232880116 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.233413935 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.233453989 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.233480930 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.233491898 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.233510017 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.238420010 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.238456011 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.238498926 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.238512039 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.238540888 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.238553047 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.238584995 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.256994009 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257035017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257097006 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.257114887 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257148027 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.257575035 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257622004 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257636070 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.257642984 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.257669926 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321289062 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321336985 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321405888 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321422100 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321460009 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321772099 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321806908 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321846962 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321854115 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321861982 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321901083 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.321944952 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.321968079 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.322313070 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.322351933 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.322387934 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.322396040 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.322407007 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.323326111 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.323368073 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.323391914 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.323400021 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.323410988 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.324110985 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.324147940 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.324177980 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.324187994 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.324196100 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.328553915 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.328588009 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.328614950 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.328623056 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.328630924 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.328635931 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.328704119 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.328711987 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348119020 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348156929 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348187923 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.348197937 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348206997 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.348684072 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348726988 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348747015 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.348754883 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.348767996 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.412004948 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412043095 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412071943 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.412081957 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412092924 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.412547112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412589073 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412612915 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.412621021 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.412647963 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.413167000 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413212061 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413227081 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.413235903 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413245916 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.413264990 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.413880110 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413923025 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413944960 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.413952112 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.413965940 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.414643049 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.414680958 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.414709091 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.414716959 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.414733887 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.419235945 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.419275999 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.419310093 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.419318914 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.419334888 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.425539017 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.425611973 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.425616026 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.425663948 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.425740957 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.425753117 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.425775051 CEST	49184	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:25.425780058 CEST	443	49184	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:25.632976055 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:25.633002996 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:25.633141994 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:25.633481026 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:25.633501053 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.430449009 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.430599928 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.434093952 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.434101105 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.434379101 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.436503887 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.480504990 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.776921988 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.777384043 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.777432919 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.777478933 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.777478933 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.777504921 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.777568102 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.847584009 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.847664118 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.847676992 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.870186090 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.870233059 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.870246887 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.870256901 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.870291948 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.936757088 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.936796904 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.936846018 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.936871052 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.936871052 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.936929941 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.936964035 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.939189911 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.939232111 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.939258099 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.939290047 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.939304113 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.942492962 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.942534924 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.942570925 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.942595959 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.942625999 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.989092112 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.989140034 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.989253998 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:26.989270926 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:26.989312887 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.027400970 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.027443886 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.027481079 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.027513027 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.027539015 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.027646065 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.028430939 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.028475046 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.028498888 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.028510094 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.028534889 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.034791946 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.034828901 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.034840107 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.034857988 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.034877062 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.048857927 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.048911095 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.048954964 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.048954964 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.048970938 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.072345018 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.072385073 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.072447062 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.072447062 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.072459936 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.079505920 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.079551935 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.079597950 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.079597950 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.079608917 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.117630005 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.117669106 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.117703915 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.117703915 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.117721081 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.117743969 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.118680000 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.118722916 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.118774891 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.118776083 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.118786097 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.119328022 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.119374037 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.119388103 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.119395971 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.119436026 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.127058983 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.127101898 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.127149105 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.127149105 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.127160072 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.136902094 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.136945963 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.136991024 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.137001991 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.137048006 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.137048006 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.145188093 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.145231009 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.145277023 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.145277023 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.145287037 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.162736893 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.162770033 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.162817955 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.162848949 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.162848949 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.162863970 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.162933111 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.170020103 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.170058966 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.170116901 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.170116901 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.170137882 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.190489054 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.200058937 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.200100899 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.200140953 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.200172901 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.200212002 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.208992958 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209047079 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209062099 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.209084034 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209110022 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.209584951 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209631920 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209635973 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.209645987 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.209688902 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.212413073 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.213293076 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.213335991 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.213362932 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.213387966 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.213398933 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.222877979 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.222920895 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.222965956 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.222965956 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.222979069 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.232801914 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.232839108 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.232882023 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.232882023 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.232906103 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.233012915 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.242465973 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.242506981 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.242552042 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.242552042 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.242563009 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.255052090 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.255089998 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.255111933 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.255151033 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.255162954 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.255162954 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.264157057 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.264198065 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.264244080 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.264244080 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.264255047 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.299633980 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.299674034 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.299696922 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.299732924 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.299745083 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.299745083 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.300208092 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.300244093 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.300283909 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.300291061 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.300291061 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.300299883 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.300381899 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.304063082 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.304100990 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.304156065 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.304157019 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.304167986 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.313163996 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.313205957 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.313286066 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.313286066 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.313301086 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.324801922 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.324841022 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.324911118 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.324911118 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.324924946 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.334028959 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.334072113 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.334165096 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.334178925 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.334213018 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.346440077 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.346519947 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.346554995 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.346565962 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.346596956 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.355015993 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.355072975 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.355120897 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.355139971 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.355165005 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.390357971 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390398026 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390466928 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.390476942 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390552044 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.390870094 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390907049 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390937090 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.390944958 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390959024 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.390997887 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.390997887 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.391011000 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.394901037 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.394939899 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.394970894 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.394980907 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.395318031 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.404067039 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.404109955 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.404135942 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.404145002 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.404170036 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.413957119 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.413995028 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.414035082 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.414053917 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.414067984 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.423645020 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.423685074 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.423712015 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.423721075 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.423732996 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.436125994 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.436163902 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.436197996 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.436207056 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.436229944 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.441710949 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.441747904 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.441781998 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.441792011 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.441823006 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.441864014 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.441864014 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.442024946 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.442024946 CEST	49185	443	192.168.2.22	65.9.23.141
Jul 29, 2024 00:53:27.442032099 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:27.442043066 CEST	443	49185	65.9.23.141	192.168.2.22
Jul 29, 2024 00:53:28.273334026 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:28.273360968 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:28.273413897 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:28.273864031 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:28.273876905 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:28.921353102 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:28.926265001 CEST	80	49188	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:28.926338911 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:28.926410913 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:28.926444054 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:28.931381941 CEST	80	49188	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:28.931422949 CEST	80	49188	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:29.061752081 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.061830044 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.067610025 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.067625046 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.068027973 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.071116924 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.071171045 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.071177006 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.391943932 CEST	80	49188	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:29.600173950 CEST	80	49188	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:29.600256920 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:29.697487116 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.697644949 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.697810888 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.748637915 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.748637915 CEST	49186	443	192.168.2.22	65.9.23.108
Jul 29, 2024 00:53:29.748672009 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:29.748684883 CEST	443	49186	65.9.23.108	192.168.2.22
Jul 29, 2024 00:53:30.233481884 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:30.233552933 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:30.233612061 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:30.234136105 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:30.234167099 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.014086962 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.014163017 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.081635952 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.081677914 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.081967115 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.089883089 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.089942932 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.089951992 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.647059917 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.647157907 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.647244930 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.647413015 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.647459984 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:31.647494078 CEST	49190	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:53:31.647511005 CEST	443	49190	65.9.23.107	192.168.2.22
Jul 29, 2024 00:53:33.590126038 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:33.590217113 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:33.590284109 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:33.590332031 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:33.590390921 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:33.590447903 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:33.591264963 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:33.591299057 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:33.597172976 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:33.597182989 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:33.597235918 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:33.611653090 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:33.611666918 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:33.619179010 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:33.619250059 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.122080088 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.122226954 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.131735086 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.131870031 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.132425070 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.132455111 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.132803917 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.167262077 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.167284966 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.168376923 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.168445110 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.340513945 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.341217995 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.408584118 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.408721924 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.408747911 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.441288948 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:34.441390038 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:34.448071003 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:34.448082924 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:34.448492050 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:34.450757027 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.452379942 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:34.452462912 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:34.452469110 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:34.496498108 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.530924082 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.531757116 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.531977892 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.608975887 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.609146118 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.609167099 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.609235048 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:34.609306097 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.621186018 CEST	49193	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:34.621251106 CEST	443	49193	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:34.692956924 CEST	49192	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:34.693027973 CEST	443	49192	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:35.072837114 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:35.073025942 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:35.073298931 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:35.073965073 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:35.073985100 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:35.074001074 CEST	49194	443	192.168.2.22	65.9.23.130
Jul 29, 2024 00:53:35.074007988 CEST	443	49194	65.9.23.130	192.168.2.22
Jul 29, 2024 00:53:35.921865940 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:35.921889067 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:35.921948910 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:35.922384024 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:35.922394037 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.181462049 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.181524038 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.181586981 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.181978941 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.181991100 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.386264086 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.386336088 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.392335892 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.392345905 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.392808914 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.396167994 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.396198034 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.396207094 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.515135050 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.515320063 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.515373945 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.515405893 CEST	49195	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:36.515427113 CEST	443	49195	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:36.656280994 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.656536102 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.658335924 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.658364058 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.689497948 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.689554930 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.868263960 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.868338108 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.868370056 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.868421078 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.868427038 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.868442059 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:36.868467093 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.868495941 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.869051933 CEST	49197	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:36.869074106 CEST	443	49197	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:37.354337931 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.354438066 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:37.354516983 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.354911089 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.354939938 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:37.850192070 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:37.850275993 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.851661921 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.851690054 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:37.858019114 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:37.858037949 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.049870014 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.049992085 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.050077915 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.050132990 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.050137997 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.050174952 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.053833008 CEST	49198	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.053872108 CEST	443	49198	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.908179045 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.908233881 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:38.908289909 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.908593893 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:38.908608913 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.382895947 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.382998943 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.387136936 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.387165070 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.391609907 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.391624928 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.542551994 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.542742968 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.542809010 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.542865992 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:39.542887926 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.542933941 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.544526100 CEST	49199	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:39.544559956 CEST	443	49199	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:42.409106970 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:42.409145117 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:42.409204006 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:42.409511089 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:42.409524918 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:42.996982098 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:42.997029066 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.019596100 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.019613981 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:43.021603107 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.021609068 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:43.163639069 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:43.163712978 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.163728952 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:43.163744926 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:43.163770914 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.163785934 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.164400101 CEST	49201	443	192.168.2.22	188.114.97.3
Jul 29, 2024 00:53:43.164417982 CEST	443	49201	188.114.97.3	192.168.2.22
Jul 29, 2024 00:53:52.309319019 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.309357882 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:52.309406996 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.310940981 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.310955048 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:52.774900913 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:52.774987936 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.833513021 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.833533049 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:52.834059954 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:52.886634111 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.886780024 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:52.886795044 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.006038904 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.006268978 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.006520987 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.033508062 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.033555031 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.033608913 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.035233974 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.035279989 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.035340071 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.037606001 CEST	49206	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.037627935 CEST	443	49206	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.045356035 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.045371056 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.045983076 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.045994997 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.520333052 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.520423889 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.526947975 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.527160883 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.575648069 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.575670004 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.576837063 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.581792116 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.581823111 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.582241058 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.587204933 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.587264061 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.589080095 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.632504940 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.708551884 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.708780050 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.708839893 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.712953091 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.713089943 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:53.713139057 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.717294931 CEST	49207	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:53.717312098 CEST	443	49207	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:53.719535112 CEST	49208	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:53:53.719548941 CEST	443	49208	34.160.176.28	192.168.2.22
Jul 29, 2024 00:53:58.707123041 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:58.707174063 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:58.707230091 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:58.707818985 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:58.707839012 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.200093985 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.200155020 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.204144955 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.204157114 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.204438925 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.205749989 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.205780983 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.327301025 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.327394009 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.327435970 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.328273058 CEST	49215	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.328293085 CEST	443	49215	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.391486883 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.391547918 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.391593933 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.392493010 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.392515898 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.856760025 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.856858015 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.865346909 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.865385056 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.865683079 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.868129969 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.868165970 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.868215084 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:53:59.912512064 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.988545895 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.988720894 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:53:59.988786936 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:00.007648945 CEST	49216	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:00.007678986 CEST	443	49216	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:04.269881964 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:54:04.274945974 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:54:04.275043964 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:54:04.275645018 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:54:04.280592918 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:54:04.762603998 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:54:04.972218037 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:54:04.972311974 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:54:06.598525047 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:06.603358030 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:06.603413105 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:06.603485107 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:06.608802080 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:07.216691971 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:07.418653011 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:08.247884035 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:08.252954006 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:08.422662020 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:08.635418892 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:08.897279978 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:08.897393942 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:09.431579113 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:09.436491966 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:09.606753111 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:09.852206945 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:09.852241039 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:09.852294922 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:34.034779072 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:54:34.034862995 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:54:35.594903946 CEST	49188	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:35.783749104 CEST	49326	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:35.788610935 CEST	80	49326	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:35.788690090 CEST	49326	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:35.788918018 CEST	49326	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:35.788978100 CEST	49326	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:35.793658018 CEST	80	49326	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:35.794181108 CEST	80	49326	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:36.277153969 CEST	80	49326	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:36.488014936 CEST	80	49326	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:36.488085032 CEST	49326	80	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:36.540523052 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:36.540568113 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:36.540770054 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:36.541635990 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:36.541646004 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:36.965811014 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:54:36.965857983 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:54:37.026285887 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.026391983 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.031083107 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.031091928 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.031465054 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.136344910 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.136395931 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.136403084 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.255033016 CEST	443	49328	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.255415916 CEST	49328	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.948112965 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.948154926 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:37.948203087 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.958777905 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:37.958792925 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.448368073 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.448457003 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:38.454346895 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:38.454377890 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.454787970 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.457679033 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:38.457724094 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:38.457747936 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.581372976 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.581554890 CEST	443	49336	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:38.581595898 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:38.581665993 CEST	49336	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:40.254776955 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:40.254849911 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:40.254920959 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:40.255258083 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:40.255274057 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.045422077 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.045507908 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.049524069 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.049551010 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.049981117 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.053237915 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.053265095 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.053273916 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.673722029 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.673882961 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.673948050 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.674077034 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.674093962 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:41.674109936 CEST	49342	443	192.168.2.22	65.9.23.107
Jul 29, 2024 00:54:41.674117088 CEST	443	49342	65.9.23.107	192.168.2.22
Jul 29, 2024 00:54:57.027816057 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.027864933 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.027930021 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.028276920 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.028295040 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.261342049 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.261384010 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.261445999 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.261442900 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.261488914 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.261599064 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.270172119 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.270195961 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.270243883 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.270258904 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.496046066 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.496165991 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.502011061 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.502024889 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.502409935 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.505429029 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.505486965 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.505508900 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.627661943 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.627798080 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.627885103 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.639028072 CEST	49401	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.639054060 CEST	443	49401	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.756886005 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.756900072 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.756989002 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.757226944 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.762542963 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.762559891 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.762830973 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.767667055 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.767693996 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.771928072 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.771945953 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.772202969 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.774451017 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.816490889 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.890307903 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.890846968 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.890896082 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.897388935 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.897455931 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:54:57.900094986 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.950033903 CEST	49402	443	192.168.2.22	34.117.223.223
Jul 29, 2024 00:54:57.950059891 CEST	443	49402	34.117.223.223	192.168.2.22
Jul 29, 2024 00:54:57.950171947 CEST	49403	443	192.168.2.22	34.160.176.28
Jul 29, 2024 00:54:57.950201035 CEST	443	49403	34.160.176.28	192.168.2.22
Jul 29, 2024 00:55:26.829672098 CEST	49236	80	192.168.2.22	208.95.112.1
Jul 29, 2024 00:55:26.829987049 CEST	49246	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:26.834676981 CEST	80	49236	208.95.112.1	192.168.2.22
Jul 29, 2024 00:55:26.834785938 CEST	80	49246	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:26.852171898 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:26.857038021 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:26.857098103 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:26.857204914 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:26.862240076 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:27.476449013 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:27.692173958 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:27.692234993 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:28.484078884 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:28.489691019 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:28.663319111 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:28.857929945 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:29.669697046 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:29.674634933 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:29.848352909 CEST	80	49480	146.185.153.16	192.168.2.22
Jul 29, 2024 00:55:30.043553114 CEST	49480	80	192.168.2.22	146.185.153.16
Jul 29, 2024 00:55:36.502665043 CEST	49326	80	192.168.2.22	34.117.223.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 29, 2024 00:52:45.908561945 CEST	65510	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:45.923295021 CEST	53	65510	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:46.013231993 CEST	62672	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:46.027832985 CEST	53	62672	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:47.635998964 CEST	56475	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:47.647013903 CEST	53	56475	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:47.648998022 CEST	49384	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:47.663018942 CEST	53	49384	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:49.227340937 CEST	54842	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:49.234164953 CEST	53	54842	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:49.236212015 CEST	58105	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:49.243072033 CEST	53	58105	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:50.665887117 CEST	64928	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:50.672764063 CEST	53	64928	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:50.675271034 CEST	57390	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:50.685111046 CEST	53	57390	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:52.674598932 CEST	58095	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:52.695914984 CEST	53	58095	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:52.706649065 CEST	54261	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:52.713618994 CEST	53	54261	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:54.003262043 CEST	60507	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:54.010104895 CEST	53	60507	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:54.012061119 CEST	50446	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:54.022033930 CEST	53	50446	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:55.525516033 CEST	55939	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:55.542498112 CEST	53	55939	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:55.544399977 CEST	49608	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:55.556902885 CEST	53	49608	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:57.118280888 CEST	50568	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:57.129425049 CEST	53	50568	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:57.131972075 CEST	61467	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:57.139184952 CEST	53	61467	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:58.612921000 CEST	61618	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:58.619580984 CEST	53	61618	8.8.8.8	192.168.2.22
Jul 29, 2024 00:52:58.622426033 CEST	54422	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:52:58.629503012 CEST	53	54422	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:00.004359007 CEST	52074	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:00.011578083 CEST	53	52074	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:00.013428926 CEST	50337	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:00.020011902 CEST	53	50337	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:01.333595991 CEST	61826	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:01.340672970 CEST	53	61826	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:01.342839003 CEST	56329	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:01.351152897 CEST	53	56329	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:02.814986944 CEST	63469	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:02.822211981 CEST	53	63469	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:02.824348927 CEST	59447	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:02.831609964 CEST	53	59447	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:04.087044954 CEST	51828	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:04.098685980 CEST	53	51828	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:04.100799084 CEST	53406	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:04.107122898 CEST	53	53406	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:05.652388096 CEST	56345	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:05.659405947 CEST	53	56345	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:05.661485910 CEST	51870	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:05.668148994 CEST	53	51870	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:18.444158077 CEST	65009	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:18.451574087 CEST	53	65009	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:18.454366922 CEST	64956	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:18.461262941 CEST	53	64956	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:19.906627893 CEST	54521	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:19.913629055 CEST	53	54521	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:19.930293083 CEST	49750	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:19.937252045 CEST	53	49750	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:25.616250992 CEST	64687	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:25.623918056 CEST	53	64687	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:25.625730991 CEST	65084	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:25.632535934 CEST	53	65084	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:28.232536077 CEST	63373	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.239557981 CEST	53	63373	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:28.265194893 CEST	56207	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.272470951 CEST	53	56207	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:28.672914982 CEST	58971	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.731770992 CEST	51014	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.738210917 CEST	53	51014	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:28.911839008 CEST	60169	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.912473917 CEST	53060	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:28.918757915 CEST	53	53060	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:30.204407930 CEST	49949	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:30.211693048 CEST	53	49949	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:30.226556063 CEST	54027	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:30.233141899 CEST	53	54027	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:32.732800961 CEST	63950	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:32.980710983 CEST	58257	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:32.984186888 CEST	54738	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:33.466217041 CEST	49478	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:33.545975924 CEST	53	58257	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:33.546040058 CEST	53	63950	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:33.547784090 CEST	53	49478	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:33.580051899 CEST	49288	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:33.583565950 CEST	61598	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:33.589144945 CEST	58754	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:33.590035915 CEST	53	61598	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:33.596707106 CEST	53	58754	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:35.893623114 CEST	49226	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:35.901700020 CEST	53	49226	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:35.912895918 CEST	54695	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:35.921389103 CEST	53	54695	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:35.924642086 CEST	61601	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:35.934868097 CEST	54615	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:40.036878109 CEST	54950	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:40.057648897 CEST	64215	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:44.577294111 CEST	59604	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:44.775227070 CEST	49520	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:46.815984011 CEST	53031	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:47.047507048 CEST	53112	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:49.463015079 CEST	65080	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:49.474724054 CEST	50702	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:50.783530951 CEST	53089	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:50.792917013 CEST	51951	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:52.293020010 CEST	61549	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:52.299640894 CEST	53	61549	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:52.301961899 CEST	57998	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:52.308434963 CEST	53	57998	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:52.986387968 CEST	57999	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:52.991354942 CEST	58000	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:52.994241953 CEST	53	57999	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:52.999088049 CEST	53	58000	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:54.871273994 CEST	58003	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:54.875754118 CEST	58003	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:54.877764940 CEST	58004	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:54.877945900 CEST	58004	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:58.699789047 CEST	58008	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:58.706406116 CEST	53	58008	8.8.8.8	192.168.2.22
Jul 29, 2024 00:53:59.383740902 CEST	58010	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:53:59.390752077 CEST	53	58010	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:00.507249117 CEST	58012	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:00.508816957 CEST	58012	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:00.509274960 CEST	58013	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:00.509449959 CEST	58013	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:00.566642046 CEST	62439	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:00.598505020 CEST	59432	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:03.914788008 CEST	55910	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:04.149317980 CEST	53	55910	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:06.583704948 CEST	61564	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:06.598145962 CEST	53	61564	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:32.338200092 CEST	51384	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:32.348598957 CEST	53785	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:35.353851080 CEST	53786	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:35.375261068 CEST	53786	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:35.734827995 CEST	55277	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:35.741297007 CEST	53	55277	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:35.776182890 CEST	57027	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:35.783041000 CEST	53	57027	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:36.512608051 CEST	56156	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:36.519062996 CEST	53	56156	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:36.523921013 CEST	60971	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:36.529443026 CEST	56308	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:36.535655975 CEST	51268	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:36.539340973 CEST	53	56308	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:37.896230936 CEST	59475	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:37.904719114 CEST	53	59475	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:37.925990105 CEST	62930	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:37.947418928 CEST	53	62930	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:38.499629974 CEST	61008	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:38.510301113 CEST	59514	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:39.634474993 CEST	53077	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:39.666990995 CEST	53188	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:40.224226952 CEST	54333	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:40.234544992 CEST	53	54333	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:40.242660999 CEST	55388	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:40.254291058 CEST	53	55388	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:43.872931957 CEST	60624	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:43.883943081 CEST	58974	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:49.135546923 CEST	54154	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:49.145361900 CEST	53602	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:51.524020910 CEST	49263	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:51.535645008 CEST	60981	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:54.109863043 CEST	52129	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:54.118319035 CEST	64762	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:55.445682049 CEST	53063	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:55.454901934 CEST	60333	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:57.012542963 CEST	63036	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:57.018848896 CEST	53	63036	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:57.020945072 CEST	56243	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:57.027419090 CEST	53	56243	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:57.251806021 CEST	56244	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:57.251806021 CEST	56245	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:54:57.260464907 CEST	53	56245	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:57.260476112 CEST	53	56244	8.8.8.8	192.168.2.22
Jul 29, 2024 00:54:58.322911978 CEST	56248	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:55:26.842621088 CEST	62689	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:55:26.851665020 CEST	53	62689	8.8.8.8	192.168.2.22
Jul 29, 2024 00:55:29.597700119 CEST	62690	53	192.168.2.22	8.8.8.8
Jul 29, 2024 00:55:29.601969957 CEST	62690	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 29, 2024 00:52:45.908561945 CEST	192.168.2.22	8.8.8.8	0xca9	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:46.013231993 CEST	192.168.2.22	8.8.8.8	0xc2a2	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.635998964 CEST	192.168.2.22	8.8.8.8	0x334d	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.648998022 CEST	192.168.2.22	8.8.8.8	0x5a86	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.227340937 CEST	192.168.2.22	8.8.8.8	0xc67e	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.236212015 CEST	192.168.2.22	8.8.8.8	0x803c	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.665887117 CEST	192.168.2.22	8.8.8.8	0x2a5f	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.675271034 CEST	192.168.2.22	8.8.8.8	0x9f2d	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.674598932 CEST	192.168.2.22	8.8.8.8	0xc07f	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.706649065 CEST	192.168.2.22	8.8.8.8	0xdd16	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.003262043 CEST	192.168.2.22	8.8.8.8	0xc8e4	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.012061119 CEST	192.168.2.22	8.8.8.8	0x78cf	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.525516033 CEST	192.168.2.22	8.8.8.8	0x1bc9	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.544399977 CEST	192.168.2.22	8.8.8.8	0x50f7	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.118280888 CEST	192.168.2.22	8.8.8.8	0x35b6	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.131972075 CEST	192.168.2.22	8.8.8.8	0x8bc0	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.612921000 CEST	192.168.2.22	8.8.8.8	0x1459	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.622426033 CEST	192.168.2.22	8.8.8.8	0x17f1	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.004359007 CEST	192.168.2.22	8.8.8.8	0xe2cb	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.013428926 CEST	192.168.2.22	8.8.8.8	0x12d7	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.333595991 CEST	192.168.2.22	8.8.8.8	0xe16c	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.342839003 CEST	192.168.2.22	8.8.8.8	0x3817	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.814986944 CEST	192.168.2.22	8.8.8.8	0x6a9e	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.824348927 CEST	192.168.2.22	8.8.8.8	0xc163	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.087044954 CEST	192.168.2.22	8.8.8.8	0xfff4	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.100799084 CEST	192.168.2.22	8.8.8.8	0xcca2	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.652388096 CEST	192.168.2.22	8.8.8.8	0x38f8	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.661485910 CEST	192.168.2.22	8.8.8.8	0xce0e	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.444158077 CEST	192.168.2.22	8.8.8.8	0x2bd	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.454366922 CEST	192.168.2.22	8.8.8.8	0xd985	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.906627893 CEST	192.168.2.22	8.8.8.8	0xb421	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.930293083 CEST	192.168.2.22	8.8.8.8	0xd71d	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.616250992 CEST	192.168.2.22	8.8.8.8	0xc6a7	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.625730991 CEST	192.168.2.22	8.8.8.8	0x6ebd	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.232536077 CEST	192.168.2.22	8.8.8.8	0x7fc9	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.265194893 CEST	192.168.2.22	8.8.8.8	0x9635	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.672914982 CEST	192.168.2.22	8.8.8.8	0xaf6e	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.731770992 CEST	192.168.2.22	8.8.8.8	0xc7a0	Standard query (0)	v7event.stats.avast.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.911839008 CEST	192.168.2.22	8.8.8.8	0xf311	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.912473917 CEST	192.168.2.22	8.8.8.8	0x58b9	Standard query (0)	v7event.stats.avast.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.204407930 CEST	192.168.2.22	8.8.8.8	0xef35	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.226556063 CEST	192.168.2.22	8.8.8.8	0xcad	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:32.732800961 CEST	192.168.2.22	8.8.8.8	0x9ab	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:32.980710983 CEST	192.168.2.22	8.8.8.8	0x45d2	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:32.984186888 CEST	192.168.2.22	8.8.8.8	0x70fa	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.466217041 CEST	192.168.2.22	8.8.8.8	0xd4af	Standard query (0)	localweatherfree.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.580051899 CEST	192.168.2.22	8.8.8.8	0x5a10	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.583565950 CEST	192.168.2.22	8.8.8.8	0xabbd	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.589144945 CEST	192.168.2.22	8.8.8.8	0x7122	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.893623114 CEST	192.168.2.22	8.8.8.8	0x628	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.912895918 CEST	192.168.2.22	8.8.8.8	0x17c8	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.924642086 CEST	192.168.2.22	8.8.8.8	0xd301	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.934868097 CEST	192.168.2.22	8.8.8.8	0x2865	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:40.036878109 CEST	192.168.2.22	8.8.8.8	0xbecf	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:40.057648897 CEST	192.168.2.22	8.8.8.8	0x8fed	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:44.577294111 CEST	192.168.2.22	8.8.8.8	0x2e94	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:44.775227070 CEST	192.168.2.22	8.8.8.8	0x92bb	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:46.815984011 CEST	192.168.2.22	8.8.8.8	0xaed0	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:47.047507048 CEST	192.168.2.22	8.8.8.8	0x90dd	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:49.463015079 CEST	192.168.2.22	8.8.8.8	0x54e0	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:49.474724054 CEST	192.168.2.22	8.8.8.8	0xa3a2	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:50.783530951 CEST	192.168.2.22	8.8.8.8	0x4ce2	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:50.792917013 CEST	192.168.2.22	8.8.8.8	0x9e6b	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.293020010 CEST	192.168.2.22	8.8.8.8	0x5dff	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.301961899 CEST	192.168.2.22	8.8.8.8	0x4624	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.986387968 CEST	192.168.2.22	8.8.8.8	0x983d	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.991354942 CEST	192.168.2.22	8.8.8.8	0xedf3	Standard query (0)	shepherd.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:54.871273994 CEST	192.168.2.22	8.8.8.8	0xc648	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:54.875754118 CEST	192.168.2.22	8.8.8.8	0x84f1	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false
Jul 29, 2024 00:53:54.877764940 CEST	192.168.2.22	8.8.8.8	0xc6eb	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:54.877945900 CEST	192.168.2.22	8.8.8.8	0x6692	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false
Jul 29, 2024 00:53:58.699789047 CEST	192.168.2.22	8.8.8.8	0x214c	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:59.383740902 CEST	192.168.2.22	8.8.8.8	0xac32	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:00.507249117 CEST	192.168.2.22	8.8.8.8	0xda43	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:00.508816957 CEST	192.168.2.22	8.8.8.8	0x39d2	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false
Jul 29, 2024 00:54:00.509274960 CEST	192.168.2.22	8.8.8.8	0x5f8d	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:00.509449959 CEST	192.168.2.22	8.8.8.8	0x1d6a	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false
Jul 29, 2024 00:54:00.566642046 CEST	192.168.2.22	8.8.8.8	0xb95	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:00.598505020 CEST	192.168.2.22	8.8.8.8	0x4687	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:03.914788008 CEST	192.168.2.22	8.8.8.8	0x279a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:06.583704948 CEST	192.168.2.22	8.8.8.8	0x59e4	Standard query (0)	api.openweathermap.org	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:32.338200092 CEST	192.168.2.22	8.8.8.8	0xf80c	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:32.348598957 CEST	192.168.2.22	8.8.8.8	0x5d03	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:35.353851080 CEST	192.168.2.22	8.8.8.8	0x636	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:35.375261068 CEST	192.168.2.22	8.8.8.8	0x4f1e	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false
Jul 29, 2024 00:54:35.734827995 CEST	192.168.2.22	8.8.8.8	0xd2c4	Standard query (0)	v7event.stats.avast.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:35.776182890 CEST	192.168.2.22	8.8.8.8	0x5f92	Standard query (0)	v7event.stats.avast.com	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.512608051 CEST	192.168.2.22	8.8.8.8	0xca82	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.523921013 CEST	192.168.2.22	8.8.8.8	0xfb7a	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.529443026 CEST	192.168.2.22	8.8.8.8	0x8928	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.535655975 CEST	192.168.2.22	8.8.8.8	0x8000	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:37.896230936 CEST	192.168.2.22	8.8.8.8	0xba09	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:37.925990105 CEST	192.168.2.22	8.8.8.8	0xafd8	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:38.499629974 CEST	192.168.2.22	8.8.8.8	0x366a	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:38.510301113 CEST	192.168.2.22	8.8.8.8	0x4667	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:39.634474993 CEST	192.168.2.22	8.8.8.8	0x433f	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:39.666990995 CEST	192.168.2.22	8.8.8.8	0x1e9e	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.224226952 CEST	192.168.2.22	8.8.8.8	0xec6f	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.242660999 CEST	192.168.2.22	8.8.8.8	0x9556	Standard query (0)	d3ben4sjdmrs9v.cloudfront.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:43.872931957 CEST	192.168.2.22	8.8.8.8	0x2119	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:43.883943081 CEST	192.168.2.22	8.8.8.8	0x3dd5	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:49.135546923 CEST	192.168.2.22	8.8.8.8	0xe04c	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:49.145361900 CEST	192.168.2.22	8.8.8.8	0xec77	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:51.524020910 CEST	192.168.2.22	8.8.8.8	0xa037	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:51.535645008 CEST	192.168.2.22	8.8.8.8	0xd49e	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:54.109863043 CEST	192.168.2.22	8.8.8.8	0x6d67	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:54.118319035 CEST	192.168.2.22	8.8.8.8	0x2837	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:55.445682049 CEST	192.168.2.22	8.8.8.8	0x5eae	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:55.454901934 CEST	192.168.2.22	8.8.8.8	0xd7aa	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.012542963 CEST	192.168.2.22	8.8.8.8	0x4778	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.020945072 CEST	192.168.2.22	8.8.8.8	0xe495	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.251806021 CEST	192.168.2.22	8.8.8.8	0x1638	Standard query (0)	analytics.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.251806021 CEST	192.168.2.22	8.8.8.8	0x589c	Standard query (0)	shepherd.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:58.322911978 CEST	192.168.2.22	8.8.8.8	0xb4d9	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:55:26.842621088 CEST	192.168.2.22	8.8.8.8	0xcae1	Standard query (0)	api.openweathermap.org	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:55:29.597700119 CEST	192.168.2.22	8.8.8.8	0xff17	Standard query (0)	honzik.avcdn.net	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:55:29.601969957 CEST	192.168.2.22	8.8.8.8	0x3565	Standard query (0)	honzik.avcdn.net	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 29, 2024 00:52:45.923295021 CEST	8.8.8.8	192.168.2.22	0xca9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:45.923295021 CEST	8.8.8.8	192.168.2.22	0xca9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:45.923295021 CEST	8.8.8.8	192.168.2.22	0xca9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:45.923295021 CEST	8.8.8.8	192.168.2.22	0xca9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:46.027832985 CEST	8.8.8.8	192.168.2.22	0xc2a2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:46.027832985 CEST	8.8.8.8	192.168.2.22	0xc2a2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:46.027832985 CEST	8.8.8.8	192.168.2.22	0xc2a2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:46.027832985 CEST	8.8.8.8	192.168.2.22	0xc2a2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.647013903 CEST	8.8.8.8	192.168.2.22	0x334d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.647013903 CEST	8.8.8.8	192.168.2.22	0x334d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.647013903 CEST	8.8.8.8	192.168.2.22	0x334d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.647013903 CEST	8.8.8.8	192.168.2.22	0x334d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.663018942 CEST	8.8.8.8	192.168.2.22	0x5a86	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.663018942 CEST	8.8.8.8	192.168.2.22	0x5a86	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.663018942 CEST	8.8.8.8	192.168.2.22	0x5a86	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:47.663018942 CEST	8.8.8.8	192.168.2.22	0x5a86	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.234164953 CEST	8.8.8.8	192.168.2.22	0xc67e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.234164953 CEST	8.8.8.8	192.168.2.22	0xc67e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.234164953 CEST	8.8.8.8	192.168.2.22	0xc67e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.234164953 CEST	8.8.8.8	192.168.2.22	0xc67e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.243072033 CEST	8.8.8.8	192.168.2.22	0x803c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.243072033 CEST	8.8.8.8	192.168.2.22	0x803c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.243072033 CEST	8.8.8.8	192.168.2.22	0x803c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:49.243072033 CEST	8.8.8.8	192.168.2.22	0x803c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.672764063 CEST	8.8.8.8	192.168.2.22	0x2a5f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.672764063 CEST	8.8.8.8	192.168.2.22	0x2a5f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.672764063 CEST	8.8.8.8	192.168.2.22	0x2a5f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.672764063 CEST	8.8.8.8	192.168.2.22	0x2a5f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.685111046 CEST	8.8.8.8	192.168.2.22	0x9f2d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.685111046 CEST	8.8.8.8	192.168.2.22	0x9f2d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.685111046 CEST	8.8.8.8	192.168.2.22	0x9f2d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:50.685111046 CEST	8.8.8.8	192.168.2.22	0x9f2d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.695914984 CEST	8.8.8.8	192.168.2.22	0xc07f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.695914984 CEST	8.8.8.8	192.168.2.22	0xc07f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.695914984 CEST	8.8.8.8	192.168.2.22	0xc07f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.695914984 CEST	8.8.8.8	192.168.2.22	0xc07f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.713618994 CEST	8.8.8.8	192.168.2.22	0xdd16	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.713618994 CEST	8.8.8.8	192.168.2.22	0xdd16	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.713618994 CEST	8.8.8.8	192.168.2.22	0xdd16	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:52.713618994 CEST	8.8.8.8	192.168.2.22	0xdd16	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.010104895 CEST	8.8.8.8	192.168.2.22	0xc8e4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.010104895 CEST	8.8.8.8	192.168.2.22	0xc8e4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.010104895 CEST	8.8.8.8	192.168.2.22	0xc8e4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.010104895 CEST	8.8.8.8	192.168.2.22	0xc8e4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.022033930 CEST	8.8.8.8	192.168.2.22	0x78cf	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.022033930 CEST	8.8.8.8	192.168.2.22	0x78cf	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.022033930 CEST	8.8.8.8	192.168.2.22	0x78cf	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:54.022033930 CEST	8.8.8.8	192.168.2.22	0x78cf	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.542498112 CEST	8.8.8.8	192.168.2.22	0x1bc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.542498112 CEST	8.8.8.8	192.168.2.22	0x1bc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.542498112 CEST	8.8.8.8	192.168.2.22	0x1bc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.542498112 CEST	8.8.8.8	192.168.2.22	0x1bc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.556902885 CEST	8.8.8.8	192.168.2.22	0x50f7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.556902885 CEST	8.8.8.8	192.168.2.22	0x50f7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.556902885 CEST	8.8.8.8	192.168.2.22	0x50f7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:55.556902885 CEST	8.8.8.8	192.168.2.22	0x50f7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.002764940 CEST	8.8.8.8	192.168.2.22	0xdd47	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.002764940 CEST	8.8.8.8	192.168.2.22	0xdd47	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.3	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.11	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.27	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.4	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.21	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:56.035687923 CEST	8.8.8.8	192.168.2.22	0x9680	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		212.229.88.20	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.129425049 CEST	8.8.8.8	192.168.2.22	0x35b6	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.129425049 CEST	8.8.8.8	192.168.2.22	0x35b6	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.129425049 CEST	8.8.8.8	192.168.2.22	0x35b6	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.129425049 CEST	8.8.8.8	192.168.2.22	0x35b6	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.139184952 CEST	8.8.8.8	192.168.2.22	0x8bc0	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.139184952 CEST	8.8.8.8	192.168.2.22	0x8bc0	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.139184952 CEST	8.8.8.8	192.168.2.22	0x8bc0	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:57.139184952 CEST	8.8.8.8	192.168.2.22	0x8bc0	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.619580984 CEST	8.8.8.8	192.168.2.22	0x1459	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.619580984 CEST	8.8.8.8	192.168.2.22	0x1459	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.619580984 CEST	8.8.8.8	192.168.2.22	0x1459	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.619580984 CEST	8.8.8.8	192.168.2.22	0x1459	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.629503012 CEST	8.8.8.8	192.168.2.22	0x17f1	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.629503012 CEST	8.8.8.8	192.168.2.22	0x17f1	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.629503012 CEST	8.8.8.8	192.168.2.22	0x17f1	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:52:58.629503012 CEST	8.8.8.8	192.168.2.22	0x17f1	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.011578083 CEST	8.8.8.8	192.168.2.22	0xe2cb	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.011578083 CEST	8.8.8.8	192.168.2.22	0xe2cb	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.011578083 CEST	8.8.8.8	192.168.2.22	0xe2cb	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.011578083 CEST	8.8.8.8	192.168.2.22	0xe2cb	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.020011902 CEST	8.8.8.8	192.168.2.22	0x12d7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.020011902 CEST	8.8.8.8	192.168.2.22	0x12d7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.020011902 CEST	8.8.8.8	192.168.2.22	0x12d7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:00.020011902 CEST	8.8.8.8	192.168.2.22	0x12d7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.340672970 CEST	8.8.8.8	192.168.2.22	0xe16c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.340672970 CEST	8.8.8.8	192.168.2.22	0xe16c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.340672970 CEST	8.8.8.8	192.168.2.22	0xe16c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.340672970 CEST	8.8.8.8	192.168.2.22	0xe16c	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.351152897 CEST	8.8.8.8	192.168.2.22	0x3817	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.351152897 CEST	8.8.8.8	192.168.2.22	0x3817	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.351152897 CEST	8.8.8.8	192.168.2.22	0x3817	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:01.351152897 CEST	8.8.8.8	192.168.2.22	0x3817	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.822211981 CEST	8.8.8.8	192.168.2.22	0x6a9e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.822211981 CEST	8.8.8.8	192.168.2.22	0x6a9e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.822211981 CEST	8.8.8.8	192.168.2.22	0x6a9e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.822211981 CEST	8.8.8.8	192.168.2.22	0x6a9e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.831609964 CEST	8.8.8.8	192.168.2.22	0xc163	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.831609964 CEST	8.8.8.8	192.168.2.22	0xc163	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.831609964 CEST	8.8.8.8	192.168.2.22	0xc163	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:02.831609964 CEST	8.8.8.8	192.168.2.22	0xc163	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.098685980 CEST	8.8.8.8	192.168.2.22	0xfff4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.098685980 CEST	8.8.8.8	192.168.2.22	0xfff4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.098685980 CEST	8.8.8.8	192.168.2.22	0xfff4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.098685980 CEST	8.8.8.8	192.168.2.22	0xfff4	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.107122898 CEST	8.8.8.8	192.168.2.22	0xcca2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.107122898 CEST	8.8.8.8	192.168.2.22	0xcca2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.107122898 CEST	8.8.8.8	192.168.2.22	0xcca2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:04.107122898 CEST	8.8.8.8	192.168.2.22	0xcca2	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.659405947 CEST	8.8.8.8	192.168.2.22	0x38f8	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.659405947 CEST	8.8.8.8	192.168.2.22	0x38f8	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.659405947 CEST	8.8.8.8	192.168.2.22	0x38f8	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.659405947 CEST	8.8.8.8	192.168.2.22	0x38f8	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.668148994 CEST	8.8.8.8	192.168.2.22	0xce0e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.668148994 CEST	8.8.8.8	192.168.2.22	0xce0e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.668148994 CEST	8.8.8.8	192.168.2.22	0xce0e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:05.668148994 CEST	8.8.8.8	192.168.2.22	0xce0e	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.451574087 CEST	8.8.8.8	192.168.2.22	0x2bd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.451574087 CEST	8.8.8.8	192.168.2.22	0x2bd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.451574087 CEST	8.8.8.8	192.168.2.22	0x2bd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.451574087 CEST	8.8.8.8	192.168.2.22	0x2bd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.461262941 CEST	8.8.8.8	192.168.2.22	0xd985	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.461262941 CEST	8.8.8.8	192.168.2.22	0xd985	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.461262941 CEST	8.8.8.8	192.168.2.22	0xd985	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:18.461262941 CEST	8.8.8.8	192.168.2.22	0xd985	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.913629055 CEST	8.8.8.8	192.168.2.22	0xb421	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.913629055 CEST	8.8.8.8	192.168.2.22	0xb421	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.913629055 CEST	8.8.8.8	192.168.2.22	0xb421	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.913629055 CEST	8.8.8.8	192.168.2.22	0xb421	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.937252045 CEST	8.8.8.8	192.168.2.22	0xd71d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.937252045 CEST	8.8.8.8	192.168.2.22	0xd71d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.937252045 CEST	8.8.8.8	192.168.2.22	0xd71d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:19.937252045 CEST	8.8.8.8	192.168.2.22	0xd71d	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.623918056 CEST	8.8.8.8	192.168.2.22	0xc6a7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.623918056 CEST	8.8.8.8	192.168.2.22	0xc6a7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.623918056 CEST	8.8.8.8	192.168.2.22	0xc6a7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.623918056 CEST	8.8.8.8	192.168.2.22	0xc6a7	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.632535934 CEST	8.8.8.8	192.168.2.22	0x6ebd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.632535934 CEST	8.8.8.8	192.168.2.22	0x6ebd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.632535934 CEST	8.8.8.8	192.168.2.22	0x6ebd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:25.632535934 CEST	8.8.8.8	192.168.2.22	0x6ebd	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.239557981 CEST	8.8.8.8	192.168.2.22	0x7fc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.239557981 CEST	8.8.8.8	192.168.2.22	0x7fc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.239557981 CEST	8.8.8.8	192.168.2.22	0x7fc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.239557981 CEST	8.8.8.8	192.168.2.22	0x7fc9	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.272470951 CEST	8.8.8.8	192.168.2.22	0x9635	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.272470951 CEST	8.8.8.8	192.168.2.22	0x9635	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.272470951 CEST	8.8.8.8	192.168.2.22	0x9635	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.272470951 CEST	8.8.8.8	192.168.2.22	0x9635	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.681577921 CEST	8.8.8.8	192.168.2.22	0xaf6e	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:28.738210917 CEST	8.8.8.8	192.168.2.22	0xc7a0	No error (0)	v7event.stats.avast.com	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:28.738210917 CEST	8.8.8.8	192.168.2.22	0xc7a0	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:28.738210917 CEST	8.8.8.8	192.168.2.22	0xc7a0	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.918757915 CEST	8.8.8.8	192.168.2.22	0x58b9	No error (0)	v7event.stats.avast.com	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:28.918757915 CEST	8.8.8.8	192.168.2.22	0x58b9	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:28.918757915 CEST	8.8.8.8	192.168.2.22	0x58b9	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:28.921144009 CEST	8.8.8.8	192.168.2.22	0xf311	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:30.211693048 CEST	8.8.8.8	192.168.2.22	0xef35	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.211693048 CEST	8.8.8.8	192.168.2.22	0xef35	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.211693048 CEST	8.8.8.8	192.168.2.22	0xef35	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.211693048 CEST	8.8.8.8	192.168.2.22	0xef35	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.233141899 CEST	8.8.8.8	192.168.2.22	0xcad	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.233141899 CEST	8.8.8.8	192.168.2.22	0xcad	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.233141899 CEST	8.8.8.8	192.168.2.22	0xcad	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:30.233141899 CEST	8.8.8.8	192.168.2.22	0xcad	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.545975924 CEST	8.8.8.8	192.168.2.22	0x45d2	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.545975924 CEST	8.8.8.8	192.168.2.22	0x45d2	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.545975924 CEST	8.8.8.8	192.168.2.22	0x45d2	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.546040058 CEST	8.8.8.8	192.168.2.22	0x9ab	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.546040058 CEST	8.8.8.8	192.168.2.22	0x9ab	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.546040058 CEST	8.8.8.8	192.168.2.22	0x9ab	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.546040058 CEST	8.8.8.8	192.168.2.22	0x9ab	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.546571016 CEST	8.8.8.8	192.168.2.22	0x70fa	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.547784090 CEST	8.8.8.8	192.168.2.22	0xd4af	No error (0)	localweatherfree.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.547784090 CEST	8.8.8.8	192.168.2.22	0xd4af	No error (0)	localweatherfree.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.588542938 CEST	8.8.8.8	192.168.2.22	0x5a10	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.590035915 CEST	8.8.8.8	192.168.2.22	0xabbd	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.590035915 CEST	8.8.8.8	192.168.2.22	0xabbd	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:33.590035915 CEST	8.8.8.8	192.168.2.22	0xabbd	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.596707106 CEST	8.8.8.8	192.168.2.22	0x7122	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.596707106 CEST	8.8.8.8	192.168.2.22	0x7122	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.596707106 CEST	8.8.8.8	192.168.2.22	0x7122	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:33.596707106 CEST	8.8.8.8	192.168.2.22	0x7122	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.901700020 CEST	8.8.8.8	192.168.2.22	0x628	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:35.901700020 CEST	8.8.8.8	192.168.2.22	0x628	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:35.901700020 CEST	8.8.8.8	192.168.2.22	0x628	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.921389103 CEST	8.8.8.8	192.168.2.22	0x17c8	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:35.921389103 CEST	8.8.8.8	192.168.2.22	0x17c8	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:35.921389103 CEST	8.8.8.8	192.168.2.22	0x17c8	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:35.933027029 CEST	8.8.8.8	192.168.2.22	0xd301	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:35.942662954 CEST	8.8.8.8	192.168.2.22	0x2865	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:40.045504093 CEST	8.8.8.8	192.168.2.22	0xbecf	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:40.064567089 CEST	8.8.8.8	192.168.2.22	0x8fed	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:44.770570993 CEST	8.8.8.8	192.168.2.22	0x2e94	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:44.783911943 CEST	8.8.8.8	192.168.2.22	0x92bb	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:47.044631004 CEST	8.8.8.8	192.168.2.22	0xaed0	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:47.054227114 CEST	8.8.8.8	192.168.2.22	0x90dd	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:49.472825050 CEST	8.8.8.8	192.168.2.22	0x54e0	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:49.488179922 CEST	8.8.8.8	192.168.2.22	0xa3a2	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:50.790708065 CEST	8.8.8.8	192.168.2.22	0x4ce2	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:50.799884081 CEST	8.8.8.8	192.168.2.22	0x9e6b	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.299640894 CEST	8.8.8.8	192.168.2.22	0x5dff	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.299640894 CEST	8.8.8.8	192.168.2.22	0x5dff	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.299640894 CEST	8.8.8.8	192.168.2.22	0x5dff	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.308434963 CEST	8.8.8.8	192.168.2.22	0x4624	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.308434963 CEST	8.8.8.8	192.168.2.22	0x4624	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.308434963 CEST	8.8.8.8	192.168.2.22	0x4624	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.994241953 CEST	8.8.8.8	192.168.2.22	0x983d	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.994241953 CEST	8.8.8.8	192.168.2.22	0x983d	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.994241953 CEST	8.8.8.8	192.168.2.22	0x983d	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:52.999088049 CEST	8.8.8.8	192.168.2.22	0xedf3	No error (0)	shepherd.avcdn.net	shepherd.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.999088049 CEST	8.8.8.8	192.168.2.22	0xedf3	No error (0)	shepherd.ff.avast.com	shepherd-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:52.999088049 CEST	8.8.8.8	192.168.2.22	0xedf3	No error (0)	shepherd-gcp.ff.avast.com		34.160.176.28	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:54.880942106 CEST	8.8.8.8	192.168.2.22	0xc648	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:54.886548996 CEST	8.8.8.8	192.168.2.22	0x84f1	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:54.887432098 CEST	8.8.8.8	192.168.2.22	0xc6eb	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:54.887849092 CEST	8.8.8.8	192.168.2.22	0x6692	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:58.706406116 CEST	8.8.8.8	192.168.2.22	0x214c	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:58.706406116 CEST	8.8.8.8	192.168.2.22	0x214c	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:58.706406116 CEST	8.8.8.8	192.168.2.22	0x214c	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:53:59.390752077 CEST	8.8.8.8	192.168.2.22	0xac32	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:59.390752077 CEST	8.8.8.8	192.168.2.22	0xac32	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:53:59.390752077 CEST	8.8.8.8	192.168.2.22	0xac32	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:00.514482021 CEST	8.8.8.8	192.168.2.22	0xda43	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:00.516134024 CEST	8.8.8.8	192.168.2.22	0x5f8d	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:00.517442942 CEST	8.8.8.8	192.168.2.22	0x39d2	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:00.517904043 CEST	8.8.8.8	192.168.2.22	0x1d6a	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:00.575274944 CEST	8.8.8.8	192.168.2.22	0xb95	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:00.605494022 CEST	8.8.8.8	192.168.2.22	0x4687	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:04.149317980 CEST	8.8.8.8	192.168.2.22	0x279a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:06.598145962 CEST	8.8.8.8	192.168.2.22	0x59e4	No error (0)	api.openweathermap.org	eu.api.openweathermap.org		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:06.598145962 CEST	8.8.8.8	192.168.2.22	0x59e4	No error (0)	eu.api.openweathermap.org		146.185.153.16	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:32.346548080 CEST	8.8.8.8	192.168.2.22	0xf80c	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:32.357434988 CEST	8.8.8.8	192.168.2.22	0x5d03	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.362891912 CEST	8.8.8.8	192.168.2.22	0x636	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.385057926 CEST	8.8.8.8	192.168.2.22	0x4f1e	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.741297007 CEST	8.8.8.8	192.168.2.22	0xd2c4	No error (0)	v7event.stats.avast.com	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.741297007 CEST	8.8.8.8	192.168.2.22	0xd2c4	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.741297007 CEST	8.8.8.8	192.168.2.22	0xd2c4	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:35.783041000 CEST	8.8.8.8	192.168.2.22	0x5f92	No error (0)	v7event.stats.avast.com	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.783041000 CEST	8.8.8.8	192.168.2.22	0x5f92	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:35.783041000 CEST	8.8.8.8	192.168.2.22	0x5f92	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.519062996 CEST	8.8.8.8	192.168.2.22	0xca82	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:36.519062996 CEST	8.8.8.8	192.168.2.22	0xca82	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:36.519062996 CEST	8.8.8.8	192.168.2.22	0xca82	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.532749891 CEST	8.8.8.8	192.168.2.22	0xfb7a	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:36.539340973 CEST	8.8.8.8	192.168.2.22	0x8928	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:36.539340973 CEST	8.8.8.8	192.168.2.22	0x8928	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:36.539340973 CEST	8.8.8.8	192.168.2.22	0x8928	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:36.542599916 CEST	8.8.8.8	192.168.2.22	0x8000	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:37.904719114 CEST	8.8.8.8	192.168.2.22	0xba09	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:37.904719114 CEST	8.8.8.8	192.168.2.22	0xba09	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:37.904719114 CEST	8.8.8.8	192.168.2.22	0xba09	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:37.947418928 CEST	8.8.8.8	192.168.2.22	0xafd8	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:37.947418928 CEST	8.8.8.8	192.168.2.22	0xafd8	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:37.947418928 CEST	8.8.8.8	192.168.2.22	0xafd8	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:38.505923033 CEST	8.8.8.8	192.168.2.22	0x366a	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:38.516721964 CEST	8.8.8.8	192.168.2.22	0x4667	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:39.641315937 CEST	8.8.8.8	192.168.2.22	0x433f	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:39.673856020 CEST	8.8.8.8	192.168.2.22	0x1e9e	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:40.234544992 CEST	8.8.8.8	192.168.2.22	0xec6f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.234544992 CEST	8.8.8.8	192.168.2.22	0xec6f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.234544992 CEST	8.8.8.8	192.168.2.22	0xec6f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.234544992 CEST	8.8.8.8	192.168.2.22	0xec6f	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.254291058 CEST	8.8.8.8	192.168.2.22	0x9556	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.130	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.254291058 CEST	8.8.8.8	192.168.2.22	0x9556	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.141	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.254291058 CEST	8.8.8.8	192.168.2.22	0x9556	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.107	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:40.254291058 CEST	8.8.8.8	192.168.2.22	0x9556	No error (0)	d3ben4sjdmrs9v.cloudfront.net		65.9.23.108	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:43.881952047 CEST	8.8.8.8	192.168.2.22	0x2119	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:43.893460035 CEST	8.8.8.8	192.168.2.22	0x3dd5	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:49.143496037 CEST	8.8.8.8	192.168.2.22	0xe04c	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:49.153424978 CEST	8.8.8.8	192.168.2.22	0xec77	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:51.533310890 CEST	8.8.8.8	192.168.2.22	0xa037	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:51.546569109 CEST	8.8.8.8	192.168.2.22	0xd49e	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:54.116487026 CEST	8.8.8.8	192.168.2.22	0x6d67	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:54.125334978 CEST	8.8.8.8	192.168.2.22	0x2837	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:55.452692032 CEST	8.8.8.8	192.168.2.22	0x5eae	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:55.463762045 CEST	8.8.8.8	192.168.2.22	0xd7aa	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.018848896 CEST	8.8.8.8	192.168.2.22	0x4778	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.018848896 CEST	8.8.8.8	192.168.2.22	0x4778	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.018848896 CEST	8.8.8.8	192.168.2.22	0x4778	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.027419090 CEST	8.8.8.8	192.168.2.22	0xe495	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.027419090 CEST	8.8.8.8	192.168.2.22	0xe495	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.027419090 CEST	8.8.8.8	192.168.2.22	0xe495	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260464907 CEST	8.8.8.8	192.168.2.22	0x589c	No error (0)	shepherd.avcdn.net	shepherd.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260464907 CEST	8.8.8.8	192.168.2.22	0x589c	No error (0)	shepherd.ff.avast.com	shepherd-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260464907 CEST	8.8.8.8	192.168.2.22	0x589c	No error (0)	shepherd-gcp.ff.avast.com		34.160.176.28	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260476112 CEST	8.8.8.8	192.168.2.22	0x1638	No error (0)	analytics.avcdn.net	analytics.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260476112 CEST	8.8.8.8	192.168.2.22	0x1638	No error (0)	analytics.ff.avast.com	analytics-prod-gcp.ff.avast.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:54:57.260476112 CEST	8.8.8.8	192.168.2.22	0x1638	No error (0)	analytics-prod-gcp.ff.avast.com		34.117.223.223	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:54:58.331821918 CEST	8.8.8.8	192.168.2.22	0xb4d9	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:55:26.851665020 CEST	8.8.8.8	192.168.2.22	0xcae1	No error (0)	api.openweathermap.org	eu.api.openweathermap.org		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:55:26.851665020 CEST	8.8.8.8	192.168.2.22	0xcae1	No error (0)	eu.api.openweathermap.org		146.185.153.16	A (IP address)	IN (0x0001)	false
Jul 29, 2024 00:55:29.606410027 CEST	8.8.8.8	192.168.2.22	0xff17	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 29, 2024 00:55:29.610682964 CEST	8.8.8.8	192.168.2.22	0x3565	No error (0)	honzik.avcdn.net	s-honzik.avcdn.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

d3ben4sjdmrs9v.cloudfront.net

analytics.avcdn.net

localweatherfree.com

shepherd.avcdn.net

v7event.stats.avast.com

ip-api.com

api.openweathermap.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49188	34.117.223.223	80	1992	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Timestamp	Bytes transferred	Direction	Data
Jul 29, 2024 00:53:28.926410913 CEST	175	OUT	POST /cgi-bin/iavsevents.cgi HTTP/1.1 Connection: Keep-Alive Content-Type: iavs4/stats User-Agent: AVG Microstub/2.1 Content-Length: 266 Host: v7event.stats.avast.com
Jul 29, 2024 00:53:28.926444054 CEST	266	OUT	Data Raw: 63 6f 6f 6b 69 65 3d 6d 6d 6d 5f 69 72 73 5f 70 70 69 5f 39 30 32 5f 34 35 31 5f 6f 0a 65 64 69 74 69 6f 6e 3d 31 35 0a 65 76 65 6e 74 3d 6d 69 63 72 6f 73 74 75 62 2d 73 74 61 72 74 0a 6d 69 64 65 78 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: cookie=mmm_irs_ppi_902_451_oedition=15event=microstub-startmidex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3stat_session=387cb8e1-2902-4236-a6ed-c9fbfa800400statsSendTime=1722207207os=win,6,1,2,7601,1,AMD64exe_versi
Jul 29, 2024 00:53:29.391943932 CEST	96	IN	HTTP/1.1 204 No Content Server: nginx Date: Sun, 28 Jul 2024 22:53:29 GMT Via: 1.1 google
Jul 29, 2024 00:53:29.600173950 CEST	96	IN	HTTP/1.1 204 No Content Server: nginx Date: Sun, 28 Jul 2024 22:53:29 GMT Via: 1.1 google

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49236	208.95.112.1	80	748	C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Timestamp	Bytes transferred	Direction	Data
Jul 29, 2024 00:54:04.275645018 CEST	272	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Host: ip-api.com Connection: Keep-Alive
Jul 29, 2024 00:54:04.762603998 CEST	482	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:54:04 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}
Jul 29, 2024 00:54:04.972218037 CEST	482	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:54:04 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49246	146.185.153.16	80	748	C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Timestamp	Bytes transferred	Direction	Data
Jul 29, 2024 00:54:06.603485107 CEST	155	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org Connection: Keep-Alive
Jul 29, 2024 00:54:07.216691971 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:54:07 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:54:08.247884035 CEST	131	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org
Jul 29, 2024 00:54:08.422662020 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:54:08 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:54:08.897279978 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:54:08 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:54:09.431579113 CEST	131	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org
Jul 29, 2024 00:54:09.606753111 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:54:09 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:54:09.852241039 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:54:09 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49326	34.117.223.223	80	1992	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe

Timestamp	Bytes transferred	Direction	Data
Jul 29, 2024 00:54:35.788918018 CEST	175	OUT	POST /cgi-bin/iavsevents.cgi HTTP/1.1 Connection: Keep-Alive Content-Type: iavs4/stats User-Agent: AVG Microstub/2.1 Content-Length: 280 Host: v7event.stats.avast.com
Jul 29, 2024 00:54:35.788978100 CEST	280	OUT	Data Raw: 63 6f 6f 6b 69 65 3d 6d 6d 6d 5f 69 72 73 5f 70 70 69 5f 39 30 32 5f 34 35 31 5f 6f 0a 65 64 69 74 69 6f 6e 3d 31 35 0a 65 76 65 6e 74 3d 6d 69 63 72 6f 73 74 75 62 2d 64 6f 77 6e 6c 6f 61 64 0a 6d 69 64 65 78 3d 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: cookie=mmm_irs_ppi_902_451_oedition=15event=microstub-downloadmidex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3stat_session=387cb8e1-2902-4236-a6ed-c9fbfa800400statsSendTime=1722207274os=win,6,1,2,7601,1,AMD64exe_ve
Jul 29, 2024 00:54:36.277153969 CEST	96	IN	HTTP/1.1 204 No Content Server: nginx Date: Sun, 28 Jul 2024 22:54:36 GMT Via: 1.1 google
Jul 29, 2024 00:54:36.488014936 CEST	96	IN	HTTP/1.1 204 No Content Server: nginx Date: Sun, 28 Jul 2024 22:54:36 GMT Via: 1.1 google

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49480	146.185.153.16	80	748	C:\Program Files (x86)\WeatherZero\WeatherZero.exe

Timestamp	Bytes transferred	Direction	Data
Jul 29, 2024 00:55:26.857204914 CEST	131	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org
Jul 29, 2024 00:55:27.476449013 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:55:27 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:55:27.692173958 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:55:27 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:55:28.484078884 CEST	131	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org
Jul 29, 2024 00:55:28.663319111 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:55:28 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}
Jul 29, 2024 00:55:29.669697046 CEST	131	OUT	GET /data/2.5/weather?zip=10123,us&units=imperial&appid=70297443c6fd8391e3fc4b7b0d344ae5 HTTP/1.1 Host: api.openweathermap.org
Jul 29, 2024 00:55:29.848352909 CEST	552	IN	HTTP/1.1 429 Too Many Requests Server: openresty Date: Sun, 28 Jul 2024 22:55:29 GMT Content-Type: application/json; charset=utf-8 Content-Length: 197 Connection: keep-alive X-Cache-Key: /data/2.5/weather?units=imperial&zip=10123,us Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST Data Raw: 7b 22 63 6f 64 22 3a 34 32 39 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 59 6f 75 72 20 61 63 63 6f 75 6e 74 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 62 6c 6f 63 6b 65 64 20 64 75 65 20 74 6f 20 65 78 63 65 65 64 69 6e 67 20 6f 66 20 72 65 71 75 65 73 74 73 20 6c 69 6d 69 74 61 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 74 79 70 65 2e 20 50 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 74 68 65 20 70 72 6f 70 65 72 20 73 75 62 73 63 72 69 70 74 69 6f 6e 20 68 74 74 70 73 3a 2f 2f 6f 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72 67 2f 70 72 69 63 65 22 7d Data Ascii: {"cod":429, "message": "Your account is temporary blocked due to exceeding of requests limitation of your subscription type. Please choose the proper subscription https://openweathermap.org/price"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49168	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:46 UTC	233	OUT	POST /o HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 127 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:46 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:46 UTC	126	OUT	Data Raw: 22 70 72 76 22 3a 20 22 30 2e 31 22 2c 22 70 6c 76 22 3a 20 22 32 2e 34 30 2e 31 2e 38 39 31 39 22 2c 22 6c 22 3a 20 22 65 6e 22 2c 22 61 22 3a 20 22 5a 61 79 61 74 73 22 2c 22 69 22 3a 20 22 47 61 6d 65 73 34 57 69 6e 22 2c 22 73 22 3a 20 22 5a 61 79 61 74 73 22 2c 22 75 22 3a 20 22 61 65 7a 2d 4c 55 31 22 2c 22 6f 22 3a 20 22 36 2e 31 2e 37 36 30 31 2e 32 33 37 31 35 22 7d Data Ascii: "prv": "0.1","plv": "2.40.1.8919","l": "en","a": "Zayats","i": "Games4Win","s": "Zayats","u": "aez-LU1","o": "6.1.7601.23715"}
2024-07-28 22:52:47 UTC	489	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 10501 Connection: close Server: awselb/2.0 Date: Sun, 28 Jul 2024 22:52:47 GMT x-true-request-id: 837e7e80-e27d-4b65-be8d-7053c973ca8e x-robots-tag: none expires: Thu, 01 Jan 1970 00:00:00 GMT cache-control: no-cache X-Cache: Miss from cloudfront Via: 1.1 0d54c3ddc4e7347d45d33a921b50661e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: Hs-Xeg8srq7Fp-eHhEYzCIVNVTcwrf-b_615jvpTqGhnIj77HbkGZg==
2024-07-28 22:52:47 UTC	10501	IN	Data Raw: 7b 22 76 22 3a 22 30 2e 31 22 2c 22 6c 22 3a 22 55 53 22 2c 22 69 22 3a 7b 22 63 75 22 3a 22 6d 61 67 6e 65 74 3a 3f 78 74 3d 75 72 6e 3a 62 74 69 68 3a 44 33 35 31 30 33 36 31 34 36 44 31 42 44 32 34 33 42 39 39 31 41 43 41 35 38 31 34 44 37 42 46 41 30 31 32 44 37 31 32 22 2c 22 63 74 22 3a 22 54 65 61 6d 20 46 6f 72 74 72 65 73 73 20 32 20 42 72 6f 74 68 65 72 68 6f 6f 64 20 4f 66 20 41 72 6d 73 22 2c 22 63 70 22 3a 22 22 2c 22 63 74 75 22 3a 22 22 2c 22 63 6c 22 3a 22 22 2c 22 63 68 22 3a 22 67 61 6d 65 66 61 62 72 69 71 75 65 22 2c 22 63 61 22 3a 22 76 35 2e 38 33 22 2c 22 63 66 22 3a 22 6d 61 67 6e 65 74 3a 3f 78 74 3d 75 72 6e 3a 62 74 69 68 3a 44 33 35 31 30 33 36 31 34 36 44 31 42 44 32 34 33 42 39 39 31 41 43 41 35 38 31 34 44 37 42 46 41 30 31 Data Ascii: {"v":"0.1","l":"US","i":{"cu":"magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712","ct":"Team Fortress 2 Brotherhood Of Arms","cp":"","ctu":"","cl":"","ch":"gamefabrique","ca":"v5.83","cf":"magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA01

