e0168825be4779091fb1035747eac2b9f685600a7e84dfc7dc3929c3a8017b2e

Analysis

max time kernel
119s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_2_0/windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
Size

1.7MB
MD5

76974b990f52405522b0f38f43b9e973
SHA1

2e4c67a8772b5bf86b563602b252e3957da7d923
SHA256

90846154abe13934aded2cdeb432394148240531ebd58abf5197ae0be73e854d
SHA512

74604af64a9bd99e632ecc97c1be8a951fe35d66ada60be57cd5c431578537044a62614817e7361948a0f5ba5a6b689b721b83eea1712c66347faaedcb4fe06d
SSDEEP

24576:S7FUDowAyrTVE3U5F/sLuHhCLogeQo40gBxnBJ4sxtMXBCYk:SBuZrEUfRFXgznBJZ1

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 12 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\AVAST Software\Avast	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\Avira\Browser\Installed	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\AVG\AV\Dir	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup_x64.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdateCore.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdateSetup.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_vi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fa.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ar.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_pt-BR.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_sk.dll	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_en-GB.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ro.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_am.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_it.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ro.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_kn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_bn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_hr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_lv.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_pl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_gu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_hr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_zh-TW.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\acuapi_64.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\acuapi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ca.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_fi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_is.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_sr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_am.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\GUTDBEF.tmp	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_da.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ru.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdate.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_uk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ja.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sv.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_es.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_it.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdateHelper.msi	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_nl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ru.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_el.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_es-419.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_te.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_et.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_en.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_is.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_zh-CN.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_lv.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\acuapi_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_et.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ko.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-PT.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_th.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ca.dll	AVGBrowserUpdate.exe

Executes dropped EXE 7 IoCs

pid	Process
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
1628	avg_antivirus_free_setup.exe
1944	avg_secure_browser_setup.exe
2612	AVGBrowserUpdateSetup.exe
2924	AVGBrowserUpdate.exe
2008	avg_antivirus_free_setup_x64.exe
2568	AVGBrowserUpdate.exe

Loads dropped DLL 29 IoCs

pid	Process
2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1628	avg_antivirus_free_setup.exe
1628	avg_antivirus_free_setup.exe
2612	AVGBrowserUpdateSetup.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2568	AVGBrowserUpdate.exe
2008	avg_antivirus_free_setup_x64.exe
2008	avg_antivirus_free_setup_x64.exe
2008	avg_antivirus_free_setup_x64.exe
2008	avg_antivirus_free_setup_x64.exe
2008	avg_antivirus_free_setup_x64.exe
2008	avg_antivirus_free_setup_x64.exe
2568	AVGBrowserUpdate.exe
2568	AVGBrowserUpdate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdateSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1304	AVGBrowserUpdate.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_antivirus_free_setup_x64.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService.1.0\CLSID\ = "{82C85EAA-7C94-4702-AA75-DF39403AE358}"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "85"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "71"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78"	avg_antivirus_free_setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\CurVer\ = "AVGUpdate.Update3COMClassService.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\ProgID\ = "AVGUpdate.Update3COMClassService.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\LocalService = "avgm"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7"	avg_antivirus_free_setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82C85EAA-7C94-4702-AA75-DF39403AE358}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AVGBrowserUpdate.exe\AppID = "{82C85EAA-7C94-4702-AA75-DF39403AE358}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\CLSID\ = "{82C85EAA-7C94-4702-AA75-DF39403AE358}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\VersionIndependentProgID\ = "AVGUpdate.Update3COMClassService"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ServiceParameters = "/comsvc"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\CLSID	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "28"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "64"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "50"	avg_antivirus_free_setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\LocalService = "avg"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\AppID = "{82C85EAA-7C94-4702-AA75-DF39403AE358}"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57"	avg_antivirus_free_setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{30612A81-C10F-498E-9163-C2B2A3F81A14}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ = "ServiceModule"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\ProgID	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "14"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AVGBrowserUpdate.exe\AppID = "{30612A81-C10F-498E-9163-C2B2A3F81A14}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\ = "ServiceModule"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\ = "Update3COMClass"	AVGBrowserUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0\CLSID\ = "{30612A81-C10F-498E-9163-C2B2A3F81A14}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\ServiceParameters = "/comsvc"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\ = "Update3COMClass"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35"	avg_antivirus_free_setup_x64.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg_secure_browser_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg_secure_browser_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_antivirus_free_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	avg_secure_browser_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg_secure_browser_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2924	AVGBrowserUpdate.exe
2008	avg_antivirus_free_setup_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 32	2008	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	2924	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	2924	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	2924	AVGBrowserUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2136 wrote to memory of 2432	2136	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	29
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1628	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	30
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 2432 wrote to memory of 1944	2432	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	31
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1944 wrote to memory of 2612	1944	avg_secure_browser_setup.exe	32
PID 1628 wrote to memory of 2008	1628	avg_antivirus_free_setup.exe	33
PID 1628 wrote to memory of 2008	1628	avg_antivirus_free_setup.exe	33
PID 1628 wrote to memory of 2008	1628	avg_antivirus_free_setup.exe	33
PID 1628 wrote to memory of 2008	1628	avg_antivirus_free_setup.exe	33
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2612 wrote to memory of 2924	2612	AVGBrowserUpdateSetup.exe	34
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35
PID 2924 wrote to memory of 2568	2924	AVGBrowserUpdate.exe	35