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49169	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:48 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 289 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:48 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:48 UTC	288	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 31 5c 22 2c 5c 22 37 5c 22 3a 5c 22 32 2e 34 30 2e 31 2e 38 39 31 39 5c 22 Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"\",\"18\":\"\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"1\",\"7\":\"2.40.1.8919\"
2024-07-28 22:52:49 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:49 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 38a3f663851a0597e7026100a58b9b38.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: Wlb1Z5HVx2lnmN826OE8if5wF9ibckB1BQ4oX2Z5U8umbybgU2_RWg==
2024-07-28 22:52:49 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49170	65.9.23.108	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:50 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 384 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:50 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:50 UTC	383	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 52 41 56 5f 43 72 6f 73 73 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 52 41 56 5f 43 72 6f 73 73 5f 54 72 69 5f 4e 43 42 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"RAV_Cross\",\"18\":\"ZB_RAV_Cross_Tri_NCB\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\
2024-07-28 22:52:50 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:50 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 eea4db3ca37c99035a6e9a24033c4cea.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: mv3oPuy_zk8W-SxqNctr0h5Q7dR36ikVjw8IPVlCeiXO0VOfJwJ1Nw==
2024-07-28 22:52:50 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49171	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:51 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 378 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:51 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:51 UTC	377	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 41 64 76 69 73 6f 72 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 65 62 41 64 76 69 73 6f 72 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"WebAdvisor\",\"18\":\"ZB_WebAdvisor\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\
2024-07-28 22:52:51 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:51 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 9680e9cb5cbc773ebfed1b7a558f7db6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: PyPXj7ETcFvUgtOXuQgJp5taM1vjQSc54ARBrW-JiyLWzNxHhC6rgQ==
2024-07-28 22:52:51 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49172	65.9.23.141	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:53 UTC	136	OUT	GET /f/AVG_AV/images/1509/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:53 UTC	608	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 53151 Connection: close Date: Sun, 28 Jul 2024 05:58:18 GMT Last-Modified: Wed, 01 May 2024 12:21:17 GMT ETag: "aee8e80b35dcb3cf2a5733ba99231560" x-amz-server-side-encryption: AES256 x-amz-meta-cb-modifiedtime: Tue, 30 Apr 2024 07:13:32 GMT x-amz-version-id: t0aKL0R4FYtf2ry_kAUySb7zudCs2Esv Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 0921eae154c93e666b192fa267ea4bfa.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: eydJTNoPIuUIVNPJy4bmqWzcyurvLqXyhtnQwGjukfEyUBWHwZzI_Q== Age: 60876
2024-07-28 22:52:53 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 23 00 00 01 18 08 06 00 00 00 8e 7f f6 42 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 cf 34 49 44 41 54 78 01 ec fd 09 98 1d c7 79 1e 0a bf 75 ce 99 7d c7 be e3 80 04 57 91 22 a8 d5 92 28 73 20 d9 f1 1a 13 94 1d c9 89 9d 70 90 dc eb dc fc ce bd 04 f3 c4 51 9c dc 84 83 3f 71 6c 3d c9 0d c1 27 cb 9f 38 b9 17 83 9b 45 b6 6c 99 a0 17 59 b2 2d 61 68 ad d4 46 50 0b 77 10 07 fb 8e d9 d7 b3 d4 5f 5f 75 55 77 75 77 f5 72 06 33 58 c8 7a c9 c6 e9 ae fa aa ea ab ea 9e fe de fe 6a 63 70 70 70 68 0e 9f da cd e1 e0 90 85 4f 1e 61 70 70 70 c8 85 02 1c 1c 1c 1c 1c 1c 1c 1c 6e 20 1c 19 71 70 68 1e 15 38 38 Data Ascii: PNGIHDR#BpHYssRGBgAMAa4IDATxyu}W"(s pQ?ql='8ElY-ahFPw__uUwuwr3XzjcppphOapppn qph88
2024-07-28 22:52:53 UTC	16384	IN	Data Raw: c1 73 9b 52 b7 ca 71 25 13 05 b9 54 39 82 ae 97 34 43 73 5c fd ea 73 7a e9 0c aa 73 dd e5 a1 87 ac f7 ab b0 31 a3 7c 93 30 65 c5 47 31 68 d4 85 f4 3d 82 e0 45 58 36 74 38 62 c8 3c a9 e2 0f 20 70 1d 6b 19 1d ae eb 34 ac ce 07 8d 32 75 9d 76 21 ee 59 d1 5f 85 4f aa f2 86 55 7b 44 eb 61 96 01 84 ef 49 b4 1e 51 1c 88 94 31 a6 d2 96 23 f5 3e 88 78 db 8f 20 dc b6 43 2a 6e 0f 82 fa ef 89 e8 36 18 d1 2d fa 3c 3c 66 e4 69 c6 ef 43 d0 b5 f7 38 82 af 65 dd 1e bb 8c 3c 9e 8c e8 f5 a4 11 b7 c7 08 3b 62 c8 d9 8c 5b 39 92 b7 d9 ee bb 10 7e 0e d2 da f8 88 aa b3 59 cf 17 10 ee be 4b d3 d9 56 47 f3 9e 6b 3d 9f 31 74 2a 27 e8 a1 ef cb 20 e2 ed c0 23 e5 96 11 6e 23 b3 fe d1 76 d1 ed 17 6d 97 17 90 dc 2e 50 f9 25 3d ab 49 65 e8 e7 11 09 65 46 ef 85 ae 77 f4 19 5f 12 29 d1 b3 Data Ascii: sRq%T94Cs\szs1\|0eG1h=EX6t8b< pk42uv!Y_OU{DaIQ1#>x Cn6-<<fiC8e<;b[9~YKVGk=1t' #n#vm.P%=IeeFw_)
2024-07-28 22:52:53 UTC	16384	IN	Data Raw: d3 53 ce 91 5e 3f f7 b0 e8 65 3e f3 74 4e cf 83 f9 4c 8f e0 da 30 1a f9 25 1c 8e fc 12 86 11 cc 6a d3 63 6d 2a 08 06 68 27 61 b7 ca 5b 4f 6b a6 76 dd 8f 5b 84 88 10 16 5a e7 07 21 07 ad 7a 2f 5e 73 59 6e 86 b0 c9 33 bf 26 ad 5e 91 84 77 77 46 74 3a 72 1b 85 95 44 1e 62 c0 12 e5 72 da e5 7c bd 5d cd 42 a9 d5 b0 76 4f 19 3a 27 56 81 a5 55 2d b9 cc 66 64 6d 65 a6 c9 e7 91 4b 2b 92 2d 2d 5d 42 6e 30 49 e4 ca 80 c6 8a 30 f1 72 e4 c2 e8 5c 3b 11 b1 a1 ac 7e 2b 09 f1 fa 45 a8 bd 1d 49 f1 95 25 a4 bd 16 bd 4c 39 32 2c 23 b0 77 7b 68 99 34 1d b2 e2 57 0a 59 ed 53 56 bf 15 64 a3 8c f4 7b a4 7f 2b f0 0c 20 7d 7d 0f 18 f2 69 f7 71 a9 c8 ca b3 8c e6 db 7d 39 f4 cc ca 63 25 da a2 19 2c b5 fc 6b f9 7b bb a1 58 fc bd ee af 0a 02 f2 41 7d ad 07 ad 7a 1c 80 f9 1f 91 b3 8d Data Ascii: S^?e>tNL0%jcm*h'a[Okv[Z!z/^sYn3&^wwFt:rDbr\|]BvO:'VU-fdmeK+--]Bn0I0r\;~+EI%L92,#w{h4WYSVd{+ }}iq}9c%,k{XA}z
2024-07-28 22:52:53 UTC	3999	IN	Data Raw: 18 16 3f 58 40 25 a3 82 ed 64 10 eb 52 16 1f 65 ec 19 69 ed 29 a1 a2 82 04 2d a9 6c 71 5f 01 de 75 e6 2e aa b8 e3 1a f5 26 0a 69 54 34 e1 7e 8d b7 aa ac 9d 3e 3e 3d 8b ce 75 8f a1 b1 a3 7a dd 61 45 9f 9e af a4 9e 78 f8 71 32 5b 3f fc 10 ee 13 00 6e 51 e6 cf 9f ef c8 cc cd ee 0c a7 11 ff f1 0a 6a bc 7a 83 b7 d9 aa 69 3c 5b bf 7d 7a 03 14 e6 29 39 8c 5d 36 f5 f3 6b cc f4 7a 06 35 ba b6 f2 4d e5 91 e5 b8 dc af 1c b3 c0 b0 1d 93 df 39 73 7c bc 12 a6 7a 0e 17 bd 2e b6 e3 d3 cb f3 44 46 d0 f1 99 f0 fb ad 4c e7 23 ec 35 a0 e4 dd 90 87 01 ac 94 f2 86 e8 23 a3 39 2e 35 4d 7b 64 60 24 71 a6 ae 03 95 16 e1 21 9f 8f ce c4 a7 c5 8b cc 53 22 42 64 c0 26 41 f9 46 a6 70 3f 7c 69 0a d5 dd 7d 8c 7e bf f2 0c 15 44 92 74 e8 d2 54 f7 ad 9b d2 c2 04 fd e4 8b d4 8c b1 0f 4e ba Data Ascii: ?X@%dRei)-lq_u.&iT4~>>=uzaExq2[?nQjzi<[}z)9]6kz5M9s\|z.DFL#5#9.5M{d`$q!S"Bd&AFp?\|i}~DtTN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49173	65.9.23.141	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:54 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 375 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:54 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:54 UTC	374	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 56 47 5f 42 52 57 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 4e 6f 72 74 6f 6e 5f 42 52 57 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"AVG_BRW\",\"18\":\"ZB_Norton_BRW\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\",\
2024-07-28 22:52:55 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:55 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 7fbfed9453edeb4b5dca9173a3f5f8dc.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: gVl-kH42Hn2u3EBBkeF1dInLsYuAZEmLqnsJXGz9OSUQDajTw1zGag==
2024-07-28 22:52:55 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49174	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:56 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 380 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:56 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:56 UTC	379	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 4f 70 65 72 61 5f 6e 65 77 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 4f 70 65 72 61 5f 4e 65 77 5f 44 4c 4d 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"Opera_new\",\"18\":\"ZB_Opera_New_DLM\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"
2024-07-28 22:52:57 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:56 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 b63f332297d95bccb0f4e41c4aef0ab0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: D-tZKPE4A42PBzbsQb3poeKAlCZZlG-u79zmZAOEo3XexfmtSKgQBw==
2024-07-28 22:52:57 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49176	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:57 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 372 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:57 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:57 UTC	371	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 69 6e 7a 69 70 31 39 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 69 6e 5a 69 70 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 37 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"Winzip19\",\"18\":\"ZB_WinZip\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\",\"7\
2024-07-28 22:52:58 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:58 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 3180232852f42d0e8ed2a6999ef03c92.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: imnlQ8ZGb5TYyBjlhrTUElNAjEk8n-uuYU5mFdK_FH_0G6xZ7ajvzw==
2024-07-28 22:52:58 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49177	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:52:59 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 407 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:52:59 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:52:59 UTC	406	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 43 6f 6d 70 61 6e 69 6f 6e 43 48 4f 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 43 43 48 4f 5f 6e 65 77 5f 49 53 56 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"WebCompanionCHO\",\"18\":\"ZB_WCCHO_new_ISV\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"
2024-07-28 22:52:59 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:52:59 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 e4d3109086369a6becda895ae199f9ec.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: l49Vb2ao9LsN-8piK6A4D4TAuqAJv5YH042WkEGJlB-MHOsgzc4KKA==
2024-07-28 22:52:59 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49178	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:00 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 371 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:00 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:00 UTC	370	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"Avast_NCH\",\"18\":\"ZB_Avast_NCH\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\",
2024-07-28 22:53:01 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:01 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 76991fdca074ecae847653e013587ff8.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: vsFcOqnceLmU9n8ybz7qEsq4TNeO4J228i5ibu31hujXM7WiBqURPg==
2024-07-28 22:53:01 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49179	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:02 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 363 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:02 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:02 UTC	362	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 56 41 53 54 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 76 61 73 74 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 37 5c 22 3a 5c 22 Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"AVAST\",\"18\":\"ZB_Avast\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\",\"7\":\"
2024-07-28 22:53:02 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:02 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 c49bda74c25f4f26cc20173eec28da1e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: GLW25Uwyt5L-nBMIaIVZPzqPq96V57h5Kv4plO8APKmymlTvOzQVkA==
2024-07-28 22:53:02 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49180	65.9.23.141	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:03 UTC	140	OUT	GET /f/WeatherZero/images/969/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:03 UTC	511	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 30586 Connection: close Date: Sun, 28 Jul 2024 04:44:18 GMT Last-Modified: Thu, 08 Dec 2022 12:37:43 GMT ETag: "9ac6287111cb2b272561781786c46cdd" x-amz-version-id: MVrTExmvEQAJj6fAGLSH_gwH63ab4qxc Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 17c1f7944e7f0a7a5535cc3cecf1da08.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: YBs6t3nropDFZiJ9_RzR9kgcShw2c7bM2s53m6iFzUUXTxZXou7_0Q== Age: 65326
2024-07-28 22:53:03 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 77 0f 49 44 41 54 78 01 ed bd 09 9c 5d 57 75 e6 bb 35 db 12 e0 12 24 a4 b1 8d 55 02 e7 e1 e9 21 89 04 92 74 9a 48 22 84 90 a1 23 39 09 79 49 27 d8 12 83 33 30 48 02 cc 0c 92 18 02 06 82 24 27 61 36 1a 92 ce 44 82 a4 4e 77 42 9a 04 c9 34 09 74 42 9e 24 9e b1 8d 27 95 07 08 84 07 92 30 c8 b2 64 bb 7a 7d 57 f7 2b 2f 2d ed 33 dc aa 5b 75 ef 3d f5 fd 7f bf 53 f7 0c 7b 58 7b ed 69 9d 7d f6 de 95 92 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 Data Ascii: PNGIHDRh(pHYssRGBgAMAawIDATx]Wu5$U!tH"#9yI'30H$'a6DNwB4tB$'0dz}W+/-3[u=S{X{i}B!B!B!B!B!B!B!B
2024-07-28 22:53:04 UTC	12398	IN	Data Raw: a8 0a af 4c 87 55 3a f0 e1 73 2a 0d 75 58 54 d7 72 e1 45 99 58 ce bd df 32 19 73 94 e5 75 ce 6d 2c c7 b9 34 4e a4 1c e5 ee 8d a7 7e 7a ff b9 f4 c4 76 aa ca 7d 8e b2 f4 d6 4d 1f 46 cd 30 1a 76 b8 c6 3f 8b 89 d3 a9 62 9d 8f e9 88 71 95 95 e9 a8 87 f1 a4 b9 6e 5d a7 ee 59 86 ea e8 bb ac cf 61 18 55 7d 56 a7 65 88 f3 52 73 ff b4 a4 4e bd a9 7b 8f f2 e5 d2 97 cb 47 52 96 77 45 6d 45 a4 93 36 8e e1 e4 ea 0d d3 e0 75 1c db 39 9e 4f 37 76 ed da 85 be 7b ca ed 4f 19 bc a2 ef 18 69 2f 80 19 c9 ec a6 40 68 f0 c6 b9 68 42 88 c1 84 06 00 16 82 e1 53 b8 16 f9 f4 0f c8 1b 7c fe c7 d4 01 bc 88 d4 79 11 10 a2 88 5e 19 bc 9a c3 2b 84 10 a2 e7 60 54 97 3b 7f c8 d8 ed 2f 30 c0 00 63 17 03 0c 32 76 c5 a0 a2 5d 1a 44 df 81 06 75 74 b4 7c 8a 4f 9d cf 9d 42 88 c1 01 9f c9 61 e8 Data Ascii: LU:s*uXTrEX2sum,4N~zv}MF0v?bqn]YaU}VeRsN{GRwEmE6u9O7v{Oi/@hhBS\|y^+`T;/0c2v]Dut\|OBa
2024-07-28 22:53:04 UTC	1804	IN	Data Raw: ef cb 3d 47 15 21 23 3a 4e d4 8b 98 c7 75 bf 5c 74 4a ae 1e 30 7d 55 a3 88 a0 d3 3c 19 0f d0 07 c2 f6 bb 4b 74 f2 c5 a2 2a 4f 30 fa 06 3d a0 9c 90 a9 d8 c7 36 d6 c9 11 b7 9b 06 eb 71 2c 27 a8 4f 75 5e 48 18 4e 1c 0d 1e 09 3b 76 44 3a 19 b1 e6 48 26 bf f6 90 b2 fa c1 f2 96 eb 3f 72 72 a1 5d e1 48 2d e0 c2 41 84 51 a7 2f 82 5f 94 43 dc 63 18 f8 e5 57 2f 94 d5 ba 8c 27 4f 8a d2 8b 74 8d f7 ab 8c 10 75 d0 08 ef 38 60 45 c6 9e a9 68 0c 39 42 e6 3f eb a0 73 40 87 54 b7 53 ce 35 aa f8 ec 84 06 88 cf d0 50 a1 51 62 c7 c3 cf f4 34 04 d0 68 a1 21 63 9c f8 45 43 58 b5 3f 2a 3f 1b 17 a5 03 71 96 8d 02 46 99 20 03 0c d4 a2 06 2f a6 83 71 c2 af 37 d6 d1 20 62 a4 2c f7 59 8f 40 c7 88 27 ca ec 81 2c 68 c4 a9 17 c4 03 bd 74 fa 19 b3 08 84 1d 77 95 c8 8d 82 02 e8 06 ee f9 Data Ascii: =G!#:Nu\tJ0}U<KtO0=6q,'Ou^HN;vD:H&?rr]H-AQ/_CcW/'Otu8`Eh9B?s@TS5PQb4h!cECX??qF /q7 b,Y@',htw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49181	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:04 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 361 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:04 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:04 UTC	360	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 4d 53 53 50 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 4d 53 53 50 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 37 5c 22 3a 5c 22 32 2e Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"MSSP\",\"18\":\"ZB_MSSP\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"2\",\"7\":\"2.
2024-07-28 22:53:05 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:05 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 3108e2685e0e061c5abe75f40944947c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: 4KCYzQESANmofS90giuPtHNHQpbX2o1Q604sUV4Ycc8X8fWRRUr6bA==
2024-07-28 22:53:05 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49182	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:06 UTC	140	OUT	GET /f/AVG_TuneUp/images/1543/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:06 UTC	608	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 45092 Connection: close Date: Sun, 28 Jul 2024 03:33:39 GMT Last-Modified: Sun, 02 Jun 2024 09:57:34 GMT ETag: "6e2a379f09decca92dbbabec56cb748a" x-amz-server-side-encryption: AES256 x-amz-meta-cb-modifiedtime: Thu, 30 May 2024 08:10:06 GMT x-amz-version-id: .IWMV5stNYlY0nV16VkUn1SOxGSzpW3u Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 124f1c96be6ce1b7012fa9b6449f2ac6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: FLmfraM1Ra1hVk4dHFT2hPwhKcIOlpQrNKpf_SJk45rWWt9aPO298w== Age: 69567
2024-07-28 22:53:06 UTC	15776	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 23 00 00 01 18 08 06 00 00 00 8e 7f f6 42 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 af b9 49 44 41 54 78 01 ed fd 09 bc 1d c7 79 1f 88 fe eb 9c 73 77 dc 05 fb c2 05 07 04 49 89 12 25 82 a2 14 d9 da 78 21 c9 96 2d 3b 43 30 b1 3d 1e 27 19 02 bf 78 32 c9 4b f2 08 e6 bd 19 47 4e c6 b8 fc bd 8c 65 e7 cd 0c c1 5f 94 cc 24 4e 1e 2e df 4b 62 3b 8e 4c 50 8e 36 c7 16 2e 25 51 0b 29 8a 00 f7 1d 07 00 b1 03 77 c1 dd ef 3d e7 f4 ab af ba ba bb ba ba aa 97 73 2f 2e b6 fa 93 8d d3 5d f5 7d 5f 55 57 f7 ed ef df 5f 2d cd e0 e0 e0 50 0c bf bf d3 83 83 43 16 7e eb 10 83 83 83 43 2e 94 e0 e0 e0 e0 e0 e0 e0 Data Ascii: PNGIHDR#BpHYssRGBgAMAaIDATxyswI%x!-;C0='x2KGNe_$N.Kb;LP6.%Q)w=s/.]}_UW_-PC~C.
2024-07-28 22:53:06 UTC	16384	IN	Data Raw: 98 ca 0c 8a 70 17 96 1d 29 30 68 15 68 22 66 56 65 39 e4 b5 24 ea 72 7c f6 b9 9f 8a e9 de 9e 1c 6c 42 8b e3 d1 3d d7 4d ab eb aa 9f 05 d0 4d 85 65 67 9f eb 7b a7 4e e3 d2 e4 94 20 d9 7d 9c 94 bc fe c6 db 22 e2 97 a6 b9 92 64 a4 0a df 09 d3 ef 08 fc e8 c7 20 df 76 c3 77 a8 07 71 7d 62 2f fc 07 3a 9d 63 10 ed a1 87 ff 00 1c 6c 20 87 f7 00 df 76 c2 45 4e 96 1b 83 72 a3 7b 71 5c 49 a3 7b 74 37 df 9e 90 69 44 18 9f 94 32 23 88 5e 24 ae c9 eb a2 8e 15 b1 0e 30 d4 e3 c7 61 72 30 83 06 86 57 60 7b 9f 8c 3e 4c 4f 27 25 b4 f6 c6 82 9c aa 4b 6b 6c c4 fa 16 26 26 62 f6 ad 0f f1 58 ac 3b 88 e5 58 6b 17 d7 49 35 6c 50 f2 14 05 66 95 52 b2 95 41 96 29 3a 50 64 73 74 2e c5 e4 8d 29 89 f2 82 1c b3 f5 30 d7 53 ea 9d 41 d8 54 dd e0 9f c2 63 46 f2 35 29 4c 37 95 1a 0c 63 56 Data Ascii: p)0hh"fVe9$r\|lB=MMeg{N }"d vwq}b/:cl vENr{q\I{t7iD2#^$0ar0W`{>LO'%Kkl&&bX;XkI5lPfRA):Pdst.)0SATcF5)L7cV
2024-07-28 22:53:06 UTC	12932	IN	Data Raw: 04 5d 4e 64 43 1f 44 3b 80 78 5b 05 b3 4b c6 e4 ef a3 52 26 68 ab 60 7c c5 de 94 32 6b f2 f7 61 a9 43 65 df 8f fc a8 5a ea 34 a1 d9 bf 1f 49 82 16 9c e7 30 1c 96 09 9e f1 90 66 90 d4 79 84 c4 33 cd 42 60 88 71 07 2f fc f5 e4 0b a4 12 ad c8 f8 fc 7a 56 e6 da 5f b9 1b 9b f6 7e 52 6c 1b ff e1 cf a2 fb be 2d 46 05 7d 05 d2 52 a9 64 29 22 19 15 d1 65 19 2b 89 29 bd a5 52 fc 5d 37 3b 40 c1 ec a9 2c 5b ce a8 9b 5d a8 ad c4 16 a2 22 80 7a e9 0c b9 b9 4c 14 aa 49 4a 54 24 17 58 ae a4 78 26 b3 5f 27 96 33 35 bd 80 ec 24 35 33 6d c5 60 da 5f b9 75 46 f4 08 c9 95 23 22 01 02 47 44 4e 62 b7 dc 1f 41 f4 d6 3a 24 7f 03 c7 10 e4 db 9c e8 23 52 96 1c 1e 39 60 1a 23 60 1b 5f 72 48 b1 b7 c7 22 43 e1 7c 22 34 ea 14 d5 83 48 92 1c a6 d9 7b 54 ee 07 d1 94 bd 88 22 04 87 11 8d Data Ascii: ]NdCD;x[KR&h`\|2kaCeZ4I0fy3B`q/zV_~Rl-F}Rd)"e+)R]7;@,[]"zLIJT$Xx&_'35$53m`_uF#"GDNbA:$#R9`#`_rH"C\|"4H{T"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49183	65.9.23.141	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:19 UTC	136	OUT	GET /f/AVG_AV/files/1319/avg.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:19 UTC	556	IN	HTTP/1.1 200 OK Content-Type: application/zip Content-Length: 125405 Connection: close Last-Modified: Tue, 17 Oct 2023 08:25:24 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: 7L8o.GLX1Vn.tHqh_TFMmsecTIZweR8e Accept-Ranges: bytes Server: AmazonS3 Date: Sun, 28 Jul 2024 11:51:22 GMT ETag: "56b0d3e1b154ae65682c167d25ec94a6" X-Cache: Hit from cloudfront Via: 1.1 a65cc3f0f56427b7099c895c026d63f0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: iVxo8LPmmCQq-xaPpRwnjmedzXL6f5AI8uZAblRD39kSwZRHGoH52w== Age: 39718
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 c5 58 51 57 d0 61 0b d8 1f e9 01 00 b8 95 03 00 1c 00 00 00 61 76 67 5f 61 6e 74 69 76 69 72 75 73 5f 66 72 65 65 5f 73 65 74 75 70 2e 65 78 65 e4 5d 7f 7c 54 47 11 7f 97 1c c9 95 1e bc a3 4d 6a da 52 48 2d 56 ea d1 36 10 40 e8 01 0d 81 03 5a 09 bd 10 b8 a0 25 40 2d 8d e7 89 1a 93 3b 40 4b 28 e9 e5 2c cf c7 53 54 50 54 aa 54 ea 47 54 d4 a8 89 a4 48 e8 25 c1 fc 2a 42 42 51 d2 82 36 5a d4 97 26 da b4 a4 e1 80 34 e7 77 66 df fd 08 bf ac 1f fd 4f 5a ee ed db 9d 9d 9d 9d 99 dd 99 9d dd 7d e4 7d 6c bb 94 2c 49 92 19 7f 23 11 49 aa 95 c4 9f 1c e9 df ff c9 34 49 d2 e8 f1 07 47 4b d5 37 fc ee ce 5a d3 e2 df dd b9 cc f3 c9 b2 cc 92 d2 cf 7e a2 f4 b1 4f 67 3e fe d8 67 3e f3 59 5f e6 c7 9f c8 2c f5 7f 26 f3 93 9f c9 9c ff 48 41 e6 a7 3f Data Ascii: PKXQWaavg_antivirus_free_setup.exe]\|TGMjRH-V6@Z%@-;@K(,STPTTGTH%*BBQ6Z&4wfOZ}}l,I#I4IGK7Z~Og>g>Y_,&HA?
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: 5f c5 5d 11 95 f4 c0 f9 6c b9 95 6e 28 fc 02 31 9f 64 47 90 ef f8 94 64 c1 6b 65 cd 4b 08 ba 3e 74 dc f7 1c 45 bd 18 b6 4f cd 38 16 38 67 75 dc 47 8a d6 cd 73 49 f4 71 04 ff 44 58 de b5 06 ce a5 3a ee fb 0d c2 f0 b4 65 0d bc 9b da ea 6e 5f 64 06 46 97 bb dd 3f 7d f3 b9 4e 4a b9 ef 01 2a 28 c5 4c 05 e5 a4 f9 37 28 9b b7 11 e2 d0 76 92 d5 e7 22 c7 57 ef 97 39 2a 46 d1 cb 63 6a f6 db 36 9f eb 05 44 f9 a2 86 94 04 35 6b 8e b2 79 17 67 ad a3 01 9d 6a 0e 34 df 8e 9b 55 d7 ba da cb af 21 c1 1d 57 69 16 b4 14 64 1e 92 fe 15 5a 56 8f aa ca 4a 36 f9 93 73 0a 70 34 b3 e1 fd f0 3d 66 72 fb 2c bf c1 a0 79 13 ef 84 4d 9d e3 be ef 9b 81 6e 49 bf e5 d9 cd 73 73 8a 7d c5 8e e0 1b 88 d8 bc de fa b5 bb 66 cf f7 67 06 ce 17 38 ee 53 f8 9e 79 7b 38 07 f3 89 6a c5 b7 38 3b d5 Data Ascii: _]ln(1dGdkeK>tEO88guGsIqDX:en_dF?}NJ(L7(v"W9Fcj6D5kygj4U!WidZVJ6sp4=fr,yMnIss}fg8Sy{8j8;
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: ee 61 a2 f4 07 a9 51 b2 91 cf 00 7b 1b 60 b4 47 fa 1a de cf b1 15 49 a8 98 cf 20 4e ac 7d 46 12 76 ec 06 2e 91 c3 ee 17 8c 82 a5 57 e5 a5 a0 83 5c 4f 99 44 b3 02 ed 4b 49 c6 48 e3 6b 20 68 dc 90 b7 2c ab 0d d3 d3 0b 6d 39 09 e4 55 1e 31 74 1c 32 87 74 1c 2e a5 e0 50 f5 a0 88 47 1e 1a c3 d0 dc ad 6a 5c 12 b3 be c6 59 2c 63 e3 e6 d8 62 c6 c6 ee a5 58 c2 52 d8 85 e4 26 c8 d0 c7 c9 ad 1d 33 bf e6 f1 af fe 98 79 32 ec 16 e6 80 26 9e 05 c2 26 5b 99 fa 09 a4 03 e3 0d 55 ab f0 36 1b f2 85 52 3e 27 05 1e ba 05 7e 2c 0b ce b2 b2 87 d6 c0 ad 8f 83 12 32 2c c0 80 f2 63 48 fc 21 8a 5b 8f 8e 80 45 6b 64 15 ff 36 71 a4 02 9c 59 a2 a7 10 71 b7 19 31 89 1b c9 32 26 f2 c0 d3 08 a7 02 1c 05 00 cd e9 8a 17 d0 c7 f0 51 51 de 45 1c f1 f7 c0 a4 59 3a 39 64 be ca 5d 01 d5 31 f2 Data Ascii: aQ{`GI N}Fv.W\ODKIHk h,m9U1t2t.PGj\Y,cbXR&3y2&&[U6R>'~,2,cH![Ekd6qYq12&QQEY:9d]1
2024-07-28 22:53:19 UTC	11610	IN	Data Raw: 20 7e 30 de 7f 76 b2 6c 69 d8 67 bf bf 15 a4 3a ed 30 7d 8c 51 70 eb 8f cc 92 78 ef da d4 77 d9 ed fe 16 33 7c b6 83 32 93 27 db 26 1e 1c e8 9d d2 07 6b 4b 09 1c 73 f6 a5 44 ad 31 0d a2 63 16 3b cf c9 47 23 9e 72 0f dc 47 5d 73 a1 8e 85 d5 76 6d 3c 77 e7 33 2a 7a ce a1 0d c9 d4 b9 b2 4d 3e ea 68 09 f7 ef fd b1 40 1c 2d 40 54 48 c7 9e f3 24 bd b6 ea e9 2f a1 37 fc 8f 18 0c 42 85 f0 22 b6 c0 48 a4 41 a1 c3 75 27 c2 e5 d0 6f ba 6d 36 9e 44 b8 a8 9b 67 80 98 15 c8 bb 0f 09 b3 be 3b 06 fb c9 29 99 ae 0b cf 8d 67 cb 73 95 4b f8 a9 d6 eb 3f c2 0f 4f c8 ab e2 ec 84 df ad 21 a4 05 c9 6c ac e3 00 9f 64 ca ce de 5d ca ae b0 83 c7 ea 74 00 d6 92 81 9d c8 29 d5 59 08 33 57 a2 5e 28 60 8e ae ce 25 0f a2 d3 f1 c3 7e c2 dd ac 55 e7 53 c4 5c 87 ae 47 46 0b 82 1c d4 51 f5 Data Ascii: ~0vlig:0}Qpxw3\|2'&kKsD1c;G#rG]svm<w3*zM>h@-@TH$/7B"HAu'om6Dg;)gsK?O!ld]t)Y3W^(`%~US\GFQ
2024-07-28 22:53:19 UTC	3678	IN	Data Raw: aa b7 4d 05 f3 a2 d4 d1 92 92 00 66 d8 e4 1b 91 68 79 8b 5a 03 5b f1 01 6c 66 67 cd dd 64 b5 ba 07 91 83 fe ef 1c 35 42 18 0c d8 06 58 7a 15 98 a4 a2 8e 91 da a1 ae 6b 25 d4 2d 5c 4f 37 5b 05 81 10 ec 87 d4 c0 e5 43 a8 60 67 e0 ba c0 42 2b 8e a3 89 5d 03 07 2a 0b c2 b5 84 03 f9 c5 ca 7e b5 d8 98 0d 29 bd 4e 38 19 3d b9 11 ee b3 8a b2 5b a9 7a 73 ef 26 81 b7 44 67 82 9c ba c4 ff 91 04 19 7b e7 ce da 8f b4 d1 a4 ef 1d cc 6e 55 16 6d 91 9c 8b 14 69 ad 71 01 e6 65 4a 65 74 50 94 da 4e 32 ac 01 f1 f2 45 db 87 c0 c7 b4 bf da 0e b5 07 5f d2 8e 49 74 9f ee d4 2c 3b b2 10 d8 4e 3f 81 92 43 d9 41 20 5b 8d 5d e4 47 ed b0 52 f2 46 2f 03 0a d4 bb ea 70 ef 07 29 fd c8 e5 0f 99 6a ec 28 11 5f 94 45 af 0d f6 b2 a4 c2 c3 8e 33 1d 85 db a9 b1 fe d6 10 b4 c5 ec 4d e4 04 06 Data Ascii: MfhyZ[lfgd5BXzk%-\O7[C`gB+]*~)N8=[zs&Dg{nUmiqeJetPN2E_It,;N?CA []GRF/p)j(_E3M
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: 81 48 04 f3 cb de 61 a6 02 18 ee 86 6d 39 83 9f 02 b7 82 dc 0e fb a5 b0 bf 45 69 18 2f e0 94 7f a2 fd 9e 2d 3f fd 41 6c 52 83 2d 9b 16 e0 2a 1b c2 7e 29 a8 03 3d 6c cb 9e 84 65 84 de 64 cb 14 87 65 71 d2 4b b1 36 b6 8b 75 4d 34 60 82 95 9d 1c 02 3a 10 83 6b c0 3d cc 54 f8 e6 6c db d5 1c b1 fd ec 1b fb f9 9f dd 5e 05 db 8d d6 cc 4d 4f 15 37 82 71 33 9f 4f 5f 8b 9b fa 14 6b a7 ba 5b d7 c4 02 e2 38 fb 94 d9 c4 c2 69 bd 0f 35 c1 29 93 e2 34 ef 12 03 95 1d 1d 2d 2b d9 21 a0 10 e9 f8 58 c9 3e 15 5c 58 02 0c c2 c4 7c 80 b4 7c a1 7d 11 37 64 8e d5 2a cb 29 6d e9 cb c5 44 65 3b 0b 61 6a 8e 14 37 83 13 89 83 eb 77 34 cf 75 c0 a8 78 82 e6 b3 d3 f1 ca ea 92 f5 6a f0 a3 7b 4a 82 8d 4d 4d 86 24 05 ee 44 2e ec 8c 93 61 3b 28 7c 8a b4 42 b6 4f b0 0b b5 bf da a2 f9 ec bc Data Ascii: Ham9Ei/-?AlR-~)=ledeqK6uM4`:k=Tl^MO7q3O_k[8i5)4-+!X>\X\|\|}7d)mDe;aj7w4uxj{JMM$D.a;(\|BO
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: d1 e0 e3 a9 1c 88 8f 92 84 6c 7c 84 b0 b0 9e 29 29 3d d9 6a 2d 4a fc f6 1c ca f0 ef f0 46 23 4d 1d 19 8e ad 46 4c 27 41 03 3f 50 44 98 ec e9 9b 5e 52 39 0d 52 68 86 95 97 a5 59 3d 69 4c 23 d5 a7 97 e9 58 dd 46 0b 0d 6f c7 22 cd da 83 95 85 ae 3f 24 3d d9 a2 b6 38 6a 1b 69 a3 78 9f 63 00 b3 74 36 d9 51 1f 39 eb f8 77 1c 13 c5 3a b5 b0 84 3f f9 b7 72 23 d0 f7 0c f2 25 c5 b8 a5 fa d3 c5 5a b3 a5 76 8c 16 1a de 26 ac 93 a4 76 f1 4d 51 a9 4d 78 50 6a 17 f6 52 db ec 9b 9e 82 d4 07 13 b6 29 2c 66 2d f5 27 95 a5 cd fd 92 59 f0 3e ca 75 a8 7b 20 5b 13 73 1e 88 bf 8e f0 97 06 db 6c de be 86 ff 79 0a 4a e4 b2 3f a5 a4 81 15 b7 0c c3 5f 4f fa 0e 27 b6 69 fc 1b 88 5a 31 56 3e 14 7d 66 1f df 78 c4 5a 81 00 20 04 08 03 c2 81 48 20 1a 18 0d 68 00 1d 90 05 4c 07 e6 00 79 Data Ascii: l\|))=j-JF#MFL'A?PD^R9RhY=iL#XFo"?$=8jixct6Q9w:?r#%Zv&vMQMxPjR),f-'Y>u{ [slyJ?_O'iZ1V>}fxZ H hLy
2024-07-28 22:53:19 UTC	16384	IN	Data Raw: 50 0f 98 a8 77 df df 4d bd c7 fe 13 ea aa 07 7e 51 d7 3c 54 a6 ae 75 f8 9f 54 8b 9f 3f ba b7 3d 72 a0 67 a7 83 c4 d0 a3 e3 e1 fc 1e 1d 8f a8 f5 e8 74 98 7a 76 3e 4c ea ca fb 81 7d 97 80 d6 c0 79 00 f1 46 f4 03 72 85 f3 bd 02 54 f6 c5 a9 f7 3c 60 a7 ae 7e 90 d4 b5 71 7f bf 63 cf d4 07 1c eb ca ca 99 12 f6 bb b6 51 d1 9d 45 a1 49 ea 92 71 19 fd 24 23 a7 eb 49 86 cf 30 96 f8 17 89 25 be a5 32 89 57 b9 ad c4 b3 c2 41 32 64 b1 b3 c4 b5 72 88 c4 65 85 a7 c4 b9 ca 5b e2 bc d2 47 e2 54 e3 0b 0c 95 38 23 74 59 e9 2d 71 ad f6 92 78 ac 72 96 38 17 0f 93 0c 14 2f fd be bf 61 35 0d 00 8c ac 4a d7 5a 7a 66 8c d1 d3 5f 4e 7a 7a 2b 48 43 65 2f 93 e1 2a 38 aa 00 97 3f e1 2f 06 4a 1a e3 2a 90 b5 c7 81 e9 ea 1a 87 86 aa f7 3e 42 ea 3a df 90 86 c1 89 87 1a 46 df 75 63 fc 27 Data Ascii: PwM~Q<TuT?=rgtzv>L}yFrT<`~qcQEIq$#I0%2WA2dre[GT8#tY-qxr8/a5JZzf_Nzz+HCe/8?/J>B:Fuc'
2024-07-28 22:53:19 UTC	11610	IN	Data Raw: f1 fa c3 7a 9a 3e 52 9f a8 4f d7 2f eb 3f e9 2d 8d 0e 46 ac 71 db b0 88 71 c9 7a af 06 f4 68 41 0a e4 68 72 3c f9 34 39 9f dc 0b 7a 5f 23 6f 91 c7 a9 1b 94 3f 22 9f 7e f4 3c 7a 11 7d 86 be 44 5f a5 03 99 56 4c 04 a3 30 7d 98 1c 66 23 f3 0e f3 3e 73 d0 27 d6 ac c7 36 61 c3 d9 76 b0 19 1c ac 46 1c 9b c0 26 b1 c3 d9 4c 36 87 2d 64 1f 03 ad 17 b2 6b e0 8f 77 83 de 37 e0 77 eb 59 9e 04 72 39 0a 11 51 4d be 3e 7f 1f 3f 10 71 68 3e e2 cf 57 f8 4d d0 d8 fd fc 71 fe 22 5f 4d 68 28 dc 2f b4 16 3a 08 c3 84 49 c2 35 a1 ba d8 06 51 d3 97 52 a8 dc 1c 5a 1b 21 47 c2 27 4f 97 f7 83 5e 47 21 b9 27 e4 85 5a a4 3e 1c ff c3 cd f1 fa 93 f0 b5 0d 8d 08 a3 0c b1 9f 9f 2d 57 0f 02 cb c5 24 09 cb b8 90 da 40 bd 49 85 23 ee d9 4a cf 67 57 b3 7b d9 23 f8 91 eb ad fc 4e 44 be fb 60 Data Ascii: z>RO/?-FqqzhAhr<49z_#o?"~<z}D_VL0}f#>s'6avF&L6-dkw7wYr9QM>?qh>WMq"_Mh(/:I5QRZ!G'O^G!'Z>-W$@I#JgW{#ND`
2024-07-28 22:53:19 UTC	203	IN	Data Raw: b7 24 cd ac 69 8f 0b 92 b3 26 22 54 ee c7 1b 78 8d 8e 17 87 84 7b 38 94 bf 91 34 b6 54 93 08 39 af 1a c5 78 84 51 0c 79 60 2e a2 a5 aa 25 45 13 a4 76 e8 82 5b fb ca cd f8 5b 0e 22 4f 51 fc 75 2c 5c b8 3f 79 7d 0f 50 4b 01 02 3f 00 14 00 00 00 08 00 c5 58 51 57 d0 61 0b d8 1f e9 01 00 b8 95 03 00 1c 00 24 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 61 76 67 5f 61 6e 74 69 76 69 72 75 73 5f 66 72 65 65 5f 73 65 74 75 70 2e 65 78 65 0a 00 20 00 00 00 00 00 01 00 18 00 e0 cc bc c8 d0 00 da 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 4b 05 06 00 00 00 00 01 00 01 00 6e 00 00 00 59 e9 01 00 00 00 Data Ascii: $i&"Tx{84T9xQy`.%Ev[["OQu,\?y}PK?XQWa$ avg_antivirus_free_setup.exe PKnY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49184	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:20 UTC	144	OUT	GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:20 UTC	519	IN	HTTP/1.1 200 OK Content-Type: application/zip Content-Length: 6227973 Connection: close Last-Modified: Thu, 08 Dec 2022 09:14:29 GMT x-amz-version-id: s20fxiZKNPOZhn5cscxnL4vQWeKpCNmb Accept-Ranges: bytes Server: AmazonS3 Date: Sun, 28 Jul 2024 11:29:28 GMT ETag: "7cc0288a2a8bbe014f9e344f3068c8f1" X-Cache: Hit from cloudfront Via: 1.1 a65cc3f0f56427b7099c895c026d63f0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: kf7mzeLzv50Ilh1y7ICks8bhS0tr4x3d4t60DBCxN5w7lCqfyG_yFw== Age: 41033
2024-07-28 22:53:20 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 76 86 87 55 c9 02 ed f5 8d 07 5f 00 10 8b 5f 00 0b 00 00 00 57 5a 53 65 74 75 70 2e 65 78 65 ec bd 7d 78 54 d5 b9 37 bc e7 2b 19 92 09 7b 02 89 46 f9 0a 12 14 0d 52 34 60 89 43 74 02 d9 21 58 06 26 0c 99 81 0a 08 42 70 18 23 a1 c9 de 88 96 e8 84 9d d1 6c 36 63 39 ad 7a 6c 6b 2d 88 3d b5 2d e7 d4 9e 5a a5 ad 8d 19 b0 49 50 d4 f0 51 88 42 6b d4 54 f7 38 51 a3 a4 61 80 98 fd fc ee b5 67 00 cf 79 ce 7b 9e eb b9 de f7 ba de 3f 4e 70 cd 5e 9f f7 5a eb 5e f7 e7 5a 6b 6f 3d df de c5 59 38 8e b3 22 e8 3a c7 ed e7 8c 3f 37 f7 df ff 75 21 8c 9e f4 87 d1 dc 8b a3 de 9c bc df b4 e8 cd c9 cb 82 1b 1b 0b 37 37 d4 df d3 b0 f6 be c2 75 6b 37 6d aa 17 0b ef ae 2d 6c 90 36 15 6e dc 54 58 b1 c4 57 78 5f fd fa da 19 39 39 59 45 29 18 ff 7a d3 f5 Data Ascii: PKvU__WZSetup.exe}xT7+{FR4`Ct!X&Bp#l6c9zlk-=-ZIPQBkT8Qagy{?Np^Z^Zko=Y8":?7u!77uk7m-l6nTXWx_99YE)z
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: 6a f2 fa 47 1c 1c 2a c8 0f d9 c7 36 68 51 4f 32 da e6 b0 d1 77 64 1e 2b 34 1e 4e 1b dd 0a 0b 54 7b a1 21 bd a1 b1 d1 4a 47 68 ac b7 33 13 58 e1 b4 ae 0c 76 1d 65 4c 69 a6 38 7a 72 a5 bd 33 83 0e 51 e3 13 40 d3 06 2b c6 5f 23 1e 7c 84 00 a6 27 72 80 72 3c 34 11 fe a5 5c f5 8d 63 1f 8c aa 49 4d c4 d5 d3 70 9a 7f d9 2a d8 41 c6 53 c0 c3 ac e7 a8 b5 99 7f c9 6b e2 5f 76 9b e5 a4 53 11 fa 1b af 50 5f 2f 7e 17 04 8c 29 d3 f4 30 f4 f8 3e a2 c1 e4 18 c9 11 a2 77 5d 89 8b 97 27 a6 cb ed 5f 22 41 c6 6b ba eb 05 97 75 5d 8a ae 3f 1e d5 94 ea 3a ea 70 ba de 69 78 27 05 99 7f d9 61 0c c2 d3 ae d6 24 8b 7b 2c 47 d4 2e ac 8a d1 a7 9a 8c 7d 6e 93 3f 9e 24 f7 4e 8a b6 64 92 1c 8f ce cd 72 25 f9 47 b7 5d 80 9e 6f ea 77 4a bc 7c ce c4 6f bf 8f 6e 65 6d 7b cc 0e fd a1 47 31 Data Ascii: jG6hQO2wd+4NT{!JGh3XveLi8zr3Q@+_#\|'rr<4\cIMpASk_vSP_/~)0>w]'_"Aku]?:pix'a${,G.}n?$Ndr%G]owJ\|onem{G1
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: 7d 52 e9 fd 52 17 6e a8 cd 05 a5 2b 7b 86 b4 30 0d fa fc 2e e8 e9 13 59 96 74 cf 3e 5b c6 a9 36 9e b6 77 fd 54 e4 aa a9 97 6b 87 2d d7 1c 9b 7f 5d c3 33 70 bb 54 c8 34 f7 a0 51 9f e0 26 99 d3 25 0f 86 ee c5 9e b8 33 7f b5 59 99 e6 c6 0f 37 74 07 25 de 8c 6b 5c b4 3e ec e8 c3 34 95 43 7d f5 96 58 c1 d3 76 ae 44 be 8d 2e c7 18 9c 0d 7e 79 a8 69 f4 3a 76 aa 86 23 56 28 f1 f0 86 98 2b 14 77 a5 a7 c3 b8 4a ee 31 c4 32 59 e4 64 1c dd a1 cc cf 10 cf 36 ba 43 93 63 95 8b a6 c3 35 df df 5a 85 53 0d f8 35 1d 8e 5c 74 17 e0 0b 3a 73 55 ee 67 ae d8 eb 54 37 53 d2 ef d8 88 5e d4 74 12 31 da fc 30 ce 3e 5b bc db 55 e1 ee fd 78 19 1f cf b9 6b f7 e3 1b 58 ca 9b ec cc 87 75 35 85 9f ab 53 cc ed 0a 3b e7 32 39 c2 70 44 79 ae 64 77 f4 a2 d4 c7 f1 49 b5 ec 2b de 47 43 b6 be Data Ascii: }RRn+{0.Yt>[6wTk-]3pT4Q&%3Y7t%k\>4C}XvD.~yi:v#V(+wJ12Yd6Cc5ZS5\t:sUgT7S^t10>[UxkXu5S;29pDydwI+GC
2024-07-28 22:53:21 UTC	15283	IN	Data Raw: 09 6e bf 9d 5b d1 62 1d 9f 0a 4d af 14 24 21 75 10 5a f1 b6 15 6c 82 6f 7c cc 4a 1d a4 cc 36 f5 5b bf 99 c8 70 26 a3 9f 6e 49 79 8d bc eb d1 53 b4 05 2b 1d 67 dc aa 4b c1 87 ea 7b 31 9d f9 b8 2e 57 1f f0 bd dd b8 34 91 bf e7 c3 6a 43 bb 5b 25 98 f9 5a 06 2a 4e 2c e9 fc 82 f0 4c ff 68 f5 67 38 3f 32 7b 5a 2a 32 cf 7b 07 cd f9 51 c2 8e da 89 c5 91 a9 f3 62 86 38 5b e3 bb e9 5b c7 24 aa be cb 9b 63 c5 bb 08 4c 03 b8 5d 04 ad 57 ab df f3 f0 3d d2 0f ea 87 f0 99 27 ef f4 99 c7 c9 11 16 a5 77 f1 5e e8 59 85 09 81 7f f6 5f c1 d6 50 52 1c 3f 07 36 95 93 21 43 5d f5 10 60 dc 65 66 b1 08 dd 5e 5e 83 78 07 82 65 f9 b2 48 fb f7 8d 11 e7 f2 a0 35 16 d0 f3 8c b9 60 95 9c e1 5e 5c 1f 18 f4 9c f8 a0 d8 e6 57 1a f8 2a 07 a3 87 76 79 94 ac 47 c6 30 22 43 60 e1 62 c1 61 ec Data Ascii: n[bM$!uZlo\|J6[p&nIyS+gK{1.W4jC[%ZN,Lhg8?2{Z2{Qb8[[$cL]W='w^Y_PR?6!C]`ef^^xeH5`^\W*vyG0"C`ba
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: c3 34 5e 7b 6a 28 d2 d1 43 5f 5b 5c fd 6f a9 85 ae 11 2f a8 57 42 0e 66 78 09 20 c7 12 7e 84 04 90 bf 73 d1 a6 4b b7 de df 75 1f 21 52 de 94 2a 75 40 cd e2 2a 87 6c 2a 82 1d 67 d9 a6 af d8 93 08 fc 45 f7 70 e4 e7 de 01 02 db 30 b9 c5 58 48 26 dd 6a 8e 50 7f bc 07 7f db 02 2d 71 f6 2d 29 b5 97 bc af 41 fc 57 2f af 73 f6 e2 47 33 44 67 5d 54 56 8b 61 7e 0d 6e c9 a5 5b a1 6c 2a 7c c5 1a 10 7e a1 6c 18 10 1c 74 f7 60 ff 3d e9 6b 4e c5 94 39 de 6f 22 fa 3e b1 61 51 b7 3b b6 98 2e 19 14 b2 70 19 9c a7 d0 7a 01 64 a0 6d 7b 51 ff 78 ee f0 65 49 7d 95 de c0 98 2d 25 6a 97 9f d4 12 02 44 72 f4 cf 52 71 62 ab a4 e2 60 dd 88 5c a5 a0 b1 66 ba 9b 82 83 ee 52 19 1e 49 fa ed 74 66 23 8a d3 04 5e 2a 2f a1 8f 84 42 53 47 20 56 aa d6 85 4b 69 c2 b7 93 d7 43 da 84 de e6 da Data Ascii: 4^{j(C_[\o/WBfx ~sKu!Ru@lgEp0XH&jP-q-)AW/sG3Dg]TVa~n[l\|~lt`=kN9o">aQ;.pzdm{QxeI}-%jDrRqb`\fRItf#^*/BSG VKiC
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: ac f4 ce 67 2d 92 ad 6e 4f e8 aa 85 2a eb c0 b0 62 18 09 24 27 8e ca 45 0b 9e d7 e5 ce 69 08 eb 1e 89 d0 54 7f 92 7a e7 b6 9e de 3e ad 78 81 aa eb 45 4e 7e ec 5b 7e 8f 5a b5 8d f7 1e b5 ea ee bf a2 56 b5 79 45 0c 76 2f 18 dc e8 1f 1b bb 0b 8d e5 1e a9 f9 de ee c0 6a 2b 35 8a df a1 bc 4f f0 bb 15 c1 3e ba c4 fb 74 3f 04 0d 05 12 0a 3a f4 e8 bf 21 f8 be af 3a 49 bb 8b 53 00 e3 44 e4 37 a6 e4 01 d9 11 db 09 10 a0 4b eb 3e 77 f8 e6 9e 60 a9 6a 8f 85 44 8e d3 e8 d7 60 69 ff 1b 31 24 b5 4c 8a 0e bf 48 c3 e0 cf 76 04 8c ca 67 c7 2a 0f ee b6 c8 d0 d8 24 34 5a ef 0b a3 30 8d 05 be 84 ee bf 3e ef ae 39 39 1d e9 a3 b1 66 ad d4 d3 9c f8 d3 1c d1 3d 09 63 63 6a 14 0f db dd 31 e0 d3 c8 fe 8e 3f 53 7e 9c 5f 55 f0 05 c4 16 9e 88 3f 47 fc 17 b9 85 6e bd a8 57 89 ae 80 83 Data Ascii: g-nOb$'EiTz>xEN~[~ZVyEv/j+5O>t?:!:ISD7K>w`jD`i1$LHvg$4Z0>99f=ccj1?S~_U?GnW
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: fe c3 34 a2 ee 7e b5 06 5d 54 02 da eb f5 f1 0b f2 05 72 2f 0a d0 76 32 54 62 96 cf 09 fa a3 d3 e4 3c 84 14 73 c3 8e c9 3e 07 5a e9 8d f0 17 c9 50 ea 6b ed 4f 4f 05 4c d7 0e fd a2 db 66 72 96 8a 8a 0d 4f 85 5d 16 3d a6 3a 5e 82 df 0e 1d 48 43 5e 8a a8 ee 3a 58 84 9b e9 b4 33 15 11 36 7f 10 be 81 46 b2 81 0c ba 5a a9 4e 15 4e a9 a3 bd 1b 48 87 02 af 8f 53 34 36 aa 6a c8 6e 21 aa 6a cd 57 aa 01 09 ba 49 a5 59 f4 bc 51 82 9f 42 bb c9 5f 75 3d 7a 89 dc 22 ac ce 5f 90 a7 c8 7e c5 ae 54 f2 60 34 a5 5a 1a d2 15 c4 1f 9c fe df 4b b2 89 3d 58 69 de d8 56 68 a9 c8 d8 4a e8 19 11 34 03 81 46 84 eb 52 46 14 96 17 f1 40 f1 f2 4e 74 84 21 58 d2 57 39 5b 1d 8d f0 17 41 0a 5e eb c5 c6 c7 41 5b 65 30 85 08 d7 07 e1 a8 68 f5 b8 3a 66 4c 60 42 dc 6c 00 07 bc 98 37 6e f8 5e Data Ascii: 4~]Tr/v2Tb<s>ZPkOOLfrO]=:^HC^:X36FZNNHS46jn!jWIYQB_u=z"_~T`4ZK=XiVhJ4FRF@Nt!XW9[A^A[e0h:fL`Bl7n^
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: 87 d9 b2 b7 75 d8 64 2d 2e 49 18 bc 9b a4 ed c2 68 18 0b b3 0f a2 d2 01 63 7e 51 97 1d 26 3c 74 e1 71 53 84 ba 70 07 2b 82 98 2b 41 d9 b0 bd 4d 5a 44 dd cc 09 de 56 c5 92 f1 bf d1 cd 35 6c 0b 8f f6 fd ca 20 80 b0 22 3d 06 6f 66 6a 2b 4a 9b a4 bd 68 e4 63 ce 22 72 4e 26 61 ec 0c cd d2 c2 71 1b a2 8f fe 6f b3 c6 ed 87 27 45 7b ff 7a bf 20 39 1d 32 e1 6f e6 9f 62 35 4a b1 5d de df ea 1c 9e 57 77 c9 0c f0 f0 1b c5 a3 58 30 c9 24 46 19 c9 2b 14 a8 85 6f ef 95 7b 68 61 f3 4d 33 5d 6d 7b 19 24 6e 70 0b 71 5a e3 0b 07 c8 32 00 93 e7 58 98 18 a7 d2 70 bc 67 f4 15 2f e2 0b 53 ad 42 b9 52 8b 70 6e ca 35 4a 1b d4 98 d4 57 18 53 2b a6 4c 4e 40 f2 ef af de 2f 79 f5 fd cf b6 b8 8f cd 4d 4e 7a 3c c3 ac ea 2b 91 5f 0c 04 ca 68 b0 b4 c1 44 2c ae b3 e3 47 51 b2 f3 d5 5c f9 Data Ascii: ud-.Ihc~Q&<tqSp++AMZDV5l "=ofj+Jhc"rN&aqo'E{z 92ob5J]WwX0$F+o{haM3]m{$npqZ2Xpg/SBRpn5JWS+LN@/yMNz<+_hD,GQ\
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: db c6 4e 93 15 63 5c 8d 4a 68 9f e0 d8 d7 a0 c9 a8 cb 2e ab cb 82 98 ae 17 ae 94 c2 e4 44 97 bc 6b 4c 8d 44 94 0c 53 78 90 ec 41 7f 65 93 9d 3f 24 3f e8 2c a3 84 24 7c d8 dc 2c bf 12 34 b2 5e 44 9c 53 21 18 c7 bf 6d 96 3e 0a a6 6c 93 f9 7c 7e 9d 21 48 24 b7 56 44 4c 29 9e bc c5 1b 56 d5 2b c9 5c 0a 26 a5 ce 3c 67 f6 12 87 f3 f8 54 80 56 a0 84 7b b9 0b 89 96 a3 98 25 40 6c 88 82 e4 e9 88 ce 08 b6 d6 ec 0d 16 43 e3 e7 9e f9 8a 7b b9 05 11 8f dc 6d e5 e9 28 0d 58 dd 94 d9 c1 62 3e 51 ae 8f 77 ed d4 f2 74 e4 ce 09 d9 d4 6f 93 46 d2 b9 dc c8 ba ab bd bc 5c 9b f0 06 94 ac 92 35 f6 a4 ac 53 1b 98 b4 36 da ab 7a 54 e3 95 5c 7d fa b9 58 a4 ec 46 8d 7d 12 d7 ce 09 68 da aa 16 6a e3 d7 dc 3c a5 b3 80 d4 bb fd 45 97 1f fd 56 f0 33 8e 2c 6a db 5f 1b 35 98 41 bd 6e 28 Data Ascii: Nc\Jh.DkLDSxAe?$?,$\|,4^DS!m>l\|~!H$VDL)V+\&<gTV{%@lC{m(Xb>QwtoF\5S6zT\}XF}hj<EV3,j_5An(
2024-07-28 22:53:21 UTC	16384	IN	Data Raw: c5 1e 45 67 37 7c 16 93 09 d2 cf 86 0a 2c b6 8c ca 2a ce 18 3e 0a 77 e8 f4 4e 2f 10 c2 4d e3 90 46 94 b4 eb 78 a1 bc 25 92 4c 65 4f 71 38 a9 62 0a 4d 7d 43 29 5f 48 5e 19 bd 18 21 60 75 19 a1 8b b3 c9 4d 03 64 8a 7c 4f 51 2f 86 ee 5f 2e 08 cc 85 47 db bf d0 80 2c bd 9a 1e b2 3e 2a e2 29 6a 4e 28 ac 5e ab e0 8b 2b 3e c6 38 b4 a9 ce 24 62 3c b2 57 eb 89 0a 55 3e a9 be 17 cf 81 a6 e5 e6 f0 36 bf 28 c6 f6 4b 7b cc ff a2 4a 0e 89 ae ce 01 4d 40 a6 9f f7 c3 63 e8 7f 7b c5 9c 29 33 5a 1b 27 65 dc ac aa 82 6a eb 11 d7 7d 43 14 26 07 db 3b a7 73 88 f7 1c 5f 88 fa 97 8d 73 36 18 fd 8c ca 10 aa a7 cc bd 65 2c fa 2e ed d1 3f 06 2a 49 fd 74 3a 96 0a 35 67 74 be 43 af 09 5f 02 20 10 0b 7c a4 f3 80 d4 2d 25 5f 55 dd e8 7f 43 2d e1 f6 83 2b 91 c4 d2 6b b9 e1 d3 5e aa 13 Data Ascii: Eg7\|,>wN/MFx%LeOq8bM}C)_H^!`uMd\|OQ/_.G,>)jN(^+>8$b<WU>6(K{JM@c{)3Z'ej}C&;s_s6e,.?*It:5gtC_ \|-%_UC-+k^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49185	65.9.23.141	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:26 UTC	172	OUT	GET /f/AVG_TuneUp/files/1543/Fixed_Build/avg_tuneup_online_setup.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:26 UTC	628	IN	HTTP/1.1 200 OK Content-Type: application/x-zip-compressed Content-Length: 743635 Connection: close Date: Sun, 28 Jul 2024 06:13:03 GMT Last-Modified: Tue, 04 Jun 2024 13:26:42 GMT ETag: "f564f8ad7811b03e66a97c3f560eb20d" x-amz-server-side-encryption: AES256 x-amz-meta-cb-modifiedtime: Tue, 04 Jun 2024 13:25:07 GMT x-amz-version-id: wnaKlTurK4DczRABvmhM8XYiZ9IGtmvg Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 6e67f1ea42d4e5ff9c87cf2624025a28.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: QKaJ92v3IgNlmnF9sGXEjCDhUhRVpQywGlCE-3OO_4Uq9D-pPdgjYw== Age: 60024
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 20 83 c4 58 47 dc 4a ab 17 58 0b 00 50 25 18 00 1b 00 00 00 61 76 67 5f 74 75 6e 65 75 70 5f 6f 6e 6c 69 6e 65 5f 73 65 74 75 70 2e 65 78 65 e4 1d 0b 78 53 d5 f9 a6 0d 6d a0 81 1b 24 68 9c 75 06 88 5a 04 b1 11 36 8b c0 56 b0 a1 75 50 9a 16 5a 50 5e 8a d2 d5 0e 0b 42 02 b8 59 04 d3 aa 77 d7 3b bb 4d 36 37 d9 a6 d3 bd d4 6d 38 51 01 5f 4d 69 49 0b 95 b6 58 68 41 94 02 15 6f a5 4a 1f 60 9f 34 fb ff 73 ee cd bd 69 d2 07 a5 6c 7c 5b 94 fb 38 e7 3f ff fb ff cf 7f ce bd 17 12 ef cd 63 42 19 86 d1 c2 1f af 97 61 76 32 f4 17 cb f4 fd 8b d5 30 cc 88 1b 76 8f 60 76 0c fd 68 cc 4e cd dc 8f c6 2c c8 78 68 9d 79 cd da d5 3f 5c 7b ff c3 e6 07 ee cf ca 5a ed 30 af 58 69 5e eb cc 32 3f 94 65 8e 4b 9a 6f 7e 78 f5 83 2b 27 0d 1f 3e cc 22 e1 d8 Data Ascii: PK XGJXP%avg_tuneup_online_setup.exexSm$huZ6VuPZP^BYw;M67m8Q_MiIXhAoJ`4sil\|[8?cBav20v`vhN,xhy?\{Z0Xi^2?eKo~x+'>"
2024-07-28 22:53:26 UTC	9200	IN	Data Raw: 60 c5 90 2e 56 e0 1b 08 26 3e 88 9d 5a c9 40 50 38 96 91 11 45 f7 38 dd fd 87 3e 7a 9c 6a da 13 c8 1a d8 1a d4 fd a1 8b 68 3b c3 db 4e 36 df 1a 75 59 4c f8 1e 7a fd c1 76 b6 d2 c6 f6 b3 39 56 af 9f f0 d2 20 27 d9 7e b5 c5 58 2c 64 51 e7 ec b7 d7 2e bd 5c bf a5 4c c1 76 d9 dc 79 8a 2d 9b 36 2e 66 d7 2e 90 d2 6a 9d da d6 a7 b1 5d 21 12 be b0 fd 87 fc 7d 22 ec 3f 0d 5d ec 3f f7 d0 c9 bd a6 ee 42 3a 07 76 1f 6e 00 b2 c0 06 e4 d4 d6 c9 bd 5b 7f 50 47 a4 f9 e7 6b cf 5f 74 f3 cf ad 95 dd cc 3f 81 fd d1 62 b1 0b 8b 79 58 ca ec 69 6f b2 69 a6 d3 1f a7 1d 08 79 c5 60 ea f1 0c a7 8f 85 a7 b5 df 5e 5c 5c 1c 2b 97 9f 20 6e 4c 33 a7 1d 28 51 17 1a f4 7c 5b e9 16 65 de 5b 7d ec 5a e3 5e 76 f0 e0 c7 69 35 70 eb 5c fd 0a 17 7d f1 ec 1c a6 77 4e fb 43 7e 5e c5 ea df f2 d4 Data Ascii: `.V&>Z@P8E8>zjh;N6uYLzv9V '~X,dQ.\Lvy-6.f.j]!}"?]?B:vn[PGk_t?byXioiy`^\\+ nL3(Q\|[e[}Z^vi5p\}wNC~^
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: ac 40 45 bc a9 10 24 ba 1a 47 50 f9 59 32 53 a9 b6 fc b3 10 36 e2 a5 ae 0a 1c 5a 03 40 fa 7b 82 41 12 b7 04 3a c2 92 af 2b 40 4a ea 1b 40 4a fa 8f 03 a4 a4 ae 00 89 3f 74 e0 61 34 ef 7e 3a 2d 50 e1 bb 1c b7 80 98 74 ec 44 90 69 7a 08 32 81 f1 42 9f 01 48 f5 15 3b 41 86 95 4f ea 15 37 bd 19 c0 4d a9 02 37 fd ef 30 53 52 af 98 a9 cd aa 63 26 ca a6 fa 12 83 98 a9 fe e6 48 cc d4 de 1d 33 b5 87 61 a6 bb d2 09 33 59 42 3a a4 bd 77 cc f4 73 81 99 ee 1c 13 86 99 92 38 b3 cd 41 cc 64 09 62 a6 f6 ff 24 66 a2 66 b5 c4 f4 7e 60 a6 94 20 66 1a 66 10 42 5d 60 a6 1d 23 c2 30 53 52 00 33 5d 1c bc e4 d9 49 a3 18 c9 51 f0 52 52 7f f0 52 72 37 bc 84 49 53 64 c5 4f 6c 7b 10 2c 79 00 96 e6 71 b4 44 b6 e6 79 80 4b 4d 41 b8 34 45 87 4b 13 fd 42 5f 5e 30 5e da 11 86 97 aa c2 f0 Data Ascii: @E$GPY2S6Z@{A:+@J@J?ta4~:-PtDiz2BH;AO7M70SRc&H3a3YB:ws8Adb$ff~` ffB]`#0SR3]IQRRRr7ISdOl{,yqDyKMA4EKB_^0^
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: 7a b6 73 e6 83 99 6e 14 9a dc 39 a5 b8 b2 86 26 19 b3 1c b2 41 8b 47 d9 aa 9c 57 54 70 a6 4a 15 6b e0 ec f0 76 f4 de 3f 9e 17 a7 78 5e e9 ba b4 b6 43 88 e0 3a 28 b5 bd 47 d7 60 71 27 da f9 a2 32 b1 d3 d5 0e 4b ef a7 c4 5e aa bd 9c 13 c4 46 fc e0 52 8e ec 3a e3 97 1f 39 88 24 85 7d 1f 77 d1 46 e6 d9 7e c3 b4 f9 f7 bf fe f0 f6 e6 7e 6d 1f a1 1c 1d 6d 1f ba 73 d6 b2 46 66 df d8 f6 91 3b a7 98 b5 e2 6d 2b f7 fe c0 d0 c6 8a 36 ba 73 36 b0 9c 62 d7 5e 1c da 6c 32 bc cb 9c 1b d8 ec b5 ae 7d 12 18 68 fb d8 ec 4d fd 2b 0d 4d ac a1 7f 6b f2 be c1 9d f2 c6 0e 5d c3 71 c3 be fe 9d cc f9 22 3e 86 cc af 92 76 fe da e6 39 3e 04 19 bf d9 8b 6b b2 70 67 6e 60 3b 61 2a 94 65 6e c8 5f ab 1d 2d bc cf 9a 3c 3e 43 59 35 1d 2e 58 07 e9 f7 5e bb 93 db 91 67 75 a4 b0 e2 30 43 a1 Data Ascii: zsn9&AGWTpJkv?x^C:(G`q'2K^FR:9$}wF~~mmsFf;m+6s6b^l2}hM+Mk]q">v9>kpgn`;a*en_-<>CY5.X^gu0C
2024-07-28 22:53:26 UTC	5946	IN	Data Raw: e3 95 4b 2d 6f 58 4d 7b 64 c3 9e b5 06 76 d2 3f 41 de 60 a0 03 8c 46 7d 33 0e 2f 5e d9 fc 26 85 f6 04 75 2b c8 0b a1 09 a8 76 25 b4 24 1b e8 88 7b da 76 1c 71 1b f6 0f a0 d8 56 df ca 69 75 33 b5 83 3e 2c 44 f8 3a 24 bf 5d 3f 47 7e 5f d4 8e 33 3f 84 1e 39 bf cf 3e c3 f3 db f9 f3 d1 f2 1b d9 7f 65 d8 59 39 b9 d0 6a 05 12 71 97 b5 c9 d0 72 09 c0 65 39 69 6d 63 c5 39 92 cf 57 9c 9d f8 29 af 51 59 b7 2f 87 59 b7 69 66 dd d9 6b 0f 73 6f e3 98 64 87 c0 ba 2d 6b eb f8 81 26 a4 2f 5c ed 59 32 53 6b c8 68 e9 a8 8a 77 bc d5 e1 d2 88 37 7a d8 71 20 6e 35 c2 77 f9 1f a2 37 09 d0 94 0c bf 59 09 87 e8 84 12 3b 54 94 c8 5f fb fd 8b 61 2f 8d 7f b9 c6 d3 11 17 f3 65 2e f9 50 ef e9 59 c2 7c fc bc 11 ef de f0 4f e3 f9 13 6f 9b 7f a8 fe 5a 24 3c 38 d2 63 78 2c ff 7a 4a c4 63 Data Ascii: K-oXM{dv?A`F}3/^&u+v%${vqViu3>,D:$]?G~_3?9>eY9jqre9imc9W)QY/Yifksod-k&/\Y2Skhw7zq n5w7Y;T_a/e.PY\|OoZ$<8cx,zJc
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: 77 45 09 3b f0 2b 71 79 99 73 3d 86 b6 02 06 bc 65 4b 09 ee 63 10 4a fd 7d 1e 50 cd 30 b0 4a 22 02 94 ca 72 bb bb 54 b6 7f da 7c bc 84 05 79 92 0b 68 de 3c be 03 1d b0 53 97 d8 01 e2 82 87 91 80 99 1a ca 7e d4 dd 27 26 52 7f 79 fe 9a 08 b3 7a cd 59 77 94 ac 5e 14 8b 2c 28 d3 fc e4 52 76 72 dd 6e bc 56 82 21 10 fc 6d 22 e7 9d 41 6c 4e b0 59 b9 28 5c 08 52 76 ea e9 a3 41 93 b1 43 1e 21 63 f7 2c c9 dd 89 c3 96 02 0a 22 cc b8 1c c1 f4 01 1b 16 f3 5b 9e 5c 46 b6 fc ca 5b 43 ae 13 62 fd b6 e3 57 98 85 3e a3 ac e9 20 17 55 cb 7e cd 51 fb 0d 7c f1 fb 62 c8 e6 ae 94 ae f8 16 55 ae c4 7d f0 ec c3 98 37 3d 95 d5 15 65 ac 00 af d9 21 df 44 79 a9 89 fc dd a6 a0 36 b4 54 1d 75 49 78 c3 a5 08 17 6b 38 fe 77 81 3f 71 25 b3 c0 d4 15 42 30 17 4c a8 47 b0 84 a2 d4 c8 ec 3e Data Ascii: wE;+qys=eKcJ}P0J"rT\|yh<S~'&RyzYw^,(RvrnV!m"AlNY(\RvAC!c,"[\F[CbW> U~Q\|bU}7=e!Dy6TuIxk8w?q%B0LG>
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: 86 7f 52 77 ed f1 4d 5d 75 3c 69 42 73 db 06 12 a0 6c 9d eb a0 8e 6e 83 95 cd 42 51 ca ca b6 be d2 f2 2a a4 2d a4 e8 10 50 11 6b 9d ca 20 19 cc 51 28 4b bb f6 ee 70 27 ea 36 f1 bd 29 2a ba a9 6c e2 e8 de 2d 60 d3 21 42 61 c8 d8 44 ed b6 3a 0e 94 6d 1d 22 14 c6 88 df df 39 f7 26 37 6d 0a 45 fd 43 f9 6c cd bd f7 bc cf f9 9d df f9 9d df 33 30 ea 49 6b db 10 4a b1 f2 5c f0 66 27 5b 7f bc 1f 2f 48 3d 81 54 1d 41 a1 1e 1d 37 d5 64 b0 bd d0 1a e6 3f 78 55 a0 6b 54 4d 4b 01 fc 9c 57 a2 80 15 89 67 0a e8 9b bb 3e dc f3 5a 11 5c 15 52 e8 c4 93 c8 da 3d 94 ed 93 c4 37 be 84 5f 45 1e 8a 05 b7 da be 3e 9c ff 3a f2 b9 19 fa 8c 60 1d af be 6e 11 c7 98 1b 78 a0 6f 01 b6 5a 59 1f 5e 42 b9 47 b0 f9 5d c8 8d 58 bf df fe 73 24 7f 57 9f fc 27 f4 11 10 05 54 9d 2b e4 9f df ff Data Ascii: RwM]u<iBslnBQ-Pk Q(Kp'6)l-`!BaD:m"9&7mECl30IkJ\f'[/H=TA7d?xUkTMKWg>Z\R=7_E>:`nxoZY^BG]Xs$W'T+
2024-07-28 22:53:26 UTC	16384	IN	Data Raw: 32 38 77 2b ec 09 15 f6 0a da bf f0 94 fc 91 e6 f7 b3 47 9e d2 66 9e 87 46 f7 2a 78 04 71 e6 95 9d 0f ec 41 e7 42 8b 89 1c 8e c0 43 cb bf 0d 0f fb cf f5 03 07 d3 a7 4e 71 18 ba ea 93 e3 40 03 a5 20 6b 5f 60 78 bd 0f 30 48 e6 f4 2e 13 30 24 c4 02 c3 2f 04 30 5c bf 3f 02 0c 3f 8e 07 0c 89 fb 07 01 0c f7 c3 70 82 88 39 8a 32 c8 47 90 9a 79 0a ca f4 81 87 9a 0b e1 58 78 f8 24 3e c4 c0 c3 82 73 e1 01 e1 e1 ce 77 01 0f 37 cc 04 3c dc 35 31 02 0f 67 ce 86 4d f0 f0 f2 c9 b0 84 87 e5 df ea 0f 0f cc 2a d0 2d ae f6 7f fa 63 7f 74 1b d9 df 93 2e e2 0f 30 7c 97 9b dd e5 8c 1a 84 c6 7a 7b 34 bb d7 8a dc 2f 7d 08 3e c4 de af de 5a 34 1f 2c f5 06 4d 11 8c 84 39 70 2b 8a f9 2e de cf 76 88 2b df 60 db af bb 47 b1 f8 53 71 70 84 27 b2 ec 41 76 23 7e 7c cb 54 1f df b7 27 d1 Data Ascii: 28w+GfFxqABCNq@ k_`x0H.0$/0\??p92GyXx$>sw7<51gM-ct.0\|z{4/}>Z4,M9p+.v+`GSqp'Av#~\|T'
2024-07-28 22:53:27 UTC	14808	IN	Data Raw: 7a 3c a1 3a a7 23 a7 c9 91 73 4c 5d ea 71 dc d3 e8 70 16 6e 74 a4 2f d9 e6 b8 a7 de e1 6f 74 a4 cf d9 e8 c8 39 e0 70 ce 4c ab 15 1f 3d b5 f8 88 c7 bd e2 e3 dd 48 a5 af 85 db e4 c7 66 7c 6c 96 1f f1 d6 86 d2 f8 d0 2c b3 50 c1 36 ca e6 3f ec 48 f7 d7 ba 55 ea ad 63 ed 52 3a 54 4b 60 aa 62 4b de 5f 51 c2 ea d5 bc 6f 75 36 cb b3 ab 84 bb 2b c2 ba e5 8d 90 eb 32 6e 2e c5 f6 a9 2e b5 de 72 77 6a 0f ab bf a5 b0 07 b6 31 85 d2 4c 51 7c 54 90 4e a2 b9 17 b4 01 c3 41 c2 1e c7 ba 5c 71 fd ac da 05 40 89 c8 65 dd 65 26 58 f4 9c 1d 86 8f 89 f2 34 bb b5 ff 7d 5b 86 a6 f2 a2 89 50 60 6e 3d 84 3b c4 d4 b5 b6 0f f6 f2 53 ad 82 e2 7c 38 e7 d2 91 f8 90 57 4e 11 7e 37 18 34 e3 f5 de f4 bb fb 9d 77 4b c4 dd 19 db 23 6e 05 4e a2 41 77 ef d2 c1 c2 29 0d 65 24 83 a4 a8 79 e9 6c Data Ascii: z<:#sL]qpnt/ot9pL=Hf\|l,P6?HUcR:TK`bK_Qou6+2n..rwj1LQ\|TNA\q@ee&X4}[P`n=;S\|8WN~74wK#nNAw)e$yl
2024-07-28 22:53:27 UTC	1576	IN	Data Raw: 07 fc 0b 2a e6 87 c0 17 9e 2b b7 b3 ac 74 b6 3a 2b ad f1 dd d5 17 ad 1d 45 c7 33 42 49 6b a1 a9 b6 32 21 a3 cf f7 ae 21 a8 59 4c 6b 67 0b 0f b0 3a 08 f2 66 39 15 6f 3b 8c 7e 13 fb 28 86 55 0e ef 71 15 4a 42 2c d2 dc 36 f4 8a d6 26 ae 68 0f e3 ad 93 b2 00 b1 b2 74 57 b4 03 fa 0b 80 85 08 f6 b5 c6 f0 05 0d 8d 27 4f 69 c6 37 7c 1a 78 1e 44 4f 57 08 ee e3 d7 58 bc a0 e7 b3 9c f6 9d b7 64 e5 42 bf 49 81 a0 5d 9e 7a 91 cb 0b 5f e4 6e 88 5c e4 8e d0 45 6e 3c 33 ce d7 5f e3 e6 76 89 fe eb 50 4f eb c3 36 c1 86 09 81 e7 18 54 58 3c 89 4e 10 f0 a0 2c 41 8d f2 34 b8 bb 75 15 76 7b 2d c4 32 cb de eb db 6b 61 6f 07 57 a1 7b cb 45 f7 be 1a a3 7b 87 cf df bd c3 17 d8 3d 2b 5b c8 7d fb 2d c1 44 b5 73 0c df aa ec 4e 96 38 1d f1 9b 6e b8 70 0e c2 47 3b b1 fa 1d 8f c8 d5 8f Data Ascii: *+t:+E3BIk2!!YLkg:f9o;~(UqJB,6&htW'Oi7\|xDOWXdBI]z_n\En<3_vPO6TX<N,A4uv{-2kaoW{E{=+[}-DsN8npG;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49186	65.9.23.108	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:29 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 397 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:29 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:29 UTC	396	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 56 47 5f 41 56 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 56 47 5f 41 56 5f 54 72 75 73 74 50 69 6c 6f 74 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"AVG_AV\",\"18\":\"ZB_AVG_AV_TrustPilot\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\
2024-07-28 22:53:29 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:29 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 eaa5b4468d4ba37bc9733291d72738ec.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: uVZ4N0LTtcd4wOLCrTa9eHkV_0tn5ekDES0dMsOSz_OHUGTeyxbQBg==
2024-07-28 22:53:29 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49190	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:31 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 380 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:31 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:31 UTC	379	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 61 74 68 65 72 5a 65 72 6f 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 5a 5f 56 31 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c 22 2c 5c 22 Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"WeatherZero\",\"18\":\"ZB_WZ_V1\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"3\",\"
2024-07-28 22:53:31 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:31 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 f1f7e88380a0546160e4e023c7c1d332.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: NQjNOMkPw0wuIIZfpGszei1cZZL9efKBBcZ2KLkbUkktnz9bUDuHnA==
2024-07-28 22:53:31 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49193	34.117.223.223	443	2860	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:34 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1103 Host: analytics.avcdn.net
2024-07-28 22:53:34 UTC	1103	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 33 39 63 35 35 36 32 36 2d 64 63 34 39 2d 34 31 61 33 2d 62 64 63 38 2d 61 62 37 39 38 32 35 38 32 36 61 35 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 31 31 37 38 30 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 37 38 62 38 63 34 64 38 2d 38 61 34 38 2d 34 33 30 63 2d 61 66 38 37 2d 37 33 62 65 31 35 64 38 39 39 65 34 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 73 74 61 72 74 22 2c 22 74 69 74 6c 65 22 3a 22 22 7d 2c 22 70 72 6f 64 75 63 74 22 3a 7b 22 6e Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"39c55626-dc49-41a3-bdc8-ab79825826a5","time":1722207211780},"setup":{"common":{"operation":"install","session_id":"78b8c4d8-8a48-430c-af87-73be15d899e4","stage":"sfx-start","title":""},"product":{"n
2024-07-28 22:53:34 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:34 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:34 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49192	188.114.97.3	443	2596	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:34 UTC	208	OUT	POST /forecast HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: NSIS_Inetc (Mozilla) Host: localweatherfree.com Content-Length: 277 Connection: Keep-Alive Cache-Control: no-cache
2024-07-28 22:53:34 UTC	277	OUT	Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 36 73 56 79 42 6b 6e 53 55 4e 5a 52 69 72 25 32 46 66 75 34 66 71 53 4d 55 74 4f 25 32 46 65 4d 44 25 32 46 72 70 4e 47 6f 54 35 48 57 31 46 4b 76 56 37 77 36 66 54 73 5a 34 79 67 54 72 53 63 6e 77 25 32 42 45 6b 67 36 57 35 41 36 46 59 31 4b 63 63 39 30 4a 64 63 42 39 65 75 62 76 55 43 66 75 61 47 53 48 61 76 46 43 4a 45 72 51 74 5a 57 38 67 7a 45 31 33 71 4e 41 47 7a 72 69 68 78 58 44 6c 76 63 46 67 32 37 6a 50 4c 44 7a 32 39 47 55 47 25 32 42 55 71 35 70 48 38 38 72 68 62 62 63 65 4b 6f 38 51 54 75 49 36 47 31 7a 72 36 4b 47 43 48 4e 59 4e 72 35 6c 51 4c 4e 66 52 62 56 25 32 42 75 44 46 50 48 69 53 4f 63 38 67 79 78 45 56 67 4f 6d 6e 59 6a 52 73 6f 50 74 56 63 71 79 31 6e 67 6d 6f 76 4e 75 67 68 33 33 63 77 49 37 50 5a 4e 55 Data Ascii: location=6sVyBknSUNZRir%2Ffu4fqSMUtO%2FeMD%2FrpNGoT5HW1FKvV7w6fTsZ4ygTrScnw%2BEkg6W5A6FY1Kcc90JdcB9eubvUCfuaGSHavFCJErQtZW8gzE13qNAGzrihxXDlvcFg27jPLDz29GUG%2BUq5pH88rhbbceKo8QTuI6G1zr6KGCHNYNr5lQLNfRbV%2BuDFPHiSOc8gyxEVgOmnYjRsoPtVcqy1ngmovNugh33cwI7PZNU
2024-07-28 22:53:34 UTC	584	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:53:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zfX63YRX9I650qw%2FP9GZCc1lO7MVKuM7qHRm47aqiv%2FX6UJcMhjcFIr8VKgAwev83VpmcUdYoB6k2HJNrBr5%2B7wsA0wjJRo4CvciG8vfgrjBjZmPHWetLdAEE5MmAW4UvtxzfAzsNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aa87232ad5c7d26-EWR alt-svc: h3=":443"; ma=86400
2024-07-28 22:53:34 UTC	70	IN	Data Raw: 34 30 0d 0a 36 57 53 55 69 43 42 50 67 33 34 53 37 64 6b 32 70 6c 74 53 4c 47 49 30 72 48 54 65 67 59 72 74 37 54 56 71 65 63 48 64 63 41 68 6c 32 77 59 4b 6a 44 58 32 77 79 33 4b 75 69 31 6c 67 36 50 53 0d 0a Data Ascii: 406WSUiCBPg34S7dk2pltSLGI0rHTegYrt7TVqecHdcAhl2wYKjDX2wy3Kui1lg6PS
2024-07-28 22:53:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49194	65.9.23.130	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:34 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 384 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:53:34 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:53:34 UTC	383	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 56 47 5f 54 75 6e 65 55 70 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 56 47 5f 54 75 6e 65 55 70 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"AVG_TuneUp\",\"18\":\"ZB_AVG_TuneUp\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\",\"6\":\"3\
2024-07-28 22:53:35 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:53:34 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 384bf15c1ac91d451725d766417680b0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: G_ZZPZarSboS1OnyA7p84F_2v9225JxOBki_kyAJoujuqoU1z9xzRA==
2024-07-28 22:53:35 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49195	34.117.223.223	443	2860	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:36 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1134 Host: analytics.avcdn.net
2024-07-28 22:53:36 UTC	1134	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 34 37 38 64 31 64 61 30 2d 31 37 32 30 2d 34 61 35 37 2d 38 37 39 64 2d 38 32 63 62 61 38 62 32 31 33 31 30 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 31 31 39 32 30 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 37 38 62 38 63 34 64 38 2d 38 61 34 38 2d 34 33 30 63 2d 61 66 38 37 2d 37 33 62 65 31 35 64 38 39 39 65 34 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 70 72 65 70 61 72 69 6e 67 22 2c 22 74 69 74 6c 65 22 3a 22 22 7d 2c 22 70 72 6f 64 75 63 74 22 Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"478d1da0-1720-4a57-879d-82cba8b21310","time":1722207211920},"setup":{"common":{"operation":"install","session_id":"78b8c4d8-8a48-430c-af87-73be15d899e4","stage":"sfx-preparing","title":""},"product"
2024-07-28 22:53:36 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:36 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:36 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49197	188.114.97.3	443	2596	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:36 UTC	208	OUT	POST /forecast HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: NSIS_Inetc (Mozilla) Host: localweatherfree.com Content-Length: 283 Connection: Keep-Alive Cache-Control: no-cache
2024-07-28 22:53:36 UTC	283	OUT	Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 70 33 4c 57 49 4a 41 6e 4c 30 77 49 6f 4c 52 42 31 46 6d 77 39 38 7a 69 69 49 4c 36 41 25 32 42 41 56 51 42 73 6c 4f 34 25 32 42 35 6b 6b 55 25 32 46 35 67 70 62 4c 73 48 71 33 54 58 71 63 46 73 7a 57 6a 44 4c 47 33 69 25 32 42 4e 4d 7a 46 6e 4f 41 4c 44 74 67 45 4b 49 25 32 42 69 77 45 59 5a 39 76 4a 37 33 65 79 4d 69 77 61 54 32 46 6f 53 50 25 32 46 57 42 4d 47 66 25 32 42 56 49 6a 79 4a 42 4a 4b 35 66 69 48 41 43 41 39 51 77 6a 46 46 37 5a 25 32 42 31 33 39 25 32 42 4a 62 75 66 37 43 58 37 66 38 61 6e 4b 35 78 4a 6a 5a 4d 6f 73 58 4b 45 59 67 56 30 4e 63 65 34 44 6f 4d 49 4c 41 25 32 46 72 6b 31 68 54 62 41 52 6b 77 36 7a 4f 31 77 44 33 59 73 30 50 30 61 4c 68 5a 63 25 32 46 4c 42 31 56 4c 35 53 4a 71 6a 52 46 48 45 45 35 4e Data Ascii: location=p3LWIJAnL0wIoLRB1Fmw98ziiIL6A%2BAVQBslO4%2B5kkU%2F5gpbLsHq3TXqcFszWjDLG3i%2BNMzFnOALDtgEKI%2BiwEYZ9vJ73eyMiwaT2FoSP%2FWBMGf%2BVIjyJBJK5fiHACA9QwjFF7Z%2B139%2BJbuf7CX7f8anK5xJjZMosXKEYgV0Nce4DoMILA%2Frk1hTbARkw6zO1wD3Ys0P0aLhZc%2FLB1VL5SJqjRFHEE5N
2024-07-28 22:53:36 UTC	584	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:53:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I1PG4bTkazCv5AchQ47I%2FyjEvMgXQlQdQWveCqxW3FJT1wrLhSV5HJToW9qC6rO5wQGGfHsRBxYmhVKMARfRwJKec5%2Fp23Xnw7r%2F0bxbiWgVnuYggNCBfxja2YLHUrzlTkfGXY1rHg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aa87240bd000f7c-EWR alt-svc: h3=":443"; ma=86400
2024-07-28 22:53:36 UTC	70	IN	Data Raw: 34 30 0d 0a 74 63 37 68 4b 37 79 31 66 4a 68 77 68 66 65 45 6c 69 4c 6e 36 7a 58 51 4b 44 43 59 56 4d 53 62 6f 44 7a 69 32 5a 73 33 6a 46 77 37 52 53 52 58 55 69 56 56 72 36 6c 66 64 6f 33 71 38 57 56 42 0d 0a Data Ascii: 40tc7hK7y1fJhwhfeEliLn6zXQKDCYVMSboDzi2Zs3jFw7RSRXUiVVr6lfdo3q8WVB
2024-07-28 22:53:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49198	188.114.97.3	443	2596	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:37 UTC	208	OUT	POST /forecast HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: NSIS_Inetc (Mozilla) Host: localweatherfree.com Content-Length: 283 Connection: Keep-Alive Cache-Control: no-cache
2024-07-28 22:53:37 UTC	283	OUT	Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 4e 45 76 78 54 38 79 66 41 65 69 61 68 55 72 64 37 56 48 52 48 51 30 30 75 39 70 62 6a 63 62 75 42 55 71 75 72 63 65 46 7a 41 6f 6a 37 64 43 69 49 6f 74 4e 64 25 32 42 4c 46 4e 25 32 46 7a 25 32 46 39 69 4b 4b 32 64 4a 34 51 52 34 37 71 66 25 32 46 68 57 61 77 72 6c 41 54 6d 4a 65 30 38 78 6b 4b 62 59 48 73 37 39 53 30 4c 63 72 49 56 59 6a 64 58 25 32 46 78 49 41 6d 4d 25 32 42 46 34 31 47 25 32 46 47 34 6c 4a 4a 50 37 78 79 79 68 72 6c 32 76 70 6f 43 48 34 75 72 72 6e 41 38 76 30 75 4e 47 74 66 54 77 61 52 46 38 56 47 71 35 4d 61 6d 35 72 38 44 6d 30 53 61 72 25 32 42 4f 52 7a 34 68 62 25 32 42 55 6a 59 51 4e 70 57 65 6d 38 39 45 32 41 73 68 44 44 41 41 61 76 69 58 46 5a 6d 25 32 46 38 31 25 32 42 71 4d 70 7a 35 34 34 59 77 55 Data Ascii: location=NEvxT8yfAeiahUrd7VHRHQ00u9pbjcbuBUqurceFzAoj7dCiIotNd%2BLFN%2Fz%2F9iKK2dJ4QR47qf%2FhWawrlATmJe08xkKbYHs79S0LcrIVYjdX%2FxIAmM%2BF41G%2FG4lJJP7xyyhrl2vpoCH4urrnA8v0uNGtfTwaRF8VGq5Mam5r8Dm0Sar%2BORz4hb%2BUjYQNpWem89E2AshDDAAaviXFZm%2F81%2BqMpz544YwU
2024-07-28 22:53:38 UTC	580	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:53:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pWIZKLVdEoGfKmqFpiohM45VaAYeAGVFhrbrnpyb44axqlVUyKUrdvbAJOdjoplGrGlBKiF4BSkVykEy%2Fi8aawrw6J8QVqqzyKZe5IGv3T0jKvKJkSLE8LCAzlcaqiEBDUbuLl9hOQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aa872482b24c47c-EWR alt-svc: h3=":443"; ma=86400
2024-07-28 22:53:38 UTC	70	IN	Data Raw: 34 30 0d 0a 44 47 71 6b 56 4c 30 72 79 46 6d 6f 79 2b 36 4c 50 67 46 61 53 39 6a 43 62 57 58 30 37 63 45 2f 72 6a 4d 79 6a 75 6f 77 4e 39 6c 37 54 6d 6d 37 4f 4a 70 56 4c 69 6b 77 34 43 76 33 52 48 6d 64 0d 0a Data Ascii: 40DGqkVL0ryFmoy+6LPgFaS9jCbWX07cE/rjMyjuowN9l7Tmm7OJpVLikw4Cv3RHmd
2024-07-28 22:53:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49199	188.114.97.3	443	2596	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:39 UTC	208	OUT	POST /forecast HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: NSIS_Inetc (Mozilla) Host: localweatherfree.com Content-Length: 275 Connection: Keep-Alive Cache-Control: no-cache
2024-07-28 22:53:39 UTC	275	OUT	Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 66 34 43 41 72 49 66 31 6e 45 25 32 42 70 68 34 65 6e 62 38 4f 4e 30 31 75 37 74 52 34 64 35 75 75 4b 39 76 73 43 46 6f 78 69 64 4e 55 6c 6b 6a 59 79 71 4b 66 33 65 6b 7a 6e 4c 37 41 37 39 7a 36 4b 59 7a 36 36 64 76 42 4b 57 73 79 42 73 65 68 49 67 68 43 58 6a 32 33 72 25 32 46 43 75 4e 68 64 73 35 44 7a 39 4d 25 32 42 51 75 58 4d 46 37 6a 57 64 6d 67 43 6b 33 70 52 68 50 41 49 68 25 32 42 31 57 62 70 32 43 55 79 62 54 46 72 5a 53 76 25 32 46 67 52 25 32 46 44 52 46 37 34 56 68 4a 56 5a 73 67 59 63 74 6b 76 4d 48 43 6a 7a 57 74 44 4b 52 43 44 77 68 32 38 36 5a 4a 56 33 71 4f 52 6b 68 6f 30 75 46 25 32 46 6f 4a 6a 62 6a 43 66 63 37 35 35 76 46 6a 77 39 68 35 6c 4c 76 74 6c 78 52 36 4e 33 49 67 73 42 5a 68 69 71 4c 65 35 33 32 6b Data Ascii: location=f4CArIf1nE%2Bph4enb8ON01u7tR4d5uuK9vsCFoxidNUlkjYyqKf3ekznL7A79z6KYz66dvBKWsyBsehIghCXj23r%2FCuNhds5Dz9M%2BQuXMF7jWdmgCk3pRhPAIh%2B1Wbp2CUybTFrZSv%2FgR%2FDRF74VhJVZsgYctkvMHCjzWtDKRCDwh286ZJV3qORkho0uF%2FoJjbjCfc755vFjw9h5lLvtlxR6N3IgsBZhiqLe532k
2024-07-28 22:53:39 UTC	586	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:53:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ruP4d3xhSJhBWeizaLOR4eVJGwF7aF%2Bu8MW73qs8d4UiJ10vOwxxy3J4tTuwF00DIe%2BsxI8NwavGJuZdB3MeexbPQLcQzgZcVSeqNZ3xXlpHv16IGi%2FsRaO5Fzld%2F6WVqeeHX4yHOg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aa872519b7ec3ee-EWR alt-svc: h3=":443"; ma=86400
2024-07-28 22:53:39 UTC	70	IN	Data Raw: 34 30 0d 0a 33 38 2f 79 76 4f 35 77 44 6d 48 6a 33 6b 43 50 48 51 4b 4b 53 61 45 4b 49 6f 6e 4a 72 42 32 68 53 2b 44 45 6f 77 31 4c 51 31 53 4b 4e 36 4c 56 30 58 56 7a 36 76 6e 6b 55 77 79 41 59 39 39 37 0d 0a Data Ascii: 4038/yvO5wDmHj3kCPHQKKSaEKIonJrB2hS+DEow1LQ1SKN6LV0XVz6vnkUwyAY997
2024-07-28 22:53:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49201	188.114.97.3	443	2596	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:43 UTC	208	OUT	POST /forecast HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: NSIS_Inetc (Mozilla) Host: localweatherfree.com Content-Length: 271 Connection: Keep-Alive Cache-Control: no-cache
2024-07-28 22:53:43 UTC	271	OUT	Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 4f 79 63 35 41 5a 74 65 36 42 52 78 77 31 6f 75 54 67 51 56 33 4a 53 78 66 49 50 79 50 65 34 45 36 6e 33 44 4a 78 59 35 45 6f 46 4a 62 53 70 61 52 64 57 78 57 65 5a 66 74 6b 6f 43 71 73 63 44 41 4f 34 44 44 66 54 59 4b 6e 74 62 70 77 68 57 4b 74 54 37 76 76 7a 6c 4e 31 78 43 30 6a 65 25 32 46 38 4d 75 66 63 53 4d 73 47 4d 37 43 48 56 53 68 6b 68 7a 41 77 63 54 32 4f 43 43 6a 74 25 32 42 39 4c 72 4c 44 41 75 4f 42 75 51 38 68 48 51 47 44 46 70 6b 52 4e 57 69 56 72 39 39 42 62 52 55 42 4a 71 58 78 42 76 4a 35 74 6e 58 79 63 67 6e 73 71 6a 31 58 74 33 67 4b 67 4f 36 4f 74 62 55 39 58 4b 72 74 36 4b 71 50 4a 4b 39 44 50 4e 73 79 73 25 32 46 64 51 36 68 6a 4a 30 7a 6d 6a 36 30 36 53 25 32 42 38 50 79 4c 53 37 49 47 64 48 66 52 25 32 Data Ascii: location=Oyc5AZte6BRxw1ouTgQV3JSxfIPyPe4E6n3DJxY5EoFJbSpaRdWxWeZftkoCqscDAO4DDfTYKntbpwhWKtT7vvzlN1xC0je%2F8MufcSMsGM7CHVShkhzAwcT2OCCjt%2B9LrLDAuOBuQ8hHQGDFpkRNWiVr99BbRUBJqXxBvJ5tnXycgnsqj1Xt3gKgO6OtbU9XKrt6KqPJK9DPNsys%2FdQ6hjJ0zmj606S%2B8PyLS7IGdHfR%2
2024-07-28 22:53:43 UTC	582	IN	HTTP/1.1 200 OK Date: Sun, 28 Jul 2024 22:53:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42Irvg5tNYk2Pb6S1n2pG4GXaYgcaPwXiRzM1TWdJoQCkCVpdjoj9fE7Ofmau1wkEA7nHkNLMoHjt81vr0bO1eWucokRugH6o9uBjuZEFKSvz%2BdMjixe%2BR0zssC93FJrYgGXwR5w3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aa872683f4c0cb1-EWR alt-svc: h3=":443"; ma=86400
2024-07-28 22:53:43 UTC	70	IN	Data Raw: 34 30 0d 0a 45 6b 32 47 38 78 55 38 69 33 30 4d 7a 41 59 6e 4e 55 66 63 57 44 66 41 4e 50 31 36 49 74 32 36 35 35 46 7a 75 34 74 34 56 6c 66 4d 69 74 68 34 6e 6c 71 52 6a 64 75 53 32 77 41 77 31 4e 61 61 0d 0a Data Ascii: 40Ek2G8xU8i30MzAYnNUfcWDfANP16It2655Fzu4t4VlfMith4nlqRjduS2wAw1Naa
2024-07-28 22:53:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49206	34.117.223.223	443	2860	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:52 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1156 Host: analytics.avcdn.net
2024-07-28 22:53:52 UTC	1156	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 32 63 64 61 31 38 65 33 2d 32 34 39 64 2d 34 38 39 66 2d 39 37 30 33 2d 65 33 32 36 36 65 31 31 37 35 35 37 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 33 31 32 34 38 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 37 38 62 38 63 34 64 38 2d 38 61 34 38 2d 34 33 30 63 2d 61 66 38 37 2d 37 33 62 65 31 35 64 38 39 39 65 34 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 72 75 6e 6e 69 6e 67 2d 69 63 61 72 75 73 22 2c 22 74 69 74 6c 65 22 3a 22 41 56 47 20 54 75 6e Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"2cda18e3-249d-489f-9703-e3266e117557","time":1722207231248},"setup":{"common":{"operation":"install","session_id":"78b8c4d8-8a48-430c-af87-73be15d899e4","stage":"sfx-running-icarus","title":"AVG Tun
2024-07-28 22:53:53 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:52 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:53 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49207	34.117.223.223	443	2700	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:53 UTC	243	OUT	POST /v4/receive/json/25 HTTP/1.1 Host: analytics.avcdn.net User-Agent: libcurl/8.6.0-DEV Schannel zlib/1.3.1 c-ares/1.25.0 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip Content-Type: application/json Content-Length: 1937
2024-07-28 22:53:53 UTC	1937	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 31 37 66 39 61 33 61 66 2d 33 38 33 61 2d 34 32 33 33 2d 38 35 62 37 2d 31 34 63 34 32 32 61 63 30 39 35 39 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 32 30 37 32 33 31 35 34 38 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 31 62 36 35 34 64 39 31 2d 37 32 32 61 2d 34 65 31 38 2d 39 37 34 64 2d 32 30 64 36 63 30 35 64 37 32 64 39 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 38 46 33 30 39 31 39 32 32 33 44 31 39 41 Data Ascii: {"record":[{"event" : {"request_id" : "17f9a3af-383a-4233-85b7-14c422ac0959","subtype" : 1,"time" : 1722207231548,"type" : 25},"identity" : {"endpoint_id" : "1b654d91-722a-4e18-974d-20d6c05d72d9","fingerprint" : "8F30919223D19A
2024-07-28 22:53:53 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:53 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:53 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49208	34.160.176.28	443	2700	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:53 UTC	416	OUT	GET /?p_age=0&p_bld=mmm_irs_ppi_907_959_m&p_cpua=x64&p_icar=1&p_lng=en&p_midex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3&p_ost=0&p_osv=6.1&p_pro=111&p_prod=avg-tu&p_ram=8191&p_vbd=16424&p_vep=24&p_ves=1&p_vre=9662&repoid=release& HTTP/1.1 Host: shepherd.avcdn.net User-Agent: libcurl/8.6.0-DEV Schannel zlib/1.3.1 c-ares/1.25.0 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip
2024-07-28 22:53:53 UTC	542	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:53 GMT Content-Type: text/plain Content-Length: 549 Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread Config-Id: 41 Config-Name: Icarus_ipm-messaging-in-22.11-and-higher-35d9ef01c639551fb41b09bc21517e09e6e3842f3f451d292646023a9dd258fa Config-Version: 528 Segments: ipm messaging in 22.11 and higher TTL: 86400 TTL-Spread: 43200 Via: 1.1 google Alt-Svc: clear Connection: close
2024-07-28 22:53:53 UTC	549	IN	Data Raw: 5b 75 69 2e 6f 66 66 65 72 2e 61 63 74 69 6f 6e 73 5d 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 75 69 2e 6f 66 66 65 72 2e 77 65 6c 63 6f 6d 65 5d 0d 0a 6c 6f 61 64 74 69 6d 65 72 3d 31 30 30 30 30 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 72 65 70 6f 72 74 69 6e 67 5d 0d 0a 64 69 73 61 62 6c 65 5f 63 68 65 63 6b 66 6f 72 75 70 64 61 74 65 73 3d 31 0d 0a 72 65 70 6f 72 74 5f 61 63 74 69 6f 6e 5f 69 64 73 3d 52 49 44 5f 30 30 31 2c 52 49 44 5f 30 30 32 0d 0a 5b 63 6f 6d 6d 6f 6e 5d 0d 0a 63 6f 6e 66 69 67 2d 64 65 66 2d 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 68 65 70 68 65 72 64 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 72 65 70 6f 72 74 2d 75 72 6c 3d 68 74 Data Ascii: [ui.offer.actions]url=https://ipm.avcdn.net/[ui.offer.welcome]loadtimer=10000url=https://ipm.avcdn.net/[reporting]disable_checkforupdates=1report_action_ids=RID_001,RID_002[common]config-def-url=https://shepherd.avcdn.net/report-url=ht

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49215	34.117.223.223	443	2700	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:59 UTC	243	OUT	POST /v4/receive/json/25 HTTP/1.1 Host: analytics.avcdn.net User-Agent: libcurl/8.6.0-DEV Schannel zlib/1.3.1 c-ares/1.25.0 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip Content-Type: application/json Content-Length: 2551
2024-07-28 22:53:59 UTC	2551	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 39 34 65 37 30 39 62 38 2d 61 35 37 35 2d 34 31 34 62 2d 62 37 64 61 2d 38 62 35 35 33 30 66 30 61 62 34 31 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 32 30 37 32 33 37 34 39 32 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 31 62 36 35 34 64 39 31 2d 37 32 32 61 2d 34 65 31 38 2d 39 37 34 64 2d 32 30 64 36 63 30 35 64 37 32 64 39 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 38 46 33 30 39 31 39 32 32 33 44 31 39 41 Data Ascii: {"record":[{"event" : {"request_id" : "94e709b8-a575-414b-b7da-8b5530f0ab41","subtype" : 1,"time" : 1722207237492,"type" : 25},"identity" : {"endpoint_id" : "1b654d91-722a-4e18-974d-20d6c05d72d9","fingerprint" : "8F30919223D19A
2024-07-28 22:53:59 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:59 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:59 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49216	34.117.223.223	443	2700	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:53:59 UTC	243	OUT	POST /v4/receive/json/25 HTTP/1.1 Host: analytics.avcdn.net User-Agent: libcurl/8.6.0-DEV Schannel zlib/1.3.1 c-ares/1.25.0 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip Content-Type: application/json Content-Length: 3044
2024-07-28 22:53:59 UTC	3044	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 63 64 39 66 32 38 36 63 2d 30 32 35 35 2d 34 38 62 64 2d 62 63 31 31 2d 66 31 38 36 30 66 63 66 32 37 35 65 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 32 30 37 32 33 38 33 33 34 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 31 62 36 35 34 64 39 31 2d 37 32 32 61 2d 34 65 31 38 2d 39 37 34 64 2d 32 30 64 36 63 30 35 64 37 32 64 39 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 38 46 33 30 39 31 39 32 32 33 44 31 39 41 Data Ascii: {"record":[{"event" : {"request_id" : "cd9f286c-0255-48bd-bc11-f1860fcf275e","subtype" : 1,"time" : 1722207238334,"type" : 25},"identity" : {"endpoint_id" : "1b654d91-722a-4e18-974d-20d6c05d72d9","fingerprint" : "8F30919223D19A
2024-07-28 22:53:59 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:53:59 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:53:59 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49328	34.117.223.223	443	3448	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:37 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1279 Host: analytics.avcdn.net
2024-07-28 22:54:37 UTC	1279	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 30 35 36 38 30 36 38 36 2d 36 65 34 65 2d 34 65 64 33 2d 62 33 65 61 2d 62 64 31 61 31 65 65 66 38 66 36 32 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 37 35 33 33 39 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 33 38 37 63 62 38 65 31 2d 32 39 30 32 2d 34 32 33 36 2d 61 36 65 64 2d 63 39 66 62 66 61 38 30 30 34 30 30 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 73 74 61 72 74 22 2c 22 74 69 74 6c 65 22 3a 22 22 7d 2c 22 70 72 6f 64 75 63 74 22 3a 7b 22 6e Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"05680686-6e4e-4ed3-b3ea-bd1a1eef8f62","time":1722207275339},"setup":{"common":{"operation":"install","session_id":"387cb8e1-2902-4236-a6ed-c9fbfa800400","stage":"sfx-start","title":""},"product":{"n
2024-07-28 22:54:37 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:54:37 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:54:37 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49336	34.117.223.223	443	3448	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:38 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1310 Host: analytics.avcdn.net
2024-07-28 22:54:38 UTC	1310	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 62 36 35 61 36 35 39 65 2d 33 36 33 66 2d 34 66 64 65 2d 62 61 65 36 2d 64 63 33 65 63 33 63 33 39 65 38 31 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 37 35 34 31 37 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 33 38 37 63 62 38 65 31 2d 32 39 30 32 2d 34 32 33 36 2d 61 36 65 64 2d 63 39 66 62 66 61 38 30 30 34 30 30 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 70 72 65 70 61 72 69 6e 67 22 2c 22 74 69 74 6c 65 22 3a 22 22 7d 2c 22 70 72 6f 64 75 63 74 22 Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"b65a659e-363f-4fde-bae6-dc3ec3c39e81","time":1722207275417},"setup":{"common":{"operation":"install","session_id":"387cb8e1-2902-4236-a6ed-c9fbfa800400","stage":"sfx-preparing","title":""},"product"
2024-07-28 22:54:38 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:54:38 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:54:38 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49342	65.9.23.107	443	2580	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:41 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=b69381b2b6587690fa1a8df9884de669af70792840d2840009f37456ead070eb User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 359 Host: d3ben4sjdmrs9v.cloudfront.net
2024-07-28 22:54:41 UTC	1	OUT	Data Raw: 7b Data Ascii: {
2024-07-28 22:54:41 UTC	358	OUT	Data Raw: 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 65 61 38 36 30 65 37 61 2d 61 38 37 66 2d 34 61 38 38 2d 39 32 65 66 2d 33 38 66 37 34 34 34 35 38 31 37 31 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 38 31 38 35 32 34 36 5c 22 2c 5c 22 33 5c 22 3a 5c 22 5a 61 79 61 74 73 5c 22 2c 5c 22 34 5c 22 3a 5c 22 47 61 6d 65 73 34 57 69 6e 5c 22 2c 5c 22 35 5c 22 3a 5c 22 54 65 61 6d 20 46 6f 72 74 72 65 73 73 20 32 20 42 72 6f 74 68 65 72 68 6f 6f 64 20 4f 66 20 41 72 6d 73 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 6e 6f 43 68 47 72 6f 75 70 78 32 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 67 61 6d 65 66 61 62 72 69 71 75 65 5c Data Ascii: "table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"ea860e7a-a87f-4a88-92ef-38f744458171\",\"2\":\"20240728185246\",\"3\":\"Zayats\",\"4\":\"Games4Win\",\"5\":\"Team Fortress 2 Brotherhood Of Arms\",\"18\":\"\",\"19\":\"noChGroupx2\",\"21\":\"gamefabrique\
2024-07-28 22:54:41 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sun, 28 Jul 2024 22:54:41 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE X-Cache: Miss from cloudfront Via: 1.1 98e6142a124268fae259e9413f391902.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZAG50-C1 X-Amz-Cf-Id: JhjES9ySoIT64fzANNMoD0qISgdTaXOc-uSpGR2qyGSX0y_VHKF92g==
2024-07-28 22:54:41 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49401	34.117.223.223	443	3448	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:57 UTC	139	OUT	POST /v4/receive/json/25 HTTP/1.1 Connection: Keep-Alive User-Agent: Icarus Http/1.0 Content-Length: 1361 Host: analytics.avcdn.net
2024-07-28 22:54:57 UTC	1361	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 74 79 70 65 22 3a 32 35 2c 22 73 75 62 74 79 70 65 22 3a 31 2c 22 72 65 71 75 65 73 74 5f 69 64 22 3a 22 62 33 62 64 33 64 62 62 2d 32 39 62 35 2d 34 34 66 33 2d 62 38 30 39 2d 31 37 65 36 64 39 33 65 36 62 34 61 22 2c 22 74 69 6d 65 22 3a 31 37 32 32 32 30 37 32 39 35 39 35 32 7d 2c 22 73 65 74 75 70 22 3a 7b 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 6f 70 65 72 61 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 33 38 37 63 62 38 65 31 2d 32 39 30 32 2d 34 32 33 36 2d 61 36 65 64 2d 63 39 66 62 66 61 38 30 30 34 30 30 22 2c 22 73 74 61 67 65 22 3a 22 73 66 78 2d 72 75 6e 6e 69 6e 67 2d 69 63 61 72 75 73 22 2c 22 74 69 74 6c 65 22 3a 22 41 56 47 20 41 6e 74 Data Ascii: {"record":[{"event":{"type":25,"subtype":1,"request_id":"b3bd3dbb-29b5-44f3-b809-17e6d93e6b4a","time":1722207295952},"setup":{"common":{"operation":"install","session_id":"387cb8e1-2902-4236-a6ed-c9fbfa800400","stage":"sfx-running-icarus","title":"AVG Ant
2024-07-28 22:54:57 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:54:57 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:54:57 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49402	34.117.223.223	443	3668	C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:57 UTC	243	OUT	POST /v4/receive/json/25 HTTP/1.1 Host: analytics.avcdn.net User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip Content-Type: application/json Content-Length: 2226
2024-07-28 22:54:57 UTC	2226	OUT	Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 0a 09 22 65 76 65 6e 74 22 20 3a 20 0a 09 7b 0a 09 09 22 72 65 71 75 65 73 74 5f 69 64 22 20 3a 20 22 34 65 30 30 65 32 39 31 2d 31 35 65 32 2d 34 65 37 37 2d 61 66 30 34 2d 61 31 38 39 61 38 66 35 39 32 39 32 22 2c 0a 09 09 22 73 75 62 74 79 70 65 22 20 3a 20 31 2c 0a 09 09 22 74 69 6d 65 22 20 3a 20 31 37 32 32 32 30 37 32 39 36 31 39 37 2c 0a 09 09 22 74 79 70 65 22 20 3a 20 32 35 0a 09 7d 2c 0a 09 22 69 64 65 6e 74 69 74 79 22 20 3a 20 0a 09 7b 0a 09 09 22 65 6e 64 70 6f 69 6e 74 5f 69 64 22 20 3a 20 22 31 62 36 35 34 64 39 31 2d 37 32 32 61 2d 34 65 31 38 2d 39 37 34 64 2d 32 30 64 36 63 30 35 64 37 32 64 39 22 2c 0a 09 09 22 66 69 6e 67 65 72 70 72 69 6e 74 22 20 3a 20 22 38 46 33 30 39 31 39 32 32 33 44 31 39 41 Data Ascii: {"record":[{"event" : {"request_id" : "4e00e291-15e2-4e77-af04-a189a8f59292","subtype" : 1,"time" : 1722207296197,"type" : 25},"identity" : {"endpoint_id" : "1b654d91-722a-4e18-974d-20d6c05d72d9","fingerprint" : "8F30919223D19A
2024-07-28 22:54:57 UTC	216	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:54:57 GMT Content-Type: application/json Content-Length: 19 Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-28 22:54:57 UTC	19	IN	Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d Data Ascii: {"processed": true}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49403	34.160.176.28	443	3668	C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-28 22:54:57 UTC	424	OUT	GET /?p_age=0&p_bld=mmm_irs_ppi_902_451_o&p_cpua=x64&p_edi=15&p_icar=1&p_lng=en&p_midex=00000000000000000000000000000000CF6E00279D845352844A379868ABE8A3&p_ost=0&p_osv=6.1&p_pro=111&p_prod=avg-av&p_ram=8191&p_vbd=9311&p_vep=24&p_ves=7&p_vre=1966&repoid=release& HTTP/1.1 Host: shepherd.avcdn.net User-Agent: libcurl/8.7.0-DEV Schannel zlib/1.3.1 c-ares/1.28.1 nghttp2/1.48.0 Accept: / Accept-Encoding: deflate, gzip
2024-07-28 22:54:57 UTC	634	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 28 Jul 2024 22:54:57 GMT Content-Type: text/plain Content-Length: 756 Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Config-Id, Config-Name, Config-Version, Segments, AB-Tests, TTL, TTL-Spread Config-Id: 41 Config-Name: Icarus_ipm-messaging-in-22.11-and-higher_avg-av-release_avg-av_avg-av-on-win7-and-win8-729650b142838c4566eb7e29c8a498862e314f8f46c79a00011909cf94449c1d Config-Version: 528 Segments: ipm messaging in 22.11 and higher,avg-av release,avg-av,avg av on win7 and win8 TTL: 86400 TTL-Spread: 43200 Via: 1.1 google Alt-Svc: clear Connection: close
2024-07-28 22:54:57 UTC	756	IN	Data Raw: 5b 75 69 2e 6f 66 66 65 72 2e 61 63 74 69 6f 6e 73 5d 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 75 69 2e 6f 66 66 65 72 2e 77 65 6c 63 6f 6d 65 5d 0d 0a 6c 6f 61 64 74 69 6d 65 72 3d 31 30 30 30 30 0d 0a 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 69 70 6d 2e 61 76 63 64 6e 2e 6e 65 74 2f 0d 0a 5b 62 75 67 72 65 70 6f 72 74 5d 0d 0a 70 72 6f 64 75 63 74 5f 66 69 6e 69 73 68 65 64 5f 65 72 72 6f 72 73 3d 32 35 38 2c 34 35 30 32 31 0d 0a 5b 72 65 70 6f 72 74 69 6e 67 5d 0d 0a 64 69 73 61 62 6c 65 5f 63 68 65 63 6b 66 6f 72 75 70 64 61 74 65 73 3d 31 0d 0a 72 65 70 6f 72 74 5f 61 63 74 69 6f 6e 5f 69 64 73 3d 52 49 44 5f 30 30 31 2c 52 49 44 5f 30 30 32 0d 0a 5b 63 6f 6d 6d 6f 6e 5d 0d 0a 63 6f 6e 66 69 67 2d 64 65 Data Ascii: [ui.offer.actions]url=https://ipm.avcdn.net/[ui.offer.welcome]loadtimer=10000url=https://ipm.avcdn.net/[bugreport]product_finished_errors=258,45021[reporting]disable_checkforupdates=1report_action_ids=RID_001,RID_002[common]config-de

Target ID:	0
Start time:	18:52:40
Start date:	28/07/2024
Path:	C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"
Imagebase:	0x400000
File size:	14'472'880 bytes
MD5 hash:	F3F16A12CDAF4E3FE51BECE5DFF8970F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:52:41
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HKSI3.tmp\Team Fortress 2 Brotherhood Of Arms_aez-LU1.tmp" /SL5="$10302,13566766,780800,C:\Users\user\Desktop\Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe"
Imagebase:	0x400000
File size:	3'025'328 bytes
MD5 hash:	67BCDCA0E7E60025269D8C14094BADCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	18:53:27
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl
Imagebase:	0xdc0000
File size:	234'936 bytes
MD5 hash:	26816AF65F2A3F1C61FB44C682510C97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:53:29
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
Imagebase:	0x400000
File size:	6'261'520 bytes
MD5 hash:	3C17F28CC001F6652377D3B5DEEC10F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:53:31
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod2_extract\avg_tuneup_online_setup.exe" /silent /delayUIStart:120
Imagebase:	0x10f0000
File size:	1'582'416 bytes
MD5 hash:	F3B23C42A4CF4CA9F0C48F93B121CB41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	18:53:37
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	"netsh" firewall add allowedprogramC:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe "qBittorrent" ENABLE
Imagebase:	0xbc0000
File size:	96'256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:53:39
Start date:	28/07/2024
Path:	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
Imagebase:	0x390000
File size:	3'385'616 bytes
MD5 hash:	2B149BA4C21C66D34F19214D5A8D3067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:53:39
Start date:	28/07/2024
Path:	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
Imagebase:	0x1070000
File size:	3'385'616 bytes
MD5 hash:	2B149BA4C21C66D34F19214D5A8D3067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:53:39
Start date:	28/07/2024
Path:	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
Imagebase:	0x1070000
File size:	3'385'616 bytes
MD5 hash:	2B149BA4C21C66D34F19214D5A8D3067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	18:53:51
Start date:	28/07/2024
Path:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\icarus-info.xml /install /silent /delayUIStart:120
Imagebase:	0x13f2a0000
File size:	8'064'448 bytes
MD5 hash:	97856AB19BE2842F985C899CCDE7E312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	18:53:55
Start date:	28/07/2024
Path:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\asw-8bd746bf-7577-45b2-9723-adc06a21d336\avg-tu\icarus.exe /silent /delayUIStart:120 /er_master:master_ep_ff588211-0cd3-42f4-9abe-e7d866589a74 /er_ui:ui_ep_3071ddee-57f2-4a50-9ba3-75a4d0a633fd /er_slave:avg-tu_slave_ep_03796b32-0f70-4f87-a538-ebf63a8f1c72 /slave:avg-tu
Imagebase:	0x13fef0000
File size:	8'064'448 bytes
MD5 hash:	97856AB19BE2842F985C899CCDE7E312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	18:53:55
Start date:	28/07/2024
Path:	C:\Program Files (x86)\WeatherZero\WeatherZero.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DDFD1E983F83B350CD251831739BBC54
Imagebase:	0x1f0000
File size:	2'876'688 bytes
MD5 hash:	7DC1C6AB3BF2DD1C825914F7F6F31B45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	18:53:58
Start date:	28/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqgrcbua.cmdline"
Imagebase:	0x400000
File size:	77'960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:53:59
Start date:	28/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4C9.tmp" "c:\Users\user\AppData\Local\Temp\CSCA4C8.tmp"
Imagebase:	0x400000
File size:	32'912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:54:02
Start date:	28/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Imagebase:	0x860000
File size:	42'856 bytes
MD5 hash:	A8B7F3818AB65695E3A0BB3279F6DCE6
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	18:54:34
Start date:	28/07/2024
Path:	C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\asw.8bb23e66c52bd2be\avg_antivirus_free_online_setup.exe" /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /ga_clientid:387cb8e1-2902-4236-a6ed-c9fbfa800400 /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be
Imagebase:	0x8f0000
File size:	1'631'120 bytes
MD5 hash:	678507E1459F47A4D77AACE80D42D52D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	18:54:38
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\qbittorrent.exe" magnet:?xt=urn:btih:D351036146D1BD243B991ACA5814D7BFA012D712
Imagebase:	0x1160000
File size:	23'891'968 bytes
MD5 hash:	22A34900ADA67EAD7E634EB693BD3095
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	18:54:45
Start date:	28/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff150000
File size:	27'136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:54:45
Start date:	28/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 468
Imagebase:	0x710000
File size:	360'448 bytes
MD5 hash:	5FEAB868CAEDBBD1B7A145CA8261E4AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	18:54:56
Start date:	28/07/2024
Path:	C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-0f801654-05af-4ad8-86d7-928505b2e51a\icarus-info.xml /install /silent /ws /psh:92pTu5fbOjrX1Hwr5ymS8nIKngALcOCmkBEPD0y4asAb9sTLV2t6SsbOEW9GYcpp2iGuXBycnb6Jsl /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.8bb23e66c52bd2be /track-guid:387cb8e1-2902-4236-a6ed-c9fbfa800400
Imagebase:	0x13fb60000
File size:	8'064'960 bytes
MD5 hash:	0CD5718F7F5F8529FE4FF773DEF52DAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00369E1A Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.625101763.000000000035E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0035E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_35e000_Team Fortress 2 Brotherhood Of Arms_aez-LU1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51568eb17b744daf5ca39f68c0462b697cc7cd7bca56005d5b664db9a8193a1c
Instruction ID: 398755d1862a1ffdd474c81878f83d01b791549ac472cc939f9a42b0369447d2
Opcode Fuzzy Hash: 51568eb17b744daf5ca39f68c0462b697cc7cd7bca56005d5b664db9a8193a1c
Instruction Fuzzy Hash: F1A1CBA284E7C15FDB178B704D79650BF706E2320470E86CFC4C68F8A7E299994AD763

Analysis Process: avg_antivirus_free_setup.exePID: 1992, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 00DC52F0 Relevance: 229.8, APIs: 95, Strings: 35, Instructions: 2278synchronizationfileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000103), ref: 00DC548F

Part of subcall function 00DC7FE0: GetVersionExW.KERNEL32(?), ref: 00DC8004

GetCurrentProcess.KERNEL32 ref: 00DC54D6

Part of subcall function 00DC7E70: OpenProcessToken.ADVAPI32(00DC54E2,00000008,?,84D1659C,?,00000000), ref: 00DC7EAC
Part of subcall function 00DC7E70: GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00DE20C0), ref: 00DC7ED9
Part of subcall function 00DC7E70: GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00DC7F15
Part of subcall function 00DC7E70: IsValidSid.ADVAPI32 ref: 00DC7F22
Part of subcall function 00DC7E70: GetSidSubAuthorityCount.ADVAPI32 ref: 00DC7F31
Part of subcall function 00DC7E70: GetSidSubAuthority.ADVAPI32(?,?), ref: 00DC7F3D
Part of subcall function 00DC7E70: CloseHandle.KERNELBASE(00000000), ref: 00DC7F4F

InterlockedExchange.KERNEL32(?,0000052F), ref: 00DC54FC
InterlockedExchange.KERNEL32(?,00000000), ref: 00DC550A
InterlockedExchange.KERNEL32(?,000000C1), ref: 00DC5593
InterlockedExchange.KERNEL32(?,00000000), ref: 00DC55A2
CreateMutexW.KERNELBASE(00000000,00000001,00000000), ref: 00DC55D9
GetLastError.KERNEL32 ref: 00DC55E9
InterlockedExchange.KERNEL32(?,00000420), ref: 00DC5602
CloseHandle.KERNEL32(?), ref: 00DC75E3
CloseHandle.KERNEL32(?), ref: 00DC75F4
CloseHandle.KERNEL32(?), ref: 00DC7605
_wcsrchr.LIBVCRUNTIME ref: 00DC76A1
_wcsrchr.LIBVCRUNTIME ref: 00DC76B3
CreateHardLinkW.KERNEL32(?,00000000,00000000), ref: 00DC76EF
CopyFileW.KERNEL32 ref: 00DC7707
ReleaseMutex.KERNEL32(?), ref: 00DC7718
CloseHandle.KERNEL32(?), ref: 00DC771F
___delayLoadHelper2@8.DELAYIMP ref: 00DC7817

Part of subcall function 00DC3B70: #17.COMCTL32 ref: 00DC3B84
Part of subcall function 00DC3B70: LoadStringW.USER32(00DC0000,000003E9,?,00000000), ref: 00DC3BA1
Part of subcall function 00DC3B70: LoadStringW.USER32(00DC0000,?,?,00000000), ref: 00DC3BBA
Part of subcall function 00DC3B70: MessageBoxExW.USER32 ref: 00DC3BCF

Strings

https://, xrefs: 00DC659F
ProxyType, xrefs: 00DC5E18
Password, xrefs: 00DC5FA8
Properties, xrefs: 00DC62AD
%s\%s, xrefs: 00DC6DBE
/cust_ini, xrefs: 00DC5C76
User, xrefs: 00DC5F5F
http://, xrefs: 00DC6554
server0, xrefs: 00DC6511
Avast One, xrefs: 00DC5A80, 00DC5AA3, 00DC5B01, 00DC7064, 00DC7087, 00DC70DB
/silent, xrefs: 00DC5495
User-Agent: avast! Antivirus (instup), xrefs: 00DC6EF5
servers, xrefs: 00DC64D3
installer.exe, xrefs: 00DC6A15
/cookie:, xrefs: 00DC732A
allow_fallback, xrefs: 00DC6722
avcfg://settings/Common/VersionSwitch, xrefs: 00DC62A8
/ga_clientid:, xrefs: 00DC7363
{versionSwitch}, xrefs: 00DC6BED
enable, xrefs: 00DC649E
/cookie, xrefs: 00DC5856
Port, xrefs: 00DC5E9D
D, xrefs: 00DC742A
urlpgm, xrefs: 00DC650C
/smbupd, xrefs: 00DC632B
count, xrefs: 00DC64CE
/ppi_icd, xrefs: 00DC5B68
, xrefs: 00DC5AC3, 00DC70AD
AuthorizationType, xrefs: 00DC626F
ProxySettings, xrefs: 00DC5DED, 00DC5E1D, 00DC5E5B, 00DC5EA2, 00DC5F64, 00DC5FAD, 00DC6274
/sub_edition:, xrefs: 00DC73E5
stable, xrefs: 00DC6C52
Enabled, xrefs: 00DC5DE8
mirror, xrefs: 00DC64A3, 00DC6727
/edat_dir:, xrefs: 00DC739E

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ExchangeInterlocked$CloseHandle$LoadToken$AuthorityCreateInformationMutexProcessString_wcsrchr$CopyCountCurrentErrorFileHardHelper2@8LastLinkMessageOpenReleaseValidVersion___delay
String ID: $ /cookie:$ /edat_dir:$ /ga_clientid:$ /sub_edition:$%s\%s$/cookie$/cust_ini$/ppi_icd$/silent$/smbupd$AuthorizationType$Avast One$D$Enabled$Password$Port$Properties$ProxySettings$ProxyType$User$User-Agent: avast! Antivirus (instup)$allow_fallback$avcfg://settings/Common/VersionSwitch$count$enable$http://$https://$installer.exe$mirror$server0$servers$stable$urlpgm${versionSwitch}
API String ID: 1722064709-657827273
Opcode ID: ee3e862cfc9ddd8229f2c5fd9e162377450af2dc3b8f4c70b7a0debcf81072a7
Instruction ID: ef3ae431e3d3dc27069bd5b6fcf89c27e06b46da2116d32595eee20891fb41dc
Opcode Fuzzy Hash: ee3e862cfc9ddd8229f2c5fd9e162377450af2dc3b8f4c70b7a0debcf81072a7
Instruction Fuzzy Hash: 7E236B71E012699AEB24DB64CC89FEDB7B8AF45304F1441D9E509A7282DB70AF84CF71

Function 00DCBB70 Relevance: 39.3, APIs: 13, Strings: 9, Instructions: 777
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(84D1659C,00000000,00000000), ref: 00DCBBCD
GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemFirmwareTable), ref: 00DCBC00
GetProcAddress.KERNEL32(00000000), ref: 00DCBC07
GetSystemFirmwareTable.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DCBC26
GetSystemFirmwareTable.KERNEL32 ref: 00DCBCB9
GetModuleHandleW.KERNEL32(ntdll.dll,NtOpenSection), ref: 00DCBD1B
GetProcAddress.KERNEL32(00000000), ref: 00DCBD22
MapViewOfFile.KERNEL32(00000000,00000004,00000000,000F0000,00010000), ref: 00DCBD88
UnmapViewOfFile.KERNEL32(00000000), ref: 00DCBE31
MapViewOfFile.KERNEL32(00000000,00000004,00000000,?,?), ref: 00DCBE5A
UnmapViewOfFile.KERNEL32(00000000), ref: 00DCBECA
CloseHandle.KERNEL32(00000000), ref: 00DCBF30
UnmapViewOfFile.KERNEL32(00000000), ref: 00DCC466

Strings

kernel32.dll, xrefs: 00DCBBFB
_DMI, xrefs: 00DCBDFA
_SM_, xrefs: 00DCBDA0
,, xrefs: 00DCBD06
W, xrefs: 00DCBBDF
NtOpenSection, xrefs: 00DCBCF5
ntdll.dll, xrefs: 00DCBCFA
GetSystemFirmwareTable, xrefs: 00DCBBF6
@, xrefs: 00DCBD51

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: FileView$HandleUnmap$AddressFirmwareModuleProcSystemTable$CloseVersion
String ID: ,$@$GetSystemFirmwareTable$NtOpenSection$W$_DMI$_SM_$kernel32.dll$ntdll.dll
API String ID: 26960555-752303837
Opcode ID: 16d3c808afd2dbd21069e8a56231dedcdc225822781080fa0f08eb3e14e6f044
Instruction ID: ad44342903e5ac5d2468ab3ee92cb73bbae07a43631667daa3c503f2bd32c482
Opcode Fuzzy Hash: 16d3c808afd2dbd21069e8a56231dedcdc225822781080fa0f08eb3e14e6f044
Instruction Fuzzy Hash: 2E52A171E0065A9FDB10DBA8CC55FAEBBB9EF45310F18411DEA49AB341D731A902CBB4

Function 00DC41B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 132
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00DC41D4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC41ED
GetVersionExA.KERNEL32(0000009C,?,?,00989680,00000000), ref: 00DC4217
GetNativeSystemInfo.KERNEL32(?), ref: 00DC422E
wsprintfA.USER32 ref: 00DC42DC
wsprintfA.USER32 ref: 00DC42FF
lstrcatA.KERNEL32(?,?), ref: 00DC4316
lstrlenA.KERNEL32(?), ref: 00DC436E

Strings

microstub, xrefs: 00DC4261, 00DC42CF
AMD64, xrefs: 00DC424F, 00DC429D
status=%08lxstatus_microstub=%08lx%08lx, xrefs: 00DC42F9
cookie=%lsedition=%ldevent=%smidex=%lsstat_session=%lsstatsSendTime=%I64dos=win,%d,%d,%d,%d,%d,%s%sexe_version=%lsSfxVersion=%ls, xrefs: 00DC42D6
srv, xrefs: 00DC4247, 00DC429C

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: SystemTimewsprintf$FileInfoNativeUnothrow_t@std@@@Version__ehfuncinfo$??2@lstrcatlstrlen
String ID: status=%08lxstatus_microstub=%08lx%08lx$AMD64$cookie=%lsedition=%ldevent=%smidex=%lsstat_session=%lsstatsSendTime=%I64dos=win,%d,%d,%d,%d,%d,%s%sexe_version=%lsSfxVersion=%ls$microstub$srv
API String ID: 2179732243-3440893326
Opcode ID: 332ad5781763fa912337ebbfb5d85a5b90be410723bda8bd72bb9dd9cbb5d5e4
Instruction ID: 6a323079d3a34993369e1273da25f22d0f8926d4b469d991a0de7c95b4c54a49
Opcode Fuzzy Hash: 332ad5781763fa912337ebbfb5d85a5b90be410723bda8bd72bb9dd9cbb5d5e4
Instruction Fuzzy Hash: 205151B1A002589FCF60DF55CC88BAEBBB9EF48305F0041E9E608E7251DB719A94DF64

Function 00DC38C0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,01000002,00000000,00000000,00000000,?), ref: 00DC38E7
GetLastError.KERNEL32 ref: 00DC38F3
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?), ref: 00DC390A
GetLastError.KERNEL32 ref: 00DC3916
CloseHandle.KERNEL32(00000000), ref: 00DC398F
SetLastError.KERNEL32(00000000), ref: 00DC3997

Strings

%d.%d.%d.%d, xrefs: 00DC396C

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateHandleMappingView
String ID: %d.%d.%d.%d
API String ID: 1867540158-3491811756
Opcode ID: e46211c107958a6cd292c0732472cf7b42d6ebfccf360f96895b37e47c2a5dc7
Instruction ID: e58fa98af73539567ddbd0c60c9e4f42c258fc8823725086828ddcc0bb289fcf
Opcode Fuzzy Hash: e46211c107958a6cd292c0732472cf7b42d6ebfccf360f96895b37e47c2a5dc7
Instruction Fuzzy Hash: C2214C71A00315BBD720AF658C8DFBABB68EB49B51F14805DB946EB280DA749A00CA70

Function 00DCA100 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 329
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00DCA180
CreateFileW.KERNELBASE(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00DCA1A9
GetLastError.KERNEL32 ref: 00DCA1B9
CloseHandle.KERNEL32(?), ref: 00DCA468

Strings

SCSIDISK, xrefs: 00DCAE58
\\.\PhysicalDrive%u, xrefs: 00DCA18F, 00DCA5B9, 00DCA9C5
\\.\Scsi%u:, xrefs: 00DCAD66

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastVersion
String ID: SCSIDISK$\\.\PhysicalDrive%u$\\.\Scsi%u:
API String ID: 1515857667-131545429
Opcode ID: c3248cbfe53eac0282d7362b85d13489e7c58e2ccd9f9406c47099edd9e58b74
Instruction ID: 5459e5a3ea68535072905b7d144039ee39222fff70cbf30dff1587dd52ef0b6c
Opcode Fuzzy Hash: c3248cbfe53eac0282d7362b85d13489e7c58e2ccd9f9406c47099edd9e58b74
Instruction Fuzzy Hash: 83C18C70A002199FDB04DFA8C899FADB7B5EF48314F14815EE906AB351DB71AD01CBB5

Function 00DC8DC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 88
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC7FE0: GetVersionExW.KERNEL32(?), ref: 00DC8004

lstrcatA.KERNEL32(?, (Prototype),?,84D1659C,?), ref: 00DC8E56
CryptAcquireContextA.ADVAPI32(?,00000000,?,00000018,F0000040,?,84D1659C,?), ref: 00DC8E6D
CryptReleaseContext.ADVAPI32(00000000,00000000,?,84D1659C,?), ref: 00DC8E85
GetLastError.KERNEL32(Unable to acquire cryptographic provider!,?,84D1659C,?), ref: 00DC8EAC

Part of subcall function 00DC7DA0: ___std_exception_copy.LIBVCRUNTIME ref: 00DC7DD8

__CxxThrowException@8.LIBVCRUNTIME ref: 00DC8ECA

Part of subcall function 00DD203A: RaiseException.KERNEL32(?,?,00DC8071,?,?,?,?,?,?,?,?,00DC8071,?,00DEB144,00000000), ref: 00DD209A

CryptReleaseContext.ADVAPI32(00000000,00000000,?,00DEB144,00000000,?,84D1659C,?), ref: 00DC8ED9

Strings

Unable to acquire cryptographic provider!, xrefs: 00DC8EA7
(Prototype), xrefs: 00DC8E4D
vider, xrefs: 00DC8DFE

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ContextCrypt$Release$AcquireErrorExceptionException@8LastRaiseThrowVersion___std_exception_copylstrcat
String ID: (Prototype)$Unable to acquire cryptographic provider!$vider
API String ID: 2041426586-155044149
Opcode ID: 3f27e3c75ecb13b61453441b364a10a1559d97e083cd47b84fbec3640644e34f
Instruction ID: 371886357813e84802e6563899c4d35ebccd5448d02c19a491c4a7daf8ae13b9
Opcode Fuzzy Hash: 3f27e3c75ecb13b61453441b364a10a1559d97e083cd47b84fbec3640644e34f
Instruction Fuzzy Hash: 7B313D71D04799ABDB20EFA9DC45BAAB7B8FB08704F10461EF904E7291EB7166448B60

Function 00DC8130 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wintrust.dll), ref: 00DC8136
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2,00000000,?,?,00DEB144,00000000), ref: 00DC8149
FreeLibrary.KERNELBASE(00000000,?,?,00DEB144,00000000), ref: 00DC8152

Strings

CryptCATAdminAcquireContext2, xrefs: 00DC8143
wintrust.dll, xrefs: 00DC8131

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 13165cc171cdccf60e6fc9f0dc8b5eba0ae852eeda1f1c20b1c367aa5b95121d
Instruction ID: 3c8571775e621c30ddc8934f878a3a0d562da75c45344c32fe4780811f6f6c1a
Opcode Fuzzy Hash: 13165cc171cdccf60e6fc9f0dc8b5eba0ae852eeda1f1c20b1c367aa5b95121d
Instruction Fuzzy Hash: 38D05E32640BA17B4A1037E97C4DDAB6B649DC2E6134E029DF401DB2588A248882A170

Function 00DC9250 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000008,00DC9209,84D1659C,?,00DC9209,0000800C,?,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC92A8
GetLastError.KERNEL32(Unable to generate random number!,?,00DC9209,0000800C,?,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC9320

Part of subcall function 00DC7DA0: ___std_exception_copy.LIBVCRUNTIME ref: 00DC7DD8

__CxxThrowException@8.LIBVCRUNTIME ref: 00DC9338

Part of subcall function 00DD203A: RaiseException.KERNEL32(?,?,00DC8071,?,?,?,?,?,?,?,?,00DC8071,?,00DEB144,00000000), ref: 00DD209A

Strings

Unable to generate random number!, xrefs: 00DC931B

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CryptErrorExceptionException@8LastRaiseRandomThrow___std_exception_copy
String ID: Unable to generate random number!
API String ID: 4207938790-1854326980
Opcode ID: aaa8245a02a80c098bf77655ce6365c39cdb0cff169c19273b339680155eca5e
Instruction ID: 95700c6a338abfc6443db4c97a0a6688a75690c47eeff9e90dc1dea2c5b844c9
Opcode Fuzzy Hash: aaa8245a02a80c098bf77655ce6365c39cdb0cff169c19273b339680155eca5e
Instruction Fuzzy Hash: F0217F71A003899FCB14EFA4DC86FBEB7B8FB04720F14062AE512A7791DB306944CA75

Function 00DCF080 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,00DCFCDE,?,?,?,?,?,00000000), ref: 00DCF0A3
RtlAllocateHeap.NTDLL(00000000,?,00DCFCDE,?,?,?,?,?,00000000), ref: 00DCF0AA
GetProcessHeap.KERNEL32(00000000,00000000,00DCFCDE,?,?,?,?,?,00000000), ref: 00DCF0E2
HeapFree.KERNEL32(00000000,?,?), ref: 00DCF0E9

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 54de164b2447b2ff5a897a3ef46e6f67c1f4b8fe7e11cc6bb2e5f77e2311c630
Instruction ID: bbc709a527f0f81c2dfbb6549c8dfd6044bf3be0450ceba9b59f0ee08eec72a0
Opcode Fuzzy Hash: 54de164b2447b2ff5a897a3ef46e6f67c1f4b8fe7e11cc6bb2e5f77e2311c630
Instruction Fuzzy Hash: 94018071604705ABE710AF99DC89F67B7ADEB40761B04852EF51AC7661D631E9008B70

Function 00DCB0E0 Relevance: 3.4, APIs: 2, Instructions: 449encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB780: GetProcessHeap.KERNEL32(00DC5644), ref: 00DCB7DC

Part of subcall function 00DC8DC0: lstrcatA.KERNEL32(?, (Prototype),?,84D1659C,?), ref: 00DC8E56
Part of subcall function 00DC8DC0: CryptAcquireContextA.ADVAPI32(?,00000000,?,00000018,F0000040,?,84D1659C,?), ref: 00DC8E6D
Part of subcall function 00DC8DC0: CryptReleaseContext.ADVAPI32(00000000,00000000,?,84D1659C,?), ref: 00DC8E85

Part of subcall function 00DC9450: CryptCreateHash.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00DC8378,0000800C,84D1659C,?), ref: 00DC9470
Part of subcall function 00DC9450: CryptDestroyHash.ADVAPI32(?,00000000), ref: 00DC9489

Part of subcall function 00DC8DC0: GetLastError.KERNEL32(Unable to acquire cryptographic provider!,?,84D1659C,?), ref: 00DC8EAC
Part of subcall function 00DC8DC0: __CxxThrowException@8.LIBVCRUNTIME ref: 00DC8ECA
Part of subcall function 00DC8DC0: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00DEB144,00000000,?,84D1659C,?), ref: 00DC8ED9

Part of subcall function 00DC9450: GetLastError.KERNEL32(Unable to create hash context!), ref: 00DC94A4
Part of subcall function 00DC9450: __CxxThrowException@8.LIBVCRUNTIME ref: 00DC94BC

Part of subcall function 00DCC500: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00DCC5FD
Part of subcall function 00DCC500: GetLastError.KERNEL32(?,?,?,?,00DE2548), ref: 00DCC607

Part of subcall function 00DC9340: CryptGetHashParam.ADVAPI32(?,00000004,0000800C,00DC8744,00000000,84D1659C,?,?,?,00000000), ref: 00DC9395
Part of subcall function 00DC9340: CryptGetHashParam.ADVAPI32(?,00000002,00000000,0000800C,00000000,0000800C,00000000,?), ref: 00DC93DC

CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00008003), ref: 00DCB5EF
CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00008003), ref: 00DCB623

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroyErrorLast$Exception@8ParamReleaseThrow$AcquireCreateDirectoryHeapProcessSystemlstrcat
String ID:
API String ID: 2781682779-0
Opcode ID: 370fd68f18d9cbbbee643c29dab41121c3080f39d58c89f2091723faaae3c47e
Instruction ID: 2b6cd11cad76090ae2ccdedbc84ea6b3c8d8fa407917dc9bfc5f377605cdfa19
Opcode Fuzzy Hash: 370fd68f18d9cbbbee643c29dab41121c3080f39d58c89f2091723faaae3c47e
Instruction Fuzzy Hash: BB128D31D012698BDB25DB68CC45BEDBBB5AF44314F1442DED849A7382DB31AE84CFA1

Function 00DC82F0 Relevance: 1.6, APIs: 1, Instructions: 90encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(00000000,?,?,?,00000000,00000004,?,00DC8744,0000800C,84D1659C,?), ref: 00DC83CB

Part of subcall function 00DC9020: CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,84D1659C,?,?,00DC8744,?,?,?,?,00DE2269,000000FF), ref: 00DC9088
Part of subcall function 00DC9020: CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90A4
Part of subcall function 00DC9020: CryptHashData.ADVAPI32(?,?,84D1659C,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90BB
Part of subcall function 00DC9020: CryptGetHashParam.ADVAPI32(00000000,00000004,?,?,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90E4
Part of subcall function 00DC9020: CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000,?,00000000,?,?,?,?,?,00DE2269,000000FF), ref: 00DC9128
Part of subcall function 00DC9020: CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC913E
Part of subcall function 00DC9020: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC914E

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Crypt$Hash$Destroy$Param$ContextCreateDataRelease
String ID:
API String ID: 2857581251-0
Opcode ID: ac350242c4b1b1257d9ebe7fabfbb258238afcd6ac3b69f2849466ce1a5fcef2
Instruction ID: a296e4e7ef2424035863a9a77cc1e728ffaea749839fa9bd4cf3bc982ed026c5
Opcode Fuzzy Hash: ac350242c4b1b1257d9ebe7fabfbb258238afcd6ac3b69f2849466ce1a5fcef2
Instruction Fuzzy Hash: DF311AB1D0024AABDB00EF94C896FEFBBB8FB44714F004119E901A3281DB74AA04DBB0

Function 00DD1292 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00DD1297

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 87e3826197dcd6c1a80bf64b43c71ca4004eea0def8bb7ccb563f2babafe6f37
Instruction ID: bbe6127f829dd64e2f9191c5b2677fdda55f2328885e67e8efb0978b46196620
Opcode Fuzzy Hash: 87e3826197dcd6c1a80bf64b43c71ca4004eea0def8bb7ccb563f2babafe6f37
Instruction Fuzzy Hash:

Function 00DC27B0 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00DC280A
GetLastError.KERNEL32 ref: 00DC2831
GetLastError.KERNEL32 ref: 00DC286C
GetFileSizeEx.KERNEL32(33C033FC,?), ref: 00DC2944
wsprintfW.USER32 ref: 00DC296F
SetLastError.KERNEL32(00000000), ref: 00DC2B76

Strings

Range: bytes=, xrefs: 00DC2961
AMD64, xrefs: 00DC27C0
%hs%d-, xrefs: 00DC2969

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$FileSizewsprintf
String ID: %hs%d-$AMD64$Range: bytes=
API String ID: 297799064-1968478037
Opcode ID: 63fa68108132aab58f30f597cfc27b4bb97bbda2241a6be97327c79eec31befe
Instruction ID: 873f2763387967f9153bed22d6f7b1b0b0acc4b4beb9b4683d0731b70ee4df92
Opcode Fuzzy Hash: 63fa68108132aab58f30f597cfc27b4bb97bbda2241a6be97327c79eec31befe
Instruction Fuzzy Hash: 36C11D70A00306ABEB209FA5DC89F7EBBB9AF04701F18452DE946DB294DB71D945CB30

Function 00DC7E70 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(00DC54E2,00000008,?,84D1659C,?,00000000), ref: 00DC7EAC
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00DE20C0), ref: 00DC7ED9
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00DC7F15
IsValidSid.ADVAPI32 ref: 00DC7F22
GetSidSubAuthorityCount.ADVAPI32 ref: 00DC7F31
GetSidSubAuthority.ADVAPI32(?,?), ref: 00DC7F3D
CloseHandle.KERNELBASE(00000000), ref: 00DC7F4F
GetLastError.KERNEL32(Unable to open process token!), ref: 00DC7F78
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC7F90
GetLastError.KERNEL32(Unable to retrieve process mandatory label!,?,00DEB144,00000000), ref: 00DC7F9A
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC7FB2
GetLastError.KERNEL32(Unable to verify mandatory label!,?,00DEB144,00000000), ref: 00DC7FBC
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC7FD4

Strings

Unable to verify mandatory label!, xrefs: 00DC7FB7
Unable to open process token!, xrefs: 00DC7F73
Unable to retrieve process mandatory label!, xrefs: 00DC7F95

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorException@8LastThrowToken$AuthorityInformation$CloseCountHandleOpenProcessValid
String ID: Unable to open process token!$Unable to retrieve process mandatory label!$Unable to verify mandatory label!
API String ID: 492105640-3458634299
Opcode ID: fc01de11c30b9a2c6be781055d832a8a8cee9e0cc625568eb0d850de7a7985a3
Instruction ID: 7894ad789c84f1a80e7160cb9923a7a20b3fffa6cf54710fc754f552755afa8c
Opcode Fuzzy Hash: fc01de11c30b9a2c6be781055d832a8a8cee9e0cc625568eb0d850de7a7985a3
Instruction Fuzzy Hash: 86410C71904259AFDB10EFA5DC89FBEB7B8FF08711F10411AF502E7291DA74AA048B70

Function 00DC1020 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 60
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DC1029
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DC1034
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DC1044
SetDllDirectoryW.KERNEL32 ref: 00DC1068
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00DC1073
GetProcAddress.KERNEL32(00000000,LdrEnumerateLoadedModules), ref: 00DC1083
IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DC10A4
ExitProcess.KERNEL32 ref: 00DC10C0
ExitProcess.KERNEL32 ref: 00DC10E4
ExitProcess.KERNEL32 ref: 00DC10F0

Strings

LdrEnumerateLoadedModules, xrefs: 00DC107D
kernel32.dll, xrefs: 00DC102F
SetDefaultDllDirectories, xrefs: 00DC103E
ntdll.dll, xrefs: 00DC106E

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc$DirectoryFeatureHeapInformationPresentProcessor
String ID: LdrEnumerateLoadedModules$SetDefaultDllDirectories$kernel32.dll$ntdll.dll
API String ID: 1484830609-1451921263
Opcode ID: 3e49c15f87cea7acc64bb1c4388a5a4740a9bf6d4d008dc61eba0bd235e5bd8e
Instruction ID: 9ddb14310a1c43a7939fa85ede0445f304ad162fdcb0833b1719a7431329c7db
Opcode Fuzzy Hash: 3e49c15f87cea7acc64bb1c4388a5a4740a9bf6d4d008dc61eba0bd235e5bd8e
Instruction Fuzzy Hash: 2111EF74B803A27BD6303BB2AC9FF3D29149B11B51F144118FA45EB3D1DA508A445AB6

Function 00DC3190 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000020,?,?,?), ref: 00DC31B1
ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(D:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;FRFX;;;BU),00000001,?,00000000), ref: 00DC31DA
wsprintfW.USER32 ref: 00DC3201
CreateDirectoryW.KERNELBASE(?,?), ref: 00DC320F
wsprintfW.USER32 ref: 00DC3228
CreateDirectoryW.KERNEL32(?,?), ref: 00DC3236
GetLastError.KERNEL32(?,?,?), ref: 00DC3240
LocalFree.KERNEL32(?,?,?,?), ref: 00DC3250
SetLastError.KERNEL32(00000000,?,?,?), ref: 00DC3257

Part of subcall function 00DC9250: CryptGenRandom.ADVAPI32(00000008,00DC9209,84D1659C,?,00DC9209,0000800C,?,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC92A8

Strings

%c:\asw.%08x%08x, xrefs: 00DC3222
%s\Temp\asw.%08x%08x, xrefs: 00DC31F1
D:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;FRFX;;;BU), xrefs: 00DC31D5

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Directory$CreateDescriptorErrorLastSecuritywsprintf$ConvertCryptFreeLocalRandomStringWindows
String ID: %c:\asw.%08x%08x$%s\Temp\asw.%08x%08x$D:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;FRFX;;;BU)
API String ID: 1345463893-1526440225
Opcode ID: 996026c9e4204b7c2e9c61b6bce0bb46cfe700d4eca3225951ef403c737bf1e2
Instruction ID: 59c0cc4ea5efc8c646e8b28aae337eb32d22a21b57e4e98bcc87094d9c1d2d7f
Opcode Fuzzy Hash: 996026c9e4204b7c2e9c61b6bce0bb46cfe700d4eca3225951ef403c737bf1e2
Instruction Fuzzy Hash: D7212C71A00249ABDB10EFE58D89EBEFBBCEF45B41F044019F905EB240D7709A458B75

Function 00DC8520 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unable to read signature!, xrefs: 00DC8801, 00DC881E, 00DC8845, 00DC8862
ASWS, xrefs: 00DC86BD
ASWS, xrefs: 00DC8675
ig2A, xrefs: 00DC86C9
ig2A, xrefs: 00DC86F2
ASWS, xrefs: 00DC86E2

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID:
String ID: ASWS$ASWS$ASWS$Unable to read signature!$ig2A$ig2A
API String ID: 0-1997839495
Opcode ID: e94d078e69df4e36fa9738f24ae12387dfb692f200f156f3e172d8c67a243ca5
Instruction ID: 2d20e6df15a7d38a60c669b833f9352958b360a3436bad3efa67b8eac97520f3
Opcode Fuzzy Hash: e94d078e69df4e36fa9738f24ae12387dfb692f200f156f3e172d8c67a243ca5
Instruction Fuzzy Hash: DF91EF7090025A9FDF14DFA8C985FADB7B5FF05304F64812EE401AB281EB35A948DBB4