C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
"C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\is-SPSIT.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SPSIT.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp" /SL5="$A0150,837598,832512,C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component0_extract\avg_antivirus_free_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fcXHC9qkFRcd1xTFo3LG7sMsPZ4WxfTSuQJGZjXOJrvGjbfwp6KNczq6El3lHeVi0LUaQ1ii
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\Temp\asw.557402d0948063db\avg_antivirus_free_setup_x64.exe
      "C:\Windows\Temp\asw.557402d0948063db\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:92pTu5fcXHC9qkFRcd1xTFo3LG7sMsPZ4WxfTSuQJGZjXOJrvGjbfwp6KNczq6El3lHeVi0LUaQ1ii /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b8cfc418-2967-47ad-898a-5eadf0c48346 /edat_dir:C:\Windows\Temp\asw.557402d0948063db
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
    - - C:\Windows\Temp\asw.1987d8e8c1539948\instup.exe
        
        "C:\Windows\Temp\asw.1987d8e8c1539948\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.1987d8e8c1539948 /edition:15 /prod:ais /stub_context:97876b61-a539-4a29-9df3-8d7e135b11c3:11128544 /guid:9f723b42-c68d-4c61-8269-9fb368b815e8 /ga_clientid:b8cfc418-2967-47ad-898a-5eadf0c48346 /no_delayed_installation /silent /ws /psh:92pTu5fcXHC9qkFRcd1xTFo3LG7sMsPZ4WxfTSuQJGZjXOJrvGjbfwp6KNczq6El3lHeVi0LUaQ1ii /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b8cfc418-2967-47ad-898a-5eadf0c48346 /edat_dir:C:\Windows\Temp\asw.557402d0948063db
        5⤵
        
        PID:1712
      - C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\instup.exe
        
        "C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.1987d8e8c1539948 /edition:15 /prod:ais /stub_context:97876b61-a539-4a29-9df3-8d7e135b11c3:11128544 /guid:9f723b42-c68d-4c61-8269-9fb368b815e8 /ga_clientid:b8cfc418-2967-47ad-898a-5eadf0c48346 /no_delayed_installation /silent /ws /psh:92pTu5fcXHC9qkFRcd1xTFo3LG7sMsPZ4WxfTSuQJGZjXOJrvGjbfwp6KNczq6El3lHeVi0LUaQ1ii /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.557402d0948063db /online_installer
        6⤵
        
        PID:2596
        
        C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\sbr.exe
        
        "C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\sbr.exe" 2596 "AVG Antivirus setup" "AVG Antivirus is being installed. Do not shut down your computer!"
        7⤵
        
        PID:1312
- - C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component1_extract\avg_secure_browser_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component1_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dENww5wUJmPEpMnXQTlyRZWK9gBYb0BmMKPjDG9EwSWro8Z5cqH57Ny0EYEVWD2I64RO34UDTA /make-default
    3⤵
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9263&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9263&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        
        PID:1928
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:540
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:396
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:1656
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezdGMTZFREZGLUQ5MTktNENFMC05QkVDLTUzODIzMEVBRkFBM30iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntEMzg4MjQ5Qi1ENzhGLTRCMzgtOUJCOS1DRDIwNUQwOTMxQzN9IiB1c2VyaWRfZGF0ZT0iMjAyNDA5MTkiIG1hY2hpbmVpZD0iezAwMDBDQkM0LUFBNTMtOTMyRC1GNjQ2LTgzNTZEQzZDRUMyNH0iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDkxOSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntEQzlFMzRCQy00QkZCLTRDQkQtQUQ2MC05ODhCNUE3QjY5QkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTI2MyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTE2NCIvPjwvYXBwPjwvcmVxdWVzdD4
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1304
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9263&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{7F16EDFF-D919-4CE0-9BEC-538230EAFAA3}" /silent
        6⤵
        
        PID:1940

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GUMDBEE.tmp\@PaxHeader

Filesize
28B

MD5
5edbbb20eb0133e8c8a007596c356395

SHA1
d7e14a734f48c1d49f21316d30006c22db6432ac

SHA256
1648aef0b448cd2c986689ce9d2e2f30afb88bff3ed37985c789a1e819c1391c

SHA512
f2de099205a38faf62fd48284e69f6ac75c03a2ac9746930abd895dbea0f39c895fc6ba6f6d867099a013f1324a382023866de45bbdb14fa4a5df2b3e33ab6d6

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserCrashHandler.exe

Filesize
149KB

MD5
f73e60370efe16a6d985e564275612da

SHA1
2f829a0a611ac7add51a6bc50569e75181cdfd58

SHA256
9cf076866935a0c64366efaeff2ec76d45ac816030ebd616fd5defb1870bc30e

SHA512
2e44e87c285bb7b72d45c8119d08ea6f2d13cea77cf0005a3cf530790bb86c7f2df7c5edac9d86c9d7214