Function 00DC8410 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSizeEx.KERNEL32(?,00DE2160,84D1659C,?,?,?,?,?,00000000,00DE2160,000000FF,?,00DC26F7,?,00000000), ref: 00DC8443
CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,00000000,00DE2160), ref: 00DC847C
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,?,00000000,00DE2160), ref: 00DC84A2
UnmapViewOfFile.KERNELBASE(00000000,?,?,?,?,?,00000000,00DE2160), ref: 00DC84CE
CloseHandle.KERNEL32(00000000), ref: 00DC84D5
GetLastError.KERNEL32(Unable to determine file size!,?,?,00000000,00DE2160,000000FF,?,00DC26F7,?,00000000), ref: 00DC84FE
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC8516

Strings

Unable to open file mapping!, xrefs: 00DC8488, 00DC84AE
Unable to process files over 1GB!, xrefs: 00DC8462
Unable to determine file size!, xrefs: 00DC84F9

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: File$View$CloseCreateErrorException@8HandleLastMappingSizeThrowUnmap
String ID: Unable to determine file size!$Unable to open file mapping!$Unable to process files over 1GB!
API String ID: 3729524651-729644499
Opcode ID: 4e3374a442bafcfb57b8c4cab54bb3346e297752222021833be6715ed8b2226d
Instruction ID: e4c8f7f34df77a61d57a6846ef6706f040b15fd2913aef1b9bb6ec32de70fa44
Opcode Fuzzy Hash: 4e3374a442bafcfb57b8c4cab54bb3346e297752222021833be6715ed8b2226d
Instruction Fuzzy Hash: 5C31B431944346BBDB21AF54CC4AFBF7B78EB04B10F10401EF901BB280DB7456049AB4

Function 00DCC500 Relevance: 16.8, APIs: 11, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DCB780: GetProcessHeap.KERNEL32(00DC5644), ref: 00DCB7DC

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00DCC5FD
GetLastError.KERNEL32(?,?,?,?,00DE2548), ref: 00DCC607
GetVolumePathNameW.KERNELBASE(?,?,00000104), ref: 00DCC67E
GetLastError.KERNEL32(?,?,?,?,?,00DE2548), ref: 00DCC688
GetVolumeNameForVolumeMountPointW.KERNEL32(00000010,00000010,00000104), ref: 00DCC6EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,00DE2548), ref: 00DCC6F6
CreateFileW.KERNELBASE(00000010,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00DCC7AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00DE2548), ref: 00DCC7B8
DeviceIoControl.KERNELBASE(00000000,002D1080,00000000,00000000,?,0000000C,00000000,00000000), ref: 00DCC7D9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00DE2548), ref: 00DCC7E3
CloseHandle.KERNEL32(00000000), ref: 00DCC7F7

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$Volume$Name$CloseControlCreateDeviceDirectoryFileHandleHeapMountPathPointProcessSystem
String ID:
API String ID: 204137380-0
Opcode ID: b0a7f939e5f8ec755c90b9f7555139971c2aa94ca41ef0de0b324b71d207143c
Instruction ID: b92e9daf15f8d2bf8eded6c0a3e26478ea502accbc76c7e6d7e8bb717a186798
Opcode Fuzzy Hash: b0a7f939e5f8ec755c90b9f7555139971c2aa94ca41ef0de0b324b71d207143c
Instruction Fuzzy Hash: 7BB1BF35A107069FDB00DFA9C889FAEB7A4EF48310F14512DEA46EB390DB71A9018F74

Function 00DC2BA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 319
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00DC0000,?,0000000A,.edat,00000005,?,?,?,?,00000000,?,?,00000000), ref: 00DC30A3
LoadResource.KERNEL32(00DC0000,00000000,?,?,00000000,?,?,00000000), ref: 00DC30B5
SizeofResource.KERNEL32(00DC0000,00000000,?,?,00000000,?,?,00000000), ref: 00DC30C3
CreateFileW.KERNELBASE(?,00000004,00000001,00000000,00000002,00000080,00000000), ref: 00DC30EE
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00DC310B
CloseHandle.KERNELBASE(00000000), ref: 00DC3112

Strings

EDAT_, xrefs: 00DC2E54
.edat, xrefs: 00DC303B

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Resource$File$CloseCreateFindHandleLoadSizeofWrite
String ID: .edat$EDAT_
API String ID: 2436039785-3242799629
Opcode ID: 20c10a6532f6de2440dbabf00325947239f4b7701f54ee06f0401e5ed14b853e
Instruction ID: a3d5b39ef326064939976446f5e180e8cf2b80688b0a2ad60f1613a0db4abeed
Opcode Fuzzy Hash: 20c10a6532f6de2440dbabf00325947239f4b7701f54ee06f0401e5ed14b853e
Instruction Fuzzy Hash: 55A18476E002069FDB149FA9CC95FFEB7B5EF48710F15812DE816A7391DA309A058BB0

Function 00DC4020 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00DC404C
wsprintfA.USER32 ref: 00DC406C
wsprintfA.USER32 ref: 00DC40B6
lstrlenA.KERNEL32(?), ref: 00DC410D

Strings

&t=event&ec=microstub&ea=ok&el=%08lx, xrefs: 00DC4066
&t=screenview&cd=%s, xrefs: 00DC4046
v=1&tid=%ls&cid=%ls&aiid=%ls&an=Free&cd3=Online%s, xrefs: 00DC40B0
&t=event&ec=microstub&ea=error&el=%08lx%08lx, xrefs: 00DC4081

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: wsprintf$lstrlen
String ID: &t=event&ec=microstub&ea=error&el=%08lx%08lx$&t=event&ec=microstub&ea=ok&el=%08lx$&t=screenview&cd=%s$v=1&tid=%ls&cid=%ls&aiid=%ls&an=Free&cd3=Online%s
API String ID: 217384638-4207265834
Opcode ID: 2f4926abd01f801babac5e8b630c7dee9110017900416c40a922da3a1046289c
Instruction ID: 097e564581a21f4871fa7470d0eacc8e5cbe28dda0afa71309879ffe252c69bb
Opcode Fuzzy Hash: 2f4926abd01f801babac5e8b630c7dee9110017900416c40a922da3a1046289c
Instruction Fuzzy Hash: C03123B1900259ABCB20EF65DC49BAAB7B8EF04314F404199A649E7241EB709A94CFB5

Function 00DCE450 Relevance: 13.1, APIs: 10, Instructions: 634
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000001), ref: 00DCEC60
HeapFree.KERNEL32(00000000), ref: 00DCEC67
GetProcessHeap.KERNEL32(00000000,?), ref: 00DCECB5
HeapFree.KERNEL32(00000000), ref: 00DCECBC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DCECE2
HeapFree.KERNEL32(00000000), ref: 00DCECE9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DCED0F
HeapFree.KERNEL32(00000000), ref: 00DCED16
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DCED4C
HeapFree.KERNEL32(00000000), ref: 00DCED53

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8956aeda5b884101e86b511547ce59dce25198796197aac0cff0abdafcbb49d3
Instruction ID: 06a5e4e5325ae96ce3f2bdafcd75cb2c6094e18e3c338522e9e7108bae80f91e
Opcode Fuzzy Hash: 8956aeda5b884101e86b511547ce59dce25198796197aac0cff0abdafcbb49d3
Instruction Fuzzy Hash: DD3233B1D416299FDB30DF54CD85FAAB7BAEB94310F0401D9E809A7241DB369E94CFA0

Function 00DD8EAA Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00DD90FB,00000001,00000001,8B000053), ref: 00DD8F04
__alloca_probe_16.LIBCMT ref: 00DD8F3C
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DD90FB,00000001,00000001,8B000053,84D1659C,?,?), ref: 00DD8F8A
__alloca_probe_16.LIBCMT ref: 00DD9021
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,84D1659C,8B000053,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DD9084
__freea.LIBCMT ref: 00DD9091

Part of subcall function 00DD8E23: HeapAlloc.KERNEL32(00000000,?,?,?,00DD2AA0,?,?,?,?,?,00DC7DDD,?,?), ref: 00DD8E55

__freea.LIBCMT ref: 00DD909A
__freea.LIBCMT ref: 00DD90BF

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: b7b3f78d299dd57f263b2cfacddf26fd0f2531ba152fe19d9e1f25b7036fdb8b
Instruction ID: 35e7d54e0bec3212a7410e373ec42c6950693388b456251ab8fb0c24759f6685
Opcode Fuzzy Hash: b7b3f78d299dd57f263b2cfacddf26fd0f2531ba152fe19d9e1f25b7036fdb8b
Instruction Fuzzy Hash: 3251C072610206ABEB259F74DC51EBBB7AAEF40750F19462AFC04D7240DB36DC40D6B0

Function 00DC39C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00DC0000,00000001,00000010), ref: 00DC39F1
LoadResource.KERNEL32(00DC0000,00000000), ref: 00DC3A01
wsprintfW.USER32 ref: 00DC3A52

Strings

%d.%d.%d.%d, xrefs: 00DC3A4A
\StringFileInfo\040904b0\Edition, xrefs: 00DC3A67
\StringFileInfo\040904b0\SubEdition, xrefs: 00DC3A8F

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Resource$FindLoadwsprintf
String ID: %d.%d.%d.%d$\StringFileInfo\040904b0\Edition$\StringFileInfo\040904b0\SubEdition
API String ID: 1667977947-3794282237
Opcode ID: 8a73349391c3eafa67f33df382a33175060fa540940de5131051e52900b6f3e4
Instruction ID: 737d254425883c196adbbed330a1a7e5a58abfaef263689d9a8fa7d7ca76846a
Opcode Fuzzy Hash: 8a73349391c3eafa67f33df382a33175060fa540940de5131051e52900b6f3e4
Instruction Fuzzy Hash: AF314D72A00219ABDB10EF95CC81FBFB7A8EF49700F18406AF905E7241D631DE5587B1

Function 00DC2480 Relevance: 9.1, APIs: 6, Instructions: 95sleepfileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 00DC2506
SetEndOfFile.KERNELBASE(?), ref: 00DC2511
GetLastError.KERNEL32 ref: 00DC251B
GetLastError.KERNEL32 ref: 00DC2550
Sleep.KERNELBASE(000003E8,00000000), ref: 00DC2574
SetLastError.KERNEL32(00000000,00000000), ref: 00DC2585

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$File$PointerSleep
String ID:
API String ID: 3209234422-0
Opcode ID: df5e301024ae8b2a3d21b26e27a375f673647f82a368e180dab9d9309fdfa93f
Instruction ID: efe6284a86e01fe760c706fd443a7e7835902551060954147d9b8e86d69077fc
Opcode Fuzzy Hash: df5e301024ae8b2a3d21b26e27a375f673647f82a368e180dab9d9309fdfa93f
Instruction Fuzzy Hash: 89316B75D0030A9BDB10DFA5E889BBEBBB4FF48310F15411AE815A7350DB709A41CBB0

Function 00DCB890 Relevance: 6.2, APIs: 4, Instructions: 243COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00000010,000000FF,00000000,00000000,?,00DCB45F), ref: 00DCB99D
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000010,00000000,?,00DCB45F), ref: 00DCB9D6
WideCharToMultiByte.KERNELBASE(00000003,00000000,00000010,000000FF,00000000,00000000,00000000,00000000,?,00DCB45F), ref: 00DCBA89
WideCharToMultiByte.KERNEL32(00000003,00000000,00000010,000000FF,00DCB45F,00000000,00000000,00000000,?,00DCB45F), ref: 00DCBAC7

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 5c8e1ebec4e9088a73b502c0c1a2a1d17a8d9a3ee836e9bf2d6bcdd7ce112b65
Instruction ID: 72a964b26054c52318b5d9597424c8bd64561f05979ce11e9bb761f7ef2b33cd
Opcode Fuzzy Hash: 5c8e1ebec4e9088a73b502c0c1a2a1d17a8d9a3ee836e9bf2d6bcdd7ce112b65
Instruction Fuzzy Hash: 8F916C31A012069FDB11CF68C889F6DBBB5EF85324F24415EE955AB391DB71EA01CFA0

Function 00DDB1D4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00DDB17B,?,00000000,00000000,00000000,?,00DDB378,00000006,FlsSetValue), ref: 00DDB206
GetLastError.KERNEL32(?,00DDB17B,?,00000000,00000000,00000000,?,00DDB378,00000006,FlsSetValue,00DE6E08,FlsSetValue,00000000,00000364,?,00DD8B77), ref: 00DDB212
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DDB17B,?,00000000,00000000,00000000,?,00DDB378,00000006,FlsSetValue,00DE6E08,FlsSetValue,00000000), ref: 00DDB220

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 27b842e0f05f959be744cf23d34f78da6958f4d61447f7a80fd11c04d1a47240
Instruction ID: f4253ee92eff37762ff564da88af9407b8ef0471457c715c284fedab74aaac5d
Opcode Fuzzy Hash: 27b842e0f05f959be744cf23d34f78da6958f4d61447f7a80fd11c04d1a47240
Instruction Fuzzy Hash: 4D01FC33601322EBC7215B78AC8496A7F98EF1A7B57160527F946DB340D720D900C6F4

Function 00DC8880 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 315COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DC8C7A

Part of subcall function 00DCFC70: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 00DCFCB3
Part of subcall function 00DCFC70: HeapFree.KERNEL32(00000000), ref: 00DCFCBA

Part of subcall function 00DCED90: GetProcessHeap.KERNEL32(00000000,8B55CCCC,00DC82E6,?,00DC8A31,?,?,?), ref: 00DCEDB7
Part of subcall function 00DCED90: HeapFree.KERNEL32(00000000,?,?), ref: 00DCEDBE

Part of subcall function 00DCFAC0: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,-00000002), ref: 00DCFC26
Part of subcall function 00DCFAC0: HeapFree.KERNEL32(00000000), ref: 00DCFC2D
Part of subcall function 00DCFAC0: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,-00000002), ref: 00DCFC4D
Part of subcall function 00DCFAC0: HeapFree.KERNEL32(00000000), ref: 00DCFC54

Part of subcall function 00DCE450: GetProcessHeap.KERNEL32(00000000,00000001), ref: 00DCEC60
Part of subcall function 00DCE450: HeapFree.KERNEL32(00000000), ref: 00DCEC67

Strings

Unable to initialize DSA parameters!, xrefs: 00DC8C50
Unable to read digest or signature!, xrefs: 00DC8C47

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$FreeProcess$Exception@8Throw
String ID: Unable to initialize DSA parameters!$Unable to read digest or signature!
API String ID: 786774151-2226104879
Opcode ID: a333e330b4a863e1a893ebb40a192dee3a95eedcadf3b06adf07e57b2ea893bd
Instruction ID: d63752039ffc13ff070500619c41452a553cfd20abce2f347f2e70b65a3c4b21
Opcode Fuzzy Hash: a333e330b4a863e1a893ebb40a192dee3a95eedcadf3b06adf07e57b2ea893bd
Instruction Fuzzy Hash: AAB1A9B2D0031E9ADF50DBA4DD45FDEB3BDAB08304F44456AE909E7141EB70EA889B71

Function 00DDAA3A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00DDAA5F

Strings

, xrefs: 00DDAAA4

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: d93951b11920c15e145d758db7a9e8893815cd85f2f74f229b5fd602d1d01514
Instruction ID: 2723e8839168b9c79b1032e3d7a49340f4b9b7f3f97f7f1f1f7a669bf94059d1
Opcode Fuzzy Hash: d93951b11920c15e145d758db7a9e8893815cd85f2f74f229b5fd602d1d01514
Instruction Fuzzy Hash: DE4108715043889ADB228F2C8D84AF6BBEADB45304F1844EFE5DA87242D235A946DF71

Function 00DDB40C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,84D1659C,8B000053,00000001,84D1659C,00000000), ref: 00DDB47D

Strings

LCMapStringEx, xrefs: 00DDB41D, 00DDB427

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b23eae37dc4d30776a3b5f1035fe252bd481ca39e36acb5553264cc3504cbd28
Instruction ID: 7628e2b142058e069c6060c67f67aef2ce39c4ad54876f5789771eec38f8f1b3
Opcode Fuzzy Hash: b23eae37dc4d30776a3b5f1035fe252bd481ca39e36acb5553264cc3504cbd28
Instruction Fuzzy Hash: BB011332500249FBCF12AF91DC06DEE3F62EB08B64F018116FE1866261C772C931EBA0

Function 00DDB24F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00DDB28E

Strings

FlsAlloc, xrefs: 00DDB260, 00DDB26A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: bba92998993553a22b8e81fdb2908f3a0d0d6dfb8bf12f4feac53e065dda0ba3
Instruction ID: 486750823ccffb7958cac5a7cb114748dc8cc1131e726eaa5a5e6e48e32c5d87
Opcode Fuzzy Hash: bba92998993553a22b8e81fdb2908f3a0d0d6dfb8bf12f4feac53e065dda0ba3
Instruction Fuzzy Hash: BEE0E531781368ABC711BB519C0696EBB54DF94B70F810257FC059B340DA719E1187F9

Function 00DD3FCA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00DD3FDF

Strings

FlsAlloc, xrefs: 00DD3FCE, 00DD3FD8

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 531211320234ce1c6e1f813fb16945b60fb26f84079e44de38029d969871794d
Instruction ID: b01382450b9bfa1241b43886dcd0f87fdd11ffe06911d93e1faca9edf013facb
Opcode Fuzzy Hash: 531211320234ce1c6e1f813fb16945b60fb26f84079e44de38029d969871794d
Instruction Fuzzy Hash: A2D01231A8A7786BC6113796BC06BA9BA54CF01FA2F040062FF0C96394D9A15A1556F9

Function 00DDAD90 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00DDA962: GetOEMCP.KERNEL32(00000000), ref: 00DDA98D

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00DDAC30,?,00000000), ref: 00DDAE04
GetCPInfo.KERNEL32(00000000,00DDAC30,?,?,?,00DDAC30,?,00000000), ref: 00DDAE17

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: a9c7a79ee0cb4c9b587a77aec721fccbc8aba7919653a9468a6e133a74c89fc3
Instruction ID: 99fc35c6ae5117851925a60cddc70936aa50c705f9d564f39e2cfb60db9a443e
Opcode Fuzzy Hash: a9c7a79ee0cb4c9b587a77aec721fccbc8aba7919653a9468a6e133a74c89fc3
Instruction Fuzzy Hash: C15101B0A043459EDB209F79C884ABABBE5EF41300F18C46FE4968B391D6359945CBB2

Function 00DDABCE Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00DD8AA5: GetLastError.KERNEL32(?,?,00DD4E11,?,?,?,00DD52E9,84D1659C,00000000,?,00DCD904,0123456789ABCDEF,84D1659C,?,?,00000000), ref: 00DD8AA9
Part of subcall function 00DD8AA5: _free.LIBCMT ref: 00DD8ADC
Part of subcall function 00DD8AA5: SetLastError.KERNEL32(00000000,00DD52E9,84D1659C,00000000,?,00DCD904,0123456789ABCDEF,84D1659C,?,?,00000000,00DC8722), ref: 00DD8B1D
Part of subcall function 00DD8AA5: _abort.LIBCMT ref: 00DD8B23

Part of subcall function 00DDACEE: _abort.LIBCMT ref: 00DDAD20
Part of subcall function 00DDACEE: _free.LIBCMT ref: 00DDAD54

Part of subcall function 00DDA962: GetOEMCP.KERNEL32(00000000), ref: 00DDA98D

_free.LIBCMT ref: 00DDAC46
_free.LIBCMT ref: 00DDAC7C

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 3f1f958b3161facfb74a6e7e7e196ab0e83684b73b52cae2fd8deb347e4f8058
Instruction ID: c610cbea9cfd96ad2dcf8167e980f2a364e1e9a62f57784a312c0bca7bbec38f
Opcode Fuzzy Hash: 3f1f958b3161facfb74a6e7e7e196ab0e83684b73b52cae2fd8deb347e4f8058
Instruction Fuzzy Hash: 7131C435904208AFDB11EFACD481B69B7E5EF40330F29809BE4049B391EB719D40DB71

Function 00DDB138 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00DDB378,00000006,FlsSetValue,00DE6E08,FlsSetValue,00000000,00000364,?,00DD8B77,00000000), ref: 00DDB198
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DDB1A5

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 0bda9b5549fc66fa6e1cfdbd18f70c9e492cbba78649e62d33819ca9734b2aa8
Instruction ID: f715f274b2e537541a463dc85d3afd77598af2f6273429c5d5d03a4fc14a8279
Opcode Fuzzy Hash: 0bda9b5549fc66fa6e1cfdbd18f70c9e492cbba78649e62d33819ca9734b2aa8
Instruction Fuzzy Hash: A611BF37A00365DBEB25AE29DCA096A7395AB8177871B0223EC14EB354D730EC4186B0

Function 00DC43E0 Relevance: 3.0, APIs: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00004020,?,00000000,?), ref: 00DC440A
CloseHandle.KERNELBASE(00000000), ref: 00DC4415

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: ca1a00e13c296e81f9ce0d44b3268ba47ca2e4613df1169d6ec57d4b11f72dd3
Instruction ID: 4cf99a5edee816072244b8594695194d207ffaaa804d5ca3f801b9ab0063f461
Opcode Fuzzy Hash: ca1a00e13c296e81f9ce0d44b3268ba47ca2e4613df1169d6ec57d4b11f72dd3
Instruction Fuzzy Hash: 3EF05E70600348AFDB24EFA4DC59B6D7BB4EB04702F500098E9059B2D1DAB06A44CB70

Function 00DC4440 Relevance: 3.0, APIs: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000041B0,?,00000000,?), ref: 00DC446A
CloseHandle.KERNELBASE(00000000), ref: 00DC4475

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 19cb28f7b749bf30ca4e2c2730010bc62dd00bf0664b84a61347374f254a1497
Instruction ID: 5239dafb7109b0df83e97f8d2e14bf959e93fd2b36086e0c1cdd8876497ab79e
Opcode Fuzzy Hash: 19cb28f7b749bf30ca4e2c2730010bc62dd00bf0664b84a61347374f254a1497
Instruction Fuzzy Hash: 7AF05E70600348AFDB14EFA4DC99B697BB8EB04705F504098E805DB2D0DBB06A44CB70

Function 00DD308C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00DD3FCA: try_get_function.LIBVCRUNTIME ref: 00DD3FDF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DD30AA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00DD30B5

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 165fb965eb4e6da7c876b7ca53a391ca719d022ff85b03f624e70727f75cf81f
Instruction ID: c78fb850e10f3fad66d016032544c115623c05f014157b7d47034abbb02f2d32
Opcode Fuzzy Hash: 165fb965eb4e6da7c876b7ca53a391ca719d022ff85b03f624e70727f75cf81f
Instruction Fuzzy Hash: 65D02226444341488E243FB43D0307A2354DC51B703644B4BF020CA7C3EF24D749A033

Function 00DCFC70 Relevance: 2.6, APIs: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 00DCFCB3
HeapFree.KERNEL32(00000000), ref: 00DCFCBA

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f816f99cf27a97a08a1b2a4097cfe6c29175a5093795d96a5bd921ba1f094728
Instruction ID: 36317385e8014da1f427106a4af0ef5043e38fac04b763803883d9ce037690bc
Opcode Fuzzy Hash: f816f99cf27a97a08a1b2a4097cfe6c29175a5093795d96a5bd921ba1f094728
Instruction Fuzzy Hash: 4521A2B5A0030A9BDB10DF59D881FAA77EAEF48311F08456CE95AD7341E770EE0087B0

Function 00DDB5D6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00DDA272: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DD8B5A,00000001,00000364,?,00DD2AA0,?,?,?,?,?,00DC7DDD,?), ref: 00DDA2B3

_free.LIBCMT ref: 00DDB642

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2264b8dc440bd836ca5efdcdcc207cde03cd0b5dfc6e4b607fc2e260d0dd6cb0
Instruction ID: 0049184bb087a688768e5965eaaaa1fe3b3aa2cd8fc8b2ecac81d6316fff99ea
Opcode Fuzzy Hash: 2264b8dc440bd836ca5efdcdcc207cde03cd0b5dfc6e4b607fc2e260d0dd6cb0
Instruction Fuzzy Hash: 2201D672204345AFE7218E6A9881A5AFBEDEB85370F26051FE5C5873C0EB30E9058774

Function 00DDA272 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DD8B5A,00000001,00000364,?,00DD2AA0,?,?,?,?,?,00DC7DDD,?), ref: 00DDA2B3

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 676d6096ebbe2b93c9381401b67774e603fbd84a80453c21b9cec4e303d38db1
Instruction ID: f61b5b94a3d9bb4fc755a74384d9fdc522335211a3ecc46615778e55355eb636
Opcode Fuzzy Hash: 676d6096ebbe2b93c9381401b67774e603fbd84a80453c21b9cec4e303d38db1
Instruction Fuzzy Hash: 81F0B4312056216B9B216B7F9C45A5A3F99AF51B60B18D563FC04DA398DA22EC0042F6

Function 00DC3B30 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00DC0000,00000000,00DE35D4,00000000), ref: 00DC3B55

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: d41453db8dea4898e2bdab0a22c61e7c4425e08e454a7a09875edf360e9b8c1d
Instruction ID: c5cfad0343d0aa6725baa3ef0008d6fdf47ec35c0e7db66f2e4ec77af5c225e3
Opcode Fuzzy Hash: d41453db8dea4898e2bdab0a22c61e7c4425e08e454a7a09875edf360e9b8c1d
Instruction Fuzzy Hash: A0E04F74A0430CAFDB00EF94D845BADBFB8EB08300F404099EC059B340DA706A588BA1

Function 00DD05F8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD0610

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 54476a2273c2334f981010b1c8e057091d32799afc62cf72244a8eae725eadf2
Instruction ID: 8d5c7e8e74bf5ba2dbc309c2bfed84f8be17527033f63e19f4a8417e96b65113
Opcode Fuzzy Hash: 54476a2273c2334f981010b1c8e057091d32799afc62cf72244a8eae725eadf2
Instruction Fuzzy Hash: 22B012812DD0067E3314E1015C02F3B050CC1C0B31B30C81FF0C1C1291D880AC141835

Function 00DD0684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7740af829a2c03ae325e18cced3a410d4a877b8bb81b743254fb0eb167e27476
Instruction ID: f7e92d6fc0d45590b03d44db640718b3af633587861fafa4ce9426c8186b17e1
Opcode Fuzzy Hash: 7740af829a2c03ae325e18cced3a410d4a877b8bb81b743254fb0eb167e27476
Instruction Fuzzy Hash: 1FB0128125C006BE3314E2155C02F3B050CC1C0F20B30C51FF445C6351D940DC141532

Function 00DD065C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e80ccad9301fac7a58cec7c32fcb2fa26b6647dbc015aacb670d0d437f8b28ff
Instruction ID: 3639dd07f1ff9bd37dfcc66633b2ae7744b158149a83d17cef41f22c749a976b
Opcode Fuzzy Hash: e80ccad9301fac7a58cec7c32fcb2fa26b6647dbc015aacb670d0d437f8b28ff
Instruction Fuzzy Hash: 96B0129125D2027E3355E2155C02F3B050CC1C0F20B30861FF045C6351D9409C980632

Function 00DD0652 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 27dc6cb0289c4093a7f645c1ea13b06e1c0420b7b278569c2f1e1b8e6152fc2c
Instruction ID: 2b04731b710c81e199ed2205ec9d9eadd0ad8ddac1619fdead634a9fae52f3e0
Opcode Fuzzy Hash: 27dc6cb0289c4093a7f645c1ea13b06e1c0420b7b278569c2f1e1b8e6152fc2c
Instruction Fuzzy Hash: 13B0128125E0027E3315E2155D02F3B050CC1C0F60B30C51FF145CA351D940AC550532

Function 00DD0648 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 109a96c8950cc360e36523e0fb44037efbebba6c5e7fdfaa50a8d630ecd10cc1
Instruction ID: 0979418d6ef3828d859d3efcc9ba41a7a57f6219e8b06c1c191fbb7070a3031a
Opcode Fuzzy Hash: 109a96c8950cc360e36523e0fb44037efbebba6c5e7fdfaa50a8d630ecd10cc1
Instruction Fuzzy Hash: FCB0128126E0027E3315E2155C12F3B050CC5C0F20F30851FF045C6351D9409C540532

Function 00DD067A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4b535c000ac51c2891eeb41e3c8fb26749ab81ca2bd5fd5a557e190d9bfd8cbb
Instruction ID: 7d9576000fd0e769dfcd879ad041bb7c89ad1da8a82750db4af65fd929761ba1
Opcode Fuzzy Hash: 4b535c000ac51c2891eeb41e3c8fb26749ab81ca2bd5fd5a557e190d9bfd8cbb
Instruction Fuzzy Hash: 4EB0128125C1067E3354E2155C02F3B050CC2C0F20B30861FF045C6351D9409D581632

Function 00DD0670 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fd11e950518aed18be8119b7663703c83d76d2f0ec33721ef89a37474bc1408d
Instruction ID: e76f94202b163fdd75140b122ac024532dd60b6f42bfe86bf00c1988915bf4c6
Opcode Fuzzy Hash: fd11e950518aed18be8119b7663703c83d76d2f0ec33721ef89a37474bc1408d
Instruction Fuzzy Hash: 67B0128125D002BE3315E2155C02F3B050CC1C0F20B30C51FF445C6351D9409C540632

Function 00DD0666 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b7677e31db134aa86554d0b3626abd4761cb7d9e3eae5acfcdaeb7052bf63e99
Instruction ID: 0a3e4b62e008df2b8b0df91a9ea43852655831d588ae8be19a4ae233a5f03c89
Opcode Fuzzy Hash: b7677e31db134aa86554d0b3626abd4761cb7d9e3eae5acfcdaeb7052bf63e99
Instruction Fuzzy Hash: 2EB0129125C0027E3304E2155D02F3B068CC1C0F21F30C51FF545C6351D9409C150532

Function 00DD0619 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 9b4651f94c199b3c075291c342c0eeee2165021550e438c235f44c6566a02f91
Instruction ID: 293a9545523d1fb2895462dbbc731693318fc97c5f118ff0fe528c6d3c11191d
Opcode Fuzzy Hash: 9b4651f94c199b3c075291c342c0eeee2165021550e438c235f44c6566a02f91
Instruction Fuzzy Hash: 96B0128325C1067E3304A211AC02F3B060CC1C0F21F30851FF441D5252D9409D140436

Function 00DD063E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 91fed53f15073a36c667c34685b072b30255f9cbd524ef673382c69425875146
Instruction ID: 1a1366d3114963161df2c34b1901e9407e3cbe53961c6a43380c517c4bcd3f12
Opcode Fuzzy Hash: 91fed53f15073a36c667c34685b072b30255f9cbd524ef673382c69425875146
Instruction Fuzzy Hash: 7CB0128125C002BE3304E2255C02F3B064CC1C0F21B30C51FF845C6351DA409C140532

Function 00DD0634 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DD062B

Part of subcall function 00DC7AE6: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00DC7AF1
Part of subcall function 00DC7AE6: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DC7B59
Part of subcall function 00DC7AE6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,?,?), ref: 00DC7B6A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e50e51759f53ecbf0d27462fca89128c50f7f2264f205c69fa21b5158ad57d2c
Instruction ID: d6869ee4bcfcee7047a334e44c964f4985dd1b054de0232e36433ec7a17fd38e
Opcode Fuzzy Hash: e50e51759f53ecbf0d27462fca89128c50f7f2264f205c69fa21b5158ad57d2c
Instruction Fuzzy Hash: A4B0128525D1027E3344E2155C02F3B064CC1C0F21B30861FF445C6351D9409C580632

Function 00DC3FE0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNEL32(00DC0000,0000000A,00DC2BA0,?), ref: 00DC3FF2

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: a3fb76070b6dfa741cbe57350eebd9de55dca05cc1c76f8229719e9e3becf136
Instruction ID: 96dec7434c2c181d3a1d08fa444202ab7eb9fb21e02422fc64f22defb7233ff5
Opcode Fuzzy Hash: a3fb76070b6dfa741cbe57350eebd9de55dca05cc1c76f8229719e9e3becf136
Instruction Fuzzy Hash: 15B09231284309FFCA002E91EC4AFA43F19A745B56F404044F60DAA1908AA2A62456B6

Function 00DC9CE0 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00DC9CEB

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e5d925bb4c4526b22e368915937211619a0fde30dbc7278bc7416b72631904f2
Instruction ID: c450b241226b3e527ad83b7364b86f8d7f534712cf48450fda4dee3155255ca5
Opcode Fuzzy Hash: e5d925bb4c4526b22e368915937211619a0fde30dbc7278bc7416b72631904f2
Instruction Fuzzy Hash: 0BB09232140208FBCA016F82EC0AF99BF2DEB15790F10C021F609491628773E521ABA8

Non-executed Functions

Function 00DC9020 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 152encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC8DC0: lstrcatA.KERNEL32(?, (Prototype),?,84D1659C,?), ref: 00DC8E56
Part of subcall function 00DC8DC0: CryptAcquireContextA.ADVAPI32(?,00000000,?,00000018,F0000040,?,84D1659C,?), ref: 00DC8E6D
Part of subcall function 00DC8DC0: CryptReleaseContext.ADVAPI32(00000000,00000000,?,84D1659C,?), ref: 00DC8E85

CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,84D1659C,?,?,00DC8744,?,?,?,?,00DE2269,000000FF), ref: 00DC9088
CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90A4
CryptHashData.ADVAPI32(?,?,84D1659C,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90BB
CryptGetHashParam.ADVAPI32(00000000,00000004,?,?,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC90E4
CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000,?,00000000,?,?,?,?,?,00DE2269,000000FF), ref: 00DC9128
CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC913E
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC914E
GetLastError.KERNEL32(Unable to create hash context!,?,?,?,?,00DE2269,000000FF), ref: 00DC9177
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC918F
GetLastError.KERNEL32(Unable to update hash context!,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC9199
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC91B1
GetLastError.KERNEL32(Unable to determine digest size!,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC91BB
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC91D3
GetLastError.KERNEL32(Unable to retrieve digest!,?,00DEB144,00000000,?,?,?,?,00DE2269,000000FF), ref: 00DC91DD
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC91F5

Strings

Unable to determine digest size!, xrefs: 00DC91B6
Unable to retrieve digest!, xrefs: 00DC91D8
Unable to update hash context!, xrefs: 00DC9194
Unable to create hash context!, xrefs: 00DC9172

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Crypt$Hash$ErrorException@8LastThrow$Context$DestroyParamRelease$AcquireCreateDatalstrcat
String ID: Unable to create hash context!$Unable to determine digest size!$Unable to retrieve digest!$Unable to update hash context!
API String ID: 827938544-872507617
Opcode ID: e79ad709fa9661ab89d5a67fbc5403bdeef81f14d6d2c0488c0ad2b9997f7ac9
Instruction ID: e629e3e446ddc4952770d7e2ad50037c381ef709afce24775ab2899a4b21524c
Opcode Fuzzy Hash: e79ad709fa9661ab89d5a67fbc5403bdeef81f14d6d2c0488c0ad2b9997f7ac9
Instruction Fuzzy Hash: A351E871A4034AAEDB10EFA1DC89FEEBBB8EF04714F14451AF511F7290DB74AA048A74

Function 00DC9340 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000004,0000800C,00DC8744,00000000,84D1659C,?,?,?,00000000), ref: 00DC9395
CryptGetHashParam.ADVAPI32(?,00000002,00000000,0000800C,00000000,0000800C,00000000,?), ref: 00DC93DC
GetLastError.KERNEL32(Unable to determine digest size!), ref: 00DC940A
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC9422
GetLastError.KERNEL32(Unable to retrieve digest!,?,00DEB144,00000000), ref: 00DC942C
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC9444

Strings

Unable to determine digest size!, xrefs: 00DC9405
Unable to retrieve digest!, xrefs: 00DC9427

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CryptErrorException@8HashLastParamThrow
String ID: Unable to determine digest size!$Unable to retrieve digest!
API String ID: 2498184597-199986585
Opcode ID: 2bfc0a4bbfe32073f503f71e2bd73edfd7ea4d349596af41365d96a89c8e8319
Instruction ID: 707eac73b55cc702dcd0c0c1b1dc7473a6851258b3bd3695c8dc32f1448af72e
Opcode Fuzzy Hash: 2bfc0a4bbfe32073f503f71e2bd73edfd7ea4d349596af41365d96a89c8e8319
Instruction Fuzzy Hash: 083109B1A40249AFDB10EF95DD49FEEBBB8EF04714F10411AB511A7280DB74AA08CBB4

Function 00DC9450 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00DC8378,0000800C,84D1659C,?), ref: 00DC9470
CryptDestroyHash.ADVAPI32(?,00000000), ref: 00DC9489
GetLastError.KERNEL32(Unable to create hash context!), ref: 00DC94A4
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC94BC

Strings

Unable to create hash context!, xrefs: 00DC949F

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CryptHash$CreateDestroyErrorException@8LastThrow
String ID: Unable to create hash context!
API String ID: 1323042765-1944974401
Opcode ID: 5fb13adb27496788c284a3a9d5512ed4eadb870a66dbf6bd6b2e077695bbb88c
Instruction ID: 22e1b4d8c8c1bedc4241fcc08156cf19c44d8ffb156d3fdb6fd8ff51df13a038
Opcode Fuzzy Hash: 5fb13adb27496788c284a3a9d5512ed4eadb870a66dbf6bd6b2e077695bbb88c
Instruction Fuzzy Hash: AD016271500309AFDB14FF60CC49FBEBBA8EF04710F00046DA902D7250DA70AA04CAB4

Function 00DC94D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00DC94E2
GetLastError.KERNEL32(Unable to update hash context!), ref: 00DC94F7
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC950F

Strings

Unable to update hash context!, xrefs: 00DC94F2

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CryptDataErrorException@8HashLastThrow
String ID: Unable to update hash context!
API String ID: 913647941-2364437153
Opcode ID: 89b441070463453b52d7de5e22eb1b279f6d400f71e2203e43d7c0f7eddc0a04
Instruction ID: e9f83183ffd4e108ef5c18b24f390fe6d19286cabe1f462cb3e76121d03fce9c
Opcode Fuzzy Hash: 89b441070463453b52d7de5e22eb1b279f6d400f71e2203e43d7c0f7eddc0a04
Instruction Fuzzy Hash: F6E01A3164024AAFCB10BFA5CC4AF7EBB6CEB10710F004459B91596191EA31A9148AB4

Function 00DCEDE0 Relevance: 5.2, APIs: 4, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 00DCF034
HeapFree.KERNEL32(00000000), ref: 00DCF03B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 00DCF058
HeapFree.KERNEL32(00000000), ref: 00DCF05F

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4859b4425103d3ddd71918dc1c88219aea5fae41c4dd8e1ee7bc411b44322838
Instruction ID: 0403c5f620b575e2d2639ae95e8c28baac7a52cc6220179910cbb1f5c1f6cb26
Opcode Fuzzy Hash: 4859b4425103d3ddd71918dc1c88219aea5fae41c4dd8e1ee7bc411b44322838
Instruction Fuzzy Hash: 33712AB2D0021A5BDB20DBA49C85FEFB7BDAF08355F09416DE911A7201E7759E098BB0

Function 00DD4476 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00DD456E
SetUnhandledExceptionFilter.KERNEL32 ref: 00DD4578
UnhandledExceptionFilter.KERNEL32(?), ref: 00DD4585

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 33ca43c6d09d6e952a7a7ec08121b7e0582cf92b65f9e425c0c7c4db054b5b77
Instruction ID: a85c2aedcb9d2f2c49f79b9824e755bb3e6f4c6d43dfdbcd4e0f60be60ae6b93
Opcode Fuzzy Hash: 33ca43c6d09d6e952a7a7ec08121b7e0582cf92b65f9e425c0c7c4db054b5b77
Instruction Fuzzy Hash: B0319275941218ABCB21DF64D889799BBB8FF08310F5041EAE91CA7350E7709F858F65

Function 00DD7C5A Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00DD7C30,00000000,00DEBA28,0000000C,00DD7D87,00000000,00000002,00000000), ref: 00DD7C7B
TerminateProcess.KERNEL32(00000000,?,00DD7C30,00000000,00DEBA28,0000000C,00DD7D87,00000000,00000002,00000000), ref: 00DD7C82
ExitProcess.KERNEL32 ref: 00DD7C94

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e101b2736522dbe1acefee5bd8e2aaf01ab2b75aa07c156958e57c180b8147f
Instruction ID: 20b061f48eb22c628ba21fac8bfb1f5d238b2f28b81e95ac25abdc997778f382
Opcode Fuzzy Hash: 5e101b2736522dbe1acefee5bd8e2aaf01ab2b75aa07c156958e57c180b8147f
Instruction Fuzzy Hash: A1E04631020288AFCF11BF18DD4DAA83B6AEB10391F000051F8088B731EB35DE86CBB0

Function 00DDA4B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00DDA57F

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0070d82ec55aee28cea7c58477ca9234eff47a025d904618e19976ae1a9f0102
Instruction ID: 002f4b10cc7c3bc1aa37fb86c0d59f8e33409109083e6d75e4059566c4ae1250
Opcode Fuzzy Hash: 0070d82ec55aee28cea7c58477ca9234eff47a025d904618e19976ae1a9f0102
Instruction Fuzzy Hash: 29412872500219AFCB209FBDDC89EBB7778EB80710F14826AF905C7280E671DE818B71

Function 00DC8260 Relevance: 1.5, APIs: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?,84D1659C,?,?,00DE20F0,000000FF), ref: 00DC8296

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CryptDestroyHash
String ID:
API String ID: 174375392-0
Opcode ID: 29dcc4beb15cb406296b968e2dacf9a68fd534064387532fb46f1cdf1c906d2b
Instruction ID: c7e8f9a806bc3b6b872a25e645c94de2e3c1aeacfe6dfe6c8eac2ef8146a1469
Opcode Fuzzy Hash: 29dcc4beb15cb406296b968e2dacf9a68fd534064387532fb46f1cdf1c906d2b
Instruction Fuzzy Hash: 33F03071644645AFD711DF58C941FAAB3ECEB08710F10455EFC15D3780DB76A904D6A4

Function 00DC8EF0 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,00DC83E7,00000000,?,?,?,00000000,00000004,?,00DC8744,0000800C,84D1659C,?), ref: 00DC8EF8

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 33b70905acc4f270ba49465d761535e6ec830dd792a11913f99f2a94dc4e9423
Instruction ID: 49617b636a67b57efada9bcbd325bd3fe656789ab14c3e1e878b3ce429e73da9
Opcode Fuzzy Hash: 33b70905acc4f270ba49465d761535e6ec830dd792a11913f99f2a94dc4e9423
Instruction Fuzzy Hash: E3B0123104030CB7C6102F41EC09F55BF2CD710760F004021F7044917087726520A5B9

Function 00DE2660 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(002BFBE8,00000000), ref: 00DE266C

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: b8441c4b132cdc1646988528f301a3ef76e1648502d028828762ec774c23c9a3
Instruction ID: 1a8009564fd44d9d65cbb4f43b193cf12801fb187fb916648ef0b009a0efc899
Opcode Fuzzy Hash: b8441c4b132cdc1646988528f301a3ef76e1648502d028828762ec774c23c9a3
Instruction Fuzzy Hash: 4BB012707003C057DE20BF33AD8DB2633EC6700700F0440047200DA2B0C660EA00C934

Function 00DC12F0 Relevance: 66.9, APIs: 35, Strings: 3, Instructions: 434windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00DC1362
PostQuitMessage.USER32 ref: 00DC136A
DestroyWindow.USER32 ref: 00DC1386
PostQuitMessage.USER32 ref: 00DC138E
DestroyWindow.USER32 ref: 00DC13AF
DestroyWindow.USER32 ref: 00DC13BB
DestroyWindow.USER32 ref: 00DC13C7
DestroyWindow.USER32 ref: 00DC13D3
DestroyWindow.USER32 ref: 00DC13DF
DestroyWindow.USER32 ref: 00DC13EB
DeleteObject.GDI32 ref: 00DC13F7
DeleteObject.GDI32 ref: 00DC1403
DeleteObject.GDI32 ref: 00DC140F
DestroyIcon.USER32 ref: 00DC141B
SystemParametersInfoW.USER32 ref: 00DC1460
CreateFontIndirectW.GDI32(?), ref: 00DC146A
CreateFontIndirectW.GDI32(?), ref: 00DC1491
CreateFontIndirectW.GDI32(?), ref: 00DC14B8
LoadImageW.USER32 ref: 00DC1669
CreateWindowExW.USER32 ref: 00DC1695
SendMessageW.USER32(00000000,00000172,00000001), ref: 00DC16AE
CreateWindowExW.USER32 ref: 00DC16ED
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DC1703
CreateWindowExW.USER32 ref: 00DC1746
CreateWindowExW.USER32 ref: 00DC1787
SendMessageW.USER32(00000030,00000000), ref: 00DC17A2
SendMessageW.USER32(00000030,00000000), ref: 00DC17B8

Part of subcall function 00DC3B30: LoadStringW.USER32(00DC0000,00000000,00DE35D4,00000000), ref: 00DC3B55

CreateWindowExW.USER32 ref: 00DC1810
CreateWindowExW.USER32 ref: 00DC1851
SendMessageW.USER32(00000030,00000000), ref: 00DC186C
SendMessageW.USER32(00000030,00000000), ref: 00DC1882
SystemParametersInfoW.USER32 ref: 00DC1898
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DC18EB
SetFocus.USER32 ref: 00DC18F7
DefWindowProcW.USER32(?,?,?,?), ref: 00DC190C

Strings

BUTTON, xrefs: 00DC1809, 00DC184A
}&Nw, xrefs: 00DC190C
STATIC, xrefs: 00DC168E, 00DC16E6, 00DC173F, 00DC1780

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Window$CreateDestroy$Message$Send$DeleteFontIndirectObject$InfoLoadParametersPostQuitSystem$FocusIconImageProcString
String ID: BUTTON$STATIC$}&Nw
API String ID: 2791220612-355568966
Opcode ID: 1ff846212fe2afcba7b2c8443e1452ed4726a5b2964ed6ade185d38cffaefe3f
Instruction ID: 742d2c090dabcbcb18ffb69bef686c0ffb54ee53cafea2b7ab5e3b90996ed35c
Opcode Fuzzy Hash: 1ff846212fe2afcba7b2c8443e1452ed4726a5b2964ed6ade185d38cffaefe3f
Instruction Fuzzy Hash: 6C029F71A41354AFDB61AFA4DC8DBA9BBB5FB48300F104199F609EB3A1D7715A80CF24

Function 00DC21B0 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 241timelibraryloaderCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00DC2233
InterlockedExchange.KERNEL32(-0000000C,00000000), ref: 00DC2244
DefWindowProcW.USER32(?,?,?,?), ref: 00DC2250
GetWindowRect.USER32(?,?), ref: 00DC226E
GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 00DC22B5
GetProcAddress.KERNEL32(00000000), ref: 00DC22BC
GetVersionExW.KERNEL32(?), ref: 00DC22D8
SetTimer.USER32(?,00000001,00000019,?), ref: 00DC230B
DefWindowProcW.USER32(?,?,?,?), ref: 00DC2317
DefWindowProcW.USER32(?,00000010,?,?), ref: 00DC2401
DefWindowProcW.USER32(?,?,?,?), ref: 00DC242E

Part of subcall function 00DC1FC0: CreateSolidBrush.GDI32(00824049), ref: 00DC2021
Part of subcall function 00DC1FC0: CreateSolidBrush.GDI32(00F67000), ref: 00DC2064
Part of subcall function 00DC1FC0: BeginPaint.USER32(?,?), ref: 00DC2074
Part of subcall function 00DC1FC0: FillRect.USER32 ref: 00DC20E3
Part of subcall function 00DC1FC0: FillRect.USER32 ref: 00DC210D
Part of subcall function 00DC1FC0: EndPaint.USER32(?,?), ref: 00DC2118

Strings

}&Nw, xrefs: 00DC2250, 00DC2317, 00DC2348, 00DC23C8, 00DC2401, 00DC242E
ShutdownBlockReasonCreate, xrefs: 00DC229F
DwmSetWindowAttribute, xrefs: 00DC2374
dwmapi.dll, xrefs: 00DC2363
user32.dll, xrefs: 00DC22AB

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ProcWindow$Rect$BrushCreateFillPaintSolidTimer$AddressBeginExchangeHandleInterlockedKillModuleVersion
String ID: DwmSetWindowAttribute$ShutdownBlockReasonCreate$dwmapi.dll$user32.dll$}&Nw
API String ID: 190927372-456768010
Opcode ID: 689cd7907b70830337888d9f9a4150dc7608508724bcf8a2077ea28477089ba9
Instruction ID: 1ae92376ea275c78e87bc8af5dc06343ad8567ff1fd7fe52928ba28e7654d1e2
Opcode Fuzzy Hash: 689cd7907b70830337888d9f9a4150dc7608508724bcf8a2077ea28477089ba9
Instruction Fuzzy Hash: 75719332600349ABDB20AFA4EC89FBE7B68FB49711F04045EF645DB3A1C7759A109B71

Function 00DC1930 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 243commemoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG), ref: 00DC1956
SizeofResource.KERNEL32(00000000,00000000), ref: 00DC1964
LoadResource.KERNEL32(00000000,00000000), ref: 00DC196F
LockResource.KERNEL32(00000000), ref: 00DC197A
GlobalAlloc.KERNEL32(00000002,?), ref: 00DC198B
GlobalLock.KERNEL32 ref: 00DC1998
GlobalUnlock.KERNEL32(00000000), ref: 00DC19B0
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DC19BD
GlobalFree.KERNEL32(00000000), ref: 00DC19CB
CoInitializeEx.OLE32(00000000,00000000), ref: 00DC19E6
CoCreateInstance.OLE32(00DE3EF4,00000000,00000001,00DE366C,?), ref: 00DC1A06
GetDC.USER32(00000000), ref: 00DC1B3B
CreateDIBSection.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 00DC1B52
ReleaseDC.USER32(00000000,00000000), ref: 00DC1B5E
DeleteObject.GDI32(00000000), ref: 00DC1B98

Strings

(, xrefs: 00DC1B06
PNG, xrefs: 00DC1947

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Global$Resource$Create$Lock$AllocDeleteFindFreeInitializeInstanceLoadObjectReleaseSectionSizeofStreamUnlock
String ID: ($PNG
API String ID: 3552602207-4064097209
Opcode ID: 3f119dbcf0526acef10e6e76d657035603b01881c4817c20027989d94d5882c3
Instruction ID: 9beafe3cfc26b2c875366ead4f6e59f21d0bc5e2ebc665a3fa346b8549b1c46b
Opcode Fuzzy Hash: 3f119dbcf0526acef10e6e76d657035603b01881c4817c20027989d94d5882c3
Instruction Fuzzy Hash: 11916075A01229AFDB009F95DC88FAEBBB8FF49700F144159E505EB350DB70AE05CBA4

Function 00DC1D90 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 168windowregistryCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000018,?), ref: 00DC1E04
LoadImageW.USER32 ref: 00DC1E51
LoadImageW.USER32 ref: 00DC1E6C
CreatePatternBrush.GDI32(00000000), ref: 00DC1E76
GetSystemMetrics.USER32 ref: 00DC1E98
GetSystemMetrics.USER32 ref: 00DC1EA2
LoadImageW.USER32 ref: 00DC1EB2
SystemParametersInfoW.USER32 ref: 00DC1EC5
RegisterClassExW.USER32(?), ref: 00DC1F0F
CreateWindowExW.USER32 ref: 00DC1F38
InterlockedExchange.KERNEL32(?,00000000), ref: 00DC1F40
GetMessageW.USER32 ref: 00DC1F5A
DispatchMessageW.USER32(?), ref: 00DC1F6D

Strings

0, xrefs: 00DC1E12

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ImageLoadSystem$CreateMessageMetrics$BrushClassDispatchExchangeInfoInterlockedObjectParametersPatternRegisterWindow
String ID: 0
API String ID: 1229437984-4108050209
Opcode ID: e12fb664c916dbc525161e4271ba91fc17e4c5c2a5d0ab57987c3467d3e923f0
Instruction ID: aeb204c0cd3e8520c03af86bc0fe0b6942a118c80d0e3ef2ebe7b2a7d53aba9f
Opcode Fuzzy Hash: e12fb664c916dbc525161e4271ba91fc17e4c5c2a5d0ab57987c3467d3e923f0
Instruction Fuzzy Hash: E6514A75A40359AFEB209FA4CC49FAEBBB8FB05700F144119F605EB2D1DB74A904CBA4

Function 00DC1BF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 128windowregistryCOMMON

Download Yara Rule

APIs

#17.COMCTL32(84D1659C), ref: 00DC1C33
LoadImageW.USER32 ref: 00DC1C6A
LoadImageW.USER32 ref: 00DC1C85

Part of subcall function 00DC3B30: LoadStringW.USER32(00DC0000,00000000,00DE35D4,00000000), ref: 00DC3B55

GetSystemMetrics.USER32 ref: 00DC1CAE
GetSystemMetrics.USER32 ref: 00DC1CB8
LoadImageW.USER32 ref: 00DC1CC7
RegisterClassExW.USER32(?), ref: 00DC1CE3
CreateWindowExW.USER32 ref: 00DC1D05
GetMessageW.USER32 ref: 00DC1D1B
IsDialogMessageW.USER32 ref: 00DC1D2F
TranslateMessage.USER32(?), ref: 00DC1D3D
DispatchMessageW.USER32(?), ref: 00DC1D47

Strings

0, xrefs: 00DC1C39

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: LoadMessage$Image$MetricsSystem$ClassCreateDialogDispatchRegisterStringTranslateWindow
String ID: 0
API String ID: 2026041735-4108050209
Opcode ID: d79b5682d9a5db93a22eb03d7d351bbcac4ec02db2d93c7908ba0dcfbc05acb4
Instruction ID: a9897abb267712ec69338713b33e4ed262c8a29bf09460f66ddc627aedf6b4c5
Opcode Fuzzy Hash: d79b5682d9a5db93a22eb03d7d351bbcac4ec02db2d93c7908ba0dcfbc05acb4
Instruction Fuzzy Hash: 24414E75A40359BFEB209FA0DC49FAEBBB8EB04714F204119F615EF2D0D7B45A048B65

Function 00DDBBA7 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00DDBBEB

Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB87B
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB88D
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB89F
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB8B1
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB8C3
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB8D5
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB8E7
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB8F9
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB90B
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB91D
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB92F
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB941
Part of subcall function 00DDB85E: _free.LIBCMT ref: 00DDB953

_free.LIBCMT ref: 00DDBBE0

Part of subcall function 00DD8DE9: HeapFree.KERNEL32(00000000,00000000), ref: 00DD8DFF
Part of subcall function 00DD8DE9: GetLastError.KERNEL32(?,?,00DDB9F3,?,00000000,?,00000000,?,00DDBA1A,?,00000007,?,?,00DDBD3F,?,?), ref: 00DD8E11

_free.LIBCMT ref: 00DDBC02
_free.LIBCMT ref: 00DDBC17
_free.LIBCMT ref: 00DDBC22
_free.LIBCMT ref: 00DDBC44
_free.LIBCMT ref: 00DDBC57
_free.LIBCMT ref: 00DDBC65
_free.LIBCMT ref: 00DDBC70
_free.LIBCMT ref: 00DDBCA8
_free.LIBCMT ref: 00DDBCAF
_free.LIBCMT ref: 00DDBCCC
_free.LIBCMT ref: 00DDBCE4

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5691779cddd7ff67cf6f56d7a4efee5f5f264c8f1b0f6824d315ce2adf9b74fd
Instruction ID: 5082a34262e35fae75c7f39696b62e7a5b16793af025dd2b41133414ce7eedab
Opcode Fuzzy Hash: 5691779cddd7ff67cf6f56d7a4efee5f5f264c8f1b0f6824d315ce2adf9b74fd
Instruction Fuzzy Hash: F8315D35500301EFEB22AE79E845B6A77E9FB00364F19442BE088D7391DF75AC809B30

Function 00DC5535 Relevance: 16.7, APIs: 11, Instructions: 166synchronizationfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC8080: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2), ref: 00DC809B
Part of subcall function 00DC8080: GetProcAddress.KERNEL32(00000000), ref: 00DC80A2

InterlockedExchange.KERNEL32(?,000000C1), ref: 00DC5593
InterlockedExchange.KERNEL32(?,00000000), ref: 00DC55A2
CreateMutexW.KERNELBASE(00000000,00000001,00000000), ref: 00DC55D9
GetLastError.KERNEL32 ref: 00DC55E9
InterlockedExchange.KERNEL32(?,00000420), ref: 00DC5602
CloseHandle.KERNEL32(?), ref: 00DC75E3
CloseHandle.KERNEL32(?), ref: 00DC75F4
CloseHandle.KERNEL32(?), ref: 00DC7605
_wcsrchr.LIBVCRUNTIME ref: 00DC76A1
_wcsrchr.LIBVCRUNTIME ref: 00DC76B3
CreateHardLinkW.KERNEL32(?,00000000,00000000), ref: 00DC76EF
CopyFileW.KERNEL32 ref: 00DC7707
ReleaseMutex.KERNEL32(?), ref: 00DC7718
CloseHandle.KERNEL32(?), ref: 00DC771F

Part of subcall function 00DC3B70: #17.COMCTL32 ref: 00DC3B84
Part of subcall function 00DC3B70: LoadStringW.USER32(00DC0000,000003E9,?,00000000), ref: 00DC3BA1
Part of subcall function 00DC3B70: LoadStringW.USER32(00DC0000,?,?,00000000), ref: 00DC3BBA
Part of subcall function 00DC3B70: MessageBoxExW.USER32 ref: 00DC3BCF

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Handle$Close$ExchangeInterlocked$CreateLoadMutexString_wcsrchr$AddressCopyErrorFileHardLastLinkMessageModuleProcRelease
String ID:
API String ID: 3636221856-0
Opcode ID: 3bade53f08f2f2db3e8e50b8d10cba6843b189b9a944735913e6e10ec1a29057
Instruction ID: a18e743d76fbc8b59003fd27a1968bbb4e1abbffaf90a5780b9ffd562256eedf
Opcode Fuzzy Hash: 3bade53f08f2f2db3e8e50b8d10cba6843b189b9a944735913e6e10ec1a29057
Instruction Fuzzy Hash: AA513A71A042199BDB21EB64DC96FAD7778EF05705F0400E9E50AE7291DB709F848FB1

Function 00DC1FC0 Relevance: 15.1, APIs: 10, Instructions: 136COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00824049), ref: 00DC2021
CreateSolidBrush.GDI32(00362620), ref: 00DC2042
CreateSolidBrush.GDI32(00DBDBDA), ref: 00DC2054
CreateSolidBrush.GDI32(00F67000), ref: 00DC2064
BeginPaint.USER32(?,?), ref: 00DC2074
FillRect.USER32 ref: 00DC20E3
FillRect.USER32 ref: 00DC210D
EndPaint.USER32(?,?), ref: 00DC2118
CreateSolidBrush.GDI32(003F382C), ref: 00DC214E
CreateSolidBrush.GDI32(00FF9640), ref: 00DC218A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: BrushCreateSolid$FillPaintRect$Begin
String ID:
API String ID: 2220257389-0
Opcode ID: 8ad8b3c373cef6d7cdcec2c41c68d80c076b2ae054d6c2a13efd0f65946f4f46
Instruction ID: cad4011ede03c93236a779373569312b0de44c6552eef06f637a1569c550cd08
Opcode Fuzzy Hash: 8ad8b3c373cef6d7cdcec2c41c68d80c076b2ae054d6c2a13efd0f65946f4f46
Instruction Fuzzy Hash: D7514C75A00395EFDB11EFB8EC899B977B4EB09300B14462AE506DB362D730AA44DF71

Function 00DD89B1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DD89C5

Part of subcall function 00DD8DE9: HeapFree.KERNEL32(00000000,00000000), ref: 00DD8DFF
Part of subcall function 00DD8DE9: GetLastError.KERNEL32(?,?,00DDB9F3,?,00000000,?,00000000,?,00DDBA1A,?,00000007,?,?,00DDBD3F,?,?), ref: 00DD8E11

_free.LIBCMT ref: 00DD89D1
_free.LIBCMT ref: 00DD89DC
_free.LIBCMT ref: 00DD89E7
_free.LIBCMT ref: 00DD89F2
_free.LIBCMT ref: 00DD89FD
_free.LIBCMT ref: 00DD8A08
_free.LIBCMT ref: 00DD8A13
_free.LIBCMT ref: 00DD8A1E
_free.LIBCMT ref: 00DD8A2C

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f6e184596d98a00f6cbdd330b9e37fac2f82c984df6448cba93984a801dbd65f
Instruction ID: 03926df1a6538c1ad93e434d233aa07c329aa63629708251a1e5b09f310d7250
Opcode Fuzzy Hash: f6e184596d98a00f6cbdd330b9e37fac2f82c984df6448cba93984a801dbd65f
Instruction Fuzzy Hash: 5A11A779101208FFCB03EFD5DC42CE93F66EF14350B4140A6F9484B2A2DA35EA50EBA0

Function 00DC8080 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2), ref: 00DC809B
GetProcAddress.KERNEL32(00000000), ref: 00DC80A2
GetCurrentProcess.KERNEL32(?,?), ref: 00DC80D1

Strings

IsWow64Process2, xrefs: 00DC8091
Unable to determine native architecture of the system!, xrefs: 00DC8101
kernel32, xrefs: 00DC8096

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process2$Unable to determine native architecture of the system!$kernel32
API String ID: 4190356694-2412497375
Opcode ID: 90673ac37363099c3b2ca44c92bf6c6e4c3af4c6e09f28ef5d957117a03040cd
Instruction ID: cff3cb462f537a2f97c0da1d8167eb2172c068a11ef87f8cf2c7d69c43242800
Opcode Fuzzy Hash: 90673ac37363099c3b2ca44c92bf6c6e4c3af4c6e09f28ef5d957117a03040cd
Instruction Fuzzy Hash: D0115E31E40359ABCB10FFF59C499AE7BB8EF04710B00419AE806D7350DE349A488BB5

Function 00DC1100 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00DC1115
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 00DC111F
GetProcessHeap.KERNEL32(00000000,00000100), ref: 00DC1157
HeapAlloc.KERNEL32(00000000), ref: 00DC115E
GetSystemDirectoryW.KERNEL32(00000000,00000060), ref: 00DC116D
lstrcpyW.KERNEL32(?,\b86362a5.exe), ref: 00DC1187

Strings

\b86362a5.exe, xrefs: 00DC117E

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$AllocProcess$DirectorySystemlstrcpy
String ID: \b86362a5.exe
API String ID: 2190664303-3123522761
Opcode ID: 9f0a50ee79804456e0d1d04c35f22af0104f9f2478b68046552d827f336296a3
Instruction ID: a2e0d6541d79b3ed085789ba826ab87db085947f52cb3e412eb47426c36d1517
Opcode Fuzzy Hash: 9f0a50ee79804456e0d1d04c35f22af0104f9f2478b68046552d827f336296a3
Instruction Fuzzy Hash: 3711C475900752BBD710AFA6DC89B6ABBA8FF08750B08001AF905CB751D774E810C7F4

Function 00DDEEDD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00DDEF1F
__fassign.LIBCMT ref: 00DDEF9A
__fassign.LIBCMT ref: 00DDEFB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00DDEFDB
WriteFile.KERNEL32(?,00000000,00000000,00DDF652,00000000), ref: 00DDEFFA
WriteFile.KERNEL32(?,00000000,00000001,00DDF652,00000000), ref: 00DDF033

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e644224b54ae53591a3b98c9c7228ed6ba925d5d018f567d4433d2ba100cae30
Instruction ID: ace35aecc2a63224cbc90d25209b64c12eaad40d8923bb1949fda7a5a7d9c707
Opcode Fuzzy Hash: e644224b54ae53591a3b98c9c7228ed6ba925d5d018f567d4433d2ba100cae30
Instruction Fuzzy Hash: 4F51A1709002499FCB10DFA8D885BEEBBF8EF49310F14416BE592E7391D6309A45CBB0

Function 00DD1D80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DD1DAB
___except_validate_context_record.LIBVCRUNTIME ref: 00DD1DB3
_ValidateLocalCookies.LIBCMT ref: 00DD1E41
__IsNonwritableInCurrentImage.LIBCMT ref: 00DD1E6C
_ValidateLocalCookies.LIBCMT ref: 00DD1EC1

Strings

csm, xrefs: 00DD1E56

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b4e0fc23d7ede0275bb946b1b4a942a5eafe5f46a529b84faf2a94f0092209a5
Instruction ID: 4a6c3a516636776d19687183dddb839efef01209193615560e5bc602b634cd6d
Opcode Fuzzy Hash: b4e0fc23d7ede0275bb946b1b4a942a5eafe5f46a529b84faf2a94f0092209a5
Instruction Fuzzy Hash: 4F416238A00219ABCB10DF69C885AAEBBB5FF44314F148557FC159B392D771DA15CBB0

Function 00DCD860 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00DCD90A

Part of subcall function 00DC7DA0: ___std_exception_copy.LIBVCRUNTIME ref: 00DC7DD8

__CxxThrowException@8.LIBVCRUNTIME ref: 00DCD997

Part of subcall function 00DD203A: RaiseException.KERNEL32(?,?,00DC8071,?,?,?,?,?,?,?,?,00DC8071,?,00DEB144,00000000), ref: 00DD209A

__CxxThrowException@8.LIBVCRUNTIME ref: 00DCD9B2

Strings

Unable to convert invalid hexadecimal string!, xrefs: 00DCD99C
Unable to convert invalid hexadecimal character!, xrefs: 00DCD97F
0123456789ABCDEF, xrefs: 00DCD8F0, 00DCD8FE, 00DCD905, 00DCD91D, 00DCD934, 00DCD94D

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise___from_strstr_to_strchr___std_exception_copy
String ID: 0123456789ABCDEF$Unable to convert invalid hexadecimal character!$Unable to convert invalid hexadecimal string!
API String ID: 2723989866-230084144
Opcode ID: 386fa2da214e6e41ed7a31b414144ac3650f4386f3dde369d20f662853e6a21a
Instruction ID: a9eb5015a672b1fcd9c507a0bbf23849b237a42a86bed9d4a2af6e3629d5209e
Opcode Fuzzy Hash: 386fa2da214e6e41ed7a31b414144ac3650f4386f3dde369d20f662853e6a21a
Instruction Fuzzy Hash: ED41B070A00646AFCB10EFA9C951BAEBBF8EF05710F14456DE455AB381DB74E944CBB0

Function 00DC3280 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00DC0000,EDAT_ECOO,0000000A), ref: 00DC3294
LoadResource.KERNEL32(00DC0000,00000000), ref: 00DC32AB
SizeofResource.KERNEL32(00DC0000,00000000), ref: 00DC32B9

Strings

EDAT_ECOO, xrefs: 00DC328A
@, xrefs: 00DC32C9
, xrefs: 00DC331A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID: $@$EDAT_ECOO
API String ID: 507330600-2393187713
Opcode ID: 083c31941bfd608dc4f087f187e59ecccd7dc248e5e73ba4cb391d49bf39e892
Instruction ID: c947db61934d5ff2e75c7f636b2d8fc164a9febd639f7bececbb8cf1e0c09351
Opcode Fuzzy Hash: 083c31941bfd608dc4f087f187e59ecccd7dc248e5e73ba4cb391d49bf39e892
Instruction Fuzzy Hash: 1C31EA32A10B9397DB348FB888D5F69B3A1FF95344715C72EE44697102EF70AB948364

Function 00DDBA01 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DDB9C5: _free.LIBCMT ref: 00DDB9EE

_free.LIBCMT ref: 00DDBA4F

Part of subcall function 00DD8DE9: HeapFree.KERNEL32(00000000,00000000), ref: 00DD8DFF
Part of subcall function 00DD8DE9: GetLastError.KERNEL32(?,?,00DDB9F3,?,00000000,?,00000000,?,00DDBA1A,?,00000007,?,?,00DDBD3F,?,?), ref: 00DD8E11

_free.LIBCMT ref: 00DDBA5A
_free.LIBCMT ref: 00DDBA65
_free.LIBCMT ref: 00DDBAB9
_free.LIBCMT ref: 00DDBAC4
_free.LIBCMT ref: 00DDBACF
_free.LIBCMT ref: 00DDBADA

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc5d96b687ae4ce69053fd4d6e2136e2519ea8f0b48376b875dcd5d2fa60128c
Instruction ID: 7ea1ac7400ddcf40bf6bf2953944f82044a7fb37228f9700c7e032ef96d6b2f2
Opcode Fuzzy Hash: dc5d96b687ae4ce69053fd4d6e2136e2519ea8f0b48376b875dcd5d2fa60128c
Instruction Fuzzy Hash: 44118E31541B48FAD622BBB0CC07FEB779DEF01720F410817B399A62D2DB69B5049A70

Function 00DD2FFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DD2FF1,00DD2215), ref: 00DD3008
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DD3016
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DD302F
SetLastError.KERNEL32(00000000,?,00DD2FF1,00DD2215), ref: 00DD3081

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5dc29217c772c7c81930083725f4d0bc1279729b0a3cb759297b2da1ede2d76c
Instruction ID: a56fd2f924fc1e8ae3aa30370fda5f4d2139ba3b1509d21cef8177f3772447bb
Opcode Fuzzy Hash: 5dc29217c772c7c81930083725f4d0bc1279729b0a3cb759297b2da1ede2d76c
Instruction Fuzzy Hash: 650171322097516FA6343B74BCCA63B2754DB01774728432BF2109A3F4EF654E015172

Function 00DD8AA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DD4E11,?,?,?,00DD52E9,84D1659C,00000000,?,00DCD904,0123456789ABCDEF,84D1659C,?,?,00000000), ref: 00DD8AA9
_free.LIBCMT ref: 00DD8ADC
_free.LIBCMT ref: 00DD8B04
SetLastError.KERNEL32(00000000,00DD52E9,84D1659C,00000000,?,00DCD904,0123456789ABCDEF,84D1659C,?,?,00000000,00DC8722), ref: 00DD8B11
SetLastError.KERNEL32(00000000,00DD52E9,84D1659C,00000000,?,00DCD904,0123456789ABCDEF,84D1659C,?,?,00000000,00DC8722), ref: 00DD8B1D
_abort.LIBCMT ref: 00DD8B23

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 62c1c4a7a5cf26dc126f442d46eafb249421b644a5eefe373066ad30f3cbc4ef
Instruction ID: 0514f5e24ea6bd28720077978aded8a3febb3a22f8e406dc03e94f21bad99f31
Opcode Fuzzy Hash: 62c1c4a7a5cf26dc126f442d46eafb249421b644a5eefe373066ad30f3cbc4ef
Instruction Fuzzy Hash: DDF0FF36200B407BC2037769AC4AF3B2A2ADBC2731F2A0017F944DA3D6EE60C9026131

Function 00DC8F10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Unable to decode base64 string!), ref: 00DC8FD7
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC8FEF
GetLastError.KERNEL32(Unable to decode base64 string!,?,00DEB144,00000000), ref: 00DC8FF9
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC9011

Strings

Unable to decode base64 string!, xrefs: 00DC8FD2, 00DC8FF4

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorException@8LastThrow
String ID: Unable to decode base64 string!
API String ID: 1006195485-979745446
Opcode ID: 6aa250aa110830ce88ae6a8bcb3070b0be379dcd0e9032ee416643853cce5e6e
Instruction ID: 57479ec2fcd01454cb7537f799adb62f6e8ca6c50ed3c536af895983cd617e0d
Opcode Fuzzy Hash: 6aa250aa110830ce88ae6a8bcb3070b0be379dcd0e9032ee416643853cce5e6e
Instruction Fuzzy Hash: 50312971A4435AAFDB20EF95DC46FAEBBB8FF04B14F10411AB515A7280DBB46A04CB74

Function 00DC3BF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00DC3BF5

Part of subcall function 00DD059D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00DD05A9
Part of subcall function 00DD059D: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD05B7

std::_Xinvalid_argument.LIBCPMT ref: 00DC3C05

Part of subcall function 00DD05BD: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00DD05C9
Part of subcall function 00DD05BD: __CxxThrowException@8.LIBVCRUNTIME ref: 00DD05D7
Part of subcall function 00DD05BD: ___delayLoadHelper2@8.DELAYIMP ref: 00DD05EF

Strings

invalid string_view position, xrefs: 00DC3C10
vector<T> too long, xrefs: 00DC3C00
string too long, xrefs: 00DC3BF0

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::invalid_argument::invalid_argument$Helper2@8Load___delay
String ID: invalid string_view position$string too long$vector<T> too long
API String ID: 1134749845-2832074639
Opcode ID: a37eb0262e6f8b8ccc2ba74f01048941e40c08c03a1bc5d0d4ad608c8f463025
Instruction ID: 230b9919d9455abb330521a19bd699d5d428117af93fb0d4219b5e59ad44a38c
Opcode Fuzzy Hash: a37eb0262e6f8b8ccc2ba74f01048941e40c08c03a1bc5d0d4ad608c8f463025
Instruction Fuzzy Hash: 9FF0E2705002098A860CB320AC0AEA837959980334B60472BB835C76D1DB20EA098532

Function 00DD7CDF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DD7C90,00000000,?,00DD7C30,00000000,00DEBA28,0000000C,00DD7D87,00000000,00000002), ref: 00DD7CFF
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00DD7C90,00000000,?,00DD7C30,00000000,00DEBA28,0000000C,00DD7D87,00000000,00000002), ref: 00DD7D12
FreeLibrary.KERNEL32(00000000,?,?,?,00DD7C90,00000000,?,00DD7C30,00000000,00DEBA28,0000000C,00DD7D87,00000000,00000002), ref: 00DD7D35

Strings

CorExitProcess, xrefs: 00DD7D0A
mscoree.dll, xrefs: 00DD7CF8

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: aac53d75db1606c23f129735417fb43584bff6bbe2f72cc7c2ad6dbe118c8432
Instruction ID: 70962fcf2b8508f5f9cea61f6ff69ec6d4d60d8e9bbf82614abd75a9ca4d02ca
Opcode Fuzzy Hash: aac53d75db1606c23f129735417fb43584bff6bbe2f72cc7c2ad6dbe118c8432
Instruction Fuzzy Hash: 4DF03130604358BFCB11AB91DC49BBEBFB5EF04755F0441A9F905AA360DB715E84CAB4

Function 00DD81DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DD824D
_free.LIBCMT ref: 00DD826D

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d3b3dd60f24bd07634c01b4e1acb190af579f0ec5d9ca071c9b185db8a6c77e2
Instruction ID: 35f567c5cf59d414b5fc5e85149d394264098cfd453243a9605aa128506f932c
Opcode Fuzzy Hash: d3b3dd60f24bd07634c01b4e1acb190af579f0ec5d9ca071c9b185db8a6c77e2
Instruction Fuzzy Hash: C941E432A003009FDB11DF78C881A6DBBB5EF88714F1945AAE545EB381DA70AD01DBA0

Function 00DDA07D Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(84D1659C,00000000,8B000053,00DCD904,00000000,00000000,?,?,?,84D1659C,00000001,00DCD904,8B000053,00000001,?,?), ref: 00DDA0CA
__alloca_probe_16.LIBCMT ref: 00DDA102
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DDA153
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DDA165
__freea.LIBCMT ref: 00DDA16E

Part of subcall function 00DD8E23: HeapAlloc.KERNEL32(00000000,?,?,?,00DD2AA0,?,?,?,?,?,00DC7DDD,?,?), ref: 00DD8E55

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 8f7d48cb29a8e7c8a30399b289a8ffc1bf4e9271bcb1943baacba87d86b210c9
Instruction ID: 68e8fefab910219128f665b2aae0bee89d6618f517052f76b3f8251bde0363a5
Opcode Fuzzy Hash: 8f7d48cb29a8e7c8a30399b289a8ffc1bf4e9271bcb1943baacba87d86b210c9
Instruction Fuzzy Hash: D531AE32A0031AABDB259F68CC85EAF7BA5EB40750F08816AFC14DB250E735DD50CBB1

Function 00DD8B29 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00DD5183,00DD8E66,?,?,00DD2AA0,?,?,?,?,?,00DC7DDD,?,?), ref: 00DD8B2E
_free.LIBCMT ref: 00DD8B63
_free.LIBCMT ref: 00DD8B8A
SetLastError.KERNEL32(00000000,?,?), ref: 00DD8B97
SetLastError.KERNEL32(00000000,?,?), ref: 00DD8BA0

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 05e32c9b6bd2610cf828b3bc5f8f8d65eac3bb5b6ae01a2112eccde7841ff8d4
Instruction ID: bd7ab5aee1f4bdc3d65d61c2c9fb998b6e3feb9b7aac98b8d3699f79bac62dff
Opcode Fuzzy Hash: 05e32c9b6bd2610cf828b3bc5f8f8d65eac3bb5b6ae01a2112eccde7841ff8d4
Instruction Fuzzy Hash: F901D1B6140B406F92133779AC8AD2B2A6AEBC27753260027F546E6391EF74C9016134

Function 00DDB95C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DDB974

Part of subcall function 00DD8DE9: HeapFree.KERNEL32(00000000,00000000), ref: 00DD8DFF
Part of subcall function 00DD8DE9: GetLastError.KERNEL32(?,?,00DDB9F3,?,00000000,?,00000000,?,00DDBA1A,?,00000007,?,?,00DDBD3F,?,?), ref: 00DD8E11

_free.LIBCMT ref: 00DDB986
_free.LIBCMT ref: 00DDB998
_free.LIBCMT ref: 00DDB9AA
_free.LIBCMT ref: 00DDB9BC

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6228dd275613d70738aa3b6171a37a3f94a4a779b120fa9f24bba81e174ec2ae
Instruction ID: 28105872fec5d61566ca1f8ced301204d3c4437cbbba788c973870e9db64b59d
Opcode Fuzzy Hash: 6228dd275613d70738aa3b6171a37a3f94a4a779b120fa9f24bba81e174ec2ae
Instruction Fuzzy Hash: EBF0FF72515780EF8622FBA4F8D6C2673DAEA147247690807F188DB781CB34FC804A74

Function 00DD8450 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DD846E

Part of subcall function 00DD8DE9: HeapFree.KERNEL32(00000000,00000000), ref: 00DD8DFF
Part of subcall function 00DD8DE9: GetLastError.KERNEL32(?,?,00DDB9F3,?,00000000,?,00000000,?,00DDBA1A,?,00000007,?,?,00DDBD3F,?,?), ref: 00DD8E11

_free.LIBCMT ref: 00DD8480
_free.LIBCMT ref: 00DD8493
_free.LIBCMT ref: 00DD84A4
_free.LIBCMT ref: 00DD84B5

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 436978710d37e3dab96a43a2d1230688e218c383e1da5b6465ff3be7f103e142
Instruction ID: 6cabd39ba7e3d35ac4de890462834898ca7be83b84df7104bd6706cd257cba06
Opcode Fuzzy Hash: 436978710d37e3dab96a43a2d1230688e218c383e1da5b6465ff3be7f103e142
Instruction Fuzzy Hash: EBF017798063A0AFA723BF54FCC25183BA2E714B20305015BF450DA3F0CB750941ABF0

Function 00DD750E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe,00000104), ref: 00DD7549
_free.LIBCMT ref: 00DD7614
_free.LIBCMT ref: 00DD761E

Strings

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe, xrefs: 00DD7540, 00DD7547, 00DD7576, 00DD75AE

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod0_extract\avg_antivirus_free_setup.exe
API String ID: 2506810119-1481071300
Opcode ID: e7f79075b66952e10630b35ded3266b84b7d8355909b4c4cb50e9e32fe1bf547
Instruction ID: 694cf55cbe06646de5d216647f0eb89798aefe47b3e8729458450232a051ff63
Opcode Fuzzy Hash: e7f79075b66952e10630b35ded3266b84b7d8355909b4c4cb50e9e32fe1bf547
Instruction Fuzzy Hash: 98316171A09758AFCB21DF99E985D9EBBFCEB85710B1440A7F40497350E6708E40CBB1

Function 00DC7FE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00DC8004
GetLastError.KERNEL32(Unable to determine the operating system version!), ref: 00DC804E
__CxxThrowException@8.LIBVCRUNTIME ref: 00DC806C

Strings

Unable to determine the operating system version!, xrefs: 00DC8049

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ErrorException@8LastThrowVersion
String ID: Unable to determine the operating system version!
API String ID: 2663129220-661432720
Opcode ID: 327dd260411d8e87474b7c20363983a9f550e00361a3c8556b338e66fa74fcac
Instruction ID: 92eba4c9cd8a606b321ad2403b3d0502c0a620ac932f86f13af666176e604191
Opcode Fuzzy Hash: 327dd260411d8e87474b7c20363983a9f550e00361a3c8556b338e66fa74fcac
Instruction Fuzzy Hash: B701F7709142AC56CB15BB659C65AFE7BF4EF09300F4000DEB095D3281DA389B08DB74

Function 00DD92FC Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DD9387
__alldvrm.LIBCMT ref: 00DD9588
__alldvrm.LIBCMT ref: 00DD95AA

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 59875573e72320a7118c1066d22839fbe5f18940918a11b40eb48330f722db00
Instruction ID: ef8082713feefea3c339a764102beadb576fa8b8974cd147bca017c2b50564c2
Opcode Fuzzy Hash: 59875573e72320a7118c1066d22839fbe5f18940918a11b40eb48330f722db00
Instruction Fuzzy Hash: A8A13575A042869FDB22DE68D8A17AEFBE5EF11350F18417BE4859B382C236C942C770

Function 00DC11E0 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00DC1206
SelectObject.GDI32(00000000,?), ref: 00DC1214
GetTextExtentPoint32W.GDI32(?,00000000,-00000002,?), ref: 00DC128F
ReleaseDC.USER32(?,?), ref: 00DC12D5

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: ExtentObjectPoint32ReleaseSelectText
String ID:
API String ID: 4006923989-0
Opcode ID: a041b15f44734d80a7ff6340aebc64d1c80a2ab54e4ef18bbe519652c9a891b0
Instruction ID: 4ae79c5aa9d72c3918a2a5674ed807a569570f9b5201cf7106f1029971bf6994
Opcode Fuzzy Hash: a041b15f44734d80a7ff6340aebc64d1c80a2ab54e4ef18bbe519652c9a891b0
Instruction Fuzzy Hash: FC31EF75A402189BCB50DF64DC45BDAB7F9FF49300F1481E9E949E7201DA70AE8A8FE4

Function 00DD32B2 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00DD32CC

Part of subcall function 00DD3219: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00DD3248
Part of subcall function 00DD3219: ___AdjustPointer.LIBCMT ref: 00DD3263

_UnwindNestedFrames.LIBCMT ref: 00DD32E1
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00DD32F2
CallCatchBlock.LIBVCRUNTIME ref: 00DD331A

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4dbbf62a230ce864b2bb52b0cfdce793e84e64ee971ad292059bf22fa32e6a78
Instruction ID: 000beaa090769967d445cb1f356db5cdaf00a54c6b0976f28e2fd40daf45b6ff
Opcode Fuzzy Hash: 4dbbf62a230ce864b2bb52b0cfdce793e84e64ee971ad292059bf22fa32e6a78
Instruction Fuzzy Hash: 99012532600108BBDF126E95CC41EEB7F69EF98754F08411AFE58A6221C732E961DBB5

Function 00DD0A80 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00DEEA40,?,?,00DC219F,00DEE97C), ref: 00DD0A8A
LeaveCriticalSection.KERNEL32(00DEEA40,?,?,00DC219F,00DEE97C), ref: 00DD0ABD
SetEvent.KERNEL32(00000000,00DC219F,00DEE97C), ref: 00DD0B4B
ResetEvent.KERNEL32 ref: 00DD0B57

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 355cdfa5fc6953797517d9ddae83e660295362d133cd96344c5192185cc1be16
Instruction ID: d4331eee6bb6ee8f43eda5ac466ea507782f46ef4db3c740dd25948703792344
Opcode Fuzzy Hash: 355cdfa5fc6953797517d9ddae83e660295362d133cd96344c5192185cc1be16
Instruction Fuzzy Hash: 4E012C31A003A09BCB04BF55FC8CA697BA9FB4A311741486DE902DB720CB70AA00CBB5

Function 00DC3B70 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00DC3B84
LoadStringW.USER32(00DC0000,000003E9,?,00000000), ref: 00DC3BA1
LoadStringW.USER32(00DC0000,?,?,00000000), ref: 00DC3BBA
MessageBoxExW.USER32 ref: 00DC3BCF

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: LoadString$Message
String ID:
API String ID: 2278601591-0
Opcode ID: 8db09ad646fb01abc51ef0a313213d1cae1ac834032f8526283752f9583a7fda
Instruction ID: fe92497fb1009fbd60842e8f379b8a5031b019b9f56cb5e2ea3975d0c984d216
Opcode Fuzzy Hash: 8db09ad646fb01abc51ef0a313213d1cae1ac834032f8526283752f9583a7fda
Instruction Fuzzy Hash: 58F03135A44308BFDB00AF94DC49FAD7B78EB08701F404095FA04AB290C6B056588BB5

Function 00DD16E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DD176C: GetLastError.KERNEL32 ref: 00DD177E

IsDebuggerPresent.KERNEL32(?,?,?,00DC100A), ref: 00DD1713
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DC100A), ref: 00DD1722

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DD171D

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: da914c8386f32e5f6cac2e3ba0b515a5382ae2122f05bd840caee41ba0c7d4aa
Instruction ID: 4e89785ffb61505a136f8c6b0fa22c9a6a7b1bbb4ce671e19f9b61e2138ff7a1
Opcode Fuzzy Hash: da914c8386f32e5f6cac2e3ba0b515a5382ae2122f05bd840caee41ba0c7d4aa
Instruction Fuzzy Hash: 76E06D78600391EBD360AF25E949B527BE4EF04744F00881EE491C7761D7B0D4048BB1

Function 00DC7ABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadGetSRWLockFunctionPointers.DELAYIMP ref: 00DC7ABA

Part of subcall function 00DC787A: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00DC78F2,00DC7858,00DC7AF6,?,?,?,?,?,?,?,?,00DD05F4,00DEBD94), ref: 00DC7891

RtlReleaseSRWLockExclusive.NTDLL ref: 00DC7AD7

Strings

)@Nw, xrefs: 00DC7AC4

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Lock$DloadExclusiveFunctionHandleModulePointersRelease
String ID: )@Nw
API String ID: 2763976883-746534012
Opcode ID: 4fc8261cab23c821da979d785b3d55d1ff7a1397a180138e4d8ab83a3bba4739
Instruction ID: b97cd07e6e2e946ecb4d821e6ab3b4cd73028b09578eb362b4e05a8b1fcd45ae
Opcode Fuzzy Hash: 4fc8261cab23c821da979d785b3d55d1ff7a1397a180138e4d8ab83a3bba4739
Instruction Fuzzy Hash: BCC012201053B04BCB50BB55BC4979C3B94EB40750F444066E505EB352C6645804CFB1

Function 00DCFAC0 Relevance: 5.2, APIs: 4, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,-00000002), ref: 00DCFC26
HeapFree.KERNEL32(00000000), ref: 00DCFC2D
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,-00000002), ref: 00DCFC4D
HeapFree.KERNEL32(00000000), ref: 00DCFC54

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: da594ce21a38b04936d4e65152749dd0f6066422997be845b390eb1582194194
Instruction ID: 00965db19712beb2681341c157c1de04a19555ea502dde15ca387347699e325f
Opcode Fuzzy Hash: da594ce21a38b04936d4e65152749dd0f6066422997be845b390eb1582194194
Instruction Fuzzy Hash: C2512971E0021A9BDB10DFA4C985FEEBBB9EF08314F18416DE814AB351D775AE058BB0

Function 00DCF800 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,00DCFCED,?,00000000,?,?,?,00000000), ref: 00DCF814
HeapAlloc.KERNEL32(00000000,?,00DCFCED,?,00000000,?,?,?,00000000), ref: 00DCF81B
GetProcessHeap.KERNEL32(00000000,?,00DCFCED,?,00000000,?,?,?,00000000), ref: 00DCF85A
HeapFree.KERNEL32(00000000), ref: 00DCF861

Memory Dump Source

Source File: 00000003.00000002.762236773.0000000000DC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.762225859.0000000000DC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762259320.0000000000DE3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762289044.0000000000DEE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.762301512.0000000000DF1000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_avg_antivirus_free_setup.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 9278705759ac2374d99d9d2a1c071ef4d10bbe0f73151f02a17de0611f0ca14f
Instruction ID: 76447ae933d51a57845cfedee903f527c8274d74f81b04b9615a31a63129cb46
Opcode Fuzzy Hash: 9278705759ac2374d99d9d2a1c071ef4d10bbe0f73151f02a17de0611f0ca14f
Instruction Fuzzy Hash: BE11BFB5600612BBD7109F69DC49FAAB769FF40364F048625F918DB740C331E921CBE0

Analysis Process: WZSetup.exePID: 2596, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.6%
Total number of Nodes:	1328
Total number of Limit Nodes:	28

Executed Functions

Function 004033B3 Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 004033D6
GetVersionExA.KERNEL32(?), ref: 004033FF
GetVersionExA.KERNEL32(0000009C), ref: 00403416
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034DF
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040351C
OleInitialize.OLE32(00000000), ref: 00403523
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403541
GetCommandLineA.KERNEL32(WeatherZero 1.0.0.9 Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403556
CharNextA.USER32(00000000), ref: 00403590
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403689
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040369A
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036A6
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004036BA
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036C2
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036D3
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036DB
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 004036EF
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403795
OleUninitialize.OLE32 ref: 0040379A
ExitProcess.KERNEL32 ref: 004037BB
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000000,?,?,00000007,00000009,0000000B), ref: 004037CE
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A14C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000000,?,?,00000007,00000009,0000000B), ref: 004037DD
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000000,?,?,00000007,00000009,0000000B), ref: 004037E8
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000000,?,?,00000007,00000009,0000000B), ref: 004037F4
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403810
DeleteFileA.KERNEL32(00429450,00429450,?,00430000,?,?,00000007,00000009,0000000B), ref: 0040386D
CopyFileA.KERNEL32 ref: 00403882
CloseHandle.KERNEL32(00000000), ref: 004038AF
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038DD
OpenProcessToken.ADVAPI32(00000000), ref: 004038E4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403917
ExitWindowsEx.USER32(00000002,80040002), ref: 0040393C
ExitProcess.KERNEL32 ref: 0040395D

Strings

TMP, xrefs: 004036D6
\Temp, xrefs: 004036A0
"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123, xrefs: 0040355C, 00403562, 00403711
~nsu, xrefs: 004037C6
WeatherZero 1.0.0.9 Setup, xrefs: 0040354C
.tmp, xrefs: 004037E2
UXTHEME, xrefs: 004034D3, 004034D8, 004034DE
Error launching installer, xrefs: 00403753
C:\Users\user\AppData\Local\Temp\, xrefs: 0040367E, 00403683, 00403699, 004036A5, 004036B4, 004036C1, 004036CD, 004036D5, 004037CB, 004037DC, 004037E7, 004037F3, 00403800, 0040380F, 004038C4
A, xrefs: 00403451
C:\Program Files (x86)\WeatherZero, xrefs: 00403778
NSIS Error, xrefs: 00403547
C:\Program Files (x86)\WeatherZero, xrefs: 0040366E, 0040376D, 00403816, 00403820
1033, xrefs: 004036EA
TEMP, xrefs: 004036CE
SeShutdownPrivilege, xrefs: 004038F2
C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract, xrefs: 004037ED, 004037F2, 0040381F
", xrefs: 004035B3
C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe, xrefs: 0040387D
Low, xrefs: 004036BC

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123$.tmp$1033$A$C:\Program Files (x86)\WeatherZero$C:\Program Files (x86)\WeatherZero$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract$C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$WeatherZero 1.0.0.9 Setup$\Temp$~nsu
API String ID: 2882342585-715898289
Opcode ID: b81a96be3f2e02c6a2bc19dee2b15dd6465ea81e2f2d8c5fb96459ea38834aa7
Instruction ID: 223053d6f2ec0cc509bcc84454fcb5a587f3d9304b07d6be13cf3966b97333d0
Opcode Fuzzy Hash: b81a96be3f2e02c6a2bc19dee2b15dd6465ea81e2f2d8c5fb96459ea38834aa7
Instruction Fuzzy Hash: DCE1F470904354AADB21AF759D49B6F7EB8AF4570AF0440BFE441B62D2CB7C4A05CB2E

Function 00405A19 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405A42
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,?,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405A8A
lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,?,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405AAB
lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,?,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405AB1
FindFirstFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*,?,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405AC2
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6F
FindClose.KERNEL32(00000000), ref: 00405B80

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26
C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*, xrefs: 00405A72, 00405A78, 00405A89, 00405ABF
"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123, xrefs: 00405A22
\*.*, xrefs: 00405A84

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\*.*$\*.*
API String ID: 2035342205-1982795030
Opcode ID: 6279d5409f9ac8fecf523039a44e07b92db75dbea9c2d76fe17a079ddec69c30
Instruction ID: 3775624a82358ee84ae0e61ef35c65b769ecc780556a32b7edc65eda158531b4
Opcode Fuzzy Hash: 6279d5409f9ac8fecf523039a44e07b92db75dbea9c2d76fe17a079ddec69c30
Instruction Fuzzy Hash: D351BD30904A08AADB22AB618C89FAF7B78DF42714F24417BF441752D2D77C6982DE6D

Function 004065CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000020,0042C0E0,C:\,00405D1A,C:\,C:\,00000000,C:\,C:\,T'qu,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 004065D9
FindClose.KERNEL32(00000000), ref: 004065E5

Strings

C:\, xrefs: 004065CE

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 8216c8ff522cab9e5c4fbd2006c0822adf2a7579a10bfa080a6703c422ecd414
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 66D01231504520EBC7515B78BD0CC4B7A589F053313218A36F466F22E4CB34CC22A6DC

Function 00403A3D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406663: GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
Part of subcall function 00406663: GetProcAddress.KERNEL32(00000000,?), ref: 00406690

lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,75712754,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000009,0000000B), ref: 00403AB8
lstrlenA.KERNEL32(PrepareUninstall,?,?,?,PrepareUninstall,00000000,C:\Program Files (x86)\WeatherZero,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,75712754), ref: 00403B2D
lstrcmpiA.KERNEL32(?,.exe,PrepareUninstall,?,?,?,PrepareUninstall,00000000,C:\Program Files (x86)\WeatherZero,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403B40
GetFileAttributesA.KERNEL32(PrepareUninstall,?,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,00000009,0000000B), ref: 00403B4B
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\WeatherZero), ref: 00403B94

Part of subcall function 004061B5: wsprintfA.USER32 ref: 004061C2

RegisterClassA.USER32(0042EBC0), ref: 00403BD1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BE9
CreateWindowExA.USER32 ref: 00403C1E
ShowWindow.USER32(00000005,00000000), ref: 00403C54
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403C80
GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403C8D
RegisterClassA.USER32(0042EBC0), ref: 00403C96
DialogBoxParamA.USER32 ref: 00403CB5

Strings

_Nb, xrefs: 00403BB0, 00403C18
Control Panel\Desktop\ResourceLocale, xrefs: 00403A71
RichEdit, xrefs: 00403C87
RichEdit20A, xrefs: 00403C78, 00403C7E
"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123, xrefs: 00403A40
.DEFAULT\Control Panel\International, xrefs: 00403AA3
RichEd32, xrefs: 00403C68
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A42
.exe, xrefs: 00403B3A
RichEd20, xrefs: 00403C5A
PrepareUninstall, xrefs: 00403AFB, 00403B03, 00403B10, 00403B5A, 00403B60
1033, xrefs: 00403A5D, 00403AB3
C:\Program Files (x86)\WeatherZero, xrefs: 00403AC7, 00403ACF, 00403B67, 00403B6D, 00403B7D

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\WeatherZero$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$PrepareUninstall$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3521903216
Opcode ID: 29ccced9cd3b91ede68e14d676b6f46169d35ef19c796de8586ad51bef4d8373
Instruction ID: 6db815c1d0a977664f3d39510f8e98c50f9dfcfb4850e4c10674fdff383f0bc2
Opcode Fuzzy Hash: 29ccced9cd3b91ede68e14d676b6f46169d35ef19c796de8586ad51bef4d8373
Instruction Fuzzy Hash: C061B9716442046EE620BF669D46F373A7CEB54709F40443FF941B62D3CB7CA9069A2D

Function 00402F0C Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F1D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,00000400,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F39

Part of subcall function 00405DEA: GetFileAttributesA.KERNEL32(00000003,00402F4C,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
Part of subcall function 00405DEA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E10

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,80000000,00000003,?,?,004036FD,?,?,00000007), ref: 00402F85
GlobalAlloc.KERNEL32(00000040,00000007,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 004030BB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402F13
Inst, xrefs: 00402FF1
@TA, xrefs: 00402F9A
"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123, xrefs: 00402F12
soft, xrefs: 00402FFA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract, xrefs: 00402F67, 00402F6C, 00402F72
Null, xrefs: 00403003
C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe, xrefs: 00402F23, 00402F32, 00402F46, 00402F66
Error launching installer, xrefs: 00402F5C

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123$@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract$C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3810190910
Opcode ID: 309384e8a46cee6475fa6f32bc227d3efb1737e1aadde640dca7e14b32c4e110
Instruction ID: 70ffca3bdba6f18ae0426a301ce6e6f0801d42355b595fcaf053b8d4d934ef0e
Opcode Fuzzy Hash: 309384e8a46cee6475fa6f32bc227d3efb1737e1aadde640dca7e14b32c4e110
Instruction Fuzzy Hash: B351D371A01204ABDB20AF64DD85B9B7EBCEB1431AF60813BF500B62D1C7BC9E458B5D

Function 004062EA Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(PrepareUninstall,00000400), ref: 00406418
GetWindowsDirectoryA.KERNEL32(PrepareUninstall,00000400,?,0042A070,00000000,004053B0,0042A070,00000000), ref: 0040642B
SHGetSpecialFolderLocation.SHELL32(004053B0,756F110C,?), ref: 00406467
SHGetPathFromIDListA.SHELL32(756F110C,PrepareUninstall), ref: 00406475
CoTaskMemFree.OLE32(756F110C), ref: 00406481
lstrcatA.KERNEL32(PrepareUninstall,\Microsoft\Internet Explorer\Quick Launch), ref: 004064A5
lstrlenA.KERNEL32(PrepareUninstall,?,0042A070,00000000,004053B0,0042A070,00000000,00000000,0042288B,756F110C), ref: 004064F7

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004063E7
PrepareUninstall, xrefs: 00406314, 004063E4, 004063E5, 004063E6, 00406402, 00406417, 0040642A, 00406446, 00406471, 004064A4, 004064AA, 004064C2, 004064D5, 004064F0, 004064F6, 004064FE, 00406528
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040649F

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: PrepareUninstall$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2808097956
Opcode ID: a2f56f6d0f1162f5eaac14cd87f867bf1e8ae6f6d2175ce0c13bbb87bd24daf5
Instruction ID: b52c447f78294e1834a117c6ffbc2f7508752916544efe1487e33f4ad7b91c7d
Opcode Fuzzy Hash: a2f56f6d0f1162f5eaac14cd87f867bf1e8ae6f6d2175ce0c13bbb87bd24daf5
Instruction Fuzzy Hash: 53612270900110AFDF20AF24DD90B7E3BA8AB15318F52403FE903BA2D1C67C99A6DB5D

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,PrepareUninstall,C:\Program Files (x86)\WeatherZero,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,PrepareUninstall,PrepareUninstall,00000000,00000000,PrepareUninstall,C:\Program Files (x86)\WeatherZero,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403556,WeatherZero 1.0.0.9 Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264

Part of subcall function 00405378: lstrlenA.KERNEL32(0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
Part of subcall function 00405378: lstrcatA.KERNEL32(0042A070,0040329E,0040329E,0042A070,00000000,0042288B,756F110C), ref: 004053D4
Part of subcall function 00405378: SetWindowTextA.USER32(0042A070,0042A070), ref: 004053E6
Part of subcall function 00405378: SendMessageA.USER32 ref: 0040540C
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405426
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405434

Strings

C:\Program Files (x86)\WeatherZero, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nss2F4C.tmp, xrefs: 004017A3, 00401812, 00401830
PrepareUninstall, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\WeatherZeroNSISPlugin.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\WeatherZero$C:\Users\user\AppData\Local\Temp\nss2F4C.tmp$C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\WeatherZeroNSISPlugin.dll$PrepareUninstall
API String ID: 1941528284-1156617716
Opcode ID: 8d3b5ae6c6b003efd18ab5b2e71d482c3699f1416a594a6df6e726509aa3855b
Instruction ID: 09a7a28129c88a40a5f98fd7d2104631a28ae03f955191848f4916981dc93f0e
Opcode Fuzzy Hash: 8d3b5ae6c6b003efd18ab5b2e71d482c3699f1416a594a6df6e726509aa3855b
Instruction Fuzzy Hash: 2E41B572900615BBCB207BB5CD45DAF3679EF05369F60823FF422B20E1D67C8A518A6D

Function 004065F5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040660C
wsprintfA.USER32 ref: 00406645
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406659

Strings

\, xrefs: 0040661D
%s%s.dll, xrefs: 0040663F
UXTHEME, xrefs: 004065FE

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 9f789840e0b15416ae64874b5c60068ae2f650887ed5db1015d4ebb1f4ad26b2
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: 12F0213051060A67DB14A764DD0DFFB3B5CEB08304F14047EA586F10C1DAB9D5358B5D

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 0a858ad747990003e0502537ad84b7b57d2089fe9a4e23a85f5d834710d08887
Instruction ID: 8ee3283f5e82c4de6b5bb6756b1dc9e053edc2f3d39da16acebec05e3c4c8ed7
Opcode Fuzzy Hash: 0a858ad747990003e0502537ad84b7b57d2089fe9a4e23a85f5d834710d08887
Instruction Fuzzy Hash: 55318F32800124BBDF217FA5DE89D9E7B79BF08324F14423AF554B62D1CB7949419B68

Function 00403143 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 004031AA
GetTickCount.KERNEL32(0040B880,0041D448,00004000), ref: 00403251
MulDiv.KERNEL32 ref: 0040327A
wsprintfA.USER32 ref: 0040328A

Strings

... %d%%, xrefs: 00403284

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 7025284360d03d8e766f027862492d7b6285ba9bc66dcabc93bb20b55c1b267b
Instruction ID: cc32688fb846b20799601ecf4724bdf5f6a604bb501928ae6cb5e0d1b862edc2
Opcode Fuzzy Hash: 7025284360d03d8e766f027862492d7b6285ba9bc66dcabc93bb20b55c1b267b
Instruction Fuzzy Hash: 10517C71800219ABDB10DFA5DA8469F7BB8EF44766F14817BEC41B72D0C7389A50CBA9

Function 00405CD7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403556,WeatherZero 1.0.0.9 Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264

Part of subcall function 00405C82: CharNextA.USER32(?), ref: 00405C90
Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,T'qu,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,75712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123), ref: 00405D2A
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,T'qu,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,75712754,C:\Users\user\AppData\Local\Temp\), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CD7
C:\, xrefs: 00405CDD, 00405CE2, 00405CE8, 00405D23, 00405D29, 00405D31, 00405D39
T'qu, xrefs: 00405CD9

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\$T'qu
API String ID: 3248276644-822705346
Opcode ID: 29467e021e5a5cbfdb50d3ef3054caf9b3e4a2c2be32e2e0e67c19f10da5a835
Instruction ID: 961b8afdf15cf8a693d93a37420b81600cf3221e3748574004b2986df105c153
Opcode Fuzzy Hash: 29467e021e5a5cbfdb50d3ef3054caf9b3e4a2c2be32e2e0e67c19f10da5a835
Instruction Fuzzy Hash: 01F02D25108E6526E62632391D09AAF0645CD93324759453FFCA2762C1DB3C89439E6D

Function 0040583E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 00405881
GetLastError.KERNEL32 ref: 00405895
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058AA
GetLastError.KERNEL32 ref: 004058B4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405864

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4017390910
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 2f5b217c954ff7fbb4119b01485a045b77912d3f79ec2e58d5a645a6a403fb95
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: A7010872C00219EAEF00DBA1C944BEFBBB8EF04355F00803AD945B6290E7789658CB99

Function 0040247E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss2F4C.tmp,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nss2F4C.tmp,00000000), ref: 00402509
RegCloseKey.ADVAPI32(?), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nss2F4C.tmp, xrefs: 004024BA, 004024C8, 004024DC, 004024F3, 004024FE

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp
API String ID: 2655323295-3274884388
Opcode ID: 295319e2c791f480c45178241e9784c9093b9fe0b9181941fb42c61741a372fd
Instruction ID: f3aadfd2260b8f93e823aa7e7f88ba76dab9d069632aeea64c5940af2cf5b862
Opcode Fuzzy Hash: 295319e2c791f480c45178241e9784c9093b9fe0b9181941fb42c61741a372fd
Instruction Fuzzy Hash: 5E119371E04208BFEB20AFA59E49AAE7A74EB44714F21443FF504F71C1D6B94D409B68

Function 00405E19 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32(75712754,C:\Users\user\AppData\Local\Temp\,?,004033B1,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 00405E2D
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?), ref: 00405E47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1C
nsa, xrefs: 00405E24

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4262883142
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: db84433a099d66a6ad53f3418d19e52f8fbd3804b66164b4918815a523437c08
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 9CF0A736348208BBEB109F56ED04B9B7B9CDF91B50F10C03BFA84DB180D6B5DA548798

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 00405378: lstrlenA.KERNEL32(0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
Part of subcall function 00405378: lstrcatA.KERNEL32(0042A070,0040329E,0040329E,0042A070,00000000,0042288B,756F110C), ref: 004053D4
Part of subcall function 00405378: SetWindowTextA.USER32(0042A070,0042A070), ref: 004053E6
Part of subcall function 00405378: SendMessageA.USER32 ref: 0040540C
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405426
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405434

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,00000000,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 5043b9ad868d31df55020ac2c6da054ab893feff42efe059edc62cf0909231b8
Instruction ID: 3c6328a696446079fc2d308fbd04895e9a1cd4fdde8666fe7d5c2d170abc5611
Opcode Fuzzy Hash: 5043b9ad868d31df55020ac2c6da054ab893feff42efe059edc62cf0909231b8
Instruction Fuzzy Hash: 7721F631904215E7CF207FA58F4DAAF3670AF54358F60423BF601B61E0DAFD49819A6E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C82: CharNextA.USER32(?), ref: 00405C90
Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040583E: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 00405881

SetCurrentDirectoryA.KERNEL32(00000000,C:\Program Files (x86)\WeatherZero,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Program Files (x86)\WeatherZero, xrefs: 00401631

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Program Files (x86)\WeatherZero
API String ID: 1892508949-1378906097
Opcode ID: 9d5b8b13a7ebc94a0759c85c13f43ccc3f1ea05e5a10ed71fb4293789d51863b
Instruction ID: 7a2b8dfd757742e83ffe6dd7df5b12a9f5db33ee71018b299411addc72821366
Opcode Fuzzy Hash: 9d5b8b13a7ebc94a0759c85c13f43ccc3f1ea05e5a10ed71fb4293789d51863b
Instruction Fuzzy Hash: 54110431508141EBDF307BA54D409BF27B49A96324B68453FF9D1B22E2DA3D4942AA3E

Function 0040613E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 00406184
RegCloseKey.KERNEL32(?), ref: 0040618F

Strings

PrepareUninstall, xrefs: 00406141, 00406175

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CloseQueryValue
String ID: PrepareUninstall
API String ID: 3356406503-1439147290
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 76517841fcd29efece62e5e1a2c360dd076a242d2a9727e46a6747b1579fdab2
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8F017C72500209ABDF22CF61CC09FDB3FACEF55364F05803AF956A6192D278D964DBA4

Function 004059D1 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405DC5: GetFileAttributesA.KERNEL32(?,?,004059DD,?,?,00000000,00405BC0,?,?,?,?), ref: 00405DCA
Part of subcall function 00405DC5: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDE

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405BC0), ref: 004059EC
DeleteFileA.KERNEL32(?,?,?,00000000,00405BC0), ref: 004059F4
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405A0C

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: e1eff927f90318b2be8d8bfa20ab09362dfea904f1db048edee7874e77ba7622
Instruction ID: 820bf976d85fbe5b961297c7232a115658e53f6cb416c9f670a33f926cfc4cf0
Opcode Fuzzy Hash: e1eff927f90318b2be8d8bfa20ab09362dfea904f1db048edee7874e77ba7622
Instruction Fuzzy Hash: 07E0E531328A915AC6106735AA0C75B2A94DFC6324F064A3AF992B10C1DB3888469E7D

Function 004066D8 Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E9
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004066FE
GetExitCodeProcess.KERNEL32(?,?), ref: 0040670B

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: a23785c27a035ce2cb8362471393df4f98b29c58adbccf09c010a19c033fc59f
Instruction ID: df502c766e02f759b121d05a366231dffe3435fd6339d9c465792b4bb34c6ab8
Opcode Fuzzy Hash: a23785c27a035ce2cb8362471393df4f98b29c58adbccf09c010a19c033fc59f
Instruction Fuzzy Hash: CCE0D831600218FBDB009B54DD05E9E7B6EEB44714F110037FA05F6190C7B2AE22DBA8

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d6c05e2d17e61aa35ed6ac458fea53b968503eb473f312dedad9b12065ca57f
Instruction ID: 2b84f8aef59f8f821fe865236d11139dc57ce13a72bb3d14165ba5b6471e206c
Opcode Fuzzy Hash: 6d6c05e2d17e61aa35ed6ac458fea53b968503eb473f312dedad9b12065ca57f
Instruction Fuzzy Hash: B101D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4C

Function 004058F0 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,00000009), ref: 00405919
CloseHandle.KERNEL32(?), ref: 00405926

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: e60734fd28e9767f1f300975a6fa4801ce2439602a91b16223c64e021327a7e1
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: A0E0B6F4600209BFEB109BA4ED4AF7F7BBCEB04704F504525BE59F2290D67498198A7C

Function 00406663 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
GetProcAddress.KERNEL32(00000000,?), ref: 00406690

Part of subcall function 004065F5: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040660C
Part of subcall function 004065F5: wsprintfA.USER32 ref: 00406645
Part of subcall function 004065F5: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406659

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 4d0569fb13f52ba758ba0dc8838e9a6308561242633793a73e58d4c8114d4ccd
Instruction ID: 42df78af1693d05b1f4151e300c7058424afa75421c13d02aa0b0909378b53c4
Opcode Fuzzy Hash: 4d0569fb13f52ba758ba0dc8838e9a6308561242633793a73e58d4c8114d4ccd
Instruction Fuzzy Hash: 7FE086326042106BD3105B755E0493B73AC9E997103020D3EF94AF2140D7399C32966D

Function 00405DEA Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F4C,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E10

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Function 00405DC5 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,004059DD,?,?,00000000,00405BC0,?,?,?,?), ref: 00405DCA
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDE

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 1444cfec4ca9bf1d34442b2169c12043b22736e773fd5239433e8f32ad8d098d
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 6FD0C972504421ABC6112728EE0C89BBB55DB54271702CA36FDA5A26B1DB304C569A98

Function 00403963 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF), ref: 0040396E

Strings

C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\, xrefs: 00403982

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nss2F4C.tmp\
API String ID: 2962429428-2350851142
Opcode ID: 277f30cbe302f60db3aee089ff01cecb2e411bed247286758014d28a83891400
Instruction ID: 1200111adfac7592e79476d78741274177c0c64d242d418e9fed9ea5dab37cc8
Opcode Fuzzy Hash: 277f30cbe302f60db3aee089ff01cecb2e411bed247286758014d28a83891400
Instruction Fuzzy Hash: E1C01270544B046AC1247F759D8F9053A146B44736B604735B0B4F00F0C77C4659495E

Function 004058BB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004033A6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 004058C1
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CF

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 3fc85bafe69b7557593d5765bf5919c43deceba34b0c9ea4212deea00e127d8c
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 34C04C31214601EED6106B219E08B177BE5AB50741F25843E6646F00A0DE388469DA2D

Function 0040610B Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00406134

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: f3dc4abaab06895e066b0b710936ca54da7b1f8b7a25aa4512e4b4def2a222e8
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: BAE0E672110209BEEF195F50DC0AD7B371DEB14314F01452EF947D4091E6B5A9305634

Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000), ref: 00405E76

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: d159feaa40f66387c232a0365126d803d89e879c5a9a8176c13ce5bb2f202f1c
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: CFE0B63221025AAFDF109F95DC00AAB7B6CEB05260F144437FD99E6150D671E961DAE4

Function 00405E91 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000), ref: 00405EA5

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: f6dbd1b2bb29cf3778f9da1b12eb4ab865b2d476cff05d6c6da3e568d4bed244
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: CEE0EC3221165AABEF119F65DC00AEB7B6CEB05361F004836FA95E3150D631E9219BE4

Function 004060DD Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?), ref: 00406101

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: acfb9daac442d6471bee54970dc50a73ebaac4160da87f0822be439bec8b4f66
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 01D0123204020DFBEF119F90DD05FAB3B1DAB08310F014426FE06A4091D776D530A724

Function 0040336B Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,004030D1,?,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00403379

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405378: lstrlenA.KERNEL32(0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
Part of subcall function 00405378: lstrcatA.KERNEL32(0042A070,0040329E,0040329E,0042A070,00000000,0042288B,756F110C), ref: 004053D4
Part of subcall function 00405378: SetWindowTextA.USER32(0042A070,0042A070), ref: 004053E6
Part of subcall function 00405378: SendMessageA.USER32 ref: 0040540C
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405426
Part of subcall function 00405378: SendMessageA.USER32 ref: 00405434

Part of subcall function 004058F0: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,00000009), ref: 00405919
Part of subcall function 004058F0: CloseHandle.KERNEL32(?), ref: 00405926

CloseHandle.KERNEL32(?), ref: 00401FC0

Part of subcall function 004066D8: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E9
Part of subcall function 004066D8: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670B

Part of subcall function 004061B5: wsprintfA.USER32 ref: 004061C2

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: bf6730e7619718112b71bb2de5ff766b245367cdc6e5ad6091da68d00fc25440
Instruction ID: 23637cbd659b7b2b5436305da43621c16b9f3eeb50dd0f89da281ea130073468
Opcode Fuzzy Hash: bf6730e7619718112b71bb2de5ff766b245367cdc6e5ad6091da68d00fc25440
Instruction Fuzzy Hash: ADF0B432905221DBCB20BFA54E88CEFB2A49F05318B24463FF502B21D1CBBC0D415AAE

Non-executed Functions

Function 004054B6 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405515
GetDlgItem.USER32(?,000003EE), ref: 00405524
GetClientRect.USER32 ref: 00405561
GetSystemMetrics.USER32 ref: 00405568
SendMessageA.USER32 ref: 00405589
SendMessageA.USER32 ref: 0040559A
SendMessageA.USER32 ref: 004055AD
SendMessageA.USER32 ref: 004055BB
SendMessageA.USER32 ref: 004055CE
ShowWindow.USER32(00000000,?), ref: 004055F0
ShowWindow.USER32(?,00000008), ref: 00405604
GetDlgItem.USER32(?,000003EC), ref: 00405625
SendMessageA.USER32 ref: 00405635
SendMessageA.USER32 ref: 0040564E
SendMessageA.USER32 ref: 0040565A
GetDlgItem.USER32(?,000003F8), ref: 00405533

Part of subcall function 00404309: SendMessageA.USER32 ref: 00404317

GetDlgItem.USER32(?,000003EC), ref: 00405676
CreateThread.KERNEL32(00000000,00000000,Function_0000544A,00000000), ref: 00405684
CloseHandle.KERNEL32(00000000), ref: 0040568B
ShowWindow.USER32(00000000), ref: 004056AE
ShowWindow.USER32(?,00000008), ref: 004056B5
ShowWindow.USER32(00000008), ref: 004056FB
SendMessageA.USER32 ref: 0040572F
CreatePopupMenu.USER32 ref: 00405740
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405755
GetWindowRect.USER32(?,000000FF), ref: 00405775
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578E
SendMessageA.USER32 ref: 004057CA
OpenClipboard.USER32(00000000), ref: 004057DA
EmptyClipboard.USER32 ref: 004057E0
GlobalAlloc.KERNEL32(00000042,?), ref: 004057E9
GlobalLock.KERNEL32 ref: 004057F3
SendMessageA.USER32 ref: 00405807
GlobalUnlock.KERNEL32(00000000), ref: 00405820
SetClipboardData.USER32 ref: 0040582B
CloseClipboard.USER32 ref: 00405831

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 9f894bfef72f42a5d80c28a2cfb4653c4d0ae1818b29ab90f23da2409dea8f81
Instruction ID: 345e578925e8e8fc579d0e732d58a8f557a0115a7d420367cc7026d592e1690f
Opcode Fuzzy Hash: 9f894bfef72f42a5d80c28a2cfb4653c4d0ae1818b29ab90f23da2409dea8f81
Instruction Fuzzy Hash: D6A189B1900608BFDB11AF61DD89EAE7B79FB08354F40403AFA45B61A0CB758E51DF68

Function 00404CD9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CF0
GetDlgItem.USER32(?,00000408), ref: 00404CFD
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D4C
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404D63
SetWindowLongA.USER32(?,000000FC,004052EC), ref: 00404D7D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8F
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA3
SendMessageA.USER32 ref: 00404DB9
SendMessageA.USER32 ref: 00404DC5
SendMessageA.USER32 ref: 00404DD5
DeleteObject.GDI32(00000110), ref: 00404DDA
SendMessageA.USER32 ref: 00404E05
SendMessageA.USER32 ref: 00404E11
SendMessageA.USER32 ref: 00404EAB
SendMessageA.USER32 ref: 00404EDB

Part of subcall function 00404309: SendMessageA.USER32 ref: 00404317

SendMessageA.USER32 ref: 00404EEF
GetWindowLongA.USER32(?,000000F0), ref: 00404F1D
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F2B
ShowWindow.USER32(?,00000005), ref: 00404F3B
SendMessageA.USER32 ref: 00405036
SendMessageA.USER32 ref: 0040509B
SendMessageA.USER32 ref: 004050B0
SendMessageA.USER32 ref: 004050D4
SendMessageA.USER32 ref: 004050F4
ImageList_Destroy.COMCTL32(?), ref: 00405109
GlobalFree.KERNEL32(?), ref: 00405119
SendMessageA.USER32 ref: 00405192
SendMessageA.USER32 ref: 0040523B
SendMessageA.USER32 ref: 0040524A
InvalidateRect.USER32(?,00000000,00000001), ref: 00405275
ShowWindow.USER32(?,00000000), ref: 004052C3
GetDlgItem.USER32(?,000003FE), ref: 004052CE
ShowWindow.USER32(00000000), ref: 004052D5

Strings

N, xrefs: 00404F74
, xrefs: 004052AD
M, xrefs: 00404E93

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 0aaace5e7038786aacf0d0ec6efdbd7d394b60eb8694dc7bb3af05aed72767f4
Instruction ID: c814a1149ae8d70461ce7ac85806320f31a4e43cf09a070d2a5393f0519b6fc2
Opcode Fuzzy Hash: 0aaace5e7038786aacf0d0ec6efdbd7d394b60eb8694dc7bb3af05aed72767f4
Instruction Fuzzy Hash: 1E026AB0A00209AFDB20DF64CD45AAE7BB5FB44354F54817AFA10BA2E0C7788D52DF59

Function 00403DDA Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E16
ShowWindow.USER32(?), ref: 00403E36
GetWindowLongA.USER32(?,000000F0), ref: 00403E48
ShowWindow.USER32(?,00000004), ref: 00403E61
DestroyWindow.USER32 ref: 00403E75
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E8E
GetDlgItem.USER32(?,?), ref: 00403EAD
SendMessageA.USER32 ref: 00403EC1
IsWindowEnabled.USER32(00000000), ref: 00403EC8
GetDlgItem.USER32(?,00000001), ref: 00403F73
GetDlgItem.USER32(?,00000002), ref: 00403F7D
SetClassLongA.USER32(?,000000F2,?), ref: 00403F97
SendMessageA.USER32 ref: 00403FE8
GetDlgItem.USER32(?,00000003), ref: 0040408E
ShowWindow.USER32(00000000,?), ref: 004040AF
EnableWindow.USER32(?,?), ref: 004040C1
EnableWindow.USER32(?,?), ref: 004040DC
GetSystemMenu.USER32 ref: 004040F2
EnableMenuItem.USER32 ref: 004040F9
SendMessageA.USER32 ref: 00404111
SendMessageA.USER32 ref: 00404124
lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 0040414E
SetWindowTextA.USER32(?,0042A890), ref: 0040415D
ShowWindow.USER32(?,0000000A), ref: 00404291

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 127d2bede9c928d446a527d2bae20013705ae04109f31a2289bd5e7c7bb7a3e0
Instruction ID: f21371ea752dfce5ee3d4a80c6152a791402a2454a60405a922b397e1036299a
Opcode Fuzzy Hash: 127d2bede9c928d446a527d2bae20013705ae04109f31a2289bd5e7c7bb7a3e0
Instruction Fuzzy Hash: C1C1E5B1A00205AFDB207F62ED45E2B3A78EB85745F41053EF641B51F0CB799852DB2D

Function 0040443F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044CA
GetDlgItem.USER32(00000000,000003E8), ref: 004044DE
SendMessageA.USER32 ref: 004044FC
GetSysColor.USER32 ref: 0040450D
SendMessageA.USER32 ref: 0040451C
SendMessageA.USER32 ref: 0040452B
lstrlenA.KERNEL32(?), ref: 0040452E
SendMessageA.USER32 ref: 0040453D
SendMessageA.USER32 ref: 00404552
GetDlgItem.USER32(?,0000040A), ref: 004045B4
SendMessageA.USER32 ref: 004045B7
GetDlgItem.USER32(?,000003E8), ref: 004045E2
SendMessageA.USER32 ref: 00404622
LoadCursorA.USER32 ref: 00404631
SetCursor.USER32(00000000), ref: 0040463A
LoadCursorA.USER32 ref: 00404650
SetCursor.USER32(00000000), ref: 00404653
SendMessageA.USER32 ref: 0040467F
SendMessageA.USER32 ref: 00404693

Strings

D@, xrefs: 0040463E
N, xrefs: 004045D0
PrepareUninstall, xrefs: 0040460D

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: D@$N$PrepareUninstall
API String ID: 3103080414-1682003289
Opcode ID: 35ee71d5250129fbf2f36168019ba60c9b2f338ba1f9cfece2971a749f388ba2
Instruction ID: ec86402776fd01095bc4262357a67ddb6d4548b01b5252dde79e8ca7eec82ec2
Opcode Fuzzy Hash: 35ee71d5250129fbf2f36168019ba60c9b2f338ba1f9cfece2971a749f388ba2
Instruction Fuzzy Hash: 0761A2B1A00209BBDB10AF61DC45B6A3B68EB84754F10443AFB04BB1D1D7B9A9618F98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,WeatherZero 1.0.0.9 Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
WeatherZero 1.0.0.9 Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$WeatherZero 1.0.0.9 Setup
API String ID: 941294808-3556239767
Opcode ID: 2271267dbcbb5a429a5c45712c2942ab76dd5bcbd32f73574c3dae7e133f94db
Instruction ID: 1fbfacec2506b2ab202253b0e42594ede9e170c8a1cf430301d1f688d6e441df
Opcode Fuzzy Hash: 2271267dbcbb5a429a5c45712c2942ab76dd5bcbd32f73574c3dae7e133f94db
Instruction Fuzzy Hash: AA417D71800209AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74E955DFA4

Function 00404766 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004047B5
SetWindowTextA.USER32(00000000,?), ref: 004047DF
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404890
CoTaskMemFree.OLE32(00000000), ref: 0040489B
lstrcmpiA.KERNEL32(PrepareUninstall,0042A890,00000000,?,?), ref: 004048CD
lstrcatA.KERNEL32(?,PrepareUninstall), ref: 004048D9
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048EB

Part of subcall function 00405951: GetDlgItemTextA.USER32 ref: 00405964

Part of subcall function 00406535: CharNextA.USER32(0000000B), ref: 0040658D
Part of subcall function 00406535: CharNextA.USER32(0000000B), ref: 0040659A
Part of subcall function 00406535: CharNextA.USER32(0000000B), ref: 0040659F
Part of subcall function 00406535: CharPrevA.USER32(0000000B,0000000B), ref: 004065AF

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 004049A9
MulDiv.KERNEL32 ref: 004049C4

Part of subcall function 00404B1D: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
Part of subcall function 00404B1D: wsprintfA.USER32 ref: 00404BC3
Part of subcall function 00404B1D: SetDlgItemTextA.USER32(?,0042A890), ref: 00404BD6

Strings

PrepareUninstall, xrefs: 004048C7, 004048CC, 004048D7
C:\Program Files (x86)\WeatherZero, xrefs: 004048B6
A, xrefs: 00404889

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Program Files (x86)\WeatherZero$PrepareUninstall
API String ID: 2624150263-3266454866
Opcode ID: 77a47a1ab08589053cc7753b654a21a624dca3a385ae25c0a950fb0e42879f7b
Instruction ID: 575699f201696e67f0f9c35a0e1f8108b56c42fe30a04e4012ee5e208413707b
Opcode Fuzzy Hash: 77a47a1ab08589053cc7753b654a21a624dca3a385ae25c0a950fb0e42879f7b
Instruction Fuzzy Hash: 89A18FB1A00209ABDB11AFA6CD41AAF77B8AF84314F14843BF601B62D1D77C99518F6D

Function 00405EC0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00405EF1
GetShortPathNameA.KERNEL32 ref: 00405EFA

Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91

GetShortPathNameA.KERNEL32 ref: 00405F17
wsprintfA.USER32 ref: 00405F35
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405F70
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7F
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB7
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 0040600D
GlobalFree.KERNEL32(00000000), ref: 0040601E
CloseHandle.KERNEL32(00000000), ref: 00406025

Part of subcall function 00405DEA: GetFileAttributesA.KERNEL32(00000003,00402F4C,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
Part of subcall function 00405DEA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E10

Strings

[Rename], xrefs: 00405F9F, 00405FB1
%s=%s, xrefs: 00405F2B

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 04599d0c150f36447c5ac4f777ab143f32376e0bff9e00a2ddcaf5b3a954d367
Instruction ID: 8908439cc2d3cfcd996604707d180e10d826c6d0da91f503aeabb4e5616cbf2a
Opcode Fuzzy Hash: 04599d0c150f36447c5ac4f777ab143f32376e0bff9e00a2ddcaf5b3a954d367
Instruction Fuzzy Hash: 1531E731640B16ABC2207B65AD48F5B3A9CDF45758F14043BFA42F62D2DB7CD8118AAD

Function 00406535 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B), ref: 0040658D
CharNextA.USER32(0000000B), ref: 0040659A
CharNextA.USER32(0000000B), ref: 0040659F
CharPrevA.USER32(0000000B,0000000B), ref: 004065AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406536
"C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123, xrefs: 00406535
*?|<>/":, xrefs: 0040657D

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010434637
Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction ID: f1a46c244338e9c327de57877a99ef2f1f2ce6c7380876dc27bda46ebf0462ee
Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction Fuzzy Hash: 671134918047903DFB3216386C04B776FC94F9B760F5A007BE4C2722CAC63C5CA6826D

Function 0040433B Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404358
GetSysColor.USER32 ref: 00404396
SetTextColor.GDI32(?,00000000), ref: 004043A2
SetBkMode.GDI32(?,?), ref: 004043AE
GetSysColor.USER32 ref: 004043C1
SetBkColor.GDI32(?,?), ref: 004043D1
DeleteObject.GDI32(?), ref: 004043EB
CreateBrushIndirect.GDI32(?), ref: 004043F5

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: d64fbe2596ca860a271eaf52242e9b3e10407c8dba4713a28e38d7cfcaef20bb
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 822174716007049FCB30DF68D908B5BBBF8AF81710B04892EED96A26E1C734D915CB54

Function 00405378 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
lstrlenA.KERNEL32(0040329E,0042A070,00000000,0042288B,756F110C,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
lstrcatA.KERNEL32(0042A070,0040329E,0040329E,0042A070,00000000,0042288B,756F110C), ref: 004053D4
SetWindowTextA.USER32(0042A070,0042A070), ref: 004053E6
SendMessageA.USER32 ref: 0040540C
SendMessageA.USER32 ref: 00405426
SendMessageA.USER32 ref: 00405434

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 21f3fbad3f320d21e4f6dada675e32395d1bb8621f14401d727b4391d208c3a9
Instruction ID: bfa893c7d30147700316bd172ea6c956eb0bdb6a7275625f57f4f23b87bde493
Opcode Fuzzy Hash: 21f3fbad3f320d21e4f6dada675e32395d1bb8621f14401d727b4391d208c3a9
Instruction Fuzzy Hash: D7218C71A00518BBDB11AFA5DD84ADFBFB9EF04354F14807AF904B6290C7798E908F98

Function 00404C27 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00404C42
GetMessagePos.USER32 ref: 00404C4A
ScreenToClient.USER32(?,?), ref: 00404C64
SendMessageA.USER32 ref: 00404C76
SendMessageA.USER32 ref: 00404C9C

Strings

f, xrefs: 00404C78

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: 6a0354fd0873e2a66e4e803e7b6bfaf8a717de4a4c12bc6328b4bc3a065c57a7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: DB015E71900219BAEB00DBA4DD85BFFBBBCAF55B25F10012BBB40B61D0C7B499018BA4

Function 00402E25 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
MulDiv.KERNEL32 ref: 00402E6B
wsprintfA.USER32 ref: 00402E7B
SetWindowTextA.USER32(?,?), ref: 00402E8B
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9D

Strings

verifying installer: %d%%, xrefs: 00402E75

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: eba7e3e6a7a9e8d042f95bb146de847513e93a7983d8e04ff54a2d99dc20c472
Instruction ID: 3badc6b09a90e5cd1525348ef4ea74cecb255546bda3c46a06932aa9f71b5be3
Opcode Fuzzy Hash: eba7e3e6a7a9e8d042f95bb146de847513e93a7983d8e04ff54a2d99dc20c472
Instruction Fuzzy Hash: 61016270640209FBEF209F60DE09EEE3769EB04344F008039FA06B51D0DBB89955CF59

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?), ref: 00402E06

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
Instruction ID: d48e4a71bfa48a15fd7248f9ae3dc224302ba9e6f67c9eaa91d5645e55e2e307
Opcode Fuzzy Hash: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
Instruction Fuzzy Hash: D9213771500108BADF129F90CE89EEB7B7DEF44344F10047AFA15B11A0D7B49EA4AAA8

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32 ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: aac179cc4a1ea37f398950429777a32d29ab910b0ca69bec431bc59fb76cd7ad
Instruction ID: 4973ce5daa8367ce9871db5c73950c0598185a6d8b35e77b8380d9c424f967d4
Opcode Fuzzy Hash: aac179cc4a1ea37f398950429777a32d29ab910b0ca69bec431bc59fb76cd7ad
Instruction Fuzzy Hash: E3213B72E00109AFDF15DFA4DD85AAEBBB5EB48300F24407EF901F62A0DB789941DB54

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32 ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 9b11d4c019c816d20c1c21f539ca41ee850594db86684445f923bb2a1dbfe0ac
Instruction ID: 7d8b70fc9580f7c0a3656fe434d2777149f8876c9caaa3587920b0b4353cf884
Opcode Fuzzy Hash: 9b11d4c019c816d20c1c21f539ca41ee850594db86684445f923bb2a1dbfe0ac
Instruction Fuzzy Hash: 04019E72504240AFE7007BB0AF4AA9A7FF8EB55305F10847DF281B61F2CB7804888B6C

Function 00404B1D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
wsprintfA.USER32 ref: 00404BC3
SetDlgItemTextA.USER32(?,0042A890), ref: 00404BD6

Strings

%u.%u%s%s, xrefs: 00404BA5

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: cb957fc4db8a1e40465dafa4ff9b9538edb65549acbd6bcc8d463070165e739e
Instruction ID: b26deece5e1670680048ef5420f4dfbdf719bfc276585dbcb3e162ecceacc2fc
Opcode Fuzzy Hash: cb957fc4db8a1e40465dafa4ff9b9538edb65549acbd6bcc8d463070165e739e
Instruction Fuzzy Hash: 8311B773A0412867DB00756D9C41FAF3698DB85374F25027BFA26F31D1E979DC1282AD

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32 ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 60960b56f400513723277229af694750ddbbe590db3b19512bd1bbbb0dd5075d
Instruction ID: 6395210313b5e96ec4903c6722a9a41e79e60401c6fef9bd0231d245bd3396c8
Opcode Fuzzy Hash: 60960b56f400513723277229af694750ddbbe590db3b19512bd1bbbb0dd5075d
Instruction Fuzzy Hash: 56218571948208BEEB059FF5D986AAD7FB4EF44304F10447EF101B61D1D7B989819B18

Function 00405BE9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 00405BEF
CharPrevA.USER32(?,00000000), ref: 00405BF8
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C09

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE9

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 3e3e415651ec8bc6573efeb1b95b99caa1af1f852236f091574545f75c3ac81b
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 15D02362609634BBE20137154D05EDF194C8F0335070504BBF100B31A1C77C4C1147FD

Function 00405C82 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 00405C90
CharNextA.USER32(00000000), ref: 00405C95
CharNextA.USER32(00000000), ref: 00405CA9

Strings

C:\, xrefs: 00405C83

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction ID: e132378b0e7d4ce345f1aae0c2e060e26282e20dec01eee3492acdbf86008134
Opcode Fuzzy Hash: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction Fuzzy Hash: 89F0F65190CF902BFB3292244C40B775F89CB56315F18007BD281F72C1C27C48409FAA

Function 00402EA8 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00402EBB
GetTickCount.KERNEL32(00000000,00403086,00000001,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402ED9
CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
ShowWindow.USER32(00000000,00000005), ref: 00402F04

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5b1e02df2a5da4039d6b12178acb40621d70ebca526a36ee1d8f5fcc3c5ae34a
Instruction ID: d6c9869078f7173a9f6fd6f2732e3e3a433b8c8c07e8cf938b477ca654505681
Opcode Fuzzy Hash: 5b1e02df2a5da4039d6b12178acb40621d70ebca526a36ee1d8f5fcc3c5ae34a
Instruction Fuzzy Hash: 30F05E30645620ABC6317BA0FE8C99B7B64A704B12BA1043AF101F22E4CA7408878BED

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Program Files (x86)\WeatherZero, xrefs: 00402238

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Program Files (x86)\WeatherZero
API String ID: 123533781-1378906097
Opcode ID: 475c322b4348aaa67208cb989495111dfb5a11c3c95639a7d3a7ad81faa12027
Instruction ID: ec6a4b66970030f98d0c357d5daeebd90ed2a1685bb0ce4afdd26a2e8d50d7fb
Opcode Fuzzy Hash: 475c322b4348aaa67208cb989495111dfb5a11c3c95639a7d3a7ad81faa12027
Instruction Fuzzy Hash: 68511675A00208BFDF10DFE4C988A9D7BB6AF48314F2045AAF505EB2D1DA799981CB54

Function 004052EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040531B
CallWindowProcA.USER32(?,?,?,?), ref: 0040536C

Part of subcall function 00404320: SendMessageA.USER32 ref: 00404332

Strings

, xrefs: 004052FC

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2bda5d118e415af4fa0da154639cfdb284582745e0818f00f9dac7c2683be084
Instruction ID: 088eb893e58e7befb787ec48b20f4cc5058787dea00b391af27f8784c6c771c5
Opcode Fuzzy Hash: 2bda5d118e415af4fa0da154639cfdb284582745e0818f00f9dac7c2683be084
Instruction Fuzzy Hash: 59017172204608ABEF206F11DD81A9B3769EB84395F541037FF05761D0C7BA8D629E2A

Function 004039A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75712754,00000000,C:\Users\user\AppData\Local\Temp\,00403980,0040379A,?,?,00000007,00000009,0000000B), ref: 004039C2
GlobalFree.KERNEL32(00000000), ref: 004039C9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004039A8

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4017390910
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: 4fd9126d001fd6f9661ff5a064fa74b3c5ec8a5f3f5490ff4f649df82ed95c92
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: C5E0EC3261112057C7616F55EA0476AB7A86F49B66F0A006EE8847B2A08BB85C468BD8

Function 00405C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,00402F78,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract\WZSetup.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009), ref: 00405C36
CharPrevA.USER32(80000000,00000000), ref: 00405C44

Strings

C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract, xrefs: 00405C30

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp\is-IANRG.tmp\prod1_extract
API String ID: 2709904686-2538186911
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 122f4ef1c51afe0287f8aef094741ea3ea5c8e0f1b3bdfc6c9647d6fbcc18736
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: 75D0A76240CA746EF30362108D00B9F6A88DF13340F0A04E6F081A2190C2784C424BFD

Function 00405D4F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D77
CharNextA.USER32(00000000), ref: 00405D88
lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91

Memory Dump Source

Source File: 00000004.00000002.600831102.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.600827196.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600834956.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.000000000042B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000430000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600839045.0000000000439000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.600860588.000000000043D000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_WZSetup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 87b880d6ec66590321046a57115c6c0db4d123b3cd257c49f1686e195a850605
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: 0DF0F632200814FFCB02DFA4DD44D9FBBA8EF55350B2580BAE840F7210D634DE019BA8

Analysis Process: avg_tuneup_online_setup.exePID: 2860, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	123

Executed Functions

Function 0114DAD0 Relevance: 82.7, APIs: 11, Strings: 35, Instructions: 2209COMMON

Download Yara Rule

APIs

Part of subcall function 01150950: GetModuleHandleW.KERNEL32(kernel32.dll,88D0918B,?), ref: 011509B8
Part of subcall function 01150950: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011509CA
Part of subcall function 01150950: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011509D9

std::generic_category.LIBCPMTD ref: 0114E0B0

Strings

sfx-cmd, xrefs: 0114E0D6
sfx-running-icarus, xrefs: 0114F055
Restart is required, xrefs: 0114F4FB
SFX started with command line '{}', xrefs: 0114DB4D
install, xrefs: 0114EBC4, 0114EBFE
sfx-finish, xrefs: 0114F592
process-path, xrefs: 0114DB96, 0114E019
sfx-dir, xrefs: 0114DFDA
COLOR, xrefs: 0114F942
clear, xrefs: 0114EB59, 0114EB7D, 0114EBBB
F5C2877A, xrefs: 0114DB4A
@Sfx_Title, xrefs: 0114F7F3
isfx, xrefs: 0114DB5B
sfx-preparing, xrefs: 0114E49E
csm, xrefs: 0114F141
icarus-info-path, xrefs: 0114EA9E, 0114EAE3
icarus-info.xml, xrefs: 0114EA3F
F5C2877A, xrefs: 0114F4D0
stub_loading, xrefs: 0114E923
proxy_ini, xrefs: 0114EFAC, 0114EFEB
splash, xrefs: 0114E899
silent, xrefs: 0114E80D, 0114E82E, 0114E872, 0114E8B8, 0114E8FC, 0114ED20, 0114ED4B, 0114ED63, 0114EDA6
@Sfx_Starting, xrefs: 0114E766
GIF, xrefs: 0114F840
Execute setup master process '{}' failed!, xrefs: 0114F6C0
lang-id, xrefs: 0114E256, 0114E294, 0114E2AE, 0114E2EF, 0114E39F, 0114F734
sssid, xrefs: 0114EDEE, 0114EE33
string too long, xrefs: 0114E387
language, xrefs: 0114E273, 0114E2F8, 0114E335
session-id, xrefs: 0114E18D, 0114E1CC
!, xrefs: 0114DB73
@, xrefs: 0114F5B8
common, xrefs: 0114F204
... , xrefs: 0114E74B
tmp-path, xrefs: 0114E43C, 0114E66E, 0114EA66, 0114ED06, 0114F16E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressProc$HandleModulestd::generic_category
String ID: !$... $@$@Sfx_Starting$@Sfx_Title$COLOR$Execute setup master process '{}' failed!$F5C2877A$F5C2877A$GIF$Restart is required$SFX started with command line '{}'$clear$common$csm$icarus-info-path$icarus-info.xml$install$isfx$lang-id$language$process-path$proxy_ini$session-id$sfx-cmd$sfx-dir$sfx-finish$sfx-preparing$sfx-running-icarus$silent$splash$sssid$string too long$stub_loading$tmp-path
API String ID: 1040336583-4269367277
Opcode ID: b60026f0380b0ddba384f0eb752ec6a13afcd2ffb1e1358f7e4c4ad9d897fb20
Instruction ID: 52a5b9d509109a811b24191ca0c1544e7bc9eb48f49d03c13297449ab9bd3973
Opcode Fuzzy Hash: b60026f0380b0ddba384f0eb752ec6a13afcd2ffb1e1358f7e4c4ad9d897fb20
Instruction Fuzzy Hash: F7238A74E0021A8FDB18DFA8C944BADBBF1BF58304F144199D819AB391DB74AE85CF81

Function 0113A980 Relevance: 51.8, APIs: 7, Strings: 27, Instructions: 837
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VarFileInfo\Translation, xrefs: 0113AF79
ProductId, xrefs: 0113B4FA
VerQueryValueW '{}', xrefs: 0113AF99
VerQueryValueW signature is invalid, xrefs: 0113ACE5
ProductVersion, xrefs: 0113B10A
GetFileVersionInfoSizeW, xrefs: 0113AC6D
OriginalFilename, xrefs: 0113B23C
LegalTrademarks, xrefs: 0113B36E
asw, xrefs: 0113AA6B, 0113AE1E
FileVersion, xrefs: 0113B1D6
Comments, xrefs: 0113B3D4
tmp, xrefs: 0113AA40, 0113ADE4
LegalCopyright, xrefs: 0113B308
GetFileVersionInfoSizeW '{}', xrefs: 0113B634
InternalName, xrefs: 0113B2A2
PrivateBuild, xrefs: 0113B43A
ProductName, xrefs: 0113B0A4
FileDescription, xrefs: 0113B170
Unable to make a .sys copy, xrefs: 0113AC4C, 0113B605
Cannot query a .sys file version from PPL process '{}', xrefs: 0113AC2B
Cannt query a .sys file version info from PPL process '{}', xrefs: 0113B5E4
GetFileVersionInfoW, xrefs: 0113AC95
SpecialBuild, xrefs: 0113B49D
GetFileVersionInfoW '{}', xrefs: 0113AF64
.sys, xrefs: 0113AA09, 0113ADAA
VerQueryValueW, xrefs: 0113ACBD
CompanyName, xrefs: 0113B017

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID: .sys$Cannot query a .sys file version from PPL process '{}'$Cannt query a .sys file version info from PPL process '{}'$Comments$CompanyName$FileDescription$FileVersion$GetFileVersionInfoSizeW$GetFileVersionInfoSizeW '{}'$GetFileVersionInfoW$GetFileVersionInfoW '{}'$InternalName$LegalCopyright$LegalTrademarks$OriginalFilename$PrivateBuild$ProductId$ProductName$ProductVersion$SpecialBuild$Unable to make a .sys copy$VerQueryValueW$VerQueryValueW '{}'$VerQueryValueW signature is invalid$\VarFileInfo\Translation$asw$tmp
API String ID: 0-1107915544
Opcode ID: 91d4329ece253636a146fd5a5b70c82b23ed5d427349b57e66688d72f0f77f43
Instruction ID: 8b2b4222e1080c11dbb7e020e881af36787fde7917a911437d2771ef2074dd77
Opcode Fuzzy Hash: 91d4329ece253636a146fd5a5b70c82b23ed5d427349b57e66688d72f0f77f43
Instruction Fuzzy Hash: EB72B371D1025E9BDB19DFA4C840BEEF7B4BF58308F50429AD409A7244EB70AB89CF91

Function 01158A10 Relevance: 40.8, APIs: 4, Strings: 19, Instructions: 584
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01150950: GetModuleHandleW.KERNEL32(kernel32.dll,88D0918B,?), ref: 011509B8
Part of subcall function 01150950: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011509CA
Part of subcall function 01150950: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011509D9

CreateFileW.KERNELBASE(?,00000001,00000005,?,00000003,00000000,00000000), ref: 01158AB3
std::generic_category.LIBCPMTD ref: 01159149

Strings

file, xrefs: 01158D84
sha-256, xrefs: 01158DD3
isfx, xrefs: 01159049
flags, xrefs: 01158E91
alias, xrefs: 01158D9B
4EE5, xrefs: 01159196
file-list, xrefs: 01158D2D
isfx, xrefs: 01158F6F
file-mapping-sfx, xrefs: 011590F8
timestamp, xrefs: 01158E62
offset, xrefs: 01158E0A
4EE5EE22, xrefs: 01158F64
size, xrefs: 01158E36
Failed to open sfx file., xrefs: 011591F0
file alias = '{}' packed in payload twice, overriding, xrefs: 01159080
Payload: Failed to open sfx file '{}', {}, xrefs: 011591DD
L, xrefs: 01159093
file sha-256 = '{}' packed in payload twice, overriding, xrefs: 01158F6A
EE22, xrefs: 011591A0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressProc$CreateFileHandleModulestd::generic_category
String ID: 4EE5$4EE5EE22$EE22$Failed to open sfx file.$L$Payload: Failed to open sfx file '{}', {}$alias$file$file alias = '{}' packed in payload twice, overriding$file sha-256 = '{}' packed in payload twice, overriding$file-list$file-mapping-sfx$flags$isfx$isfx$offset$sha-256$size$timestamp
API String ID: 1797869230-2667583810
Opcode ID: 075086669e4fe3b63afed5ebfeaa6d19c8eaddb1cf22eea1260adc7de23c7939
Instruction ID: 86cb6b0bd3a223abb3c02f675226f528d21fcfe1e12c5e535cd80bb05ef1b33c
Opcode Fuzzy Hash: 075086669e4fe3b63afed5ebfeaa6d19c8eaddb1cf22eea1260adc7de23c7939
Instruction Fuzzy Hash: AB428F70900219DFDB29DF64C954BEDBBF5BF58304F108299E919A7390DB70AA85CF90

Function 0115C780 Relevance: 39.8, APIs: 1, Strings: 21, Instructions: 1265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

branding-url, xrefs: 0115CA45, 0115CAFC
clear, xrefs: 0115CD20
The product-info.xml '{}' has not been found in SFX, fail!, xrefs: 0115EB0B, 0115EB54
BD219561, xrefs: 0115DBE9
File is not DSA signed (alias:{})!, xrefs: 0115EC2F
average-download-speed, xrefs: 0115E729
lang-id, xrefs: 0115D004
base-url, xrefs: 0115C93B, 0115C9DF
clear, xrefs: 0115CCF8, 0115DF33
package.edat, xrefs: 0115D082
The sfx-info.xml does not contain any product data!, xrefs: 0115EBB1
@, xrefs: 0115E851
cookie, xrefs: 0115CEF0
package, xrefs: 0115D14F
The file name is not specified in product-info.xml for hash '{}', fail!, xrefs: 0115ED02, 0115ED1A
BD219561, xrefs: 0115EC78
The product-info.xml '{}' has been correctly unpacked from SFX archive., xrefs: 0115DBEC
\product-info.xml, xrefs: 0115DEB8
DSA verification check of file data '{}' fail!, xrefs: 0115EC08
common, xrefs: 0115D69A
isfx, xrefs: 0115EB10

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID: @$BD219561$BD219561$DSA verification check of file data '{}' fail!$File is not DSA signed (alias:{})!$The file name is not specified in product-info.xml for hash '{}', fail!$The product-info.xml '{}' has been correctly unpacked from SFX archive.$The product-info.xml '{}' has not been found in SFX, fail!$The sfx-info.xml does not contain any product data!$\product-info.xml$average-download-speed$base-url$branding-url$clear$clear$common$cookie$isfx$lang-id$package$package.edat
API String ID: 0-2920732319
Opcode ID: f8b7fb02db65ad5b9b3c6859e96e5aa0aa355cb555494b73f2a70d9831e8a9fa
Instruction ID: 840733e1c321dcdfca7193ae43227cddf4d3b697add76e6d573b9c74a30aa66e
Opcode Fuzzy Hash: f8b7fb02db65ad5b9b3c6859e96e5aa0aa355cb555494b73f2a70d9831e8a9fa
Instruction Fuzzy Hash: ECC28A74E0022ACFDB19DFA4C944BADBBB5BF58304F0440A9D919A7391DB70AE85CF91

Function 01169230 Relevance: 23.3, APIs: 3, Strings: 10, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Xtime_get_ticks.LIBCPMT ref: 01169274
__Xtime_get_ticks.LIBCPMT ref: 01169306
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01169332

Part of subcall function 01107240: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,88D0918B,?), ref: 011072DD
Part of subcall function 01107240: MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,0000FDE9,00000000,00000000,?,?,00000000,00000000,88D0918B,?), ref: 01107344

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

DSA signature of LZMA file is invalid:'{}', xrefs: 0116979F
Download of '{}' succeeded. (speed current: {:6.4f}, total: {:6.4f}), xrefs: 01169458
://, xrefs: 011699BB
Download of '{}' failed. HTTP status:'{}' err:'{}'., xrefs: 011695FB
isfx, xrefs: 0116945D
6DC0, xrefs: 0116973C
DSA verification check of downloaded LZMA file (url {}) fail, xrefs: 0116976F
57E3, xrefs: 0116944D
No content for '{}' status: {}, xrefs: 011696E0
isfx, xrefs: 01169600

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharMultiWideXtime_get_ticks$DispatcherExceptionUnothrow_t@std@@@User__ehfuncinfo$??2@
String ID: 57E3$6DC0$://$DSA signature of LZMA file is invalid:'{}'$DSA verification check of downloaded LZMA file (url {}) fail$Download of '{}' failed. HTTP status:'{}' err:'{}'.$Download of '{}' succeeded. (speed current: {:6.4f}, total: {:6.4f})$No content for '{}' status: {}$isfx$isfx
API String ID: 2911324042-1520656910
Opcode ID: cd177e1bad96c42244eaa1d966531ef73dc0b555dace411ae6497daa1e4ba391
Instruction ID: a48750e21cfc2ec808bc4aa1e1251d20627e987321f7b098de6a9f313a059fff
Opcode Fuzzy Hash: cd177e1bad96c42244eaa1d966531ef73dc0b555dace411ae6497daa1e4ba391
Instruction Fuzzy Hash: BF32BF70E0021DDFDB19DFA8C944B9DBBB9BF59304F10819AE509AB280DB71AE45CF91

Function 0111B930 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 105
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 0111B968
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 0111B97F
GetLastError.KERNEL32 ref: 0111B99F
GetLastError.KERNEL32(?,0123F910,00000000,GetModuleHandleW ({}),00000015,ntdll), ref: 0111B9C7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 0111BA23

Strings

NtQueryInformationProcess, xrefs: 0111B972, 0111B978
GetProcAddress ({}), xrefs: 0111B9CF
System, xrefs: 0111BAD2
GetModuleHandleW ({}), xrefs: 0111B9AB
Unable to retrieve basic process information!, xrefs: 0111BA3E
Unable to get image path of process {}!, xrefs: 0111BB9C
System Idle Process, xrefs: 0111BAB0
ntdll, xrefs: 0111B95C, 0111B961, 0111B9A8

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$AddressHandleInformationModuleProcProcessQuery
String ID: GetModuleHandleW ({})$GetProcAddress ({})$NtQueryInformationProcess$System$System Idle Process$Unable to get image path of process {}!$Unable to retrieve basic process information!$ntdll
API String ID: 2026571179-4279731967
Opcode ID: f4fbe85a622f7971015117165a3b27cf69feb4eb58615f22b15b243cc0b0672f
Instruction ID: fd6919dadb545fd1cfc97d1ab0b35bee26de45ded14bc40b64c268c1904709f1
Opcode Fuzzy Hash: f4fbe85a622f7971015117165a3b27cf69feb4eb58615f22b15b243cc0b0672f
Instruction Fuzzy Hash: BA313871A1020DABD728EFA5DC46EDEB7FCBF18604F44052DFD15A7184EB70A6048B62

Function 01140810 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 153encryptiontimethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0114083A
GetCurrentProcessId.KERNEL32 ref: 01140853
GetCurrentThreadId.KERNEL32 ref: 0114086F
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 011408AC
GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000), ref: 011408E3
GetSystemTimes.KERNEL32 ref: 0114090C
QueryPerformanceCounter.KERNEL32(?), ref: 0114097D
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000040), ref: 011409C7
CryptGenRandom.ADVAPI32(?,00000008,?), ref: 011409E2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 01140A04

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 011409BF

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Crypt$ContextCurrentSystemTime$AcquireCounterDiskFileFreeGlobalMemoryPerformanceProcessQueryRandomReleaseSpaceStatusThreadTimes
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1216455848-291530887
Opcode ID: ccc9e13701880865dcafbd216c8bc6cbcb3bc943821108a349d30c330d768d5a
Instruction ID: cb1ec1eea43b68c3c2b09013227358c56d392e510c09f8030c455d471e7a8a20
Opcode Fuzzy Hash: ccc9e13701880865dcafbd216c8bc6cbcb3bc943821108a349d30c330d768d5a
Instruction Fuzzy Hash: FB517E70E0032E9BEF14EBA1DD85FDDB774BF14B04F008565A619BA080EB706749CB95

Function 0118DBE0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 282fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0118DCF1
GetLastError.KERNEL32 ref: 0118DCFF

Strings

\\.\PhysicalDrive%u, xrefs: 0118DCD0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CreateErrorFileHeapLastProcess
String ID: \\.\PhysicalDrive%u
API String ID: 2202902945-3292898883
Opcode ID: fc58fe87cd3dfa599d94ca3d6556c126fefab2b47abdec1a332fd68b27052d65
Instruction ID: a84dcc51dfc6e1e62a0e1f7ac21d0e0b54d2c575718eac7164b83bb426247171
Opcode Fuzzy Hash: fc58fe87cd3dfa599d94ca3d6556c126fefab2b47abdec1a332fd68b27052d65
Instruction Fuzzy Hash: F8A1BC71D0030A9BEF18DFE8D845BAEBBB4AF54314F148219E915AB2C1DB70A945CF91

Function 0118DF40 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 238fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0118E03D
GetLastError.KERNEL32 ref: 0118E04B
DeviceIoControl.KERNELBASE(00000000,00074080,00000000,00000000,?,00000018,00000000,00000000), ref: 0118E06F
GetLastError.KERNEL32 ref: 0118E079
CloseHandle.KERNEL32(?), ref: 0118E18D

Strings

\\.\PhysicalDrive%u, xrefs: 0118E01C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandleHeapProcess
String ID: \\.\PhysicalDrive%u
API String ID: 3681805340-3292898883
Opcode ID: 17f5087904c9d97a89a1537d62efb2f290d4f618c35c9b5af00186bd30c1f6b1
Instruction ID: c2a079680af48cf2ed7002bf4d95f4daaa00d84eafc2a1e5cb19ac9676f77d0e
Opcode Fuzzy Hash: 17f5087904c9d97a89a1537d62efb2f290d4f618c35c9b5af00186bd30c1f6b1
Instruction Fuzzy Hash: B991C175D0070A9FEB18DFA4CC45BADBBB4FF58314F148219E915AB281EB70A941CF91

Function 011774F0 Relevance: 14.2, APIs: 2, Strings: 7, Instructions: 693COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Store data to HKLM failed.), ref: 01177630
GetLastError.KERNEL32(Store data to HKCU failed.), ref: 01177707

Strings

SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198, xrefs: 011775C4, 01177A15
Store data to HKCU failed., xrefs: 011776FD
C06AEB9D-8774-46E7-8160-8321BCD14D9F, xrefs: 011776A0, 01177AE0
Permanent storage - failed to store data to HKLM., xrefs: 01177638
Permanent storage - failed to store data to HKCU., xrefs: 0117770F
PSK contains null, xrefs: 011778CE, 01177DF1
Store data to HKLM failed., xrefs: 01177626

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID: C06AEB9D-8774-46E7-8160-8321BCD14D9F$PSK contains null$Permanent storage - failed to store data to HKCU.$Permanent storage - failed to store data to HKLM.$SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198$Store data to HKCU failed.$Store data to HKLM failed.
API String ID: 1452528299-1756622524
Opcode ID: 2aab0664e14e5c35a60345be305377ee9e311a62f2f4c12c0094a7edc0172804
Instruction ID: 800cec24bba6f2dac8a7acaaeb528eff5cccb67a7d4093d078e22b6f036e5480
Opcode Fuzzy Hash: 2aab0664e14e5c35a60345be305377ee9e311a62f2f4c12c0094a7edc0172804
Instruction Fuzzy Hash: 23529C71D00259DBDB19DFA8C948BEEBBB4BF58304F10825AE805AB381DB746A85CF51

Function 0118D900 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 235fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

GetVersion.KERNEL32 ref: 0118D980
CreateFileW.KERNELBASE(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0118D9A9
GetLastError.KERNEL32 ref: 0118D9B9
CloseHandle.KERNEL32(?), ref: 0118DB68

Strings

\\.\PhysicalDrive%u, xrefs: 0118D98F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleHeapLastProcessVersion
String ID: \\.\PhysicalDrive%u
API String ID: 516677361-3292898883
Opcode ID: 6172b19b2910649d3286715c6ae2aa8a3b0e14627807f755dfb817838076a411
Instruction ID: 63ea650238dd7632c5aec9167a8e86dfa43e87391cda3d88bbc40cb9542f3a80
Opcode Fuzzy Hash: 6172b19b2910649d3286715c6ae2aa8a3b0e14627807f755dfb817838076a411
Instruction Fuzzy Hash: FE81A275D0020A9FDF19EFE8E884BAEBBB5EF09314F148169E911A72C1DB349941CF91

Function 011781F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 164encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32(?,00000000,?,00000000,00000000,00000005,?), ref: 01178234
GetLastError.KERNEL32(Failed to encrypt data), ref: 01178268
CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000005,?), ref: 011782FB

Strings

Failed to encrypt data, xrefs: 01178263
Failed to decrypt data, xrefs: 01178382, 011783A4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CryptData$ErrorLastProtectUnprotect
String ID: Failed to decrypt data$Failed to encrypt data
API String ID: 671455497-2906240006
Opcode ID: b852fabec4815495d11fd4f27270bf2b903eef09a8ff08fc0280114e1618fc9d
Instruction ID: 4f41a46f81068be9c93dc6e0568e7819a77a148cd6d987a317cb88436c6bdbce
Opcode Fuzzy Hash: b852fabec4815495d11fd4f27270bf2b903eef09a8ff08fc0280114e1618fc9d
Instruction Fuzzy Hash: 81513C75E10219AFDB18DFD4D845BDEBBFCEB08710F10412AE915E7240DB71AA04CBA1

Function 0111B9F0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0111B930: GetModuleHandleW.KERNEL32(ntdll), ref: 0111B968
Part of subcall function 0111B930: GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 0111B97F

NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 0111BA23

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressHandleInformationModuleProcProcessQuery
String ID:
API String ID: 3384173408-0
Opcode ID: 25c09eb282967efb1a2962cf19ffaedcb6cdcf9d244d543d77a96fc85a08e303
Instruction ID: a6431b6140ac85aac1846051d1b670b8c55b064e04b12ee9a12e5031527fdc1e
Opcode Fuzzy Hash: 25c09eb282967efb1a2962cf19ffaedcb6cdcf9d244d543d77a96fc85a08e303
Instruction Fuzzy Hash: 99F0EC3131521857D324A6359C06F6BF7ECAB94A14F40062FFD55D72D4EF50E9014BE6

Function 01151C20 Relevance: 107.8, APIs: 29, Strings: 32, Instructions: 1034fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?), ref: 01151F34
GetFileSizeEx.KERNEL32(?,?,?,?,?,?), ref: 01152072
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000002), ref: 011520AA
GetLastError.KERNEL32(?,?,?,?), ref: 01152127
SetFilePointerEx.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 01152463
SetEndOfFile.KERNEL32(000000FF,?,?,?,?), ref: 0115247D
GetLastError.KERNEL32(?,?,?,?), ref: 011524EE
WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0115262D
GetLastError.KERNEL32(?,?,?,00010000,?,?,?,?), ref: 011526D4
GetLastError.KERNEL32(?,?,?,00010000,?,?,?,?), ref: 011526E1
___std_exception_destroy.LIBVCRUNTIME ref: 0115273C
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000001), ref: 011527A8
SetEndOfFile.KERNEL32(000000FF,?,?,?,?,?,?,00000000,Unable to read data,?,?,?,00010000), ref: 011527C2
GetLastError.KERNEL32(Unable to open session), ref: 01152923
GetLastError.KERNEL32(Unable to create connection,?,0123FDE4,00000000), ref: 01152945
GetLastError.KERNEL32(Unable to open request,?,0123FDE4,00000000), ref: 0115296C
GetLastError.KERNEL32(Unable to set TLS1,?,0123FDE4,00000000), ref: 0115298E
GetLastError.KERNEL32(Unable to set security flags,?,0123FDE4,00000000), ref: 011529B0
GetLastError.KERNEL32(Unable to set WinHTTP timeouts,?,0123FDE4,00000000), ref: 011529D2
GetLastError.KERNEL32(Unable to send request,?,0123F69C,?,0123FDE4,00000000), ref: 01152A19
GetLastError.KERNEL32(Unable to receive response,?,0123FDE4,00000000,?,0123F69C,?,0123FDE4,00000000), ref: 01152A3B
GetLastError.KERNEL32(Unable to query status header,?,0123FDE4,00000000,?,0123F69C,?,0123FDE4,00000000), ref: 01152A5D
GetLastError.KERNEL32(?,0123FDE4,00000000,?,0123F69C,?,0123FDE4,00000000), ref: 01152A7A
GetLastError.KERNEL32(Unable to set file pointer to start,?,0123FDD4,?,?,0123FDE4,00000000,Receive fail status:'{}',00000018,?,?,0123F69C,?,0123FDE4,00000000), ref: 01152AC1
GetLastError.KERNEL32(Unable to set end of file,?,0123FDE4,00000000,?,?,0123FDE4,00000000,Receive fail status:'{}',00000018,?,?,0123F69C,?,0123FDE4,00000000), ref: 01152AE3
GetLastError.KERNEL32(Unable to query content length,?,0123FDE4,00000000,?,?,0123FDE4,00000000,Receive fail status:'{}',00000018,?,?,0123F69C,?,0123FDE4,00000000), ref: 01152B05
GetLastError.KERNEL32(Unable to set position to end,?,0123FDE4,00000000,?,?,0123FDE4,00000000,Receive fail status:'{}',00000018,?,?,0123F69C,?,0123FDE4,00000000), ref: 01152B2C
GetLastError.KERNEL32(Unable to set file end,?,0123FDE4,00000000,?,?,0123FDE4,00000000,Receive fail status:'{}',00000018,?,?,0123F69C,?,0123FDE4,00000000), ref: 01152B4E

Strings

Cannot get file size for '{}' (no resume): error: {}, xrefs: 01152294
Receive fail status:'{}', xrefs: 01152A8C
Unable to set position to end, xrefs: 01152B27
Cannot set file to end (no resume) for '{}': error: {}, xrefs: 011521AF
Unable to write data to file, xrefs: 011526DA
Unable to set file end, xrefs: 01152B49
isfx, xrefs: 01152257
P, xrefs: 01151CFD
E759, xrefs: 01151F3A
GET, xrefs: 01152038
Unable to set TLS1, xrefs: 01152989
Unable to set WinHTTP timeouts, xrefs: 011529CD
Download less than expected, xrefs: 0115285B
Unable to query content length, xrefs: 01152B00
https, xrefs: 01151D15, 01151DA5
Unable to receive response, xrefs: 01152A36
Unable to open session, xrefs: 0115291E
Unable to open request, xrefs: 01152967
Unable to query status header, xrefs: 01152A58
Unable to set security flags, xrefs: 011529AB
Icarus Http/1.0, xrefs: 01151CB3
Range: bytes={}-, xrefs: 011520B6, 011522BC
Unable to set file pointer to start, xrefs: 01152ABC
A976, xrefs: 01152162
http, xrefs: 01151CEC
Unable to set end of file, xrefs: 01152ADE
isfx, xrefs: 01151F67
Unable to read data, xrefs: 011526E7
E759, xrefs: 0115218F
Unable to set other TLS ({}), xrefs: 01151F62
Unable to create connection, xrefs: 01152940
Unable to send request, xrefs: 01152A14

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$File$Pointer$SizeWrite___std_exception_destroy
String ID: A976$Cannot get file size for '{}' (no resume): error: {}$Cannot set file to end (no resume) for '{}': error: {}$Download less than expected$E759$E759$GET$Icarus Http/1.0$P$Range: bytes={}-$Receive fail status:'{}'$Unable to create connection$Unable to open request$Unable to open session$Unable to query content length$Unable to query status header$Unable to read data$Unable to receive response$Unable to send request$Unable to set TLS1$Unable to set WinHTTP timeouts$Unable to set end of file$Unable to set file end$Unable to set file pointer to start$Unable to set other TLS ({})$Unable to set position to end$Unable to set security flags$Unable to write data to file$http$https$isfx$isfx
API String ID: 1381021637-4138036385
Opcode ID: d03fbc56fbacf69c746bd71a23c9733d7a3425b6e89761a09493498bbb81a457
Instruction ID: 6edbab0a7aebfd80d31e325d21160db976529fcccc2a701f3a479c995ea83882
Opcode Fuzzy Hash: d03fbc56fbacf69c746bd71a23c9733d7a3425b6e89761a09493498bbb81a457
Instruction Fuzzy Hash: 77926D71900219DFEB68DFA4CC84FEDBBB5BF14304F144199E929A7281DB70AA85CF61

Function 0111A6F0 Relevance: 49.1, APIs: 3, Strings: 25, Instructions: 83
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01119A99), ref: 0111A6FD
GetProcAddress.KERNEL32(00000000,on_avast_dll_unload,?,?,?,?,?,?,?,?,?,01119A99), ref: 0111A709
GetModuleHandleW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,01119A99), ref: 0111A717

Strings

prf, xrefs: 0111AD59
ModuleId, xrefs: 0111A71D, 0111A768
avg, xrefs: 0111AAC5, 0111ABBA, 0111ACA5, 0111AD85, 0111AE65
avast, xrefs: 0111AAA5, 0111AABF, 0111AAC0
ProductId, xrefs: 0111A784
Avast Software, xrefs: 0111AA33, 0111AA4F, 0111AA50
on_avast_dll_unload, xrefs: 0111A703
Avast, xrefs: 0111AA61
AVG Technologies, xrefs: 0111AB6B
avr, xrefs: 0111AE39
avg, xrefs: 0111AA9B, 0111AB97, 0111ABA8, 0111ABBF, 0111AC7E, 0111AD5E, 0111AE3E
Privax, xrefs: 0111AC01, 0111AC1F, 0111AC20
avg, xrefs: 0111AB7A, 0111AB91, 0111AB92
Piriform, xrefs: 0111ACE2, 0111ACFF, 0111AD00
asw, xrefs: 0111AA96
avira, xrefs: 0111AE48, 0111AE5F, 0111AE60
AVG, xrefs: 0111AA66, 0111AAD6, 0111AAED, 0111AB5E, 0111AC48, 0111ACB6, 0111ACCD, 0111AD28, 0111AD96, 0111ADAD, 0111AE08, 0111AE76, 0111AE8D
Avg, xrefs: 0111AAE8, 0111ABCC, 0111ACC8, 0111ADA8, 0111AE88
Avira, xrefs: 0111ADC2, 0111ADDF, 0111ADE0
piriform, xrefs: 0111AD68, 0111AD7F, 0111AD80
AVG, xrefs: 0111AA55, 0111AA77, 0111AA8E, 0111AB3B, 0111AB4C, 0111AB63, 0111AC25, 0111AC36, 0111AC4D, 0111AC5A, 0111AC71, 0111AD05, 0111AD16, 0111AD2D, 0111AD3A, 0111AD51, 0111ADE5, 0111ADF6, 0111AE0D, 0111AE1A, 0111AE31
AVG, xrefs: 0111AB1E, 0111AB35, 0111AB36
privax, xrefs: 0111AC88, 0111AC9F, 0111ACA0
Avg, xrefs: 0111ABC7
pvx, xrefs: 0111AC79

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AVG$AVG$AVG$AVG Technologies$Avast$Avast Software$Avg$Avg$Avira$ModuleId$Piriform$Privax$ProductId$asw$avast$avg$avg$avg$avira$avr$on_avast_dll_unload$piriform$prf$privax$pvx
API String ID: 1883125708-2937535294
Opcode ID: 2e2adf5110d023d45ea54685b0e6752431ec33cc59ee26f8b95c2b7860956c87
Instruction ID: 3bcc0350fdbc904fb1957846c0b3dc78455a3fb8e93303076c5712594e23ac32
Opcode Fuzzy Hash: 2e2adf5110d023d45ea54685b0e6752431ec33cc59ee26f8b95c2b7860956c87
Instruction Fuzzy Hash: 01219B6564120223E22CB7A46C417B7BAE99F60554F040434FE079B28DE723DA46C3A5

Function 01142690 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 197
memorysleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,88D0918B,00000005,00000000), ref: 011426EB
GetClassInfoExW.USER32 ref: 011426F2
GetLastError.KERNEL32 ref: 01142700
Sleep.KERNELBASE(00000001), ref: 0114270A
GetProcessHeap.KERNEL32 ref: 01142722
HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 01142737
asw_process_storage_allocate_connector.AVG_TUNEUP_ONLINE_SETUP ref: 01142747
InitializeCriticalSection.KERNEL32(00000000), ref: 0114275A
GetProcessHeap.KERNEL32 ref: 01142760
GetProcessHeap.KERNEL32 ref: 0114277E
RegisterClassExW.USER32(00000030), ref: 011427A0
HeapFree.KERNEL32(?,00000000,00000000), ref: 011427D4
asw_process_storage_deallocate_connector.AVG_TUNEUP_ONLINE_SETUP ref: 011427E4
DeleteCriticalSection.KERNEL32(?), ref: 011427FF
GetProcessHeap.KERNEL32 ref: 01142805
HeapFree.KERNEL32(00000000,00000000,?), ref: 0114281B
asw_process_storage_deallocate_connector.AVG_TUNEUP_ONLINE_SETUP ref: 0114282B
GetLastError.KERNEL32 ref: 01142830
GetLastError.KERNEL32(?,0123F98C,?,0123FA64,00000000,00000000), ref: 011428A3

Strings

{9C7565A2-47C2-4869-B388-8C7F9AD8E577}, xrefs: 011426E4, 01142799

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Heap$Process$ErrorLast$ClassCriticalFreeSectionasw_process_storage_deallocate_connector$AllocDeleteHandleInfoInitializeModuleRegisterSleepasw_process_storage_allocate_connector
String ID: {9C7565A2-47C2-4869-B388-8C7F9AD8E577}
API String ID: 502576007-480667601
Opcode ID: 674521db13ab1c1a32b5807ac700aa2b935451d121b18dde2c5b1c8466255cf0
Instruction ID: 2ee88fcfbdaa64a8c08ff5e3999c8ba473c38530bc9480893fc2ba744a5bca49
Opcode Fuzzy Hash: 674521db13ab1c1a32b5807ac700aa2b935451d121b18dde2c5b1c8466255cf0
Instruction Fuzzy Hash: DE61B1759006179BDB29DFE8E848B9EBBF8EF44714F004129FC16E7640DB30A985CB90

Function 011254C0 Relevance: 32.0, APIs: 10, Strings: 8, Instructions: 531
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,00010000,00000007,00000000,00000003,00000000,00000000), ref: 011256B4
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0112574E
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0112587E

Part of subcall function 011253E0: SetLastError.KERNEL32(00000000,?,88D0918B,?,00000001,0000000D,88D0918B), ref: 01125494

MoveFileExW.KERNEL32(?,00000000,00000004), ref: 01125990
CloseHandle.KERNEL32(00000000), ref: 011259B5
EnterCriticalSection.KERNEL32(?,?), ref: 01125A93
LeaveCriticalSection.KERNEL32(?), ref: 01125AB4
WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 01125AE9
FlushFileBuffers.KERNEL32 ref: 01125B10

Part of subcall function 01140A30: EnterCriticalSection.KERNEL32(8q:,?), ref: 01140A51
Part of subcall function 01140A30: LeaveCriticalSection.KERNEL32(8q:), ref: 01140B08

GetLastError.KERNEL32 ref: 01125BA0

Strings

{}.to_rotate.{:016x}, xrefs: 0112557B
.old, xrefs: 0112561C
.log, xrefs: 01125548
{}.to_delete.{:016x}, xrefs: 01125781
BOM not present in '{}', xrefs: 01126072
.tmp., xrefs: 01125D7E
Failed to create new log file '{}', xrefs: 0112616E
Failed to open log file '{}', xrefs: 01126140

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$CriticalSection$Move$EnterErrorLastLeave$BuffersCloseCreateFlushHandleWrite
String ID: .log$.old$.tmp.$BOM not present in '{}'$Failed to create new log file '{}'$Failed to open log file '{}'${}.to_delete.{:016x}${}.to_rotate.{:016x}
API String ID: 3410606403-1439687905
Opcode ID: 2c2067c176f0dc42513dd7d94d7d09a153f9e5a8e7bc1da3ec1d9f3662d0f581
Instruction ID: 2f82bde6391b2ea6a7837da5a917f4347f0aa98d2804cb06da6de4b3d10fff0b
Opcode Fuzzy Hash: 2c2067c176f0dc42513dd7d94d7d09a153f9e5a8e7bc1da3ec1d9f3662d0f581
Instruction Fuzzy Hash: A412A171D00229DBDF18DBA4CC84BEDB7B6FF55304F4446A9E90AA7280EB706A85CF51

Function 0111C750 Relevance: 28.6, APIs: 8, Strings: 11, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 0111C87E
CloseHandle.KERNEL32(?), ref: 0111C893
CloseHandle.KERNEL32(?), ref: 0111C8A8
CloseHandle.KERNEL32(?), ref: 0111C8BD
CloseHandle.KERNEL32(?), ref: 0111C8D2
CloseHandle.KERNEL32(?), ref: 0111C8E7
CloseHandle.KERNEL32(?), ref: 0111C954
CloseHandle.KERNEL32(88D0918B), ref: 0111C96F

Strings

GetCachedSigningLevel, xrefs: 0111C064
kernel32.dll, xrefs: 0111C069, 0111C0B8
Unable to retrieve exit status for process '{}'!, xrefs: 0111C6AD
Unable to create process '{}'!, xrefs: 0111C2B8
Unable to write to the pipe!, xrefs: 0111C3ED
H, xrefs: 0111C1F2
D, xrefs: 0111C80B
Unable to wait for process '{}'!, xrefs: 0111C683
Wrong signature level '{}'!, xrefs: 0111C71D
UpdateProcThreadAttribute set_protection_level, xrefs: 0111C6E9
SetCachedSigningLevel, xrefs: 0111C0B3

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle
String ID: D$GetCachedSigningLevel$H$SetCachedSigningLevel$Unable to create process '{}'!$Unable to retrieve exit status for process '{}'!$Unable to wait for process '{}'!$Unable to write to the pipe!$UpdateProcThreadAttribute set_protection_level$Wrong signature level '{}'!$kernel32.dll
API String ID: 2962429428-819407044
Opcode ID: 1c46b9487da1161a949eeb59975769cc6a2fff1f0e3f2a3d6a09818ced6cc589
Instruction ID: af1f32d34dd07a80bdbdebe9e186972460d4129a6402eb69692ceb4b53f9efcb
Opcode Fuzzy Hash: 1c46b9487da1161a949eeb59975769cc6a2fff1f0e3f2a3d6a09818ced6cc589
Instruction Fuzzy Hash: B1617474D0035A8BDB24CFA8C944BADFBF4AF54314F1481A5E919A7384EB749A84CF91

Function 01154FA0 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000001,00000001,00000000,00000003,00000000,00000000), ref: 01154FE1
CloseHandle.KERNEL32(00000000), ref: 01155088
GetLastError.KERNEL32 ref: 011550AF
GetLastError.KERNEL32(Open file for DSA check fail!), ref: 01155107

Part of subcall function 01184FC0: GetFileSizeEx.KERNEL32(?,?,88D0918B,00000000), ref: 01184FF7

Strings

9536, xrefs: 01155053
isfx, xrefs: 01155063
5C69, xrefs: 011551A9
5C69, xrefs: 01155042
DSA for block with size '{}' verified with result '{}', xrefs: 011551C5
isfx, xrefs: 011551CA
9536, xrefs: 011551BA
Open file for DSA check fail!, xrefs: 01155102
Open file '{}' for DSA check fail {}!, xrefs: 011550F2
#, xrefs: 01155078
DSA for file '{}' verified with result '{}', xrefs: 0115505E
5, xrefs: 011551DF

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: #$5$5C69$5C69$9536$9536$DSA for block with size '{}' verified with result '{}'$DSA for file '{}' verified with result '{}'$Open file '{}' for DSA check fail {}!$Open file for DSA check fail!$isfx$isfx
API String ID: 3555958901-3607574954
Opcode ID: 386beba8a7b875524348b3e3de7388d119743c6be16daad8db1186ac0b5a585c
Instruction ID: 9cb59937da66cd94f90f4f598e0b3967e92049c50f63d6f213b9fe847df0504a
Opcode Fuzzy Hash: 386beba8a7b875524348b3e3de7388d119743c6be16daad8db1186ac0b5a585c
Instruction Fuzzy Hash: 6861ADB5D04249EFDB14DFD9D844BDEBBB8EB18714F10821AE820BB280DB745604CFA1

Function 01164700 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01164AE0: GetFileAttributesW.KERNEL32(88D0916B,88D0918B,00000000,?), ref: 01164B2D

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000), ref: 011648E4
GetLastError.KERNEL32 ref: 011649DA
GetLastError.KERNEL32(Create tmp directory security descriptor fail), ref: 01164A31

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

GetLastError.KERNEL32(?,0123F910,00000000), ref: 01164A54
GetLastError.KERNEL32(Create directory fail), ref: 01164AAF

Strings

Create tmp directory security descriptor fail {}!, xrefs: 01164A1C
Create tmp directory security descriptor fail, xrefs: 01164A2C
asw-, xrefs: 01164764
Create directory fail, xrefs: 01164AAA
SFX temp folder '{}' created., xrefs: 0116494E
Create directory '{}' fail {}!, xrefs: 01164A9A
G, xrefs: 01164971
D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU), xrefs: 01164897
4C6FF0D6, xrefs: 0116494B
isfx, xrefs: 01164953

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$DescriptorSecurity$AttributesConvertDispatcherExceptionFileStringUser
String ID: 4C6FF0D6$Create directory '{}' fail {}!$Create directory fail$Create tmp directory security descriptor fail$Create tmp directory security descriptor fail {}!$D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)$G$SFX temp folder '{}' created.$asw-$isfx
API String ID: 1834389848-888273643
Opcode ID: 02cbca6eaefc2aa4c6d51b849d4987357a2e542b5ba7d4ff3621c1ea2a0ebc1e
Instruction ID: 68ca8647b9a827a1fe15b6750c4cca00a854d63cdbcd38fa57f1c7ad88d4a6c0
Opcode Fuzzy Hash: 02cbca6eaefc2aa4c6d51b849d4987357a2e542b5ba7d4ff3621c1ea2a0ebc1e
Instruction Fuzzy Hash: 4AB15771C1025DDADF15DFA4C894BDDBBB4BF28308F508259D419BB281EB746A88CF51

Function 01172050 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?), ref: 011722D5
GetLastError.KERNEL32 ref: 011722F6

Strings

isfx, xrefs: 0117224D
Unpacking EDAT ({}), xrefs: 011721A1
EDAT not in payload ({}), xrefs: 01172255
6A36DF9A, xrefs: 0117218D
DF9A, xrefs: 01172324
Create EDAT directory '{}' fail {} ({}), skip, xrefs: 01172335
6A36, xrefs: 0117230C
6A36DF9A, xrefs: 01172241
isfx, xrefs: 0117233A
, xrefs: 0117227E
.edat, xrefs: 01172156
), xrefs: 01172358
tmp-path, xrefs: 01172098

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $)$.edat$6A36$6A36DF9A$6A36DF9A$Create EDAT directory '{}' fail {} ({}), skip$DF9A$EDAT not in payload ({})$Unpacking EDAT ({})$isfx$isfx$tmp-path
API String ID: 1799206407-18928079
Opcode ID: 70bf76af4bd9cd89a9bb068fd194ca529ae42beb0b4f06f15c0bf330fc3df606
Instruction ID: 12d5b07ae3a37b5cbd782f0f492c0aca8e906a0c587265a7b5247a4f07627ffc
Opcode Fuzzy Hash: 70bf76af4bd9cd89a9bb068fd194ca529ae42beb0b4f06f15c0bf330fc3df606
Instruction Fuzzy Hash: 7CB18A75E00229CFDB28CFA8C944B9DBBB1BF18314F148299D419A7381DB746E86CF91

Function 011831F0 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 228
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,00000002,00000005,00000000,00000002,00000080,00000000), ref: 01183241
GetLastError.KERNEL32(?,?,011ECA2E,000000FF), ref: 01183278
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 01183302
SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0118331C
SetEndOfFile.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,01227204,01227204), ref: 01183327
SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0118333C

Strings

Unable to create file '{}'!, xrefs: 01183284
Unable to set the file pointer!, xrefs: 0118337B
Unable to retrieve the file pointer!, xrefs: 01183359
Unable to set size of file to {} bytes!, xrefs: 011833A5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$Pointer$CreateErrorLast
String ID: Unable to create file '{}'!$Unable to retrieve the file pointer!$Unable to set size of file to {} bytes!$Unable to set the file pointer!
API String ID: 2176584126-2660858681
Opcode ID: 5f996b276636e04f434e0345c60c8a175e806024c2fd63f35ad521313ac2fa7d
Instruction ID: 42965e90218774bf403cb64e65615d2750f74f75fa12c6705401cf0522f1315f
Opcode Fuzzy Hash: 5f996b276636e04f434e0345c60c8a175e806024c2fd63f35ad521313ac2fa7d
Instruction Fuzzy Hash: 9B71D671A10219ABDB28DFD5DC45FEEB7B8FB04B10F144229F925A72C0DB70AA048B61

Function 01144180 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 45
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 01144189
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 01144199
GetProcAddress.KERNEL32(00000000), ref: 011441A0
SetDllDirectoryW.KERNEL32 ref: 011441C4
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 011441D4
GetProcAddress.KERNEL32(00000000), ref: 011441DB
IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 011441FC
ExitProcess.KERNEL32 ref: 0114420B
ExitProcess.KERNEL32 ref: 01144217

Strings

LdrEnumerateLoadedModules, xrefs: 011441CA
kernel32.dll, xrefs: 01144194
ntdll.dll, xrefs: 011441CF
SetDefaultDllDirectories, xrefs: 0114418F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess$DirectoryFeatureHeapInformationPresentProcessor
String ID: LdrEnumerateLoadedModules$SetDefaultDllDirectories$kernel32.dll$ntdll.dll
API String ID: 1015791202-1451921263
Opcode ID: 9382ea7251455d04c269c3b4ae26bb489e01abf742ed19fc79fcc7042fc5d471
Instruction ID: 44740776db2292875cba4c3b85648e165a0731bf20a17d3ff6ddc8c116f92a14
Opcode Fuzzy Hash: 9382ea7251455d04c269c3b4ae26bb489e01abf742ed19fc79fcc7042fc5d471
Instruction Fuzzy Hash: EB014F35B903276BE63D2BF19D0EF1E3A946B14F42F040024FE16AE588CBA084838B91

Function 011583C0 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 206
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000001,00000005,00000000,00000003,00000000,00000000), ref: 0115846E
CloseHandle.KERNEL32(00000000), ref: 01158492

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

GetLastError.KERNEL32(?,0123F910,The digest is not initialized!,00000020,88D0918B,?,?), ref: 011584EC

Strings

http://www.w3.org/2001/XMLSchema-instance, xrefs: 01158614
utf-8, xrefs: 011585E0
The digest is not initialized!, xrefs: 011584D1
encoding, xrefs: 011585E5
version, xrefs: 011585C8
Unable to open file '{}' for reading!, xrefs: 011584F8
xmlns:xs, xrefs: 01158619
1.0, xrefs: 011585C3
icarus-info, xrefs: 011585FD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
String ID: 1.0$The digest is not initialized!$Unable to open file '{}' for reading!$encoding$http://www.w3.org/2001/XMLSchema-instance$icarus-info$utf-8$version$xmlns:xs
API String ID: 3278050421-311654148
Opcode ID: 8eb6e55095a1f2e4fa910a706fac851682430ca1d70d8599acc441718a6aaf76
Instruction ID: b933f0bd410e4dc75ebd6fce6091deeb8dfd82cdb5d363e8653aaac918da83ef
Opcode Fuzzy Hash: 8eb6e55095a1f2e4fa910a706fac851682430ca1d70d8599acc441718a6aaf76
Instruction Fuzzy Hash: A6719F70E50219ABCF14DFA5C945BEEBBF8FF59704F10421AE511B7280DBB56A44CBA0

Function 0113B970 Relevance: 19.8, APIs: 4, Strings: 9, Instructions: 336COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0113BBBC
GetLastError.KERNEL32 ref: 0113BBEC
GetLastError.KERNEL32 ref: 0113BD52

Strings

Unable to make a .sys copy, xrefs: 0113BE41
\VarFileInfo\Translation, xrefs: 0113BBDA
GetFileVersionInfoSizeW '{}', xrefs: 0113BE6B
\StringFileInfo\%04x%04x\%s, xrefs: 0113BCD6
GetFileVersionInfoW '{}', xrefs: 0113BBC5
.sys, xrefs: 0113BA1F
asw, xrefs: 0113BA7E
VerQueryValueW '{}', xrefs: 0113BBF5, 0113BE3A
tmp, xrefs: 0113BA48

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID: .sys$GetFileVersionInfoSizeW '{}'$GetFileVersionInfoW '{}'$Unable to make a .sys copy$VerQueryValueW '{}'$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation$asw$tmp
API String ID: 1452528299-1955712893
Opcode ID: 183d0e9e8ef396c59a8fdff8db53e99e9f27d54f7dbf742d2d3c05038230a496
Instruction ID: b93be17c47b73c57f2106e159415ff9177c5f083d496da9c42e95a116d3fa27f
Opcode Fuzzy Hash: 183d0e9e8ef396c59a8fdff8db53e99e9f27d54f7dbf742d2d3c05038230a496
Instruction Fuzzy Hash: 9FE1AE70D1421A9BDB28DF64CC48BEDB7B4AF58308F1041EEE419A7295EB706B88CF51

Function 0116ADA0 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 291COMMON

Download Yara Rule

APIs

std::generic_category.LIBCPMTD ref: 0116AFCC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0116B10E

Strings

DSA verification check of file '{}' fail!, xrefs: 0116B166
sfx info can't be parsed., xrefs: 0116AF8C
Mandatory file '{}' is missing in payload., xrefs: 0116B0F6
sfx info file wasn't found in payload., xrefs: 0116B103
File is not DSA signed (alias:{})!, xrefs: 0116B17E
9608, xrefs: 0116B133
Failed to parse xml file '{}', '{}', xrefs: 0116AF7F
9403, xrefs: 0116B127
sfx-info.xml, xrefs: 0116ADEB

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::generic_categorystd::invalid_argument::invalid_argument
String ID: 9403$9608$DSA verification check of file '{}' fail!$Failed to parse xml file '{}', '{}'$File is not DSA signed (alias:{})!$Mandatory file '{}' is missing in payload.$sfx info can't be parsed.$sfx info file wasn't found in payload.$sfx-info.xml
API String ID: 4034108733-760804866
Opcode ID: ca44338d5ba36f0a52488c29c198f6946bce632ad805fdc13c329e4a63ff427a
Instruction ID: eac452c85bf4f330ff5cd15eaaec7945c04b0ce177e38901f2a9c1bedbce60e2
Opcode Fuzzy Hash: ca44338d5ba36f0a52488c29c198f6946bce632ad805fdc13c329e4a63ff427a
Instruction Fuzzy Hash: BCB1C371E002199BCB19EFA4CC54BEDB7B8BF58314F048299E519A7280DB74AE85CF91

Function 0113E2F0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253COMMON

Download Yara Rule

APIs

FindFirstVolumeW.KERNELBASE ref: 0113E33B
QueryDosDeviceW.KERNEL32(?,?,00000104,?,?,?), ref: 0113E3DC
FindNextVolumeW.KERNEL32(00000000,?,00000040), ref: 0113E449
GetLastError.KERNEL32(?,?), ref: 0113E457
FindVolumeClose.KERNEL32 ref: 0113E62C
GetLastError.KERNEL32(?,?), ref: 0113E657
GetLastError.KERNEL32(Unable to enumerate volumes!,?,?), ref: 0113E670

Strings

Unable to convert NT path '{}' to a volume GUID path!, xrefs: 0113E663, 0113E699
Unable to enumerate volumes!, xrefs: 0113E66B
\Device\LanmanRedirector\, xrefs: 0113E9BD
\\?\, xrefs: 0113E3B0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFindLastVolume$CloseDeviceFirstNextQuery
String ID: Unable to convert NT path '{}' to a volume GUID path!$Unable to enumerate volumes!$\Device\LanmanRedirector\$\\?\
API String ID: 1172878621-4107698323
Opcode ID: b16a4104adfbd77f048f0a06141966c22e75e58d5773071e44c4b027d204d782
Instruction ID: c99855dc7d72c27b6cbe9200e6c394097a0a8c9aca5b5e5f24600c49639165fe
Opcode Fuzzy Hash: b16a4104adfbd77f048f0a06141966c22e75e58d5773071e44c4b027d204d782
Instruction Fuzzy Hash: FCA17D7081125A9ADB28DF64CC49BEDB7B8AF54304F4446EAE809A7190EB70AB84CF50

Function 0115FEF0 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 114COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0115FF80

Part of subcall function 01139BE0: CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139BFD
Part of subcall function 01139BE0: GetLastError.KERNEL32(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C0B
Part of subcall function 01139BE0: GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C21
Part of subcall function 01139BE0: SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C39

GetLastError.KERNEL32 ref: 0116000B
GetLastError.KERNEL32(Create directory fail), ref: 01160062

Strings

BD21, xrefs: 01160019
Create directory fail, xrefs: 0116005D
Create directory '{}' fail {}!, xrefs: 01160050
The temp folder '{}' has been successfully created., xrefs: 0115FFB5
isfx, xrefs: 0115FFD6
9561, xrefs: 0115FFC3
tmp-path, xrefs: 0115FF2D
The folder {} already exists., xrefs: 0115FF98

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$AttributesFile$CreateDirectory
String ID: 9561$BD21$Create directory '{}' fail {}!$Create directory fail$The folder {} already exists.$The temp folder '{}' has been successfully created.$isfx$tmp-path
API String ID: 3677629684-1044835154
Opcode ID: 30af33435251f8fae0ea3202ac80807f815a31fb1d082ee4ea11c3dbeab95bea
Instruction ID: f38a6974b88f7237a6c75470680341da53c246b6be683210467309aebe2386a8
Opcode Fuzzy Hash: 30af33435251f8fae0ea3202ac80807f815a31fb1d082ee4ea11c3dbeab95bea
Instruction Fuzzy Hash: A2418175E00219EFCB14DF95D944BDEBBB5FB18708F104119E815B7380DB755A05CBA1

Function 01163710 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 244COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 01163A08
CloseHandle.KERNEL32(00000000), ref: 01163A1D

Strings

isfx, xrefs: 0116398E
Process '{}', timeout '{}' is still running, xrefs: 0116392B
Process '{}' finished with exit code '{}', xrefs: 01163989
874D, xrefs: 01163752
Start of run_process '{}', cmdline '{}', timeout '{}', xrefs: 01163778
3252, xrefs: 01163971
874D, xrefs: 01163906
3252, xrefs: 01163767
', xrefs: 011639A3
isfx, xrefs: 0116377D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle
String ID: '$3252$3252$874D$874D$Process '{}' finished with exit code '{}'$Process '{}', timeout '{}' is still running$Start of run_process '{}', cmdline '{}', timeout '{}'$isfx$isfx
API String ID: 2962429428-821306548
Opcode ID: 3273bb240f05a89bc1e1894e08b852236ae0ac0d4f62c1b8762670206c1c1608
Instruction ID: 6cb030ac91ff3a2289d8e68d2e6b686aac121b152af05bb35ea098d0cf74f3d0
Opcode Fuzzy Hash: 3273bb240f05a89bc1e1894e08b852236ae0ac0d4f62c1b8762670206c1c1608
Instruction Fuzzy Hash: 09B17775E00269DFEB18CFA8C944BEDBBB8BF04314F104199E919AB380DB746A45CF91

Function 0113F890 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 221registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01140670: RegOpenKeyExW.KERNEL32 ref: 0114072E

Part of subcall function 0113FB80: RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,000000FF), ref: 0113FC01

RegCloseKey.ADVAPI32(?), ref: 0113F90A
SetLastError.KERNEL32(00000000,?,?,0000000C,00000000), ref: 0113F915
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,0000000C,00000000), ref: 0113F9DA
ExpandEnvironmentStringsW.KERNEL32(?,0000000C,?,-00000001,00000000,?,?,?,0000000C,00000000), ref: 0113FA48
std::bad_exception::bad_exception.LIBCMT ref: 0113FAEC
std::bad_exception::bad_exception.LIBCMT ref: 0113FB07
RegCloseKey.ADVAPI32(00000000), ref: 0113FB2A
SetLastError.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 0113FB35

Strings

String environment expansion failed due to unexpected buffer size, xrefs: 0113FAFF
String environment expansion failed, xrefs: 0113FAE4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseEnvironmentErrorExpandLastStringsstd::bad_exception::bad_exception$OpenQueryValue
String ID: String environment expansion failed$String environment expansion failed due to unexpected buffer size
API String ID: 1312300718-527591527
Opcode ID: 58553d181eba12238c5162dcd3cacb64a114c11c25d1cee870e26acd3d27f37f
Instruction ID: be2afb9250b3cd114fe9fe6a7e063ba4b03ea9a5126b99b90f81554b87db4ecd
Opcode Fuzzy Hash: 58553d181eba12238c5162dcd3cacb64a114c11c25d1cee870e26acd3d27f37f
Instruction Fuzzy Hash: 7981E5B0D0020AAFDB28CFB8C854BEEBBF5EF98704F10851DE855A7254E770A546CB51

Function 0118D5A0 Relevance: 16.8, APIs: 11, Instructions: 278fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0118D6A8
GetLastError.KERNEL32(?,?,011ED49D), ref: 0118D6B2
GetVolumePathNameW.KERNELBASE(00000000,00000000,00000104), ref: 0118D729
GetLastError.KERNEL32(?,?,?,011ED49D), ref: 0118D733
GetVolumeNameForVolumeMountPointW.KERNEL32(00000010,00000010,00000104), ref: 0118D797
GetLastError.KERNEL32(?,?,?,?,?,011ED49D), ref: 0118D7A1
CreateFileW.KERNELBASE(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0118D7EB
GetLastError.KERNEL32(?,?,?,?,?,?,?,011ED49D), ref: 0118D7F9
DeviceIoControl.KERNELBASE(00000000,002D1080,00000000,00000000,?,0000000C,00000000,00000000), ref: 0118D81C
GetLastError.KERNEL32(?,?,?,?,?,?,?,011ED49D), ref: 0118D826
CloseHandle.KERNEL32(?), ref: 0118D83E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$Volume$Name$CloseControlCreateDeviceDirectoryFileHandleHeapMountPathPointProcessSystem
String ID:
API String ID: 204137380-0
Opcode ID: ab841ee8d0cf99af04cca5feccad84380ab807757d1e1c47b0fa0c81e4284e8e
Instruction ID: b86dcbd493b2c194fe5330ea41b20ee2d0ed09309f04443e28f0fa3e68244dbe
Opcode Fuzzy Hash: ab841ee8d0cf99af04cca5feccad84380ab807757d1e1c47b0fa0c81e4284e8e
Instruction Fuzzy Hash: 2BA19D70A006069FDB18EFE8D898BAEBBB5FF49314F148129E916A73D0DB709941CF50

Function 0118E230 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 259fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0118E2F9
GetLastError.KERNEL32 ref: 0118E307
CloseHandle.KERNEL32(?), ref: 0118E4D0

Strings

\\.\Scsi%u:, xrefs: 0118E2D8
SCSIDISK, xrefs: 0118E3E0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleHeapLastProcess
String ID: SCSIDISK$\\.\Scsi%u:
API String ID: 3436858811-3530472383
Opcode ID: e73e79a51525401e60d1bedc3a187d40171df1e1799dbd8e048d1c9046ce2d4f
Instruction ID: 07d76b506d58ba6a64896bcd914a3267d86db54be450c6f17f7d32c137860730
Opcode Fuzzy Hash: e73e79a51525401e60d1bedc3a187d40171df1e1799dbd8e048d1c9046ce2d4f
Instruction Fuzzy Hash: AFA1D27490020A9FEB19DFA8D884B9EBBF4FF08314F148159E915BB381E7759904CFA1

Function 0111A7E0 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 220COMMON

Download Yara Rule

Strings

PersistentStorage, xrefs: 0111B08C
avg, xrefs: 0111A8F1, 0111A902
AVG, xrefs: 0111A95C, 0111A972, 0111B07E, 0111B092
avg, xrefs: 0111A908, 0111A91E
Avg, xrefs: 0111A924, 0111A93A
AVG, xrefs: 0111A940, 0111A956
IcarusEnabled, xrefs: 0111B0FD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID: AVG$AVG$Avg$IcarusEnabled$PersistentStorage$avg$avg
API String ID: 0-1260397143
Opcode ID: 0e934d11717b7747885c3c163dd29f40c0d5995343bf1ece545810747b99de14
Instruction ID: 9e6a15219b0e94babf3082d166b07453790e8d70000d7bf4c175e7128235b0b5
Opcode Fuzzy Hash: 0e934d11717b7747885c3c163dd29f40c0d5995343bf1ece545810747b99de14
Instruction Fuzzy Hash: BAA1C27C915645EFDB28CF6CFA4CBAABBB0FB98308F118219D80597248E7706584CB51

Function 01131950 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 206libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0113196A
GetVersionExW.KERNEL32(0000011C), ref: 011319CD
GetVersionExW.KERNEL32(0000011C), ref: 011319E8
GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlGetVersion), ref: 01131A03
GetProcAddress.KERNEL32(00000000), ref: 01131A0A
RtlGetVersion.NTDLL ref: 01131A4B

Strings

RtlGetVersion, xrefs: 011319F9
NTDLL.DLL, xrefs: 011319FE

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Version$AddressHandleInfoModuleProcSystem
String ID: NTDLL.DLL$RtlGetVersion
API String ID: 335284197-196638859
Opcode ID: f692e9c69890f960e17833b896dfc0a3a2dd8ed386b9f4f8e3290cf1fab55952
Instruction ID: 427e108454dc044edb9f4491108156fe42a5d4201790482461ce8ad5880cbb30
Opcode Fuzzy Hash: f692e9c69890f960e17833b896dfc0a3a2dd8ed386b9f4f8e3290cf1fab55952
Instruction Fuzzy Hash: 7271D871E1012CA7FB3D8A55D8687E977A5EBCA310F19007AE706D728CD7388E904B5B

Function 0113D6D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00008000,00000000,88D0918B,?,?,88D0918B), ref: 0113D7AD
K32GetMappedFileNameW.KERNEL32(00000000,010F0000,?,00000000), ref: 0113D7BB
GetLastError.KERNEL32(Unable to retrieve the path of the module!), ref: 0113D91B
GetLastError.KERNEL32(Unable to get the path of the module!,?,0123F910,00000000), ref: 0113D93D
GetLastError.KERNEL32(Unable to store the path of the module!,?,0123F910,00000000), ref: 0113D95F

Strings

Unable to retrieve the path of the module!, xrefs: 0113D916
Unable to get the path of the module!, xrefs: 0113D938
Unable to store the path of the module!, xrefs: 0113D95A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CurrentFileMappedNameProcess
String ID: Unable to get the path of the module!$Unable to retrieve the path of the module!$Unable to store the path of the module!
API String ID: 1207367512-2385983247
Opcode ID: 3e2da48f1d54eba3a5940fbf8b0baa984ae5346b212a702bd5687f91b706df7e
Instruction ID: c9e5c8aa2b0cf725c5946c4dd8a33e122d4f88bbb5208d6790d516543b2301fa
Opcode Fuzzy Hash: 3e2da48f1d54eba3a5940fbf8b0baa984ae5346b212a702bd5687f91b706df7e
Instruction Fuzzy Hash: DF519D71D10249ABDB18DFE9D844BEEB7B8FF58704F10812AE425B7250EB746648CBA1

Function 01139BE0 Relevance: 13.6, APIs: 9, Instructions: 115COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139BFD
GetLastError.KERNEL32(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C0B
GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C21
SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C39
CreateDirectoryW.KERNEL32(?,?,?,0122147C), ref: 01139CC0
CreateDirectoryW.KERNEL32(?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139CE6
GetLastError.KERNEL32(?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139CF0
GetFileAttributesW.KERNEL32(?,?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139D01
SetLastError.KERNEL32(00000000,?,?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139D11

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectory$AttributesFile
String ID:
API String ID: 2650082360-0
Opcode ID: 67dface74ae836fdd9a22f66e2234d067968e191191283024d5e42778b51a73f
Instruction ID: 41708c5570dbe491f47e4a4900fa3d1ebe02de87930d76c30f70621c46616333
Opcode Fuzzy Hash: 67dface74ae836fdd9a22f66e2234d067968e191191283024d5e42778b51a73f
Instruction Fuzzy Hash: B831B6719042199BC7389FACD84856EB7F5EFC5328F100E2DE8A9D7144D770D9868B92

Function 011825D0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 332fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,01182FF0,01183470,?,00000000), ref: 01182872
GetLastError.KERNEL32(Unable to write uncompressed data to the disk!,?,0123F910,00000002,Unable to allocate LZMA context!,00000000,00000000,01182D0C,01227204,00000000,00000000,000000FF,88D0918B,00000000,01227204,?), ref: 0118299C

Strings

The LZMA stream has ended prematurely!, xrefs: 011829BB
Unable to write uncompressed data to the disk!, xrefs: 01182997
Unable to read LZMA header!, xrefs: 01182931
Unable to decompress LZMA stream!, xrefs: 011829DA
Unable to allocate LZMA context!, xrefs: 01182974

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: The LZMA stream has ended prematurely!$Unable to allocate LZMA context!$Unable to decompress LZMA stream!$Unable to read LZMA header!$Unable to write uncompressed data to the disk!
API String ID: 442123175-2965191148
Opcode ID: 6a2dd2e4395ddd2532b052e00f0c367fc83b9f27247505d4d868738380550b13
Instruction ID: 951ebee4d5603cd1d47c5514bb33f3c89d1c2a319a36756509140c79d3960ff6
Opcode Fuzzy Hash: 6a2dd2e4395ddd2532b052e00f0c367fc83b9f27247505d4d868738380550b13
Instruction Fuzzy Hash: 01C1E474604702AFD71DEF29C890B2ABBE5BF98314F148A2DF95597290E730E944CF92

Function 01126820 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

%04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu, xrefs: 01127769
list too long, xrefs: 01127197

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID: %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu$list too long
API String ID: 0-157234411
Opcode ID: 320018a9ae407d7a5dbe9d1af16576f4544bbd372bcc66c454f851a92357e19b
Instruction ID: 3f904d312285cc5354a63ea251e377a2e6c2e34781443193bddbc65665c673fe
Opcode Fuzzy Hash: 320018a9ae407d7a5dbe9d1af16576f4544bbd372bcc66c454f851a92357e19b
Instruction Fuzzy Hash: 83B1C371E00219DFCB18DFA8D844AEEF7B5FF58314F148229E925A7290EB30A915CF91

Function 0112D6E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0113EF50: UnmapViewOfFile.KERNELBASE(?,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113EFD6
Part of subcall function 0113EF50: MapViewOfFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113F002

UnmapViewOfFile.KERNEL32(00000000,?,00000000,?,00000000,?,?), ref: 0112D81C
CloseHandle.KERNEL32(00000000), ref: 0112D82A
CloseHandle.KERNEL32(FFFFFFFF), ref: 0112D839
UnmapViewOfFile.KERNEL32(?,?,00000000,0123F910,Unable to retrieve size of unmapped view!,00000000,00000000,02000000,?,?,00000000,?,00000000,?,?), ref: 0112D88B
CloseHandle.KERNEL32(?), ref: 0112D8AB
CloseHandle.KERNEL32(?), ref: 0112D8C0

Part of subcall function 0113EF50: GetLastError.KERNEL32(Unable to create mapping view!,?,0123F69C,?,0123F910,Unable to map a view of uninitialized mapping!,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113F085

Strings

Unable to retrieve size of unmapped view!, xrefs: 0112D85C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseFileHandleView$Unmap$ErrorLast
String ID: Unable to retrieve size of unmapped view!
API String ID: 998875810-268701684
Opcode ID: e98df7f8fff3d4c56abd918049154a9123cb405f6e4f6823c00749d0d031f4ae
Instruction ID: 0ff9a6abb94862b7ee3c79678e4c766599105bc87e31feb8ed4e1587af4a1692
Opcode Fuzzy Hash: e98df7f8fff3d4c56abd918049154a9123cb405f6e4f6823c00749d0d031f4ae
Instruction Fuzzy Hash: 60514D74D00659AFEB28CFA8E948B9EBBF4FF58314F144219E815A7390DB74A941CB90

Function 01184FC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 125fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,88D0918B,00000000), ref: 01184FF7
UnmapViewOfFile.KERNELBASE(00000000), ref: 011850C4
CloseHandle.KERNELBASE(00000000), ref: 011850D2
CloseHandle.KERNEL32(FFFFFFFF), ref: 011850E1

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

GetLastError.KERNEL32(Unable to get file size!,?,?,88D0918B,00000000), ref: 01185114

Strings

Unable to get file size!, xrefs: 0118510F
Unable to retrieve pointer of the unmapped view!, xrefs: 01185131

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseFileHandle$DispatcherErrorExceptionLastSizeUnmapUserView
String ID: Unable to get file size!$Unable to retrieve pointer of the unmapped view!
API String ID: 3332622499-1313134473
Opcode ID: 7100781d680b11d146b44a1b0eadf2d48d37c8e74482c59d44345767036a23fa
Instruction ID: 7900255039af32706c1c9ebd02e916ed95d75fafda8e240c566ec2baef997ef0
Opcode Fuzzy Hash: 7100781d680b11d146b44a1b0eadf2d48d37c8e74482c59d44345767036a23fa
Instruction Fuzzy Hash: 1C41E271D10349ABDF29DFE4C904BEEBBB5FF55714F204219E811B7280DB746A458B90

Function 0113EDC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(0113EEBF,?,?,FFFFFFFF,?,?,?,?,?,?,?,?,?,0113EEBF,?,00000000), ref: 0113EDEE
CreateFileMappingW.KERNELBASE(0113EEBF,?,00000002,?,?,00000000,?,?,?,?,?,?,?,?,?,0113EEBF), ref: 0113EE12
CloseHandle.KERNEL32(?), ref: 0113EE22
GetLastError.KERNEL32(Unable to get file size!,?,?,?,?,?,?,?,?,?,0113EEBF,?,00000000,?,?), ref: 0113EE52
GetLastError.KERNEL32(Unable to create file mapping!,?,0123F910,00000000,?,?,?,?,?,?,?,?,?,0113EEBF,?,00000000), ref: 0113EE74

Strings

Unable to get file size!, xrefs: 0113EE4D
Unable to create file mapping!, xrefs: 0113EE6F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleMappingSize
String ID: Unable to create file mapping!$Unable to get file size!
API String ID: 1040420615-1879323020
Opcode ID: e4eab0589bc2ab99a72732636362a46fc368aabe25226f3126c8ef59c72acfe6
Instruction ID: b3df9522564a71538294e9bdbd85cf1233606d1d70fabc44640da2d0838aea78
Opcode Fuzzy Hash: e4eab0589bc2ab99a72732636362a46fc368aabe25226f3126c8ef59c72acfe6
Instruction Fuzzy Hash: 4631F5716003096BD728EFA9DC49F9BBBFCAB94610F04052DF915A7294DB70B94487B0

Function 0113C030 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000005,00000000,?,00000080,00000000), ref: 0113C0B7
WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 0113C0DB
CloseHandle.KERNELBASE(00000000), ref: 0113C0E6
GetLastError.KERNEL32(?,40000000,00000005,00000000,?,00000080,00000000), ref: 0113C107

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

GetLastError.KERNEL32(set_file_content,?,0123F910,00000000,set_file_content '{}',00000015,?,?,40000000,00000005,00000000,?,00000080,00000000), ref: 0113C131

Strings

set_file_content '{}', xrefs: 0113C110
set_file_content, xrefs: 0113C12C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateDispatcherExceptionHandleUserWrite
String ID: set_file_content$set_file_content '{}'
API String ID: 804581075-2708867019
Opcode ID: e94f3d491c0e73e54d0ac2f3707103c4dddfde3cc8690d50e8ba5b1851f00d30
Instruction ID: edb6a598a7612fa728cf4e861520e7f4206fd84972343f77efd5faef5f20f3ad
Opcode Fuzzy Hash: e94f3d491c0e73e54d0ac2f3707103c4dddfde3cc8690d50e8ba5b1851f00d30
Instruction Fuzzy Hash: B331947590021ABFDB18DFE4DC04FEEBBB9EB45704F100129F525A7280DB746605CB91

Function 01182D20 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 212fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(00000000,?,?), ref: 01182DED
CloseHandle.KERNEL32(00000000), ref: 01182DFB
CloseHandle.KERNEL32(FFFFFFFF), ref: 01182E0A
CloseHandle.KERNEL32(00000000), ref: 01182EF8
CloseHandle.KERNEL32(00000000), ref: 01182F0E

Strings

Unable to retrieve size of unmapped view!, xrefs: 01182E44

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID: Unable to retrieve size of unmapped view!
API String ID: 260491571-268701684
Opcode ID: b825eb9d53237b93f65ad8063c65dc09e38aa94002bcae2441b94419f9dc2e01
Instruction ID: 80f25e7fd2d00411fe1ce1e301710bd62c31e4cf27b0df374f52c97025495a45
Opcode Fuzzy Hash: b825eb9d53237b93f65ad8063c65dc09e38aa94002bcae2441b94419f9dc2e01
Instruction Fuzzy Hash: C0819371D0065AAFDB19DF98D848BAEBBB8FF55724F104219F821A73C0DB746944CB90

Function 0113DA90 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0113DAE5
GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 0113DB0A
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0113DB39
GetLastError.KERNEL32(?,0123F910,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 0113DCE0
GetLastError.KERNEL32(?,0123F910,000000EA,Unable to retrieve a path of the known folder ({})!,00000033,?,?,0123F910,00000000,Unable to retrieve a path of the known folder ({})!,00000033,?,?,?), ref: 0113DD40

Strings

Unable to retrieve a path of the known folder ({})!, xrefs: 0113DCBE, 0113DCEF, 0113DD1A, 0113DD4F, 0113DD7A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: DirectoryErrorLast$FolderPathSystemWindows
String ID: Unable to retrieve a path of the known folder ({})!
API String ID: 1744653567-3064207712
Opcode ID: 1d6d6f22dad5d83e7b35c0c16472e63bf35f1c634bca5ea6122a31cb414d8032
Instruction ID: 5e55924f166a017765f2f2b7b37c385dea28744e40f874748428159903fe9ac4
Opcode Fuzzy Hash: 1d6d6f22dad5d83e7b35c0c16472e63bf35f1c634bca5ea6122a31cb414d8032
Instruction Fuzzy Hash: 24614971A10219ABDF3CDBD4EC89FEDB7BCAB95704F80019DE505A7184DBB0AB848B51

Function 01158710 Relevance: 10.7, APIs: 7, Instructions: 178COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0115878D
std::_Throw_Cpp_error.LIBCPMT ref: 01158798
std::_Throw_Cpp_error.LIBCPMT ref: 0115881D
std::_Throw_Cpp_error.LIBCPMT ref: 01158828

Part of subcall function 011952C7: ReleaseSRWLockExclusive.KERNEL32(?,?,01127DC1,?), ref: 011952DB

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: b6f85c7527b56dffff0e53c8264b8238ff326acb9bdc63bdbdf6586520a201f0
Instruction ID: 050e4d13e91b5743a26f326bf4b1a631e0b3bc5833eae505067a0d221688d7c2
Opcode Fuzzy Hash: b6f85c7527b56dffff0e53c8264b8238ff326acb9bdc63bdbdf6586520a201f0
Instruction Fuzzy Hash: 35514572A00A09EBDB19DF65DC01F9AB7A8FF14724F10062BF935A3680EB35B514CB91

Function 0113EF50 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113EFD6
MapViewOfFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113F002
GetLastError.KERNEL32(Unable to create mapping view!,?,0123F69C,?,0123F910,Unable to map a view of uninitialized mapping!,0113EEBF,?,?,?,?,0113EED2,00000000,00000000,00000000), ref: 0113F085

Strings

Unable to map a view of uninitialized mapping!, xrefs: 0113F040
Unable to create mapping view!, xrefs: 0113F080
Unable to map a view outside of the file mapping!, xrefs: 0113F021

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: FileView$ErrorLastUnmap
String ID: Unable to create mapping view!$Unable to map a view of uninitialized mapping!$Unable to map a view outside of the file mapping!
API String ID: 2514763941-1948104343
Opcode ID: 8d13125cde2ad82bbefc74241e3e7c8bc660a450d438c2ee7aae9cf7fcb1de36
Instruction ID: 27509b335163e10e0b0d5ab685d064c04bb3e6507c5829e098dfc2e30389e546
Opcode Fuzzy Hash: 8d13125cde2ad82bbefc74241e3e7c8bc660a450d438c2ee7aae9cf7fcb1de36
Instruction Fuzzy Hash: 0E31E231A007026FD328DF6AD840B5BFBE9AFD4604F044A2DF991C3254EB70F8498B62

Function 011D4276 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,88D0918B,?,011D4383,00000008,011434CA,?,00000000), ref: 011D4337

Strings

ext-ms-, xrefs: 011D42E1
api-ms-, xrefs: 011D42CD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 827dc3abd3caf1770796458970408744b80d436b64bc8022cb7f056706cd646a
Instruction ID: 401da97c1d6a5046efbb3bfc40e461177e5bd1a1e8503a5a9d29ff8cf956b537
Opcode Fuzzy Hash: 827dc3abd3caf1770796458970408744b80d436b64bc8022cb7f056706cd646a
Instruction Fuzzy Hash: 8D216D35A05231B7EB399BADEC45A5E37A8EB51770F150220EE11A7E84DB30ED01C7D0

Function 0113A3D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01139BE0: CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139BFD
Part of subcall function 01139BE0: GetLastError.KERNEL32(?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C0B
Part of subcall function 01139BE0: GetFileAttributesW.KERNELBASE(?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C21
Part of subcall function 01139BE0: SetLastError.KERNEL32(000000B7,?,?,0000000C,?,?,?,01117FD4,?,00000001,00000000,00000000,?,88D0918B,0000000C), ref: 01139C39

CreateFileW.KERNELBASE(?,00000006,00000007,00000000,00000003,02000000,00000000), ref: 0113A404
CloseHandle.KERNELBASE(00000000), ref: 0113A410
GetLastError.KERNEL32 ref: 0113A41D

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

GetLastError.KERNEL32(?,00000002), ref: 0113A444

Strings

Unable to open directory '{}' for writing!, xrefs: 0113A426
Unable to create directory '{}'!, xrefs: 0113A44D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CreateFile$AttributesCloseDirectoryDispatcherExceptionHandleUser
String ID: Unable to create directory '{}'!$Unable to open directory '{}' for writing!
API String ID: 4283016152-3801278387
Opcode ID: d91ca51fa8ba94c6d7b92e6434e91edb5bf345398e46acaa7a1d4b542a18f3f6
Instruction ID: cbc0a630867e8d6761fed94698b923889f35ce0fecaa64d501762097372378e6
Opcode Fuzzy Hash: d91ca51fa8ba94c6d7b92e6434e91edb5bf345398e46acaa7a1d4b542a18f3f6
Instruction Fuzzy Hash: 7901497165030277E238EAA8EC0AFCB379C9F54B10F400625F665E70D4CB70B645C7A2

Function 01191D80 Relevance: 9.3, APIs: 6, Instructions: 264registryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,88D0918B,00000000,?), ref: 01191DCF
RegOpenKeyExW.KERNEL32 ref: 01191E22
SetLastError.KERNEL32(00000000), ref: 01191E2D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$Open
String ID:
API String ID: 1333505713-0
Opcode ID: a68f28d48c6c133315f61ec9c39c369f7d57d5b41da31e2a2d49d9d04693b8fd
Instruction ID: b2694ab5baff14166bdb094d5310fcfc612a6b9481d3386b9bf701c0815ada6c
Opcode Fuzzy Hash: a68f28d48c6c133315f61ec9c39c369f7d57d5b41da31e2a2d49d9d04693b8fd
Instruction Fuzzy Hash: C3A1647190112ABFDF29DF68DC88BADB7B9FB18310F144599D829A7240D770AE84CF91

Function 0118F110 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

Part of subcall function 01190E20: GetProcessHeap.KERNEL32 ref: 01190E8A

MultiByteToWideChar.KERNEL32(00000003,00000000,00000001,000000FF,00000000,00000000), ref: 0118F222
MultiByteToWideChar.KERNEL32(00000003,00000000,00000001,000000FF,00000010,-00000001), ref: 0118F255
WideCharToMultiByte.KERNELBASE(00000003,00000000,00000010,000000FF,00000000,00000000,00000000,00000000), ref: 0118F2A6
WideCharToMultiByte.KERNEL32(00000003,00000000,00000010,000000FF,?,-00000001,00000000,00000000), ref: 0118F2DF

Strings

Microsoft Hv, xrefs: 0118F454

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharMultiWide$HeapProcess
String ID: Microsoft Hv
API String ID: 2590121937-2085137152
Opcode ID: f5a490baac0945e855424135ac152d2398e9123e6ff07e4a2c0ecd52147c523d
Instruction ID: 4ce08e1d6ffd72dacc69281bdac3930cb900b6862840a5db6f9506d36cf7f94d
Opcode Fuzzy Hash: f5a490baac0945e855424135ac152d2398e9123e6ff07e4a2c0ecd52147c523d
Instruction Fuzzy Hash: 3DD18071D0020ADFDB18DF98C894B9DFBB5FF58314F24826AE915AB280D771A945CF90

Function 011927A0 Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01192812
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000004,?,00000000,00000000,00000000), ref: 01192836
SetLastError.KERNEL32(00000000), ref: 01192841
RegSetValueExW.KERNEL32 ref: 01192863
SetLastError.KERNEL32(00000000), ref: 0119286C
SetLastError.KERNEL32(00000057,?), ref: 011928A0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$Create$Value
String ID:
API String ID: 642683725-0
Opcode ID: 4749462dab67fb1c8b1d32131e89a90ffb54e6648e59e73879f2c522ddb0f45b
Instruction ID: 0b601d5cc5001e6d2a2ca94d7d1f06e24b514b7aaea93065c2b86e59eae009b7
Opcode Fuzzy Hash: 4749462dab67fb1c8b1d32131e89a90ffb54e6648e59e73879f2c522ddb0f45b
Instruction Fuzzy Hash: AB313E75E0021AABEF29CF98DC45BBEBBF8EF44700F104159F921AB280D77499418BA1

Function 01168300 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 316COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0116872F

Strings

DSA signature is invalid:'{}'., xrefs: 011686E0
6DC057E3, xrefs: 01168636
DSA verification check of downloaded data product-info.xml (url {}) fail., xrefs: 011686CA
Downloaded product-info.xml (url {}) is empty., xrefs: 01168657, 0116866F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: 6DC057E3$DSA signature is invalid:'{}'.$DSA verification check of downloaded data product-info.xml (url {}) fail.$Downloaded product-info.xml (url {}) is empty.
API String ID: 2659868963-2262793315
Opcode ID: 18d1a0c3987b7e709442cb3147e70be9df95b84cdf711279b5721c2eff80e52e
Instruction ID: 5946e8193ab67293924d1ce0eab86286751eea46c7eae6fae4c19ded1e186eea
Opcode Fuzzy Hash: 18d1a0c3987b7e709442cb3147e70be9df95b84cdf711279b5721c2eff80e52e
Instruction Fuzzy Hash: 95C1AF71E1021D9FDB18DFA8C944B9DBBB9FF58314F14825AE418B7280DB74AA45CF90

Function 0113A060 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%TMP%,?,00000104,00000108,88D0918B), ref: 0113A0FF
GetLastError.KERNEL32(Unable to expand %TMP{} environment variable!), ref: 0113A388
GetLastError.KERNEL32(?,0123F910,00000000), ref: 0113A3A5

Strings

Unable to expand %TMP{} environment variable!, xrefs: 0113A383
%TMP%, xrefs: 0113A0FA

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandStrings
String ID: %TMP%$Unable to expand %TMP{} environment variable!
API String ID: 2871630417-2940734617
Opcode ID: 3cf909dd72b4d036058fb0cd4c415529250d413a9537038e683cdac3ba344105
Instruction ID: aed6c4ae791e4a99ad7fd8fede94fe87af4b53b5e156550871dc14fcaa7794ae
Opcode Fuzzy Hash: 3cf909dd72b4d036058fb0cd4c415529250d413a9537038e683cdac3ba344105
Instruction Fuzzy Hash: 6041A171D1020A9BDB18DFA9C444BEEFBF4FF58704F10812ED465B3280EBB466848B91

Function 01165E20 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 01165EEF

Strings

Header version is not supported, xrefs: 01165EAC
Version {} is not supported!, xrefs: 01165E97
4C48, xrefs: 01165E69
7FD9, xrefs: 01165E77

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID: 4C48$7FD9$Header version is not supported$Version {} is not supported!
API String ID: 2659868963-3929663962
Opcode ID: 5e54f914d08ade492b8e2be52b8184df98c629f859dc3b2b54473ee18ac9bb95
Instruction ID: 951530becb7e2dd608f5e938f5ed7565a9c6853657952ba90e5a0c6aa7f516c9
Opcode Fuzzy Hash: 5e54f914d08ade492b8e2be52b8184df98c629f859dc3b2b54473ee18ac9bb95
Instruction Fuzzy Hash: E321F771910305ABC704EF69D841C8AFBECAFA5614F00862AF45487251FBB0E558CBE1

Function 0113C150 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,01135FE4,00000000), ref: 0113C16D
WriteFile.KERNELBASE(00000000,00000000,01135FE4,01135FE4,00000000), ref: 0113C17E
SetEndOfFile.KERNELBASE(00000000,?,?,?,?,?,01135FE4,00000000), ref: 0113C189
GetLastError.KERNEL32(set_file_content,?,?,?,?,?,01135FE4,00000000), ref: 0113C1A4

Strings

set_file_content, xrefs: 0113C19F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$ErrorLastPointerWrite
String ID: set_file_content
API String ID: 972348794-1759716913
Opcode ID: 822ec38b2f372b1fe9f9738c66c0bd394f1b4eb4fa3ce94db483fd5187c13da7
Instruction ID: b37fa44ccd42f8ba62f8eb14142a71343c77f3c35dd96f28d9582cc6bcffd9eb
Opcode Fuzzy Hash: 822ec38b2f372b1fe9f9738c66c0bd394f1b4eb4fa3ce94db483fd5187c13da7
Instruction Fuzzy Hash: B7F0D631600109BBD728EBE59C09FFF7BBCEB85B10F000069F91596080CB305502C7A1

Function 011832B0 Relevance: 7.6, APIs: 5, Instructions: 126fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 01183302
SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0118331C
SetEndOfFile.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000000,?,00000001,01227204,01227204), ref: 01183327
SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0118333C
CloseHandle.KERNEL32(00000000), ref: 0118344A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$Pointer$CloseHandle
String ID:
API String ID: 1851150075-0
Opcode ID: 73dcf169b7c485ec0b4fd8e9cfe137940014065a7f9c1fae12b19811cc51825b
Instruction ID: 33ab507680335fe349a232e1da9ad5df0ca2a7c5c95d4f97ba8a79a3ce017d81
Opcode Fuzzy Hash: 73dcf169b7c485ec0b4fd8e9cfe137940014065a7f9c1fae12b19811cc51825b
Instruction Fuzzy Hash: 2941CA35A04209EBDB18DF99DC45BAEB7B8FB05B10F144129FD25A72C0DB70E9018BA5

Function 01193844 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0119384B
std::_Lockit::_Lockit.LIBCPMT ref: 01193856
std::_Lockit::~_Lockit.LIBCPMT ref: 011938C4

Part of subcall function 011939A7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 011939BF

std::locale::_Setgloballocale.LIBCPMT ref: 01193871
_Yarn.LIBCPMT ref: 01193887

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 01b2591a1c7faf9933769093b0c783e040256e101e5859b48cbe8eadaef919f3
Instruction ID: 8d4f8b8e1602c9693805cb62bddd5b75d09bac2a3d1d94e5f9027bcab77b01fd
Opcode Fuzzy Hash: 01b2591a1c7faf9933769093b0c783e040256e101e5859b48cbe8eadaef919f3
Instruction Fuzzy Hash: E0017C79A105169BDF1EEBB0E944A7D7BA2BFA4214B144109D8359B384DF38AA02CB81

Function 0113E960 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

FindVolumeClose.KERNEL32 ref: 0113EC6B

Part of subcall function 0113DA90: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0113DAE5
Part of subcall function 0113DA90: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 0113DB0A

Strings

\SystemRoot\, xrefs: 0113EA97
\Device\Mup\, xrefs: 0113EA3D
\Device\LanmanRedirector\, xrefs: 0113E9BD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseDirectoryFindFolderPathVolumeWindows
String ID: \Device\LanmanRedirector\$\Device\Mup\$\SystemRoot\
API String ID: 3371243582-816336259
Opcode ID: 2b21aabdb325112b6a532430732ce100030bb65408d20e8254561e2c360481cd
Instruction ID: a4cc7d8a4178c7aa4de3a1873c5fa9c520c5c1dd940fa30bf9658f882eebddf4
Opcode Fuzzy Hash: 2b21aabdb325112b6a532430732ce100030bb65408d20e8254561e2c360481cd
Instruction Fuzzy Hash: E2815DB1D0020DDFDF08DFA8D885ADDBBB5EF68318F508229E415B7284EB706649CB91

Function 0113E6D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

GetVolumePathNamesForVolumeNameW.KERNEL32(?,00000000,00000000,?), ref: 0113E7A8
GetVolumePathNamesForVolumeNameW.KERNEL32(?,00000000,00000000,00000000), ref: 0113E7E7
GetLastError.KERNEL32 ref: 0113E935

Strings

Unable to retrieve volume paths for volume '{}'!, xrefs: 0113E941

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Volume$NameNamesPath$ErrorLast
String ID: Unable to retrieve volume paths for volume '{}'!
API String ID: 1243668693-190204307
Opcode ID: 516f3670247bc698dc93a6b2eabd42ba004a5fe91c8efed4a653779f017921ce
Instruction ID: 3b209415425ab516d70640c3e3b3d490bb1fef0413842434f1c62604c623d768
Opcode Fuzzy Hash: 516f3670247bc698dc93a6b2eabd42ba004a5fe91c8efed4a653779f017921ce
Instruction Fuzzy Hash: 65817E71D00249DFDF19CFA8C844BEEBBB5EF98304F54461DE805A7284EB70A685CB91

Function 01118010 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 0113DA90: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 0113DAE5
Part of subcall function 0113DA90: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 0113DB0A

GetFileAttributesW.KERNELBASE(?,-00000088,88D0918B), ref: 011180AA

Strings

D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA), xrefs: 011181B5, 0111820F
D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU), xrefs: 011180CF
O:BAG:BAD:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;DTFRFW;;;BU), xrefs: 0111812C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AttributesDirectoryFileFolderPathWindows
String ID: D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)$D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)$O:BAG:BAD:P(A;CIOI;FA;;;SY)(A;CIOI;FA;;;BA)(A;CIOI;DTFRFW;;;BU)
API String ID: 4286144708-1970287685
Opcode ID: 9df568826de513dc5bdf3821b85492be5fdeca3e3e771bf8c908913d4d87d212
Instruction ID: e78d411a32b4582b4118edcc476ab2344d78768b173dbec3f33f2b3be7d6e875
Opcode Fuzzy Hash: 9df568826de513dc5bdf3821b85492be5fdeca3e3e771bf8c908913d4d87d212
Instruction Fuzzy Hash: E2613C71D1425DDAEF18EBA0D854BEDFBB4AF24308F50826CD405672C5EF742A4ACB62

Function 01168E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,04000100,00000000), ref: 01168F07
CloseHandle.KERNEL32(00000000), ref: 01168F7C
GetLastError.KERNEL32 ref: 01168FB8

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

Unable to create temporary file '{}', xrefs: 01168FC4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
String ID: Unable to create temporary file '{}'
API String ID: 3278050421-3251441461
Opcode ID: 00127fb9b4b8a37432ae131079c53b621cdad86aa34731b37c43343c680f5ae0
Instruction ID: 96a7eae504413231d54f2e19d69b685f55f10c2a5bcd31b2f6d957b61195c383
Opcode Fuzzy Hash: 00127fb9b4b8a37432ae131079c53b621cdad86aa34731b37c43343c680f5ae0
Instruction Fuzzy Hash: 6D519171D00219AFDF18DFA8D844BDDBBB9FF18714F10422AE925B7280EB716A45CB91

Function 01117EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,88D0918B,0000000C,?,?,?,?,?,00000020,01195501,00000000,00000080,?,?,?,01146C58), ref: 01117EE9
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,00000000,00000000), ref: 01117FBD

Strings

SeTakeOwnershipPrivilege, xrefs: 01117F1E, 01117F66
SeRestorePrivilege, xrefs: 01117F0E, 01117F75

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: DescriptorSecurity$AttributesConvertFileString
String ID: SeRestorePrivilege$SeTakeOwnershipPrivilege
API String ID: 2746451971-3495689257
Opcode ID: 95b9d4e7ecfbb0cead86b61801f13324ed25b05f6ffd40affe09fbb2701363b5
Instruction ID: 4ede56a2937b8d2af22681c157264911472cc24bb86919c4e42afe9ab12716cf
Opcode Fuzzy Hash: 95b9d4e7ecfbb0cead86b61801f13324ed25b05f6ffd40affe09fbb2701363b5
Instruction Fuzzy Hash: A341C471D0421A9BDB18DFA8D448BAEFBF5EF48708F000529D825773C4DB355949CBA2

Function 01171700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0010000,00000001,00000000,00000002,00000080,00000000), ref: 01171750
CloseHandle.KERNEL32(00000000), ref: 0117178A

Strings

Unable to create file '{}'!, xrefs: 011717D9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: Unable to create file '{}'!
API String ID: 3498533004-787908802
Opcode ID: c8408ce50498e7dd7bfc9932c454711c54c116515416cfd448f3bdc62d3fd035
Instruction ID: 72cf5045d31e4ae28b8c63806953cc81eb3693ff46764c540d3ffa26138e5f1a
Opcode Fuzzy Hash: c8408ce50498e7dd7bfc9932c454711c54c116515416cfd448f3bdc62d3fd035
Instruction Fuzzy Hash: 2E21D475A00209BFDB18DFA9DC49FDEB7F8EB48B14F10022AF915A7380DB7469008B90

Function 01167CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0010000,00000001,00000000,00000002,00000080,00000000), ref: 01167D00
CloseHandle.KERNEL32(00000000), ref: 01167D25

Strings

Unable to create file '{}'!, xrefs: 01167D74

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: Unable to create file '{}'!
API String ID: 3498533004-787908802
Opcode ID: 67cbd58a30afc082ddb60ecb3aed2d9161f8b54e98b75a8cd21d581622506d3b
Instruction ID: 9050d5fe764c441b8f945edb31eec560ba1a20323590c17a16376ff44a738954
Opcode Fuzzy Hash: 67cbd58a30afc082ddb60ecb3aed2d9161f8b54e98b75a8cd21d581622506d3b
Instruction Fuzzy Hash: 1411A271A00619BBDB24DB99DC45F9EB7B8FB48B14F10062AF525A72C0DB756A00CB51

Function 01169E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,C0010000,00000001,00000000,00000002,00000080,00000000), ref: 01169ED0
CloseHandle.KERNEL32(00000000), ref: 01169EF5

Strings

Unable to create file '{}'!, xrefs: 01169F44

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: Unable to create file '{}'!
API String ID: 3498533004-787908802
Opcode ID: 99def62be6d9625682e6f9292ebcb07152c53b54ea2ad0cbce0ec7042b8c9fce
Instruction ID: c6ea7c3d62f29eeedfef93be46e9ad67e58cf21e5a1fdf43273c0b995347f705
Opcode Fuzzy Hash: 99def62be6d9625682e6f9292ebcb07152c53b54ea2ad0cbce0ec7042b8c9fce
Instruction Fuzzy Hash: 9711E471A00219BFDB24DB99DC45F9EBBF8EB48B14F10062AF515A72C0DB746A00CB91

Function 0116E140 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0116E194
CloseHandle.KERNEL32(00000000), ref: 0116E1B5
GetLastError.KERNEL32(?,?,?,?,00000000,011EABDD,000000FF), ref: 0116E1D8

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

get_file_content '{}', xrefs: 0116E1E6

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
String ID: get_file_content '{}'
API String ID: 3278050421-465338922
Opcode ID: 0a68b2b89c224514e31666e22c6fc8a92dfcfd788408f2b4802b098443445d30
Instruction ID: f2b6d406c4ccfdedc8ea30fba55a888981cabc1a5cd87affc5e9cf69f405850d
Opcode Fuzzy Hash: 0a68b2b89c224514e31666e22c6fc8a92dfcfd788408f2b4802b098443445d30
Instruction Fuzzy Hash: 2611B771E0021AAFCB28DF99DC09FAEB7F9EB49710F10062AF511B72D0DB7456008B90

Function 011BBA63 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(0111D903,00000000,00000800,?,011BBA14,?,?,00000000,?,?,?,011BBB3E,00000002,FlsGetValue,01211960,FlsGetValue), ref: 011BBA70
GetLastError.KERNEL32(?,011BBA14,?,?,00000000,?,?,?,011BBB3E,00000002,FlsGetValue,01211960,FlsGetValue,?,?,011B40BB), ref: 011BBA7A
LoadLibraryExW.KERNEL32(0111D903,00000000,00000000,?,0111D903), ref: 011BBAA2

Strings

api-ms-, xrefs: 011BBA87

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 045a0b0959465b3ef95c177b3ffe41f274af21de98de772002f89a1e666e0ac4
Instruction ID: 41c1fe1a4cd1757607760fe88055baa664a7f7e5efc58e71ac33f82cc6ad5083
Opcode Fuzzy Hash: 045a0b0959465b3ef95c177b3ffe41f274af21de98de772002f89a1e666e0ac4
Instruction Fuzzy Hash: B5E04831748209BBEB251FF1DC46B9D3F95EB20A62F140030FD0DA8495D771D5919754

Function 01126BC0 Relevance: 6.2, APIs: 4, Instructions: 250COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000003,?,?,?,?), ref: 01126C7C
LeaveCriticalSection.KERNEL32(?), ref: 01126C9A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fda8f8917bfa6ef6aff47a231100c96263ee5286a28cb6d1513a741faccb4ce7
Instruction ID: e15bdcff1d86a30729a944c851673f94e1962dc7b12a01286e21cb955cccb139
Opcode Fuzzy Hash: fda8f8917bfa6ef6aff47a231100c96263ee5286a28cb6d1513a741faccb4ce7
Instruction Fuzzy Hash: 1091E270E002298FDF19DF68C884BAEBBA6FF05314F044169ED55AB3C0D735A966CB91

Function 01192E20 Relevance: 6.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

___scrt_release_startup_lock.LIBCMT ref: 01192F02
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 01192F17
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 01192F42
___scrt_uninitialize_crt.LIBCMT ref: 01192F99

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 3089971210-0
Opcode ID: 3af97315db4eef6329325e152d4bb5a4e996280b160ec503308ea19f08556a34
Instruction ID: 8c6e2437f2383d3aca51a0e98c3de80005ec14c2a64d702e1d4d77f792e1c26e
Opcode Fuzzy Hash: 3af97315db4eef6329325e152d4bb5a4e996280b160ec503308ea19f08556a34
Instruction Fuzzy Hash: F2417071A41256ABEF2DBFA89C057DE7BA5EF70608F140029E914B73C0D7321505C7A2

Function 01125A20 Relevance: 6.1, APIs: 4, Instructions: 128fileCOMMON

Download Yara Rule

APIs

Part of subcall function 011261E0: EnterCriticalSection.KERNEL32(?,88D0918B,?,?,?,?,?,?,?,?,?,?,?,?,011E47E5,000000FF), ref: 0112621C
Part of subcall function 011261E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011E47E5,000000FF), ref: 0112623A
Part of subcall function 011261E0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,011E47E5,000000FF), ref: 01126257
Part of subcall function 011261E0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,011E47E5,000000FF), ref: 01126296
Part of subcall function 011261E0: GetFileSizeEx.KERNEL32(01125A63,011E47E5,?,?,?,?,?,?,?,?,?,?,?,?,011E47E5,000000FF), ref: 011262B6

Part of subcall function 0112AEB0: FileTimeToSystemTime.KERNEL32(?,?,88D0918B,?,?), ref: 0112AF10

EnterCriticalSection.KERNEL32(?,?), ref: 01125A93
LeaveCriticalSection.KERNEL32(?), ref: 01125AB4
WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 01125AE9
FlushFileBuffers.KERNEL32 ref: 01125B10
GetLastError.KERNEL32 ref: 01125BA0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalFileSection$Enter$LeaveSizeTime$BuffersErrorFlushLastSystemWrite
String ID:
API String ID: 3948539269-0
Opcode ID: eedc7cff12ffd14baa8e63cb9a6ac9893e171c2b9333d57fc2604eb41197cf1d
Instruction ID: 762b2e29c20c653ac18561199a614ee2ed055abd3214395dfdeec6947a410ee9
Opcode Fuzzy Hash: eedc7cff12ffd14baa8e63cb9a6ac9893e171c2b9333d57fc2604eb41197cf1d
Instruction Fuzzy Hash: F9418D71A002199FDB18DFA8D884BADBBF6FF49310F148229E915E7240DB34E951CF90

Function 0112B650 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01142690: GetModuleHandleW.KERNEL32(00000000,{9C7565A2-47C2-4869-B388-8C7F9AD8E577},00000030,88D0918B,00000005,00000000), ref: 011426EB
Part of subcall function 01142690: GetClassInfoExW.USER32 ref: 011426F2
Part of subcall function 01142690: GetLastError.KERNEL32 ref: 01142700
Part of subcall function 01142690: Sleep.KERNELBASE(00000001), ref: 0114270A
Part of subcall function 01142690: GetProcessHeap.KERNEL32 ref: 01142722
Part of subcall function 01142690: HeapAlloc.KERNEL32(00000000,00000000,00000034), ref: 01142737
Part of subcall function 01142690: InitializeCriticalSection.KERNEL32(00000000), ref: 0114275A
Part of subcall function 01142690: GetProcessHeap.KERNEL32 ref: 01142760
Part of subcall function 01142690: GetProcessHeap.KERNEL32 ref: 0114277E
Part of subcall function 01142690: RegisterClassExW.USER32(00000030), ref: 011427A0
Part of subcall function 01142690: HeapFree.KERNEL32(?,00000000,00000000), ref: 011427D4
Part of subcall function 01142690: DeleteCriticalSection.KERNEL32(?), ref: 011427FF
Part of subcall function 01142690: GetProcessHeap.KERNEL32 ref: 01142805

EnterCriticalSection.KERNEL32(00000000,88D0918B), ref: 0112B69B

Part of subcall function 011B1C88: ___unDName.LIBVCRUNTIME ref: 011B1CB5

Part of subcall function 0112B860: GetProcessHeap.KERNEL32(0121D3E4,?,?,?,?,?,?,?,?,?,?,?,?,0112B6C8), ref: 0112B874
Part of subcall function 0112B860: HeapAlloc.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,0112B6C8), ref: 0112B8AA

HeapFree.KERNEL32(?,00000000,?), ref: 0112B6FB
asw_process_storage_deallocate_connector.AVG_TUNEUP_ONLINE_SETUP ref: 0112B70B
LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 0112B713

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Heap$Process$CriticalSection$AllocClassFree$DeleteEnterErrorHandleInfoInitializeLastLeaveModuleNameRegisterSleep___unasw_process_storage_deallocate_connector
String ID:
API String ID: 1926385501-0
Opcode ID: 69a2bf531cf2d80d676f5d61f852528e4ea6ecaf8920a8d69a671dc2a4e277ec
Instruction ID: e83b0e360b0187a6322d6488f43dc4bbb539a7a913b558cef2e884bff1c8d80c
Opcode Fuzzy Hash: 69a2bf531cf2d80d676f5d61f852528e4ea6ecaf8920a8d69a671dc2a4e277ec
Instruction Fuzzy Hash: F4214771E042099FDB18DFA8DC45BEEBBF8EB18610F104229EC11B7280DB3069508BA5

Function 0114FB30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

std::generic_category.LIBCPMTD ref: 0114FCB9

Strings

temp-base-dir, xrefs: 0114FC43
tmp-path, xrefs: 0114FC11

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::generic_category
String ID: temp-base-dir$tmp-path
API String ID: 2374251199-2455490265
Opcode ID: ff921d41a73c775a95208bb8a51c63dc450f9e679a4be59d9991ceb3a135c9f0
Instruction ID: 9d7c299e0ba1f37991a586fd8bb2ad5be1af8db7b5ecb978d03a9a8a55542fe8
Opcode Fuzzy Hash: ff921d41a73c775a95208bb8a51c63dc450f9e679a4be59d9991ceb3a135c9f0
Instruction Fuzzy Hash: 16514675A0012E9FCB18DF94D945BEEBBF9EF58704F044099E90AA7380DB70AA45CF91

Function 0114A850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,?), ref: 0114A8FD

Strings

get_available_disk_space, xrefs: 0114A94A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: DiskFreeSpace
String ID: get_available_disk_space
API String ID: 1705453755-1899927582
Opcode ID: c669c0e3c5ff26e8680ad1fd4289177f368e276f597fad621d9025f55e7ddb3e
Instruction ID: 9c2e70c804721be0ec46a6f62450fa2ecc6f96fc61ec3c4f0eefe4b1f7962dca
Opcode Fuzzy Hash: c669c0e3c5ff26e8680ad1fd4289177f368e276f597fad621d9025f55e7ddb3e
Instruction Fuzzy Hash: 1741C375E00209AFDB1CCF94E844FEEB7B8EF54704F158169E912A7250EB30A905CBA1

Function 010F8A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(88D0918B), ref: 010F8AAF

Part of subcall function 0111B9F0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000,00000000), ref: 0111BA23

GetCurrentProcess.KERNEL32 ref: 010F8AD4

Strings

%d-%s, xrefs: 010F8B08

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Process$Current$InformationQuery
String ID: %d-%s
API String ID: 3761803441-1781338863
Opcode ID: 7e5d0e1854995eea44b3089f2c12a0fce36525df94b426f5947dadbd385c3e24
Instruction ID: 9c0c9c15d42ffd0a83535673dde035f5004bf9d4032d85bf96e2b0981edac2f6
Opcode Fuzzy Hash: 7e5d0e1854995eea44b3089f2c12a0fce36525df94b426f5947dadbd385c3e24
Instruction Fuzzy Hash: A2318E71D0524A9BDB14DFA8D5047EEFBF4FF58308F20462EE445A3280EB756A88CB91

Function 011D69D2 Relevance: 4.7, APIs: 3, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 011D6B81

Part of subcall function 011D2037: RtlAllocateHeap.NTDLL(00000000,?,?,?,01195E9C,?,?,011434CA,00000008,88D0918B), ref: 011D2069

__freea.LIBCMT ref: 011D6B96
__freea.LIBCMT ref: 011D6BA6

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 6458e3ed021aec7cc31109ee82795a25e5d4c6bbeb91b2ff897c2e4c236a0778
Instruction ID: 502e83c9f982dc320a31ea34c1769ff00f7f91b1d66558bb3af334a55eea1ade
Opcode Fuzzy Hash: 6458e3ed021aec7cc31109ee82795a25e5d4c6bbeb91b2ff897c2e4c236a0778
Instruction Fuzzy Hash: 9351A072600216AFEF299F69CC80EBF3BAAEF54358B154129FD18E6150EB71DD10C7A1

Function 0113A6E0 Relevance: 4.7, APIs: 3, Instructions: 171sleepCOMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNELBASE(?,00000003,00000000,?,?,?,88D0918B,?,?), ref: 0113A7E8
GetLastError.KERNEL32(?,?,88D0918B,?,?), ref: 0113A7FC
Sleep.KERNEL32(000000C8,?,?,88D0918B,?,?), ref: 0113A817

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileHandleInformationLastSleep
String ID:
API String ID: 3034249586-0
Opcode ID: 5fc6187483713ed7faa9e14cb67c4e1faad97b468f95642c22478a95eee42466
Instruction ID: 2edcafadfdaefe72e85799389a54322c2496d6eecc39d71ee9b3ac3859fed977
Opcode Fuzzy Hash: 5fc6187483713ed7faa9e14cb67c4e1faad97b468f95642c22478a95eee42466
Instruction Fuzzy Hash: 9D618030A0060A8FDB29DF68D8447ADB7F5FF98324F14865DE466D72D0DB75A942CB80

Function 0112ACE0 Relevance: 4.6, APIs: 3, Instructions: 145timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0112AE6C
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE80
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE89

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CurrentTime$FileProcessSystemThread
String ID:
API String ID: 2426501826-0
Opcode ID: 9d08233e5f2297b90a9ff8c2134b45503a698f970d9dce7a55c6a4bcf630ca8a
Instruction ID: c11fac0a124a35feaea9ea9be5533c103a889d6b8b161c7962dd7def2e4acad3
Opcode Fuzzy Hash: 9d08233e5f2297b90a9ff8c2134b45503a698f970d9dce7a55c6a4bcf630ca8a
Instruction Fuzzy Hash: 5951CCB1D107198FC718CF68D844AAAFBF4FF59314F00865EE855AB741EB70A984CB91

Function 0111B2B0 Relevance: 4.6, APIs: 3, Instructions: 113registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01140670: RegOpenKeyExW.KERNEL32 ref: 0114072E

RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 0111B347

Part of subcall function 0113F5C0: ___std_exception_copy.LIBVCRUNTIME ref: 0113F6FF

RegCloseKey.ADVAPI32(?), ref: 0111B382
SetLastError.KERNEL32(00000000), ref: 0111B38D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseErrorLastOpenQueryValue___std_exception_copy
String ID:
API String ID: 941120629-0
Opcode ID: 856027f6cb41d286520c95162a0a7348dc7d529dab741d423b5214d23ec0b8b2
Instruction ID: cc29c101e992767eb52509be2b6c434d9a28c287c9a47acbdce606126284c8e4
Opcode Fuzzy Hash: 856027f6cb41d286520c95162a0a7348dc7d529dab741d423b5214d23ec0b8b2
Instruction Fuzzy Hash: 18415DB1D14208AFDF14DFA8D944BDEFBF8FB08714F004169E915A7245EB74A9048BA5

Function 01125BD0 Relevance: 4.6, APIs: 3, Instructions: 88fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00010005,00000007,00000000,00000003,00000080,00000000), ref: 01125C46

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 86b3e7e8e901069babfd72e5f7b1ec3962f9d554c4099362f2c07523c90439a2
Instruction ID: 7ba7f07f9c8428c6d5ca68a5b1f360f3485471a2b6e8d332e41ae41346a173a1
Opcode Fuzzy Hash: 86b3e7e8e901069babfd72e5f7b1ec3962f9d554c4099362f2c07523c90439a2
Instruction Fuzzy Hash: 203194B0910315EFEB25CF65CC49B9ABBF4FF05714F108299E518AB281E7B1AA84CB50

Function 01140A30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(8q:,?), ref: 01140A51
LeaveCriticalSection.KERNEL32(8q:), ref: 01140B08

Part of subcall function 01196256: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 01196261
Part of subcall function 01196256: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 0119629B

Part of subcall function 01140810: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0114083A
Part of subcall function 01140810: GetCurrentProcessId.KERNEL32 ref: 01140853
Part of subcall function 01140810: GetCurrentThreadId.KERNEL32 ref: 0114086F
Part of subcall function 01140810: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 011408AC
Part of subcall function 01140810: GetDiskFreeSpaceExW.KERNELBASE(00000000,?,00000000,00000000), ref: 011408E3
Part of subcall function 01140810: GetSystemTimes.KERNEL32 ref: 0114090C

Part of subcall function 01196205: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,01107AD8,0124E600), ref: 0119620F
Part of subcall function 01196205: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,01107AD8,0124E600), ref: 01196242
Part of subcall function 01196205: WakeAllConditionVariable.KERNEL32(0124D9D0,?,01107AD8,0124E600), ref: 0119624D

Strings

8q:, xrefs: 01140A4C, 01140B03

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireCriticalCurrentReleaseSectionSystemTime$ConditionDiskEnterFileFreeGlobalLeaveMemoryProcessSpaceStatusThreadTimesVariableWake
String ID: 8q:
API String ID: 1939839377-621935679
Opcode ID: 3914c74d6289d257900b6a1ea1fb3d13b8f5e07c7abe8949989198a826ac66d0
Instruction ID: af63e8b4084edc33680a916dfb9d500d38b945bf8301eabae4d60d03b8137515
Opcode Fuzzy Hash: 3914c74d6289d257900b6a1ea1fb3d13b8f5e07c7abe8949989198a826ac66d0
Instruction Fuzzy Hash: 30212C769143608BC318EF6DEA0599A73A0FBD8714F44462EF96AD7254EB30F544CB82

Function 0112AE00 Relevance: 4.6, APIs: 3, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0112AE6C
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE80
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE89

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CurrentTime$FileProcessSystemThread
String ID:
API String ID: 2426501826-0
Opcode ID: 44e96dcfb5c126c80806821b8270f92d249451d5b65c0d8767ff1552f75cf65a
Instruction ID: 411b83ab0799ae18564d3370b9477d1f45069b432cc6fdd6d126906b5abdc89c
Opcode Fuzzy Hash: 44e96dcfb5c126c80806821b8270f92d249451d5b65c0d8767ff1552f75cf65a
Instruction Fuzzy Hash: 3F216D759047069FC724DF68E504496BBF5FF89710B00CA5EEC9A8B711EB30E554CB91

Function 011C22EC Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000D2190,00000000,00000000,00000000), ref: 011C2335
GetLastError.KERNEL32(?,01146C0F,00000000,00000000), ref: 011C2341
__dosmaperr.LIBCMT ref: 011C2348

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 5578d6dbc76986adb1bff914c4052a4d1c97b00be83163cfc0cc8d5b20a9d37b
Instruction ID: df45f69916c107f70c93590c21e575297dd7d907bb1ac019ba18e6fd77d0463f
Opcode Fuzzy Hash: 5578d6dbc76986adb1bff914c4052a4d1c97b00be83163cfc0cc8d5b20a9d37b
Instruction Fuzzy Hash: EF01883660420AEBDF1EAFE4DC04AEE7BA9EF28A64F00406CF80196150DB31CA40DB90

Function 0112AA30 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0112AAB2

Part of subcall function 0112B650: EnterCriticalSection.KERNEL32(00000000,88D0918B), ref: 0112B69B
Part of subcall function 0112B650: HeapFree.KERNEL32(?,00000000,?), ref: 0112B6FB
Part of subcall function 0112B650: LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 0112B713

Part of subcall function 0112ACE0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0112AE6C
Part of subcall function 0112ACE0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE80
Part of subcall function 0112ACE0: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0112AE89

Strings

{{{}}} {}, xrefs: 0112AB98

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalCurrentSectionTime$EnterFileFreeHeapLeaveProcessSystemThreadValue
String ID: {{{}}} {}
API String ID: 4134713035-2117331405
Opcode ID: 83e99a2503bad696d2a0701bdcab9ff3b6f79744dc6cef95789dfb22a42ab6c8
Instruction ID: 4b32151301565d43341ce1ebe83bdb6aecc05683b9dc5d68df205f5808bee3fd
Opcode Fuzzy Hash: 83e99a2503bad696d2a0701bdcab9ff3b6f79744dc6cef95789dfb22a42ab6c8
Instruction Fuzzy Hash: FE81F871E002189FCB1DCF6CE9946ADBBB6FF44314F14421AE825AB781EB709955CB81

Function 01160F40 Relevance: 3.2, APIs: 2, Instructions: 216registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 01160F9C
RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000003,00000000,0000012C), ref: 01161016

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 716c8d679c58483bc1b1da9c99d24e48791b9d53dc4b6c904217b497e19674ab
Instruction ID: 8cb1ae4a9cbd372c62c30dc908db0ba75100c9dfee549be7a3e7bf883e11d57e
Opcode Fuzzy Hash: 716c8d679c58483bc1b1da9c99d24e48791b9d53dc4b6c904217b497e19674ab
Instruction Fuzzy Hash: 8F81A170E00289EFDF19CFA8C844BEEBBB9AF55304F144119E811BB285D771A955CB92

Function 011D3B29 Relevance: 3.2, APIs: 2, Instructions: 191fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 011D323C: GetConsoleOutputCP.KERNEL32 ref: 011D329F

WriteFile.KERNELBASE(?,011E6F0C,428D0824,0123F360,00000000), ref: 011D3C92
GetLastError.KERNEL32(?,00000008), ref: 011D3C9C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 01ec9c6386ac8b4cb3d9bc881f4d675d9a3be21d1b4888d91e1d8385fe5b5ec3
Instruction ID: 92b6718eb5084c20b5c3e69b63c35ae5737e7329134fcf0e8944a695d63f5521
Opcode Fuzzy Hash: 01ec9c6386ac8b4cb3d9bc881f4d675d9a3be21d1b4888d91e1d8385fe5b5ec3
Instruction Fuzzy Hash: F96190F5D14259AFEF198FA9C884AEEBFB8BF19308F054155E920A7252D331D901CB62

Function 011D8C8B Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 011D87B7: GetOEMCP.KERNEL32(00000000,?,?,011D1F89,4D88C033), ref: 011D87E2

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,011D8ACE,?,00000000,?,011D1F89,4D88C033), ref: 011D8CEC
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,011D8ACE,?,00000000,?,011D1F89,4D88C033), ref: 011D8D2E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0e940c5772cd59ee1d0b06bf1606e8638c6e25b75ce4d831b8f0bec41a46d2c1
Instruction ID: 416ddc31916a5da7cea37c463a65db0249b0e01b3cebaef0506162ebb69b610e
Opcode Fuzzy Hash: 0e940c5772cd59ee1d0b06bf1606e8638c6e25b75ce4d831b8f0bec41a46d2c1
Instruction Fuzzy Hash: 13514670A00B559FDB29CF39C880BAEBBF5FF95304F18456EC0868B292E7749546CB90

Function 011476B0 Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d7912937126f2f564c468a4d2c0c0cd946ed49077e5d78b6dcba9c05fb133
Instruction ID: 490360cc2e81a016824ddfb7c2570026702429d07a2ae22e9c9ec9af7417a487
Opcode Fuzzy Hash: fa2d7912937126f2f564c468a4d2c0c0cd946ed49077e5d78b6dcba9c05fb133
Instruction Fuzzy Hash: E941C2705007059FE738DF29D484B6BBBF9EF10718F10091DE1969BAC1D775E9448BA2

Function 01118670 Relevance: 3.1, APIs: 2, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 011187AA
SetLastError.KERNEL32(00000000), ref: 011187B5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseErrorLast
String ID:
API String ID: 3262646002-0
Opcode ID: 6d2e8700482695c57174b195fe62d75ef4c6fda8940161f05497da7deb9cad82
Instruction ID: c0ff503ab39cbfdc8fd4dbd2d4c6c7032b341ea917e53c398d1d249352ee137a
Opcode Fuzzy Hash: 6d2e8700482695c57174b195fe62d75ef4c6fda8940161f05497da7deb9cad82
Instruction Fuzzy Hash: 0F415874D012199FDB28DFA8D988B9DFBF8FB18218F0041A9D819E7244EB309A84CF51

Function 011BB9C3 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,011BBB3E,00000002,FlsGetValue,01211960,FlsGetValue,?,?,011B40BB), ref: 011BBA46
GetProcAddress.KERNEL32(00000000,?,?,00000000,?,?,?,011BBB3E,00000002,FlsGetValue,01211960,FlsGetValue,?,?,011B40BB), ref: 011BBA50

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: f7ccfa084026ce270fb9876ec1c7badf42477ed5257e792ba24c6891e058ae89
Instruction ID: 2493407ddcaaeec4c2165ffa7049ede681a09b5bff1806919660c7b7402f79e5
Opcode Fuzzy Hash: f7ccfa084026ce270fb9876ec1c7badf42477ed5257e792ba24c6891e058ae89
Instruction Fuzzy Hash: DA11BE36A091299F9B2BCFB8E8C08EA77A4FF463517150169E9069B600E770D902CB94

Function 011958E3 Relevance: 3.1, APIs: 2, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(011164E0,?,011939E7,01193A50,?,01193876,00000000,00000000,00000000,00000004,011164E0,00000001,?,88D0918B,00000000,00000000), ref: 011958F6
IsProcessorFeaturePresent.KERNEL32(00000017), ref: 011CC72D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: 9844b6732825fccfba4ef6f639276fdf2ba2f3367465e1ff7cb27dfac40ea9f3
Instruction ID: 298bccefd8015b1a638009a6f460543823102bf34a1b15e7299677a0a503f9d3
Opcode Fuzzy Hash: 9844b6732825fccfba4ef6f639276fdf2ba2f3367465e1ff7cb27dfac40ea9f3
Instruction Fuzzy Hash: FA012B75214745ABFB39AB4CF849B953BA9E764B14F04002DF90C9A1C5DBB49881C7D0

Function 011C2190 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0123EFB8,0000000C), ref: 011C21A3
ExitThread.KERNEL32 ref: 011C21AA

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: bbc6fdc314b6693514ca34ef9c4bd9e35d99eb4bea2082c08e8b9c967a1e7f04
Instruction ID: 7c0652d49916af9feba56e66def29133bf06c81c26a2d895f201f117ecf78222
Opcode Fuzzy Hash: bbc6fdc314b6693514ca34ef9c4bd9e35d99eb4bea2082c08e8b9c967a1e7f04
Instruction Fuzzy Hash: 3FF02275900206EFDB1DBFF4C809AAE3BB4FF94A40F200059E4129B690CB309941CBA0

Function 011B4163 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 011B4181
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 011B418C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a7b2bc61f56f660c0b9c77a9f839a2bebc862b9f5021eb4154ffa102dc757431
Instruction ID: 75987594fc180ef819aaefed315bbb0596a515d3ec197de3c04e185abfc697a5
Opcode Fuzzy Hash: a7b2bc61f56f660c0b9c77a9f839a2bebc862b9f5021eb4154ffa102dc757431
Instruction Fuzzy Hash: 4FD022ADF0C303085C3CE6BCB8C14CC234069728BC3A0C35AC02286CD7EB50A0026233

Function 01192340 Relevance: 2.6, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 01191D80: SetLastError.KERNEL32(00000057,88D0918B,00000000,?), ref: 01191DCF

GetLastError.KERNEL32 ref: 011923CB
SetLastError.KERNEL32(00000000), ref: 01192404

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: fc87e2fad8327c0bea7b5251e4293b8bbd85d93786877a4e400ce5a34c28412b
Instruction ID: 35e1fb41eb50a0afb9e796bfa72a65216b27d43914640826814562f916d9f756
Opcode Fuzzy Hash: fc87e2fad8327c0bea7b5251e4293b8bbd85d93786877a4e400ce5a34c28412b
Instruction Fuzzy Hash: 66219171D0025AABDF18DFA4DC44BEEBBB5FF88714F144619E821B7240D778AA408BA1

Function 011D1C1A Relevance: 2.5, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000), ref: 011D1C30
GetLastError.KERNEL32(?,?,011DC44A,?,00000000,?,?,011DC6EB,?,00000007,?,?,011DCBEE,?,?), ref: 011D1C3B

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 5979cb76256d514cbec006769aa5400a28f1cf01c9c21d4ffd720cddbeb4ca6c
Instruction ID: 09538cd6d7f5bc3f4aee985e5f6ece26762d13fa980b91b9c630a21e7841d462
Opcode Fuzzy Hash: 5979cb76256d514cbec006769aa5400a28f1cf01c9c21d4ffd720cddbeb4ca6c
Instruction Fuzzy Hash: 12E08631140605FBEB292BE4A80CBD93BD8BB00755F444038FA088A150DB34D881C780

Function 011D888B Relevance: 1.6, APIs: 1, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,011D8ADA,011D8ACE,00000000), ref: 011D88BD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 79574021faed9848f096735fd64497220f953ccbca193f40a40bb79db93c9e26
Instruction ID: 6c08a33abfaa115c064c793058bb7a45ba2b4bd749a935a220ecda0f854e0355
Opcode Fuzzy Hash: 79574021faed9848f096735fd64497220f953ccbca193f40a40bb79db93c9e26
Instruction Fuzzy Hash: 69514B715082589ADB2A8F28CC84BEA7BBCEB56304F1405EDD5DAD7142D331AE46CF21

Function 0113F5C0 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0113F6FF

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 67ce3aab036681e4ac257d305044a2723f60d1122ffc80a94d0e7db2a03b4512
Instruction ID: ce051007d92c1483e6b6c36f05d7b65b9359f4ef9c7739c64e28622f8ee6d6a8
Opcode Fuzzy Hash: 67ce3aab036681e4ac257d305044a2723f60d1122ffc80a94d0e7db2a03b4512
Instruction Fuzzy Hash: F84185B6D1020AAFCB18EFE4D940EDDF7BDEF59714F404529E515A7250EB30AA08CB62

Function 01140670 Relevance: 1.6, APIs: 1, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 0114072E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0a3392332d38742e91b8f88a3c7a67afbfe668d8d97f1988fc64b706e7be35f1
Instruction ID: 8ca10e45b2e339160f307e99773c19e904225fc13de44e8aa0d0d530e78ba3ef
Opcode Fuzzy Hash: 0a3392332d38742e91b8f88a3c7a67afbfe668d8d97f1988fc64b706e7be35f1
Instruction Fuzzy Hash: 1C418BB0D046599FDB18DFA8C848BEEFBF4FB08704F1082A9D818A7240D7756A44CF91

Function 01195E82 Relevance: 1.6, APIs: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43140e620e31e8236a2641166b84d99955201c7dc4c055d827aeb1e0ccd7e29e
Instruction ID: b3f377a95a43ef594f75f3c3fa1f250fce18b985470154c1c7fafec756043347
Opcode Fuzzy Hash: 43140e620e31e8236a2641166b84d99955201c7dc4c055d827aeb1e0ccd7e29e
Instruction Fuzzy Hash: AF11207550020B9BDF2C6F78E8045EDF7ADEF20264710457BEA6C97690EB32E55487C2

Function 0116FA40 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::generic_category.LIBCPMTD ref: 0116FAEB

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::generic_category
String ID:
API String ID: 2374251199-0
Opcode ID: 6f75d047448f438d07de63c9e2316f4757228ec0b5aaf881e769000aa13f8f93
Instruction ID: 7ed6444b62b892b026bc28524633b5204d3e0a2767e0303f6e7a4e0382e19ee3
Opcode Fuzzy Hash: 6f75d047448f438d07de63c9e2316f4757228ec0b5aaf881e769000aa13f8f93
Instruction Fuzzy Hash: F811E2313009076BD70CAB34DC55BDDF729BFA0344F148225E22CA6290DB71B96687E4

Function 01120070 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 011200E0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: f4fe84664b791fb08ceeb1a52d242829ee2d0355c1fb79cce8acc38797bcaff7
Instruction ID: e216005682ee33ef617a6bdd063269d5b9219b915b17617254fdbb3fb2e3a765
Opcode Fuzzy Hash: f4fe84664b791fb08ceeb1a52d242829ee2d0355c1fb79cce8acc38797bcaff7
Instruction Fuzzy Hash: C90175B26016275FD304DFA9D400599F7D8EF682617148137E658D3700E775D4B1C7D5

Function 011D4341 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e9375de0f89dae3d873de347a82420f5d335376c796e1c34a85110b9dd6940
Instruction ID: 1ca9d2d5673ca234cb2a0292347b77a5e928cd9f10e66eeb1857bb09ee0d7a6b
Opcode Fuzzy Hash: 46e9375de0f89dae3d873de347a82420f5d335376c796e1c34a85110b9dd6940
Instruction Fuzzy Hash: 7D01B5376042366FAF2ECE6EFC45A5A37A6BB856707154124FA04CBD48DF30D4018791

Function 011A85F0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

std::ctype_base::ctype_base.LIBCPMT ref: 011A8621

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::ctype_base::ctype_base
String ID:
API String ID: 139608259-0
Opcode ID: 7cacd0561f25e02fb69961ea20fb0c698d821a9a30f7da64a4e2a84df837ed65
Instruction ID: bbadaedb2e5f973efd55f3237ea952c9fb364bc117ece2dca34570abb9a5d8db
Opcode Fuzzy Hash: 7cacd0561f25e02fb69961ea20fb0c698d821a9a30f7da64a4e2a84df837ed65
Instruction Fuzzy Hash: 2B010476C04609AFDF19DF54DD01BDEBBA8FB15618F00016AFC05A3340EB36AA108695

Function 011B21A0 Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d733c6417f1500afc4473bcec0ac282553f8cc31bddfac9edf05937bacce61d
Instruction ID: a775a67828126ad1252547c3da102de20dadb1ff3a1159ddb54835db1a1c2d7d
Opcode Fuzzy Hash: 8d733c6417f1500afc4473bcec0ac282553f8cc31bddfac9edf05937bacce61d
Instruction Fuzzy Hash: D801847A9002099BE7099F9CD980B9EBFF9FF44704F154059EE159B391D770EA01CB90

Function 01192990 Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 011929DD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c0555f35e112a81c40a12c0bd8b3d0480177264f7145909efc99a2eb029ed852
Instruction ID: 9c05e533ba0369d3e5eeecc6cedf30d39f8326d0f7200a554ca0b974680ca816
Opcode Fuzzy Hash: c0555f35e112a81c40a12c0bd8b3d0480177264f7145909efc99a2eb029ed852
Instruction Fuzzy Hash: C901A276640744EFCB28CF59D885B6ABBF8FB09A20F11466DE42697B50D739A800CB50

Function 01117B20 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 01117B70

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 71ffb56669d83ba678237d39e6602dc3fec4b4943ad5c638b65f4d6884e80e89
Instruction ID: 357d8541890a20a34ed7d7dcda336a1dd516bd4dd5dac8fa76041146b54951ed
Opcode Fuzzy Hash: 71ffb56669d83ba678237d39e6602dc3fec4b4943ad5c638b65f4d6884e80e89
Instruction Fuzzy Hash: BFF0A3B35002060AE70CE7749811E6FF2C86F302247184136E725C77C4FB36D590C15E

Function 011D1C54 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,88D0918B,?,?,011D1AC7,00000001,00000364,?,00000004,000000FF,?,011C1A56,011D207A,?,?,01195E9C), ref: 011D1C95

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4cb8bf9af50edaa1841fb95d0b00c66f4ed595ffe0fc227ea0f6d2019115afef
Instruction ID: 08f31c6e0827dae06369fd21ed2ed149f0399f77c9ac97bebf912724550dce34
Opcode Fuzzy Hash: 4cb8bf9af50edaa1841fb95d0b00c66f4ed595ffe0fc227ea0f6d2019115afef
Instruction Fuzzy Hash: 1EF0E236A41622BBAB3E5B6AAC44A6B3B88AF41670F158122ED04DB180DB30D80082E0

Function 0114A7E0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01149022), ref: 0114A810

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8a154537885e106b0352c296257dd0a4492caef0b050291182ce35453fe6b848
Instruction ID: ecab54de9b794474ae3433f76c95b6e1c0e46c341c923ab3875f3a6f6e923aed
Opcode Fuzzy Hash: 8a154537885e106b0352c296257dd0a4492caef0b050291182ce35453fe6b848
Instruction Fuzzy Hash: E3F0C2716143044BD714EF70DC46B2EB3E9EB85614F444A2DAA999B280EB35E8008787

Function 011D2037 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,01195E9C,?,?,011434CA,00000008,88D0918B), ref: 011D2069

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a6a5768e42fdf30fe5063bdcdbde5922dba645ea9e06f03830a5506d8cfe462f
Instruction ID: 112acc5cba3b4605d05df58fd71144d2c222edb608ffce681da08cc97b8debfd
Opcode Fuzzy Hash: a6a5768e42fdf30fe5063bdcdbde5922dba645ea9e06f03830a5506d8cfe462f
Instruction Fuzzy Hash: 33E09B31141616BBFB3D276D5C08B9B7E4FAF567A1F164124ED3497180EB74C801C2E1

Function 0119305F Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01193108: AcquireSRWLockExclusive.KERNEL32(?,011932B6), ref: 01193125

DloadProtectSection.DELAYIMP ref: 01193087

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AcquireDloadExclusiveLockProtectSection
String ID:
API String ID: 3680172570-0
Opcode ID: 5e80175c0701029f7e1fcedb17542220ca31d1baa280d50536288dc27d2b9673
Instruction ID: 784a962567f27d3eeed4ac3bd3c71b73269ffd90665fbe299e74606c8d021c0a
Opcode Fuzzy Hash: 5e80175c0701029f7e1fcedb17542220ca31d1baa280d50536288dc27d2b9673
Instruction Fuzzy Hash: C8D0C9782651069FDF3EE7B8B68DB18AAA0F324709B540049A172AA149CBA494808742

Function 01119720 Relevance: 1.4, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 0111983A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 511aadac6fb8ee0e6ecdeb67506a01223291665cbcec0c048cca5cbcb7187070
Instruction ID: 3655b359f6cb214790dad79e663498be39e922c53020b4c7a0622dcbd58792b0
Opcode Fuzzy Hash: 511aadac6fb8ee0e6ecdeb67506a01223291665cbcec0c048cca5cbcb7187070
Instruction Fuzzy Hash: 9131C371E00609ABC728DF6CD89099EF7A9EF85264B20067AE925D7384D7319E408B91

Function 011928C0 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D), ref: 011928E4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b511e7d7ef18e318373796bb3fc4429e9c463cd35c2975e485aa407ab389971d
Instruction ID: d045db079f7973eb85ab4773063c1b3f243a987860bd6ebfc62ce86afee6455b
Opcode Fuzzy Hash: b511e7d7ef18e318373796bb3fc4429e9c463cd35c2975e485aa407ab389971d
Instruction Fuzzy Hash: 5011D232D01225BBCF298F9CD8804AEBBA4FB85250B1541A8DD249B241E330DD80C7D0

Function 010FCC60 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 010FCC9F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5bdf134e3aebfb4a4124a14e21fdf03a271658fca49701d1581ce94ab7e87b0f
Instruction ID: 397177d450b14ae5a73a7571f9d70b806fc9b6d4afcbe59cf8fa24e9decd789a
Opcode Fuzzy Hash: 5bdf134e3aebfb4a4124a14e21fdf03a271658fca49701d1581ce94ab7e87b0f
Instruction Fuzzy Hash: 8AF09071904309EFC724CF99DD46B9ABBF8FB45A20F10426EF41597690D33159008B90

Function 011769D0 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01176A08

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f23f28a48c1c1095dfc8b2da3033dfade7d9ab6ffc9e8019e5831129ef969b63
Instruction ID: d40e7f60e9c3c464365fb2ae65fdf51385dd383be463d6b88d4fed85aaa604fb
Opcode Fuzzy Hash: f23f28a48c1c1095dfc8b2da3033dfade7d9ab6ffc9e8019e5831129ef969b63
Instruction Fuzzy Hash: 1DE06D3290020AEF9F08DF88E8448DB3BB6EB58304B408452FD154B211E332EAB1DBA1

Function 01176B70 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01176BA6

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 95915e24c3a1234da1e0e4246f04b9a08e4b890ca6dab13a1ad44a75fcd562fd
Instruction ID: 0cabd51641486a3d2f89e32ffb52cb0b8ec63c513882ceb84d5456ca906dc1f2
Opcode Fuzzy Hash: 95915e24c3a1234da1e0e4246f04b9a08e4b890ca6dab13a1ad44a75fcd562fd
Instruction Fuzzy Hash: 2EE06D75A0020AEF9F08DFD8E844CAB37B5EB49310B004451F9154B221D331E9A0DBA1

Non-executed Functions

Function 01164F10 Relevance: 30.2, APIs: 9, Strings: 8, Instructions: 407fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,00000000,?,0121F95C,00000002,88D0918B,00000000,?), ref: 01164FD1
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0116524E
GetLastError.KERNEL32(?,?,?,?,00000000,?,0121F95C,00000002,88D0918B,00000000,?), ref: 0116525C
FindNextFileW.KERNEL32(00000000,?,?,00000000,?,0121F95C,00000002,88D0918B,00000000,?), ref: 01165302
GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0121F95C,00000002,88D0918B,00000000,?), ref: 0116531B
GetLastError.KERNEL32(00000000,?), ref: 011653B5
MoveFileExW.KERNEL32(00000000,00000000,00000004), ref: 0116544C
GetLastError.KERNEL32 ref: 01165456
FindClose.KERNEL32(00000000,?,00000000,?,0121F95C,00000002,88D0918B,00000000,?), ref: 011654DA

Strings

isfx, xrefs: 011654A4
Folder '{}' delete after reboot fail, {}!, xrefs: 0116549F
Could not delete file '{}', {}!, xrefs: 0116528C
Could not delete directory '{}', {}, plan it for restart!, xrefs: 011653E5
Cannot remove empty directory, xrefs: 01165548
F0D6, xrefs: 0116550F
4C6F, xrefs: 01165503
SFX temp folder '{}' deleted., xrefs: 01165375

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$ErrorFindLast$Move$AttributesCloseFirstNext
String ID: 4C6F$Cannot remove empty directory$Could not delete directory '{}', {}, plan it for restart!$Could not delete file '{}', {}!$F0D6$Folder '{}' delete after reboot fail, {}!$SFX temp folder '{}' deleted.$isfx
API String ID: 7471230-295976553
Opcode ID: 281f2cf6f2a38ffa40a51b96f03c7b366bb0ffd52f7349ef361f4625676ba210
Instruction ID: fbfa673c1f518b62c38ac2ca0d89d309249a95f77c9cf01c7399afb4a76346fe
Opcode Fuzzy Hash: 281f2cf6f2a38ffa40a51b96f03c7b366bb0ffd52f7349ef361f4625676ba210
Instruction Fuzzy Hash: 8D02BE70E002199FDB68DF68CC49BEDB7B9BF15344F5082D9D809A7290EB329A94CF51

Function 010FC570 Relevance: 21.4, APIs: 3, Strings: 9, Instructions: 367windowCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000001,88D0918B), ref: 010FC5EE
GetUserDefaultUILanguage.KERNEL32 ref: 010FC641
MessageBoxW.USER32 ref: 010FCA9A

Strings

string too long, xrefs: 010FC77E
@Sfx_MsgBoxTitle, xrefs: 010FC7BF
silent, xrefs: 010FC605
language, xrefs: 010FC670, 010FC6F7, 010FC734
@Sfx_Download_Fail, xrefs: 010FC8A1
@Sfx_LogInfo, xrefs: 010FC975
%s:'%d'.%s:'%s'., xrefs: 010FCA26
lang-id, xrefs: 010FC652, 010FC692, 010FC6AD, 010FC6EE
@Sfx_ErrCode, xrefs: 010FC910

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CommandDefaultLanguageLineMessageUser
String ID: %s:'%d'.%s:'%s'.$@Sfx_Download_Fail$@Sfx_ErrCode$@Sfx_LogInfo$@Sfx_MsgBoxTitle$lang-id$language$silent$string too long
API String ID: 1083715854-2384245383
Opcode ID: e4e246d012126b8b96101ca25f6a3ee547e1277c7b1d80832553274107cf399c
Instruction ID: 9b9352620b5fafcc0ebb68f50fa911aedba16517878fd837657adfb99f9e28b5
Opcode Fuzzy Hash: e4e246d012126b8b96101ca25f6a3ee547e1277c7b1d80832553274107cf399c
Instruction Fuzzy Hash: EDF19C70D0025DDBEB28DF64C945BEDBBF4AF64304F1082D9E94967281EB706A89CF91

Function 0111D040 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 257processtimeCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0111D0C1
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0111D107
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0111D1A2
K32GetProcessImageFileNameW.KERNEL32 ref: 0111D1C9
GetPriorityClass.KERNEL32(00000000), ref: 0111D203
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 0111D228
K32GetProcessMemoryInfo.KERNEL32(00000000,?,00000028), ref: 0111D238
CloseHandle.KERNEL32(00000000), ref: 0111D3ED
Process32NextW.KERNEL32(?,?), ref: 0111D418
CloseHandle.KERNEL32(00000000), ref: 0111D427
GetLastError.KERNEL32(Unable to take a snapshot of the running processes!), ref: 0111D44F

Strings

Unable to take a snapshot of the running processes!, xrefs: 0111D44A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Process$CloseHandleProcess32$ClassCreateErrorFileFirstImageInfoLastMemoryNameNextOpenPrioritySnapshotTimesToolhelp32
String ID: Unable to take a snapshot of the running processes!
API String ID: 1056882056-3314903396
Opcode ID: 180705d80b5adc701523dba13e21531db8d21383ded4807dc561abd1aa25d381
Instruction ID: 8c0694e6479a44a5853a5099a363cd4f04ab3c7b73d9384c7483f47a35297b5e
Opcode Fuzzy Hash: 180705d80b5adc701523dba13e21531db8d21383ded4807dc561abd1aa25d381
Instruction Fuzzy Hash: 72B14A71C1166A9ADB24DBA4CD48BEDF7B4BF59304F0082DAD908A3240EB746BC5CF54

Function 0111CCB0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

DuplicateTokenEx.ADVAPI32(?,0000000B,00000000,00000002,00000001,00000000,88D0918B), ref: 0111CD05
CreateProcessAsUserW.ADVAPI32 ref: 0111CDBA
CloseHandle.KERNEL32(00000000), ref: 0111CE25
GetLastError.KERNEL32(Unable to duplicate the access token!,?,0000000B,00000000,00000002,00000001,00000000,88D0918B), ref: 0111CE5D
GetLastError.KERNEL32(Unable to retrieve environment of the user!,?,0123F910,00000000,?,0000000B,00000000,00000002,00000001,00000000,88D0918B), ref: 0111CE85
GetLastError.KERNEL32(?,0123F910,00000000,?,0000000B,00000000,00000002,00000001,00000000,88D0918B), ref: 0111CEA8

Strings

Unable to duplicate the access token!, xrefs: 0111CE58
Unable to create process '{}'!, xrefs: 0111CEB4
D, xrefs: 0111CD5C
Unable to retrieve environment of the user!, xrefs: 0111CE80

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CloseCreateDuplicateHandleProcessTokenUser
String ID: D$Unable to create process '{}'!$Unable to duplicate the access token!$Unable to retrieve environment of the user!
API String ID: 1320202031-252241759
Opcode ID: f59242849288ce5ffde3112794ebf0ed57e7406cb85b8a85ac2524eca5c5d2d9
Instruction ID: a6973367519d334ccf34de6082008489172e79c8367295b83310815e3f04fe9e
Opcode Fuzzy Hash: f59242849288ce5ffde3112794ebf0ed57e7406cb85b8a85ac2524eca5c5d2d9
Instruction Fuzzy Hash: 61615CB0D5021AAEEF24CFA4DC85BDEBBF9AB08704F104529E515A7280D774AA448BA0

Function 0113C2C0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 338COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(011E60EA,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,?,88D0918B), ref: 0113C49F
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,?,88D0918B), ref: 0113C4B3

Strings

Unable to enumerate directory '{}'!, xrefs: 0113C73C, 0113C764
, xrefs: 0113C69B

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID: $Unable to enumerate directory '{}'!
API String ID: 873889042-717667250
Opcode ID: 004a8bc13dac6c9d9f8c7a7ff4516cd65d79f00fecea77cdacf9d1d1ff835577
Instruction ID: e99f57e4dc0dd3d4c2d6595ee05d98e9654bec3cf5e61423f93acf0118abc434
Opcode Fuzzy Hash: 004a8bc13dac6c9d9f8c7a7ff4516cd65d79f00fecea77cdacf9d1d1ff835577
Instruction Fuzzy Hash: 49D1927090121A9FEB29DF64CD49BEEB7B4EF54304F10419AE409A7295EB71AA84CF90

Function 01160080 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 367COMMON

Download Yara Rule

APIs

std::generic_category.LIBCPMTD ref: 0116061D

Strings

.lzma, xrefs: 011602E3
defs, xrefs: 01160126
cookie, xrefs: 011605B4
base-url, xrefs: 011600C7
.xml, xrefs: 01160285, 01160461

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::generic_category
String ID: .lzma$.xml$base-url$cookie$defs
API String ID: 2374251199-1041975956
Opcode ID: 1c3b254fe99d440d08470d3810b1cee43a4060c43c3c99093ef27004b05618e3
Instruction ID: 99c5b7ef58ed2f973a7863640bccf86d2f78f85b27a5ef0da368848fc6cb092d
Opcode Fuzzy Hash: 1c3b254fe99d440d08470d3810b1cee43a4060c43c3c99093ef27004b05618e3
Instruction Fuzzy Hash: 28027C71D10759DFDB19DFA4C844BEDB7B4FF68304F00829AD4096B291EB74AA88CB51

Function 011D218A Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 011D2217

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 5e9cfe9ac73dbb81afda8178522ed55d2f56e59e26ad68eddae53c4f75b1b76e
Instruction ID: ea227f8cd76c4b5ed7449530f151e0998004ac2c27f713ba4353725fd34fb50d
Opcode Fuzzy Hash: 5e9cfe9ac73dbb81afda8178522ed55d2f56e59e26ad68eddae53c4f75b1b76e
Instruction Fuzzy Hash: EBB17A32E042569FDB1DCF6CC880BEEBFB5EF59314F15816AE924AB241D7349901CBA1

Function 01196700 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0119670C
IsDebuggerPresent.KERNEL32 ref: 011967D8
SetUnhandledExceptionFilter.KERNEL32 ref: 011967F1
UnhandledExceptionFilter.KERNEL32(?), ref: 011967FB

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cb3b21cc0456e513f7e3c034176d1e6c83ba57e24bcf37f59aa8a9560ebb8f33
Instruction ID: 27fb1b3b520c5e1cf54e13d2f137bf713e6756b638bc7e35dfe24febc0cfe82b
Opcode Fuzzy Hash: cb3b21cc0456e513f7e3c034176d1e6c83ba57e24bcf37f59aa8a9560ebb8f33
Instruction Fuzzy Hash: C53116B5D053199BDF24DFA4D9897CDBBF8AF08304F1041AAE90CAB240EB709A85CF54

Function 011D40AD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 011CC1A1: EnterCriticalSection.KERNEL32(?,?,011CE0CA,00000000,0123F220,0000000C,011CE091,88D0918B,?,011D1C87,88D0918B,?,011D1AC7,00000001,00000364,?), ref: 011CC1B0

EnumSystemLocalesW.KERNEL32(011D40A0,00000001,0123F3A0,0000000C,011D450F,00000000), ref: 011D40E5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 726482f968e0138096adc2b6e06a9c19d967f52f8e71194a4b1a5c93c6d7c459
Instruction ID: f21e44387b72d09ae3dd70eaf4ec13618abcf59493abdaf54a65adf5b3240572
Opcode Fuzzy Hash: 726482f968e0138096adc2b6e06a9c19d967f52f8e71194a4b1a5c93c6d7c459
Instruction Fuzzy Hash: B5F06D76A00205DFEB14EF99E446B9D77F0FB64B69F10422AF420DB690C7759900CF40

Function 011D4613 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,011D08AA,?,20001004,00000000,00000002,?,?,011CFEAC), ref: 011D4647

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9370ecf4a75434e69cb72493c7063e5251eeb5bb2f34b60bd20863bb8aacf1c7
Instruction ID: 873d20707f4dd0bbb7ea3dc21faa11ee7c82941780dccd76de6296125cefd994
Opcode Fuzzy Hash: 9370ecf4a75434e69cb72493c7063e5251eeb5bb2f34b60bd20863bb8aacf1c7
Instruction Fuzzy Hash: 8DE0DF3250019AFBCF1A2FE0DC04E9E3F6AEF40720F004020FC0926960CB3289219B98

Function 01178D60 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 180libraryloaderregistryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 01178DE4
RegisterClassExW.USER32(00000030), ref: 01178E35
CreateWindowExW.USER32 ref: 01178E65
GetModuleHandleW.KERNEL32(user32.dll), ref: 01178E86
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilterEx), ref: 01178E96
LoadLibraryW.KERNEL32(dwmapi.dll), ref: 01178EC7
GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 01178ED9

Strings

dwmapi.dll, xrefs: 01178EC2
user32.dll, xrefs: 01178E81
aswSfxSplashClass, xrefs: 01178E18, 01178E5E, 01178F2B, 01178F7B
ChangeWindowMessageFilterEx, xrefs: 01178E90
DwmSetWindowAttribute, xrefs: 01178ED3
0, xrefs: 01178DD3

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressLoadProc$ClassCreateCursorHandleLibraryModuleRegisterWindow
String ID: 0$ChangeWindowMessageFilterEx$DwmSetWindowAttribute$aswSfxSplashClass$dwmapi.dll$user32.dll
API String ID: 4148564498-3650145448
Opcode ID: e24f6c246157d6cec9a39dbadf928b1b503a138046bbd188607346606d461087
Instruction ID: 6bf3b627a61e16772d559c2d02ecfbf0fc8a99e518b54f45ab81747de69a037a
Opcode Fuzzy Hash: e24f6c246157d6cec9a39dbadf928b1b503a138046bbd188607346606d461087
Instruction Fuzzy Hash: 1E616071E1031AABDB299FE5C84CB9DBBF9FF04704F004129EA11AB280DB74A581CB95

Function 01144340 Relevance: 33.5, APIs: 1, Strings: 18, Instructions: 270COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 01144434

Strings

no proxy, xrefs: 011445E8
proxy_ini, xrefs: 011443E3, 01144405
isfx, xrefs: 0114451D, 01144523
HTTP proxy (rfc2616,2617), xrefs: 011445F6
Proxy-Port: '{}', xrefs: 01144722
BC97, xrefs: 01144775
Loading Proxy settings:, xrefs: 01144585
Preconfig (use IE settings), xrefs: 011445FD
Proxy-Name: '{}', xrefs: 0114477F
Proxy-Type: '{}', xrefs: 01144630
no authentication, xrefs: 01144678
A3BA, xrefs: 0114475A
NTLM, xrefs: 0114467F
SOCKS proxy (rfc1928,1929), xrefs: 011445EF
Detection of IE proxy settings failed, use direct connection., xrefs: 01144518
4, xrefs: 011447A8
basic, xrefs: 01144686
Proxy-Authorization: '{}', xrefs: 011446B9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AttributesFile
String ID: 4$A3BA$BC97$Detection of IE proxy settings failed, use direct connection.$HTTP proxy (rfc2616,2617)$Loading Proxy settings:$NTLM$Preconfig (use IE settings)$Proxy-Authorization: '{}'$Proxy-Name: '{}'$Proxy-Port: '{}'$Proxy-Type: '{}'$SOCKS proxy (rfc1928,1929)$basic$isfx$no authentication$no proxy$proxy_ini
API String ID: 3188754299-123032032
Opcode ID: 835784e57bc15f57a0aaa3a13bae3e61cdcd89b8f02862263ccc75ff66976e2f
Instruction ID: c766c2f77aa4c40012bcf975c88def8fec68f6596c63dc0e6bc6a4a5a7f2f82d
Opcode Fuzzy Hash: 835784e57bc15f57a0aaa3a13bae3e61cdcd89b8f02862263ccc75ff66976e2f
Instruction Fuzzy Hash: 32D16DB0D0026ADBDB28CF99C954BEEBBB0BF04704F108599D5197BB80E7745A89CF91

Function 011808D0 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 288COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 01180978

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

file, xrefs: 0118094F, 01180B7B, 01180C9E
exists, xrefs: 01180B0B
{}: The {} '[{}]{{{}}}' {}., xrefs: 01180B73
D7D6, xrefs: 01180B51
Unable to query file object '{}'!, xrefs: 01180BC0
does not exist, xrefs: 01180B10
D7D6, xrefs: 01180C81
{}: The file '{}' is{} empty., xrefs: 01180C8F
6, xrefs: 01180B87
B, xrefs: 01180CAC
not, xrefs: 01180C4B
84FD, xrefs: 01180B66
84FD, xrefs: 01180C64

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AttributesDispatcherExceptionFileUser
String ID: not$6$84FD$84FD$B$D7D6$D7D6$Unable to query file object '{}'!$does not exist$exists$file${}: The file '{}' is{} empty.${}: The {} '[{}]{{{}}}' {}.
API String ID: 2361805496-4106911783
Opcode ID: f8a88ff7c013c7fba9eacf68a54fb2215020b15554f437d0b62f8fc2a5af345d
Instruction ID: 0f6a3f254eb006d2d588dc38be0defdf1a9bbc84b5073ab8535fa627de6613a7
Opcode Fuzzy Hash: f8a88ff7c013c7fba9eacf68a54fb2215020b15554f437d0b62f8fc2a5af345d
Instruction Fuzzy Hash: 4DB1C371D01359AFDB24DFA8D840A9EBBF5FF49314F10865AF854A7281E730A948CF91

Function 0116EF40 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 173windowregistryCOMMON

Download Yara Rule

APIs

#17.COMCTL32(00000000,?,?,88D0918B), ref: 0116EFEF
GetModuleHandleW.KERNEL32(00000000), ref: 0116EFF7
LoadImageW.USER32 ref: 0116F034
LoadImageW.USER32 ref: 0116F04F
GetSystemMetrics.USER32 ref: 0116F06F
GetSystemMetrics.USER32 ref: 0116F079
LoadImageW.USER32 ref: 0116F08D
RegisterClassExW.USER32(00000030), ref: 0116F09A
CreateWindowExW.USER32 ref: 0116F0D1
GetMessageW.USER32 ref: 0116F0E8
IsDialogMessageW.USER32 ref: 0116F0FE
TranslateMessage.USER32(?), ref: 0116F10C
DispatchMessageW.USER32(?), ref: 0116F116
GetMessageW.USER32 ref: 0116F126

Strings

{32f2b598-6055-4f5b-b0eb-fed112efa9b7}, xrefs: 0116F068, 0116F0CA
0, xrefs: 0116F00E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Message$ImageLoad$MetricsSystem$ClassCreateDialogDispatchHandleModuleRegisterTranslateWindow
String ID: 0${32f2b598-6055-4f5b-b0eb-fed112efa9b7}
API String ID: 889922848-477262938
Opcode ID: 24a59a52e3176aad43e84c126573f51773e8db414e4772284cb90470cfd7de52
Instruction ID: 1ed21715ad87922848ab56fedf975e76019a219f3c8fa499f1b1b6c61ba2d914
Opcode Fuzzy Hash: 24a59a52e3176aad43e84c126573f51773e8db414e4772284cb90470cfd7de52
Instruction Fuzzy Hash: 06514B71A4020AABDB28DFE4DC49F9DBBF8FB04710F104129FA15AB2C0DB75A945CB94

Function 011053B0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01105439
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01105485
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0110555D
std::_Lockit::~_Lockit.LIBCPMT ref: 011055F2
Concurrency::cancel_current_task.LIBCPMT ref: 01105617
Concurrency::cancel_current_task.LIBCPMT ref: 0110561C
Concurrency::cancel_current_task.LIBCPMT ref: 01105621
std::_Lockit::_Lockit.LIBCPMT ref: 01105666
std::_Lockit::_Lockit.LIBCPMT ref: 01105689
std::_Lockit::~_Lockit.LIBCPMT ref: 011056A9
std::_Lockit::~_Lockit.LIBCPMT ref: 0110573D

Strings

false, xrefs: 0110550B
bad locale name, xrefs: 0110560D
true, xrefs: 01105535

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::_Lockit::~_$Locinfo::_$Locinfo_ctorLocinfo_dtor
String ID: bad locale name$false$true
API String ID: 3080755909-1062449267
Opcode ID: 77e8289a307570658f9c1f135d61484e4b3c461c9e429ded7628f8aa91b13df4
Instruction ID: 5773be5f271e31018e7dd6c43d8636f4bb51ffa718f31222760883b7e87d6b33
Opcode Fuzzy Hash: 77e8289a307570658f9c1f135d61484e4b3c461c9e429ded7628f8aa91b13df4
Instruction Fuzzy Hash: 92A1ADB1D002499FEF29DFA8E844B9EBBB5BF14318F144119D814A7381EBB5AA04CF91

Function 011609B0 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 283libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,012183B4,00000000,88D0918B), ref: 01160A3E
GetProcAddress.KERNEL32(00000000,CheckChannelCompatibility), ref: 01160A55
FreeLibrary.KERNEL32(?), ref: 01160B8F
FreeLibrary.KERNEL32(?,?,?,00000064,00000000), ref: 01160C3B
FreeLibrary.KERNEL32(?), ref: 01160CEC
GetLastError.KERNEL32 ref: 01160CF4

Strings

d, xrefs: 01160A6D
CheckChannelCompatibility, xrefs: 01160A4F
Loading MOD:'{}' fail {}., xrefs: 01160D23
BD219561, xrefs: 01160B55
MOD.dll function not found, xrefs: 01160C9A
Calling MOD.dll function fail {}, xrefs: 01160B58
isfx, xrefs: 01160C9F, 01160CA2

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Library$Free$AddressErrorLastLoadProc
String ID: BD219561$Calling MOD.dll function fail {}$CheckChannelCompatibility$Loading MOD:'{}' fail {}.$MOD.dll function not found$d$isfx
API String ID: 1432623064-2297557278
Opcode ID: 1488e0654edc6e24d9f161eca46bed2d82f685e2a0c44758fbb56f234de65223
Instruction ID: eda3708fd6d9a9839823f0c2f3deb5305c123ecff49726e71baf998c259c4fa5
Opcode Fuzzy Hash: 1488e0654edc6e24d9f161eca46bed2d82f685e2a0c44758fbb56f234de65223
Instruction Fuzzy Hash: 5FC157B0E01209EFDF18DFD4D954AAEBBB6FF48304F104129E415AB284DB71AA55CF91

Function 011B8553 Relevance: 19.8, APIs: 13, Instructions: 332COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 011B861C
DName::operator+.LIBCMT ref: 011B8659
DName::DName.LIBVCRUNTIME ref: 011B866D
DName::operator+.LIBCMT ref: 011B867C
DName::operator+.LIBCMT ref: 011B870A
DName::DName.LIBVCRUNTIME ref: 011B8732
DName::operator+.LIBCMT ref: 011B8740
DName::operator+.LIBCMT ref: 011B877A
DName::operator+.LIBCMT ref: 011B87BB
UnDecorator::getReturnType.LIBCMT ref: 011B87EB
operator+.LIBVCRUNTIME ref: 011B88ED

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID:
API String ID: 2932655852-0
Opcode ID: 941e7714ea6031330dcb0f55d3e06707ba94782b3b524ee0be95132e540d967d
Instruction ID: 11610334622936944f7162433480e7413bd317a73180029df551db6041a93f70
Opcode Fuzzy Hash: 941e7714ea6031330dcb0f55d3e06707ba94782b3b524ee0be95132e540d967d
Instruction Fuzzy Hash: 8DC161B5D00209AFDB5CEFA8E8D5DEDBBB9EF28704F04415EE646A7280DB309945CB50

Function 01152D00 Relevance: 19.8, APIs: 2, Strings: 11, Instructions: 294COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Unable to set WinHTTP proxy information!,?,?,?,?,?,http,00000004,88D0918B,00000000,00000000), ref: 0115318B
GetLastError.KERNEL32(Unable to set proxy credentials!,?,0123F910,00000000,?,?,?,?,?,http,00000004,88D0918B,00000000,00000000), ref: 011531AD

Strings

https, xrefs: 01152E19
Unsupported proxy type '{}'., xrefs: 011530DE
isfx, xrefs: 01152E93, 01152E99
Unable to set proxy credentials!, xrefs: 011531A8
http, xrefs: 01152E02
E759, xrefs: 011530BC
The WinHttp does not support to use the SOCKS protocol for communication with the proxy server!, xrefs: 01152E8E
Unable to set WinHTTP proxy information!, xrefs: 01153186
{}://{}:{}, xrefs: 01152F23
isfx, xrefs: 011530CC
A976, xrefs: 011530D4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID: A976$E759$The WinHttp does not support to use the SOCKS protocol for communication with the proxy server!$Unable to set WinHTTP proxy information!$Unable to set proxy credentials!$Unsupported proxy type '{}'.$http$https$isfx$isfx${}://{}:{}
API String ID: 1452528299-4272895606
Opcode ID: 5f3fa297f30b0bf1406378cccfac5d4ee2218faf4b4326fd4edb1a0c44efa352
Instruction ID: 3886451d440de6f3bae06db0d1e605edf4b8d885505cee18ad309d7e56fc7cf3
Opcode Fuzzy Hash: 5f3fa297f30b0bf1406378cccfac5d4ee2218faf4b4326fd4edb1a0c44efa352
Instruction Fuzzy Hash: 49D15871D10369DBDB28DFA4C844BEEF7B4BF54304F1042AAD459A7281EB706A89CF52

Function 01122FA0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01123023
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0112306F
__Getctype.LIBCPMT ref: 01123088
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 011230A4
std::_Lockit::~_Lockit.LIBCPMT ref: 01123139
std::_Lockit::_Lockit.LIBCPMT ref: 011231A6
std::_Lockit::_Lockit.LIBCPMT ref: 011231C9
std::_Lockit::~_Lockit.LIBCPMT ref: 011231E9
std::_Lockit::~_Lockit.LIBCPMT ref: 0112327D

Strings

bad locale name, xrefs: 01123157

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$GetctypeLocinfo_ctorLocinfo_dtor
String ID: bad locale name
API String ID: 810752134-1405518554
Opcode ID: 564b4ce27de5163565dfb5b40765d539574af8bf9f0a9f53f4d4d4f212e34eee
Instruction ID: 5b368b6bd5c38505e3e23383166e33d60d79eade455b9c3bf661cb145b094273
Opcode Fuzzy Hash: 564b4ce27de5163565dfb5b40765d539574af8bf9f0a9f53f4d4d4f212e34eee
Instruction Fuzzy Hash: 6381C0B1D102599FEF19DFA8D884B9EFBB4FF18314F144129D824A7381E739A904CBA1

Function 01157160 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01157196
std::_Lockit::_Lockit.LIBCPMT ref: 011571B8
std::_Lockit::~_Lockit.LIBCPMT ref: 011571D8
std::_Lockit::~_Lockit.LIBCPMT ref: 011571FF
std::_Lockit::_Lockit.LIBCPMT ref: 01157278
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 011572C4
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 011572DE
std::_Lockit::~_Lockit.LIBCPMT ref: 01157373
std::_Facet_Register.LIBCPMT ref: 01157380

Strings

bad locale name, xrefs: 011573A4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: ec89129407e5aad91aa7475c08487bf14e331688eb0f367a81a1d14977e185c9
Instruction ID: 10627f8da29496555207e0acd92a72fa594e59454439ad5362c243cfa241bc46
Opcode Fuzzy Hash: ec89129407e5aad91aa7475c08487bf14e331688eb0f367a81a1d14977e185c9
Instruction Fuzzy Hash: 1D71AD71D00259DFEF59DFA8D985B9EBBB4BF14318F044019EC24AB381EB35A904CB91

Function 0115AE20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0115AE56
std::_Lockit::_Lockit.LIBCPMT ref: 0115AE78
std::_Lockit::~_Lockit.LIBCPMT ref: 0115AE98
std::_Lockit::~_Lockit.LIBCPMT ref: 0115AEBF
std::_Lockit::_Lockit.LIBCPMT ref: 0115AF38
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0115AF84
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0115AF9E
std::_Lockit::~_Lockit.LIBCPMT ref: 0115B033
std::_Facet_Register.LIBCPMT ref: 0115B040

Strings

bad locale name, xrefs: 0115B064

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: fa89d41e8a80a36c3bce7717601dd63ad32229ee4f7ee0b42690b694ac9edb09
Instruction ID: 74f650f46f13f6b2fbc8bf5efe1303897dd5566225714529f07f58369babfbc2
Opcode Fuzzy Hash: fa89d41e8a80a36c3bce7717601dd63ad32229ee4f7ee0b42690b694ac9edb09
Instruction Fuzzy Hash: 7C718CB1D00259CFEF19DFA8E884B9EBBB4FF14318F144119D825AB381E735A905CB92

Function 011B6CFC Relevance: 16.9, APIs: 11, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 011B6D6F
shared_ptr.LIBCMT ref: 011B6DB7
shared_ptr.LIBCMT ref: 011B6DD6
operator+.LIBVCRUNTIME ref: 011B6F04
DName::operator=.LIBVCRUNTIME ref: 011B6F16
shared_ptr.LIBCMT ref: 011B715B
DName::operator+.LIBCMT ref: 011B719D
operator+.LIBVCRUNTIME ref: 011B71E3

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 1138725672d8b9d805d155c3c8fb4eb1f9c30e8942911b075dc716b762a0fd8d
Instruction ID: a4c376278069109b8dd93d2663cd65fa39f63512ef9401a11ba3e137e890012b
Opcode Fuzzy Hash: 1138725672d8b9d805d155c3c8fb4eb1f9c30e8942911b075dc716b762a0fd8d
Instruction Fuzzy Hash: 26E17EB1C0020ADFDB1CDFA8D4D8AFEBBB5EB64304F14815AD612A7284D7358649CFA1

Function 01182A00 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 193COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 01182A8D
GetLastError.KERNEL32(Unable to retrieve the size of the input file!), ref: 01182BD9
GetLastError.KERNEL32(Unable to write to the output file!,?,0123F910,00000000,Unable to write LZMA properties!,?,0123F910,00000000,Unable to store LZMA props into the encoder!,?,?,00000000), ref: 01182C56

Strings

Unable to compress LZMA stream!, xrefs: 01182C75
Unable to store LZMA props into the encoder!, xrefs: 01182C15
Unable to retrieve the size of the input file!, xrefs: 01182BD4
Unable to create the LZMA encoder!, xrefs: 01182BF8
Unable to write LZMA properties!, xrefs: 01182C33
Unable to write to the output file!, xrefs: 01182C51

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID: Unable to compress LZMA stream!$Unable to create the LZMA encoder!$Unable to retrieve the size of the input file!$Unable to store LZMA props into the encoder!$Unable to write LZMA properties!$Unable to write to the output file!
API String ID: 3064237074-4248839720
Opcode ID: 0e7da64a83dcb64a66e16ea51f93a607b51d4978f7501db3542bda9732563c7b
Instruction ID: ad5e3fbf8db7e1467d67605c10e9ff21e06804ff6ae18d2539dfe0065a9ac14e
Opcode Fuzzy Hash: 0e7da64a83dcb64a66e16ea51f93a607b51d4978f7501db3542bda9732563c7b
Instruction Fuzzy Hash: 4E6172B1514301AFD729EF65D984A9BB7ECBF54604F40492DFA95D3250EB30E908CF62

Function 011BB3CB Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 011BB408

Strings

generic-type-, xrefs: 011BB48E
template-parameter-, xrefs: 011BB467

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Replicator::operator[]
String ID: generic-type-$template-parameter-
API String ID: 3676697650-13229604
Opcode ID: 5c99f57c32253d2cc86acd915a01440999d74a0c21f2b6ac2b449e24fa35729f
Instruction ID: e0c3f37e3ccb6bc9f7acff9d157e9ba4581f0a581dda50026ef65e263c8e7857
Opcode Fuzzy Hash: 5c99f57c32253d2cc86acd915a01440999d74a0c21f2b6ac2b449e24fa35729f
Instruction Fuzzy Hash: F861D5B1D0420ADFDB1CDFA8D8C5BEEBBB9AF28314F04401AE645A7290DB749A05CB55

Function 01164AE0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 175COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(88D0916B,88D0918B,00000000,?), ref: 01164B2D
GetWindowsDirectoryW.KERNEL32(?,00000104,00000104,00000000,88D0918B,00000000,?), ref: 01164BA5
GetLastError.KERNEL32 ref: 01164CDC
GetLastError.KERNEL32(Get window directory fail), ref: 01164D30

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

Get window directory fail, xrefs: 01164D2B
Get window directory fail {}!, xrefs: 01164D1B
F0D6, xrefs: 01164CF1
4C6F, xrefs: 01164CEA

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$AttributesDirectoryDispatcherExceptionFileUserWindows
String ID: 4C6F$F0D6$Get window directory fail$Get window directory fail {}!
API String ID: 2036401197-582953929
Opcode ID: 83b747de5728695ac1663ecefd7446043a72a22033e6bce8603b9dbfabe6b57f
Instruction ID: 972b428772ab8c9f626c180b4eff9134e5cb2940dc310b03ce50f97108bf189b
Opcode Fuzzy Hash: 83b747de5728695ac1663ecefd7446043a72a22033e6bce8603b9dbfabe6b57f
Instruction Fuzzy Hash: 3C715A71D10249DBDB18DFE8C954BEEB7B4FF58304F10862AD815B7290EB74A688CB91

Function 01128130 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 01128154
GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 01128164
GetLastError.KERNEL32 ref: 0112817E
GetLastError.KERNEL32(?,0123F910,00000000,GetModuleHandleW ({}),00000015,?), ref: 011281A9

Strings

GetProcAddress ({}), xrefs: 011281B1
ntdll.dll, xrefs: 01128145, 0112814C
GetModuleHandleW ({}), xrefs: 0112818B
NtSetInformationFile, xrefs: 0112815E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: GetModuleHandleW ({})$GetProcAddress ({})$NtSetInformationFile$ntdll.dll
API String ID: 1762409328-413960078
Opcode ID: 47dd5262aee6757d59b8f0204e4cf26ee16f631f871c9b76dc62486fd7d0a6b0
Instruction ID: 8a2b77519b1875e0d91ca97b368e2660d16c118a7dfedb08d87e8ad27911c588
Opcode Fuzzy Hash: 47dd5262aee6757d59b8f0204e4cf26ee16f631f871c9b76dc62486fd7d0a6b0
Instruction Fuzzy Hash: 1B01E571114306AFD32CEFE1DC49DAB7BECBB58618F040A2CF95996094EB70E245C792

Function 011BA627 Relevance: 13.8, APIs: 9, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 011BA6FD
UnDecorator::getSignedDimension.LIBCMT ref: 011BA708
UnDecorator::getSignedDimension.LIBCMT ref: 011BA7F4
UnDecorator::getSignedDimension.LIBCMT ref: 011BA811
UnDecorator::getSignedDimension.LIBCMT ref: 011BA82E
DName::operator+.LIBCMT ref: 011BA843
UnDecorator::getSignedDimension.LIBCMT ref: 011BA85D
DName::operator+.LIBCMT ref: 011BA932

Part of subcall function 011B6721: DName::DName.LIBVCRUNTIME ref: 011B677F

DName::DName.LIBVCRUNTIME ref: 011BA9A9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
String ID:
API String ID: 3679549980-0
Opcode ID: 573aff1a63911e1af1f3e00a430c2e1088134b3589ec28fb8311dee05d7b8911
Instruction ID: f3e17a9bc4542b55f974de76c836363c515d3fe488fbf82d695dca19104824c7
Opcode Fuzzy Hash: 573aff1a63911e1af1f3e00a430c2e1088134b3589ec28fb8311dee05d7b8911
Instruction Fuzzy Hash: 9E91CBB1D0420A9ADF1DEFB8E9D89FE7BB8AF65304F11001AD202E7584EB359A05CB51

Function 0111CA90 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0111CBA2
CloseHandle.KERNEL32(?), ref: 0111CBB7
CloseHandle.KERNEL32(?), ref: 0111CBCC
CloseHandle.KERNEL32(?), ref: 0111CBE1
CloseHandle.KERNEL32(?), ref: 0111CBF6
CloseHandle.KERNEL32(?), ref: 0111CC0B
CloseHandle.KERNEL32(?), ref: 0111CC7B
CloseHandle.KERNEL32(?), ref: 0111CC96

Strings

D, xrefs: 0111CB2D

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle
String ID: D
API String ID: 2962429428-2746444292
Opcode ID: 1bd1ae97186ee1be165ecd3d3f65b170fbed6621310f3d68bc475ec2fa3b5909
Instruction ID: f2faa31ade1cc0a7af2bfb707520f23d6a5811956f958bbdcd97e15f3cd64403
Opcode Fuzzy Hash: 1bd1ae97186ee1be165ecd3d3f65b170fbed6621310f3d68bc475ec2fa3b5909
Instruction Fuzzy Hash: 48515374E0035A8BDB24DFA4C944BAEFBF4BF44314F0441A9E919A7384DB749985CF91

Function 01176E70 Relevance: 13.6, APIs: 9, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 01176EC6
SetLastError.KERNEL32(00000000), ref: 01176ED1
RegCloseKey.ADVAPI32(00000000), ref: 01176EDF
RegDeleteValueW.ADVAPI32 ref: 01176EF0
SetLastError.KERNEL32(00000000), ref: 01176EF9
RegCloseKey.ADVAPI32(00000000), ref: 01176F07
SetLastError.KERNEL32(00000000), ref: 01176F12
SetLastError.KERNEL32(00000057), ref: 01176F31
GetLastError.KERNEL32 ref: 01176F37

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$Close$DeleteOpenValue
String ID:
API String ID: 3233424315-0
Opcode ID: f10764d9e3d0e775e34d9c6f0c346d560f5562ec9047a27c89057903c5b8f338
Instruction ID: 30f8920bb107f845548a2ae187787bae15d3f2b57664a2423b9c26ac1ecc6bf3
Opcode Fuzzy Hash: f10764d9e3d0e775e34d9c6f0c346d560f5562ec9047a27c89057903c5b8f338
Instruction Fuzzy Hash: A4218334611605ABEB3CDFA8D818A6F7BB9FF04301F444469EC12EB240DB71D981CB61

Function 011B4408 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 011B4635
CatchIt.LIBVCRUNTIME ref: 011B4686
_UnwindNestedFrames.LIBCMT ref: 011B4787
CallUnexpected.LIBVCRUNTIME ref: 011B47A2

Strings

csm, xrefs: 011B455E
csm, xrefs: 011B44B2
csm, xrefs: 011B4445

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 944608866-393685449
Opcode ID: cdf4ca22840924fac3581f0274eedea9de5d417adc6c772ef9aee81d0cc45de3
Instruction ID: bd4038e19531add349bb6229a810f4e373ff4a429a9299f0ccb1e27fc0629df1
Opcode Fuzzy Hash: cdf4ca22840924fac3581f0274eedea9de5d417adc6c772ef9aee81d0cc45de3
Instruction Fuzzy Hash: 47B18C7580060AEFDF2DDFA8C9C09EEBBB5BF14314B14815AE9126BA03D731DA51CB91

Function 011382B0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 149fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,?,88D0918B,?,?), ref: 01138328
ReadFile.KERNEL32(?,000000FF,?,00000000,?), ref: 011383BB
GetLastError.KERNEL32(get_file_content: GetFileSizeEx), ref: 01138440
GetLastError.KERNEL32(get_file_content: ReadFile,0123F910,0123F910,00000000), ref: 01138462

Strings

get_file_content: ReadFile, xrefs: 0113845D
get_file_content: GetFileSizeEx, xrefs: 0113843B
get_file_content, xrefs: 0113842F

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorFileLast$ReadSize
String ID: get_file_content$get_file_content: GetFileSizeEx$get_file_content: ReadFile
API String ID: 3509033087-2648918662
Opcode ID: 5b4325aa9a5e8f0e0b4577fd0ea16149b2c7b095d424bb39fec536e9b317fa59
Instruction ID: 5d125976f1e6db620503ed643d6b5881a9a1dc9013579087049048455442f051
Opcode Fuzzy Hash: 5b4325aa9a5e8f0e0b4577fd0ea16149b2c7b095d424bb39fec536e9b317fa59
Instruction Fuzzy Hash: 5151B471E102099FCB18CFA9D944BAEBBF9FF94704F10462EF426A3254EB70A9448B50

Function 011440D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 011440E5
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 011440EF
GetProcessHeap.KERNEL32(00000000,00000100), ref: 01144127
HeapAlloc.KERNEL32(00000000), ref: 0114412E
GetSystemDirectoryW.KERNEL32(00000000,00000060), ref: 0114413D
lstrcpyW.KERNEL32(?,\b86362a5.exe), ref: 01144157

Strings

\b86362a5.exe, xrefs: 0114414E

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Heap$AllocProcess$DirectorySystemlstrcpy
String ID: \b86362a5.exe
API String ID: 2190664303-3123522761
Opcode ID: a73b106b5c8d76ba7ba3b8de8b2a60823d133183550abb294295edd575304288
Instruction ID: 53093546f4920430956da39c78f9dcfbac799a8cbfaccdfb0584c7762550e3d8
Opcode Fuzzy Hash: a73b106b5c8d76ba7ba3b8de8b2a60823d133183550abb294295edd575304288
Instruction Fuzzy Hash: E811BF76600717ABD3249BEADC48A5AB7E8FF58B41B044129FE05CBA40DB70E851C7A4

Function 011910F0 Relevance: 12.1, APIs: 8, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 01191121
SetFileAttributesW.KERNEL32(?,00000000), ref: 0119114C
MoveFileExW.KERNEL32(?,?,?), ref: 01191172
GetLastError.KERNEL32 ref: 01191181
Sleep.KERNEL32(000000C8), ref: 0119119C
GetLastError.KERNEL32 ref: 011911AA
GetFileAttributesW.KERNEL32(?), ref: 011911C4
SetFileAttributesW.KERNEL32(?,00000000), ref: 011911E6

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$Attributes$ErrorLast$MoveSleep
String ID:
API String ID: 2113869211-0
Opcode ID: 978db4b9fd96d723c2ecb5e2c7eab3d6825e3397cf6807eeaa77044be4f5b563
Instruction ID: 631a9c4ee2b5ce6b09723cd49ca7db28c24670a492878a261e6091ea63dc2177
Opcode Fuzzy Hash: 978db4b9fd96d723c2ecb5e2c7eab3d6825e3397cf6807eeaa77044be4f5b563
Instruction Fuzzy Hash: F83172B5A01116BBDF388FB8E8445AA77F9FF45321B144A39E865C7280D730E985CB61

Function 01150B30 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,88D0918B,00000000,0000000C,?), ref: 01150B6D
FindResourceW.KERNEL32(00000000,0000012C,LZMA), ref: 01150B80
LoadResource.KERNEL32(00000000,00000000), ref: 01150B92
LockResource.KERNEL32(00000000), ref: 01150BA1
SizeofResource.KERNEL32(00000000,00000000), ref: 01150BB3

Strings

LZMA, xrefs: 01150B73

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof
String ID: LZMA
API String ID: 1601749889-3584152497
Opcode ID: 27745cb3c6c032e8945ca151d120492a3ff646282c1186a8899aeed4a499502d
Instruction ID: eb4537fae2b2497a59c7e313634696a71a23d3a4b001464b16d757a774299869
Opcode Fuzzy Hash: 27745cb3c6c032e8945ca151d120492a3ff646282c1186a8899aeed4a499502d
Instruction Fuzzy Hash: 5671C471E002199FEF1CCFA8CD49BAEBBB5EF49314F04825DE915A7284DB3499848F60

Function 011B6AB0 Relevance: 10.7, APIs: 7, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 011B6B3E
DName::operator+.LIBCMT ref: 011B6B91

Part of subcall function 011B5764: shared_ptr.LIBCMT ref: 011B5780

Part of subcall function 011B568F: DName::operator+.LIBCMT ref: 011B56B0

DName::operator+.LIBCMT ref: 011B6B82
DName::operator+.LIBCMT ref: 011B6BE2
DName::operator+.LIBCMT ref: 011B6BEF
DName::operator+.LIBCMT ref: 011B6C36
DName::operator+.LIBCMT ref: 011B6C43

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: e411470d5a141181ab85b6630e8cb1f254ce6340abfe591e62e8d2d0e0a0a552
Instruction ID: 5f0e72e774c89a28ecce2036574401e045fa47fdecd199c76b44436655079bfb
Opcode Fuzzy Hash: e411470d5a141181ab85b6630e8cb1f254ce6340abfe591e62e8d2d0e0a0a552
Instruction Fuzzy Hash: 3C5162B1E00209AFDF1DDF98D9D5EEEBBB9EF28704F44405AE605A7180DB309644CBA0

Function 011080B0 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 011080E6
std::_Lockit::_Lockit.LIBCPMT ref: 01108109
std::_Lockit::~_Lockit.LIBCPMT ref: 01108129

Part of subcall function 01107EA0: std::_Lockit::_Lockit.LIBCPMT ref: 01107F29
Part of subcall function 01107EA0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01107F7E
Part of subcall function 01107EA0: __Getctype.LIBCPMT ref: 01107F97
Part of subcall function 01107EA0: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01107FE1

std::_Facet_Register.LIBCPMT ref: 0110819B
std::_Lockit::~_Lockit.LIBCPMT ref: 011081BD
Concurrency::cancel_current_task.LIBCPMT ref: 011081E0
__Towlower.LIBCPMT ref: 011081FA

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Locinfo::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo_ctorLocinfo_dtorRegisterTowlower
String ID:
API String ID: 1467388372-0
Opcode ID: 05a27efec286c8036d855c33177cff4ddf5d3e70f5efaa74f9a6d7a28505b1b1
Instruction ID: 9733bf5c146dcbf1584eae740373b8e53a7ebe3828f0d8eb722467e33e68907c
Opcode Fuzzy Hash: 05a27efec286c8036d855c33177cff4ddf5d3e70f5efaa74f9a6d7a28505b1b1
Instruction Fuzzy Hash: 9241C076D0021ADFCF1ADF98E844AAEB7B5FF64324F144119D819A7381D774BA01CBA1

Function 0113A5D0 Relevance: 10.6, APIs: 7, Instructions: 102sleepfileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002,00000000), ref: 0113A605
SetFileAttributesW.KERNEL32(?,00000000,?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002), ref: 0113A630
CopyFileW.KERNEL32 ref: 0113A656
GetLastError.KERNEL32(?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002,00000000), ref: 0113A665
Sleep.KERNEL32(000000C8,?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002,00000000), ref: 0113A680
GetFileAttributesW.KERNEL32(?,?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002,00000000), ref: 0113A6A5
SetFileAttributesW.KERNEL32(?,00000000,?,?,0113AEE4,?,?,?,0113AEE4,00000001,00000001,tmp,00000003,?,88D0918B,00000002), ref: 0113A6C7

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$Attributes$CopyErrorLastSleep
String ID:
API String ID: 3159088608-0
Opcode ID: b696f745aa218170dae63669717ae7825600e46cef676acccf72e475ed51d98a
Instruction ID: a6c0fd19cf6e68ddca88e180476f4a358e34485ed81b50959c636a626815da68
Opcode Fuzzy Hash: b696f745aa218170dae63669717ae7825600e46cef676acccf72e475ed51d98a
Instruction Fuzzy Hash: B931E4B1A001059BCB3C8FACE8085ADBBF9EFC5314B144A69E8A5CB284D730DD85DB50

Function 01150950 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,88D0918B,?), ref: 011509B8
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 011509CA
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 011509D9

Strings

kernel32.dll, xrefs: 011509AD
Wow64DisableWow64FsRedirection, xrefs: 011509C4
Wow64RevertWow64FsRedirection, xrefs: 011509D0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 667068680-4169039593
Opcode ID: 97a283940cbe33778ed73e5ebf323d23681b58cfba2b5e54aeb5cd5add7165d1
Instruction ID: 9aa4970c67f91f2cd0f9aaa8a2d4485838cab963f684a6cdd8d34dcb4a576015
Opcode Fuzzy Hash: 97a283940cbe33778ed73e5ebf323d23681b58cfba2b5e54aeb5cd5add7165d1
Instruction Fuzzy Hash: 7021B076500759DFD725CFA9C808B5AFBF8FB48B14F008A2EE86A93740D775A544CB90

Function 01193092 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0119310D,011932B6), ref: 011930A9
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive,?,?,0119310D,011932B6), ref: 011930BF
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive,?,?,0119310D,011932B6), ref: 011930D4

Strings

KERNEL32.DLL, xrefs: 011930A4
ReleaseSRWLockExclusive, xrefs: 011930C9
AcquireSRWLockExclusive, xrefs: 011930B9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: be2f747d49f8095ee79170c8fa1db17a195d85ce124e94264c8fbd03e17da238
Instruction ID: 9ee4dc5ff47307c09964c410625d8f5915d574ebdaec9ae66dee4a9209b9f14a
Opcode Fuzzy Hash: be2f747d49f8095ee79170c8fa1db17a195d85ce124e94264c8fbd03e17da238
Instruction Fuzzy Hash: C3F0F676720217ABDF3D5FF968C95B66BE8BA01245309013DDE32E7204EB11C88687D1

Function 01123170 Relevance: 9.2, APIs: 6, Instructions: 179COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 011231A6
std::_Lockit::_Lockit.LIBCPMT ref: 011231C9
std::_Lockit::~_Lockit.LIBCPMT ref: 011231E9

Part of subcall function 01122FA0: std::_Lockit::_Lockit.LIBCPMT ref: 01123023
Part of subcall function 01122FA0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0112306F
Part of subcall function 01122FA0: __Getctype.LIBCPMT ref: 01123088
Part of subcall function 01122FA0: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 011230A4

std::_Facet_Register.LIBCPMT ref: 0112325B
std::_Lockit::~_Lockit.LIBCPMT ref: 0112327D
Concurrency::cancel_current_task.LIBCPMT ref: 011232A0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Locinfo::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID:
API String ID: 490166356-0
Opcode ID: ff6782fa64da2083a594bd09338ae79c0bd2a879fb0f55bc0f52a8087857695f
Instruction ID: 3795121935f881f530615ed6e0d0725f2196cc660849858e7eed5f7af74bc432
Opcode Fuzzy Hash: ff6782fa64da2083a594bd09338ae79c0bd2a879fb0f55bc0f52a8087857695f
Instruction Fuzzy Hash: 4151F275E0021A9FCB19DF98D844BAEFBB5FF98724F14415AD825A7381DB38AD01CB90

Function 011042C0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 383COMMON

Download Yara Rule

APIs

___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 011044B1

Part of subcall function 01194F77: MultiByteToWideChar.KERNEL32(010FED13,00000008,?,00000001,?,00000001,?,?,011044B6,000004E4,?,00000001,?,00000001,true,010FED13), ref: 01194F8C
Part of subcall function 01194F77: GetLastError.KERNEL32 ref: 01194F98

Strings

\x{, xrefs: 011045E3
String pointer is null., xrefs: 011042A6
\u{, xrefs: 01104530
true, xrefs: 011042E0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide___std_fs_convert_narrow_to_wide@20
String ID: String pointer is null.$\u{$\x{$true
API String ID: 426171095-604247206
Opcode ID: 86e0f5ca5213abf14e7509c1c125d1dd168b6cc74cd3d34fd0efdfcbfdd626fd
Instruction ID: ff035410e6112228e668d01a07d7abd295f473d7dd133a228839e4cbdc04e016
Opcode Fuzzy Hash: 86e0f5ca5213abf14e7509c1c125d1dd168b6cc74cd3d34fd0efdfcbfdd626fd
Instruction Fuzzy Hash: 03E1DE34904649DFCB2ACF98D4D09AEBBF5FF59300B04844DE99A9BB92C770B846CB51

Function 011BB277 Relevance: 9.1, APIs: 6, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 011BB2BB
DName::operator+.LIBCMT ref: 011BB2C7

Part of subcall function 011B5764: shared_ptr.LIBCMT ref: 011B5780

DName::operator+=.LIBCMT ref: 011BB385

Part of subcall function 011B9B05: DName::operator+.LIBCMT ref: 011B9B70
Part of subcall function 011B9B05: DName::operator+.LIBCMT ref: 011B9E3A

Part of subcall function 011B568F: DName::operator+.LIBCMT ref: 011B56B0

DName::operator+.LIBCMT ref: 011BB342

Part of subcall function 011B57BC: DName::operator=.LIBVCRUNTIME ref: 011B57DD

DName::DName.LIBVCRUNTIME ref: 011BB3A9
DName::operator+.LIBCMT ref: 011BB3B5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: 20e16331da3a4c7387dda79faea74127fc369a64d935d535d85ecc25a34ac0c9
Instruction ID: c3b417536b7c5b8d123d9b38b22ec4cee9d28b53bbd08d248b43571d9a2947a1
Opcode Fuzzy Hash: 20e16331da3a4c7387dda79faea74127fc369a64d935d535d85ecc25a34ac0c9
Instruction Fuzzy Hash: F44115B0A09248AFDB19DFACD8D4AED7BFAAF19300F444449D586D7694D7319940CB14

Function 011161A0 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 011161D6
std::_Lockit::_Lockit.LIBCPMT ref: 011161F9
std::_Lockit::~_Lockit.LIBCPMT ref: 01116219

Part of subcall function 01115E00: std::_Lockit::_Lockit.LIBCPMT ref: 01115EA6
Part of subcall function 01115E00: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01115F01

std::_Facet_Register.LIBCPMT ref: 0111628B
std::_Lockit::~_Lockit.LIBCPMT ref: 011162AD
Concurrency::cancel_current_task.LIBCPMT ref: 011162D0

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID:
API String ID: 2294326227-0
Opcode ID: 8f45107aec7b2c5cf2a5017ed6550591f777053042896547e5507b208c95e67e
Instruction ID: d78746b6ce4c4f33350ffea6df5b8526b9c79119d1546bd990fd0c9e51e7efa3
Opcode Fuzzy Hash: 8f45107aec7b2c5cf2a5017ed6550591f777053042896547e5507b208c95e67e
Instruction Fuzzy Hash: 06410075D0025ADFCF29DF98D544AAEFBB4FF94318F144129C825A7345DB75A901CB80

Function 011B409A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,011B4091,011B1B8F,01194B64,88D0918B,?,?,?,00000000,011EDC8D,000000FF,?,0111DC2A,?,?), ref: 011B40A8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 011B40B6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 011B40CF
SetLastError.KERNEL32(00000000,?,00000000,011EDC8D,000000FF,?,0111DC2A,?,?,0111D907,?,?,?,?,0111D903), ref: 011B4121

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e831d97f61dc122342a81909682adcd006115df7566239a2b216c8848b463af3
Instruction ID: bf6eceb8f4230d77bec7474d19fba0759cdfc11a80a1b7e995c394b1c775a6dc
Opcode Fuzzy Hash: e831d97f61dc122342a81909682adcd006115df7566239a2b216c8848b463af3
Instruction Fuzzy Hash: 3901703630C3231FA73D5ABC7CC89EE2BA4FB216743204339F915458E6EF529801A755

Function 01177200 Relevance: 9.1, APIs: 6, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 01177243
SetLastError.KERNEL32(00000000), ref: 0117724C
RegCloseKey.ADVAPI32(00000000), ref: 0117725A
SetLastError.KERNEL32(00000000), ref: 01177265
SetLastError.KERNEL32(00000057), ref: 01177284
GetLastError.KERNEL32 ref: 0117728A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast$CloseCreate
String ID:
API String ID: 3491956904-0
Opcode ID: 8c8097b9a3379b4f58ede4d7023611917e78c45f078216160c882a50b9cf44ff
Instruction ID: 02d764437c72e086d21844c9ee7d84bddf2895213b20f594231077fdee2adb72
Opcode Fuzzy Hash: 8c8097b9a3379b4f58ede4d7023611917e78c45f078216160c882a50b9cf44ff
Instruction Fuzzy Hash: 00119E34740209ABEB78DFA4D84DB6E3BB8FF44701F104129FD16AB2C4DBB1A9808B50

Function 01134050 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,01133F3F,?,?,?,?,?,01133B5D), ref: 0113406C
CloseHandle.KERNEL32(00000000), ref: 0113408D
GetLastError.KERNEL32(?,?,?,?,01133F3F,?,?,?,?,?,01133B5D), ref: 011340A1
CloseHandle.KERNEL32(00000000), ref: 011340DE

Strings

Cannot create event, xrefs: 011340A7

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID: Cannot create event
API String ID: 3743700123-3475436419
Opcode ID: e21a20a93c26c7d4ab83f2fc80970580e565ebdcf3681da061676a11166b1713
Instruction ID: 8ab47f3df8d6d332b4c7c79d2cbc0510f10418a3b2e632ae80ceb066790816b9
Opcode Fuzzy Hash: e21a20a93c26c7d4ab83f2fc80970580e565ebdcf3681da061676a11166b1713
Instruction Fuzzy Hash: FE01D435B102271BEB39E6BDAE04AB772EC9F84601B040079BE19E6244EF20C84087A1

Function 01177030 Relevance: 7.6, APIs: 5, Instructions: 127registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 01177132
RegCloseKey.ADVAPI32(00000000), ref: 01177151
SetLastError.KERNEL32(00000000), ref: 0117715C
RegCloseKey.ADVAPI32(?), ref: 011771A7
SetLastError.KERNEL32(00000000), ref: 011771B2

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseErrorLast$Open
String ID:
API String ID: 1674861978-0
Opcode ID: 2a8909828735eadb5011d37320ba54d7ab875631cac204b9339a1600bad656a1
Instruction ID: 24f6a6899f807317a7736453225bd98c11b72d575845752c5e6dbd70417c6b1d
Opcode Fuzzy Hash: 2a8909828735eadb5011d37320ba54d7ab875631cac204b9339a1600bad656a1
Instruction Fuzzy Hash: A6517F7190021A9FDB28DF64D95CBEEBBB9EF54704F0041ADD91AA7380DB749A84CF50

Function 011952E5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(01221434,000000FF,?,01146C6B,00000080,?,00000006,?,?,?,?,?,?,00000001,?,88D0918B), ref: 011952F9
AcquireSRWLockExclusive.KERNEL32(01221434,?,01146C6B,00000080,?,00000006,?,?,?,?,?,?,00000001,?,88D0918B,?), ref: 01195318
AcquireSRWLockExclusive.KERNEL32(01221434,?,?,?,01146C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 01195346
TryAcquireSRWLockExclusive.KERNEL32(01221434,?,?,?,01146C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 011953A1
TryAcquireSRWLockExclusive.KERNEL32(01221434,?,?,?,01146C6B,00000080,?,00000006,?,?,?,?,?,?,00000001), ref: 011953B8

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 4580345909498ed2d0c1f17e79b2df15c9be5901358cf5af29e680adde61da29
Instruction ID: f4d3a7a2351ca6bcba1f19672191a8af1062c030c993499dad2c3ba68e51d875
Opcode Fuzzy Hash: 4580345909498ed2d0c1f17e79b2df15c9be5901358cf5af29e680adde61da29
Instruction Fuzzy Hash: 84418A30A08606DFCF6ADF6AC48096AB7F6FF04315F60492BE566E7540E7B0E681CB51

Function 0112CCB0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,88D0918B), ref: 0112CCF1
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0112CD19
EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 0112CD6F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 0112CDA0

Strings

Module is being registered for the second time, xrefs: 0112CD3C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Module is being registered for the second time
API String ID: 3168844106-2588535507
Opcode ID: 2d08007d9294da00203fb235dac80acc77f4e540face1682dee5d5ec06b44bda
Instruction ID: d2fa670b0e9b0324ec83faf7c6138e55309a8ee86c8914910809e5b0d72c21a5
Opcode Fuzzy Hash: 2d08007d9294da00203fb235dac80acc77f4e540face1682dee5d5ec06b44bda
Instruction Fuzzy Hash: 2D31A17590021DAFCB29DF94D844BEEBBF8EF49614F10062AE512A7140DB74AA49CBA0

Function 01106A10 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 283COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0111D86A,00000000,00000000,00000000,00000000,88D0918B), ref: 01106C46
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,88D0918B,?), ref: 01106CB1

Strings

to_narrow<wchar_t> invalid arguments, xrefs: 01106D04
to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 01106CE9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
API String ID: 626452242-1534530176
Opcode ID: fb937126cb85046d9c32898bf2137737cc2eabca9ce81de97f54039114295ef5
Instruction ID: 2672c70d9d227482828bd55d2d816403e053bee85e76a2fb5daf736b45b735da
Opcode Fuzzy Hash: fb937126cb85046d9c32898bf2137737cc2eabca9ce81de97f54039114295ef5
Instruction Fuzzy Hash: 3091F671E00206ABC719DFA9CD40BAEFBF5FF54310F20426AE515A7380D7B1AA54CB91

Function 01106B90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,0111D86A,00000000,00000000,00000000,00000000,88D0918B), ref: 01106C46
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,88D0918B,?), ref: 01106CB1

Strings

to_narrow<wchar_t> invalid arguments, xrefs: 01106D04
to_narrow<wchar_t>::WideCharToMultiByte, xrefs: 01106CE9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_narrow<wchar_t> invalid arguments$to_narrow<wchar_t>::WideCharToMultiByte
API String ID: 626452242-1534530176
Opcode ID: 2e5b1b1c3eaa65da814a068a06619af21c6d31047b877d691d127aa193e3bfa6
Instruction ID: c96514171f0db80e88e88fd102342a3474c3b9a4194c89982f1377452d4c895d
Opcode Fuzzy Hash: 2e5b1b1c3eaa65da814a068a06619af21c6d31047b877d691d127aa193e3bfa6
Instruction Fuzzy Hash: 3D411670E00306ABD729DFA9DD05BAEBBB5FF54704F10022AE910A72C0E7F1A954CB91

Function 01120F80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 01108AD0: CloseHandle.KERNEL32(003A9D78), ref: 01108B30
Part of subcall function 01108AD0: LeaveCriticalSection.KERNEL32(?,88D0918B,0124E60C,?), ref: 01108B6A

WaitForSingleObject.KERNEL32(?,000000FF,?,88D0918B), ref: 011210B7
CloseHandle.KERNEL32(?), ref: 011210D5

Part of subcall function 01133DE0: EnterCriticalSection.KERNEL32(00000000,?,?,?,00000000,011E550D,000000FF), ref: 01133E5E
Part of subcall function 01133DE0: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 01133E92

Part of subcall function 01133720: SetEvent.KERNEL32(00000000,88D0918B,0124E60C,?,?,?,?,?,?,00000000,011E545D,000000FF,?,01109666), ref: 0113377A
Part of subcall function 01133720: CloseHandle.KERNEL32(00000000), ref: 01133794
Part of subcall function 01133720: LeaveCriticalSection.KERNEL32(?), ref: 011337B6

Strings

H:, xrefs: 01120FE3, 01121041, 0112107C, 01121089, 011210A2, 011210E6
lifetime_object must be allocated on static memory (static or global variable or member of such a variable)., xrefs: 0112110E, 01121129

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$CloseHandleLeave$EnterEventObjectSingleWait
String ID: H:$lifetime_object must be allocated on static memory (static or global variable or member of such a variable).
API String ID: 3951272266-3507237979
Opcode ID: debac82c608866bdee392e08e70571ba33e8143f68ce4566c02c6868342720f3
Instruction ID: 727c0976f0122fbf620dd321844133040e1dc33fd8202c6a6033463b03515060
Opcode Fuzzy Hash: debac82c608866bdee392e08e70571ba33e8143f68ce4566c02c6868342720f3
Instruction Fuzzy Hash: D45123B0E10359AFEB19DFA8E844B9EBBF4FB50714F104229D92467280D7785508CB91

Function 01134680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,?,00000007,00000000,011E557E,08000000,00000000), ref: 0113470A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,011E557E,000000FF,?,011358BC,80000000), ref: 01134724
CloseHandle.KERNEL32(00000064), ref: 0113477C

Part of subcall function 011B21A0: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01117C8C,?,?,?,?,01117C8C,88D0918B,0123F8F0,88D0918B), ref: 011B2200

Strings

couldn't open file, xrefs: 011347AE

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseCreateDispatcherErrorExceptionFileHandleLastUser
String ID: couldn't open file
API String ID: 3278050421-3645828643
Opcode ID: ef12b709832a3c1983786c1e18dd4093f0cd7c462f0c41d95561c8b32019fe3b
Instruction ID: 15620605cf968338528df5c000b33830502938fed625f10dc769338181d55553
Opcode Fuzzy Hash: ef12b709832a3c1983786c1e18dd4093f0cd7c462f0c41d95561c8b32019fe3b
Instruction Fuzzy Hash: 41418FB5D002099FCB18DFE8D884BDEBBF4FB48724F20062AE925E7294DB359944CB50

Function 011B47AD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 011B47D2
CatchIt.LIBVCRUNTIME ref: 011B48B8

Strings

MOC, xrefs: 011B47E4
RCC, xrefs: 011B47EC

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a848fb264f02530f3ba3ce0f1872321e7307c7c2629a730bb4d29a40a2b877df
Instruction ID: e77bef468712fa88bacde1df48b34e8a61e1814f45ae311b21fb978c0b2befaa
Opcode Fuzzy Hash: a848fb264f02530f3ba3ce0f1872321e7307c7c2629a730bb4d29a40a2b877df
Instruction Fuzzy Hash: 38418A31900249AFDF1ACFD8CD80AEEBBB5FF48304F198069FA1667652D3359951CB90

Function 01178C80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,88D0918B), ref: 01178CB1
GetProcAddress.KERNEL32(00000000,SHGetPropertyStoreForWindow), ref: 01178CC5

Strings

shell32.dll, xrefs: 01178CAC
SHGetPropertyStoreForWindow, xrefs: 01178CBF

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SHGetPropertyStoreForWindow$shell32.dll
API String ID: 1646373207-1874690567
Opcode ID: 553345918401791b7ce6217477d860bd78e6549df215a3e06deb97bdc054b6c2
Instruction ID: 0015014a0ace5367d00c4de218ee39b712cfa4e4d167fddfd2f47bbf2b68acab
Opcode Fuzzy Hash: 553345918401791b7ce6217477d860bd78e6549df215a3e06deb97bdc054b6c2
Instruction Fuzzy Hash: 4E218331D0025A9FDB18CFA9D849BEEBBF8FB04614F00012AEC15A7350DB74A944CB90

Function 010F8830 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(`q:,00000FA0,88D0918B,?,011ED059,000000FF), ref: 010F8897

Strings

`q:, xrefs: 010F8876
y:, xrefs: 010F8852
`y:, xrefs: 010F8863

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: y:$`q:$`y:
API String ID: 2593887523-3729484907
Opcode ID: c2d3e67fd16ac435893980afff7d4d7368b369e7a4e7cd92f792593585dd6201
Instruction ID: f42dde7fe6e33a9fde9dab277c036647fac5a08458c471c19093eba83ecfa414
Opcode Fuzzy Hash: c2d3e67fd16ac435893980afff7d4d7368b369e7a4e7cd92f792593585dd6201
Instruction Fuzzy Hash: 2701D175A48684EBD72DCBACFA19B1ABBE0E791B28F040299D414D77C4CB7D1504C3A2

Function 011D323C Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 011D329F

Part of subcall function 011D7650: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,011D6B77,?,00000000,-00000008), ref: 011D76FC

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 011D34FA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 011D3542
GetLastError.KERNEL32 ref: 011D35E5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 20de89dd7a87116331f684e8bcf36ac91a9898c4e6d28189628f004302ff512a
Instruction ID: ca4fa5f5f416efdbc64e51cf1f65e1860bee650ef031df72c286190fce94e217
Opcode Fuzzy Hash: 20de89dd7a87116331f684e8bcf36ac91a9898c4e6d28189628f004302ff512a
Instruction Fuzzy Hash: AAD18AB5D102489FDF19CFA8D8809EDBBB4FF09314F18452AE926EB341D730A941CB61

Function 011B8227 Relevance: 6.2, APIs: 4, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 011B835C

Part of subcall function 011B54A0: __aulldvrm.LIBCMT ref: 011B54D1

DName::operator+.LIBCMT ref: 011B82BD
DName::operator=.LIBVCRUNTIME ref: 011B83A1
DName::DName.LIBVCRUNTIME ref: 011B83D3

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: 5001cd98e1cdbfb3cf6f00c5cfef61a440703558e310ba6210999c68686a2bab
Instruction ID: accf9b341f825e6f0dff2c392610811840774f1bf1331db51f0bd9d5f55eebcf
Opcode Fuzzy Hash: 5001cd98e1cdbfb3cf6f00c5cfef61a440703558e310ba6210999c68686a2bab
Instruction Fuzzy Hash: D461BEB5D05219DFDB18DF98D8C0AEEBBB9FB14B00F04809AD945AB364D7709A41CF90

Function 011B41B1 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 011B4278
___AdjustPointer.LIBCMT ref: 011B429B
___AdjustPointer.LIBCMT ref: 011B4337

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3cc33aa5e111f6c147da1bc6b19aba4e70d34d22e7460d69697fb31db2f1777a
Instruction ID: 9b6c400a7f20a7cb537b3a7db27cdd20d041d255b519d7b45b92e3eb47f4089f
Opcode Fuzzy Hash: 3cc33aa5e111f6c147da1bc6b19aba4e70d34d22e7460d69697fb31db2f1777a
Instruction Fuzzy Hash: 66512676A04206AFEB2D8F59E4C1BF977B4EF10204F14856DED0647992E730E840D790

Function 01107240 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,88D0918B,?), ref: 011072DD
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,0000FDE9,00000000,00000000,?,?,00000000,00000000,88D0918B,?), ref: 01107344

Strings

to_wide<char> invalid arguments, xrefs: 01107397
to_wide<char>::MultiByteToWideChar, xrefs: 0110737C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: to_wide<char> invalid arguments$to_wide<char>::MultiByteToWideChar
API String ID: 626452242-363086301
Opcode ID: 7349ca89dca48e74d52f65fb8091bf09ad8de6367bb725adc77ade06caf9e287
Instruction ID: 9d8a1a1c6014497a081cd512ef609605a014fb3e6421e43b8dea566360bd4d9b
Opcode Fuzzy Hash: 7349ca89dca48e74d52f65fb8091bf09ad8de6367bb725adc77ade06caf9e287
Instruction Fuzzy Hash: 3541B670D04706ABEB1DCFA9D845BAEBBB9FF94304F104229E851A72D0D7B1B944CB91

Function 01143230 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,88D0918B,?), ref: 0114328A
LeaveCriticalSection.KERNEL32(?,00000001,?), ref: 0114332E
LeaveCriticalSection.KERNEL32(?), ref: 0114337D

Strings

Provided module is invalid or already unloaded, xrefs: 01143203

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: Provided module is invalid or already unloaded
API String ID: 2978645861-250373487
Opcode ID: d424f523e8d874f046596e536a440de465c861927a3c5878c353dc490e1299d0
Instruction ID: 27ed11dc943d6cece2efdb1d73cefa3d397acb6ab9869eb539a7bfaedc863a31
Opcode Fuzzy Hash: d424f523e8d874f046596e536a440de465c861927a3c5878c353dc490e1299d0
Instruction Fuzzy Hash: FF515A74A002199FCB14DFA9C484BAEF7F9BF48710F14866AE816A7380DB34A945CB90

Function 01135360 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 01195713: QueryPerformanceFrequency.KERNEL32(00000000,?,?,?,01135377,?,00000000,00000001,?,88D0918B,?,?,00000000), ref: 01195731

Part of subcall function 011956FC: QueryPerformanceCounter.KERNEL32(00000000,?,?,?,01135384,?,00000000,00000001,?,88D0918B,?,?,00000000), ref: 01195705

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011353D0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01135404
__alldvrm.LIBCMT ref: 01135423
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0113544B

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 591e380f2de834c975a45299622410e476fa0b9f7a4c99f5a80607033fe7414e
Instruction ID: 8d8aa16477650e35f2bfdeaeca3dde6f1b4511e047342950988f6bd6ee5a1aa3
Opcode Fuzzy Hash: 591e380f2de834c975a45299622410e476fa0b9f7a4c99f5a80607033fe7414e
Instruction Fuzzy Hash: F3318FB17083016FDB1CDE2D9C45B3BAAEEDBC8694F05866DF909DB350E6709C0446A5

Function 01108AD0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 01133680: InitializeCriticalSection.KERNEL32(00000000,?,?,011095C7,?,88D0918B,?,?), ref: 011336A9
Part of subcall function 01133680: DeleteCriticalSection.KERNEL32(00000000,?,?,011095C7,?,88D0918B,?,?), ref: 011336C3
Part of subcall function 01133680: EnterCriticalSection.KERNEL32(003A9D58,0124E60C,0124E610,?,?,?,01108B13,88D0918B,0124E60C,?,?,?,011095C7,?,88D0918B,?), ref: 0113370D

CloseHandle.KERNEL32(003A9D78), ref: 01108B30
LeaveCriticalSection.KERNEL32(?,88D0918B,0124E60C,?), ref: 01108B6A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,011095C7,?,88D0918B,?), ref: 01108B98
LeaveCriticalSection.KERNEL32(?), ref: 01108BAD

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$Leave$CloseCreateDeleteEnterEventHandleInitialize
String ID:
API String ID: 3435541109-0
Opcode ID: 605a1f2053f37e968af8bdb5a978d727452bf329fc5eda00a81d2ccf82e19143
Instruction ID: 9d596872b19407a2d0cbb40f2f66fc0c04d02b5a90d0abbad1f5353bfabb5d04
Opcode Fuzzy Hash: 605a1f2053f37e968af8bdb5a978d727452bf329fc5eda00a81d2ccf82e19143
Instruction Fuzzy Hash: 4331C7B1D0071AAFDB269F98C845BAEFBB0FF15710F14422AE915772C0D7756580CB91

Function 0116EE40 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0116EE6A
SelectObject.GDI32(00000000,?), ref: 0116EE78
GetTextExtentPoint32W.GDI32(?,00000000,-00000002,?), ref: 0116EEDE
ReleaseDC.USER32(?,?), ref: 0116EF20

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ExtentObjectPoint32ReleaseSelectText
String ID:
API String ID: 4006923989-0
Opcode ID: a79686c36a503a53e2581eba563968faddd4b4b010587939a054178f3b1cf401
Instruction ID: 02833e24fcfd3ba82c7ddac6a6f24ee65b800aee4a5f833531a3370361ca1732
Opcode Fuzzy Hash: a79686c36a503a53e2581eba563968faddd4b4b010587939a054178f3b1cf401
Instruction Fuzzy Hash: FC216F76A002189FCB64DF98DC44E9A77F9FF59710F0481A9E949E7205EB30AE85CB90

Function 01178570 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0117859F
LoadResource.KERNEL32(?,00000000), ref: 011785C5
LockResource.KERNEL32(00000000), ref: 011785D0
SizeofResource.KERNEL32(?,00000000), ref: 011785E1

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ea8c70deaab0e8bb5c674d3a61b3c4c017da55e904fa630206d01429cf9eabb6
Instruction ID: fb2f158d1163c4ada8d9b0e3ea1e006f6863beb3a7bb29607d4dffa7c78d85f8
Opcode Fuzzy Hash: ea8c70deaab0e8bb5c674d3a61b3c4c017da55e904fa630206d01429cf9eabb6
Instruction Fuzzy Hash: FE2130B0A0060AAFD714DF95D844A6AFBF8FF49301F10862DE85597644D731E950CBA1

Function 0111EA20 Relevance: 6.1, APIs: 4, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0111EA6E
___std_exception_destroy.LIBVCRUNTIME ref: 0111EA7E
___std_exception_copy.LIBVCRUNTIME ref: 0111EA88
___std_exception_destroy.LIBVCRUNTIME ref: 0111EA9B

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID:
API String ID: 2970364248-0
Opcode ID: cd5a270141d3ed439b973e64327a23d1b81c0dce98d48144c0e051494c7ae2ed
Instruction ID: d8c344d994283eef410198f9f7c11805141a2375fe5c27a4c2d8f5d5764d3d58
Opcode Fuzzy Hash: cd5a270141d3ed439b973e64327a23d1b81c0dce98d48144c0e051494c7ae2ed
Instruction Fuzzy Hash: BE112EB5D0020AABCB14DFA8D8849EEB7F8BF55204F40866EE955A7200FB70A654CBD5

Function 0113A910 Relevance: 6.0, APIs: 4, Instructions: 44sleepfileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00000000,00000000,0113CC3C,88D0918B,?,00000000,00000000,88D0918B), ref: 0113A921
SetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000000,88D0918B), ref: 0113A941
DeleteFileW.KERNEL32(?,?,00000000,00000000,88D0918B), ref: 0113A952
Sleep.KERNEL32(000000C8,?,00000000,00000000,88D0918B), ref: 0113A966

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: File$Attributes$DeleteSleep
String ID:
API String ID: 3341637309-0
Opcode ID: bd430db95c14597d4d04d9f6da07e2cdd3d0d4a9a8f600163b03849bf45fcb74
Instruction ID: cd58a5da8d32e25f2afd3f8f322b3eb37d2d9fc4a5d77bc42c01d49fd64eab67
Opcode Fuzzy Hash: bd430db95c14597d4d04d9f6da07e2cdd3d0d4a9a8f600163b03849bf45fcb74
Instruction Fuzzy Hash: D6F0CD746422109BD7384FACF848A5A37E49F41765B160619F4E5DB2C8E331D8868761

Function 01129170 Relevance: 6.0, APIs: 4, Instructions: 40threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,?,?,01127DCF), ref: 01129180

Part of subcall function 01195516: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 01195522
Part of subcall function 01195516: GetExitCodeThread.KERNEL32(?,01127DCF,?,?,01129196,?,00000000,00000000,?,?,?,01127DCF), ref: 0119553B
Part of subcall function 01195516: CloseHandle.KERNEL32(?), ref: 0119554D

std::_Throw_Cpp_error.LIBCPMT ref: 011291A9
std::_Throw_Cpp_error.LIBCPMT ref: 011291B0
std::_Throw_Cpp_error.LIBCPMT ref: 011291B7

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 13b22a6aa7dcbb110bf119d4c4613ecd7e22781f18db7d7befcb70641e3a10d6
Instruction ID: fb8783e2f999a8181c90eb8946b6346f8371ff587142873b0d5d1304a5a15e57
Opcode Fuzzy Hash: 13b22a6aa7dcbb110bf119d4c4613ecd7e22781f18db7d7befcb70641e3a10d6
Instruction Fuzzy Hash: 21F02B305003295AFB7E6BBC8C057017BC69F10719F34885EE6B86A8D1FB72A410CA92

Function 011E08B7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 011E08CE
GetLastError.KERNEL32(?,011DED88,00000000,00000001,00000000,00000008,?,011D3639,00000008,011E6F0C,00000000,00000008,00000008,?,011D3BF7,011E6F0C), ref: 011E08DA

Part of subcall function 011E08A0: CloseHandle.KERNEL32(FFFFFFFE), ref: 011E08B0

___initconout.LIBCMT ref: 011E08EA

Part of subcall function 011E0862: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E0875

WriteConsoleW.KERNEL32 ref: 011E08FF

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: da86c43b3b39b935e43c2cb4c7c1c4fc1ad8d5de27c05615de0a84b2e4b64bc9
Instruction ID: ff3fd2208827c71926c56207d2c1ca19c4ac63e5eca3679bcf9b27e0e0d3799b
Opcode Fuzzy Hash: da86c43b3b39b935e43c2cb4c7c1c4fc1ad8d5de27c05615de0a84b2e4b64bc9
Instruction Fuzzy Hash: 5DF0123A50052ABBCF265FD5EC0C9893FA6FB483B0B044120FD1985120D771C9A09B91

Function 01178A50 Relevance: 6.0, APIs: 4, Instructions: 26synchronizationwindowthreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01178A67
WaitForSingleObject.KERNEL32(00000000,00002710,?,?,?,?,?,?,?,?,?,?,?,?,01179A75,88D0918B), ref: 01178A7C
TerminateThread.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,01179A75,88D0918B), ref: 01178A8E
CloseHandle.KERNEL32(00000000), ref: 01178A97

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CloseHandleMessageObjectPostSingleTerminateThreadWait
String ID:
API String ID: 2369523621-0
Opcode ID: 616e0ef0911168bb18edc8584a35ffceee77956e8ddc84dba26ef00d95ca798c
Instruction ID: 05283f49e5611b185a18c833d8d1286ef01e119821a88ca6957d76c5f6e000f0
Opcode Fuzzy Hash: 616e0ef0911168bb18edc8584a35ffceee77956e8ddc84dba26ef00d95ca798c
Instruction Fuzzy Hash: 65F030301017219BE7345FA8DD4DB427BF1AF04B00F140828F75299AD4C7B6E4D1DB04

Function 01142900 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,onexit_register_connector_avast_2,?,00000000,?,?,?,?,?,?,?,?,?,011E6825,000000FF), ref: 011429A5
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011E6825,000000FF,?,01133BE3), ref: 011429AC

Strings

onexit_register_connector_avast_2, xrefs: 0114299A

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: onexit_register_connector_avast_2
API String ID: 1646373207-1395861777
Opcode ID: 13e046ff22cad581c52332fd00835000c8b55d343093e948fba654a063411e64
Instruction ID: 10f25e461a583b95f23ca952546a0e8937ec5771984c7a568d64d5ba5d133369
Opcode Fuzzy Hash: 13e046ff22cad581c52332fd00835000c8b55d343093e948fba654a063411e64
Instruction Fuzzy Hash: 6561C1709006198FCB19CFA8C844B9DBBF5FF88710F14825AEC15AB381EB74A985CF90

Function 0113E160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0111EA20: ___std_exception_copy.LIBVCRUNTIME ref: 0111EA6E
Part of subcall function 0111EA20: ___std_exception_destroy.LIBVCRUNTIME ref: 0111EA7E
Part of subcall function 0111EA20: ___std_exception_copy.LIBVCRUNTIME ref: 0111EA88
Part of subcall function 0111EA20: ___std_exception_destroy.LIBVCRUNTIME ref: 0111EA9B

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0113E283
GetLastError.KERNEL32 ref: 0113E28D

Strings

Unable to retrieve a path of the known folder ({})!, xrefs: 0113E2C9

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy$EnvironmentErrorExpandLastStrings
String ID: Unable to retrieve a path of the known folder ({})!
API String ID: 90833314-3064207712
Opcode ID: a9dc5130e4cee6284c363374ae9687d6030abe5b158cb14383f1c0d533d13182
Instruction ID: c7b5dc0d566d20e51eb15f10285abb86d1bef6d15f18b0c038baf98955c20077
Opcode Fuzzy Hash: a9dc5130e4cee6284c363374ae9687d6030abe5b158cb14383f1c0d533d13182
Instruction Fuzzy Hash: 6F41D871A002059FDB18DF99DC85AAEFBF9FF58710F004619F815AB394E770A950CB92

Function 01125200 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,?,88D0918B,00000000), ref: 01125368

Part of subcall function 01196256: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 01196261
Part of subcall function 01196256: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 0119629B

RtlNtStatusToDosError.NTDLL ref: 01125361

Part of subcall function 01128130: GetModuleHandleW.KERNEL32 ref: 01128154
Part of subcall function 01128130: GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 01128164

Part of subcall function 01196205: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,01107AD8,0124E600), ref: 0119620F
Part of subcall function 01196205: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,01107AD8,0124E600), ref: 01196242
Part of subcall function 01196205: WakeAllConditionVariable.KERNEL32(0124D9D0,?,01107AD8,0124E600), ref: 0119624D

Strings

NtSetInformationFile, xrefs: 0112526C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorRelease$AddressConditionHandleLastModuleProcStatusVariableWake
String ID: NtSetInformationFile
API String ID: 515452689-1659534519
Opcode ID: 1745353008d4fdbb76f7828b4b53e9338ce10d0fbd279cca44024e36e4e8a8b4
Instruction ID: 70a9001bd60dc6255fc188211229a8ef3cf838ca9d7270763947452e301fc392
Opcode Fuzzy Hash: 1745353008d4fdbb76f7828b4b53e9338ce10d0fbd279cca44024e36e4e8a8b4
Instruction Fuzzy Hash: FC518170D0061A9FCB14CFA8D984B9DBBF5FF58324F10822AE825A7380D7B0A950CF91

Function 01178B10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 01178B9A
std::_Throw_Cpp_error.LIBCPMT ref: 01178BA5

Strings

d, xrefs: 01178BED

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: d
API String ID: 2134207285-2564639436
Opcode ID: c2670109eaaf26aea96f20a38f01194ac0f3a147396c99c4b1897015a6084225
Instruction ID: 96e38836f962d2230dab7430922dfcfa69392d89337d06442d658f5f293f1030
Opcode Fuzzy Hash: c2670109eaaf26aea96f20a38f01194ac0f3a147396c99c4b1897015a6084225
Instruction Fuzzy Hash: 31410372604608EFEB19CF59DC45BAABBF8FB04724F10416EE91597780EB71B800CB90

Function 0113A470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,88D0918B,00000000,?), ref: 0113A582
GetFileAttributesW.KERNEL32(?,?,?,?,88D0918B,00000000,?), ref: 0113A5A3

Strings

{}\{}{:016x}.{}, xrefs: 0113A529

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: AttributesFile
String ID: {}\{}{:016x}.{}
API String ID: 3188754299-3450286142
Opcode ID: 2e5e9d8faa305414b993451d6cb675b8223113408e4b5d123f7c0717b7c70b00
Instruction ID: d621c6113ee6b7d38629ad7793ca0ac5b839fe00f13d5d7c4c30e1ee286c46f8
Opcode Fuzzy Hash: 2e5e9d8faa305414b993451d6cb675b8223113408e4b5d123f7c0717b7c70b00
Instruction Fuzzy Hash: 51418F70E00605DBDB28CF68D5047AEB7F4FF48318F104A2AE454E7280E775AA85CBD1

Function 0112B1F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,88D0918B,?,?), ref: 0112B240

Strings

{:04}-{:02}-{:02} {:02}:{:02}:{:02}.{:03}, xrefs: 0112B2BC, 0112B2F2
FTimeToSysTime fail, xrefs: 0112B255

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: Time$FileSystem
String ID: FTimeToSysTime fail${:04}-{:02}-{:02} {:02}:{:02}:{:02}.{:03}
API String ID: 2086374402-4033518044
Opcode ID: 773ee6a7bc867c49e7de8cce40f6c429290cbdbcef4b3c41ad0a98c18ae4f931
Instruction ID: 2912d8b1855bb45e206d38577a3ba951542fdf0cd6145c1e6b00d80b858ac550
Opcode Fuzzy Hash: 773ee6a7bc867c49e7de8cce40f6c429290cbdbcef4b3c41ad0a98c18ae4f931
Instruction Fuzzy Hash: 714127B1D00219DBEB24CFA5D9847AEFBF5FF18714F20422AE814AB280E7756944CF60

Function 011422F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,00000000,00008000,?,00000000,011E67AD,000000FF,?,0113DE18,88D0918B,00000024,0000000C), ref: 01142347
GetLastError.KERNEL32(?,00000000,011E67AD,000000FF,?,0113DE18,88D0918B,00000024,0000000C), ref: 0114239B

Strings

Unable to retrieve environment variable '{}'!, xrefs: 011423A7

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: EnvironmentErrorLastVariable
String ID: Unable to retrieve environment variable '{}'!
API String ID: 3114522214-1956155322
Opcode ID: 0563b588843ec8e869b1b25ea91f07efaabbc2e84cad8f803fdb2000b13cec75
Instruction ID: 205095d81a63278052be87d537963d98500a4b3c29ae86fa17ac191032cdbbf7
Opcode Fuzzy Hash: 0563b588843ec8e869b1b25ea91f07efaabbc2e84cad8f803fdb2000b13cec75
Instruction Fuzzy Hash: 1121F871E14219ABDB24DF95DC05B9FBBFCEF54B14F00052EF915A2280DBB0558487D1

Function 01183130 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000001,00000005,00000000,00000003,08000000,00000000), ref: 01183181
GetLastError.KERNEL32(?,88D0918B,011ECA2E,000000FF), ref: 011831B8

Strings

Unable to open file '{}'!, xrefs: 011831C4

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: Unable to open file '{}'!
API String ID: 1214770103-3496713056
Opcode ID: 54e00d2d3a07c5d515764f1a59a06d7db72dbd45b9b8e955615faa48a49ba791
Instruction ID: 3b4e3c44d941f61c5f01ed9d0b73b8f72442399851f8eea8eb6a774f4d9c67fb
Opcode Fuzzy Hash: 54e00d2d3a07c5d515764f1a59a06d7db72dbd45b9b8e955615faa48a49ba791
Instruction Fuzzy Hash: 7A11947094061AAFDB28DF99DC45B9EBBF8FB08B14F10061EF515A72C0E7B42644CB94

Function 011253E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,88D0918B,?,00000001,0000000D,88D0918B), ref: 01125494

Part of subcall function 01196256: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 01196261
Part of subcall function 01196256: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,?,?,01107AB1,0124E600,88D0918B,00000000,011E2D51,000000FF,?,0113E9DE,\Device\LanmanRedirector\,00000019,88D0918B), ref: 0119629B

RtlNtStatusToDosError.NTDLL ref: 0112548D

Part of subcall function 01128130: GetModuleHandleW.KERNEL32 ref: 01128154
Part of subcall function 01128130: GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 01128164

Part of subcall function 01196205: AcquireSRWLockExclusive.KERNEL32(0124D9D4,?,?,01107AD8,0124E600), ref: 0119620F
Part of subcall function 01196205: ReleaseSRWLockExclusive.KERNEL32(0124D9D4,?,01107AD8,0124E600), ref: 01196242
Part of subcall function 01196205: WakeAllConditionVariable.KERNEL32(0124D9D0,?,01107AD8,0124E600), ref: 0119624D

Strings

NtSetInformationFile, xrefs: 01125437

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorRelease$AddressConditionHandleLastModuleProcStatusVariableWake
String ID: NtSetInformationFile
API String ID: 515452689-1659534519
Opcode ID: b547d66a4e2b0d14f88ac620d43bb087a217ef98ccde5844877236e0617790c1
Instruction ID: ba606fb90a421dc1a32fac2f4d6f6be4d7d444125b4f8d040ffd35c0ffefeda8
Opcode Fuzzy Hash: b547d66a4e2b0d14f88ac620d43bb087a217ef98ccde5844877236e0617790c1
Instruction Fuzzy Hash: 1F21F971A00266DFDB24DFA8DD85F9AB7F8F704724F004636ED2597680EB746900CB61

Function 01193147 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 01193158
GetSystemInfo.KERNEL32(?), ref: 01193173

Strings

D, xrefs: 01193167

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 6cd2429af624b024cf2db3d6de0d8e42672da866bdbbfb7472ad036440c0d216
Instruction ID: d7f2017ae241131ae65ba8298c5ec2fa26ee255d07b2af9584f49a6eeea241b3
Opcode Fuzzy Hash: 6cd2429af624b024cf2db3d6de0d8e42672da866bdbbfb7472ad036440c0d216
Instruction Fuzzy Hash: 2C01D8726101095BDF28DE69DC05ADE7BF9AFC4224F0CC131AD69DA254D734D8468680

Function 01142DD0 Relevance: 5.3, APIs: 4, Instructions: 252COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,88D0918B,?,?,00000000), ref: 01142E50
LeaveCriticalSection.KERNEL32(?,?,?), ref: 01142EC7
EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 01143015
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 01143039

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9b332245a51596a0183218e28ff02673a7efe346bcd012a5b06992f14bf0b147
Instruction ID: cef071504b6ac68c9e8411617607873eeb4829980d74d47200c408d68dfcefa6
Opcode Fuzzy Hash: 9b332245a51596a0183218e28ff02673a7efe346bcd012a5b06992f14bf0b147
Instruction Fuzzy Hash: 8191A575A002168FDB18CFA8D4847ADBBF5FF88720F148269ED15AB385DB34AD45CB90

Function 011B0110 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 011B1020: WaitForSingleObject.KERNEL32(00000122,000000FF,?,011B0C84,00000122,?,00000008,000000D8,?,00000800,?,00000112,?), ref: 011B1028

Part of subcall function 011B0FB0: SetEvent.KERNEL32(00000126,?,011B0C7A,00000126,?,00000008,000000D8,?,00000800,?,00000112,?), ref: 011B0FB8

EnterCriticalSection.KERNEL32(?), ref: 011B0181
EnterCriticalSection.KERNEL32(?), ref: 011B018E
LeaveCriticalSection.KERNEL32(?), ref: 011B01B0
LeaveCriticalSection.KERNEL32(?), ref: 011B01B7

Part of subcall function 011B1070: ReleaseSemaphore.KERNEL32(00000132,00000001,00000000,?,011B0C29,00000132,?,00000008,000000D8,?,00000800,?,00000112,?), ref: 011B107C

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave$EventObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 3648152314-0
Opcode ID: 6a0bef880d42aa2920ab70b0a60889661c5d51b79f92ff96ef538414ada0975c
Instruction ID: 0b750c21916f76f1638a5e6cbc37bfdebbc57f973f317c5583373e8d60893a06
Opcode Fuzzy Hash: 6a0bef880d42aa2920ab70b0a60889661c5d51b79f92ff96ef538414ada0975c
Instruction Fuzzy Hash: B1519275900605AFCB19DFA8C884ADFB7F9EF48304F054179E84A8B616D731EA46CB91

Function 01176C60 Relevance: 5.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 01176D67
GetLastError.KERNEL32 ref: 01176D75
GetLastError.KERNEL32 ref: 01176DD5

Memory Dump Source

Source File: 00000006.00000002.762832926.00000000010F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 010F0000, based on PE: true

Associated: 00000006.00000002.762812304.00000000010F0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762945404.00000000011EF000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762976183.0000000001243000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.762996444.0000000001245000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763009936.000000000124D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.763029476.0000000001251000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10f0000_avg_tuneup_online_setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7eb6a1534e6f6397c08731772445ec8c8d71c14de5bbd79b8f51cb4177c7c818
Instruction ID: 86142df879dcfe428e1714a286c49a66c69f1e9ef425f8fca2b3a9d8a0e3880d
Opcode Fuzzy Hash: 7eb6a1534e6f6397c08731772445ec8c8d71c14de5bbd79b8f51cb4177c7c818
Instruction Fuzzy Hash: 8241CB72D1061ADFDF18CF98D848BAFBBB5EF45324F100519E811AB340D734AA80CBA2

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll

C:\Program Files (x86)\WeatherZero\WeatherZero.exe

C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

C:\Program Files (x86)\WeatherZero\uninstall.exe

C:\Program Files (x86)\WeatherZero\wz.ico

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-1-0.dll.ipending.a168df30.lzma

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30

C:\Program Files\AVG\TuneUp\avg.local_vc142.crt\api-ms-win-core-console-l1-2-0.dll.ipending.a168df30.lzma

Windows Analysis Report
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre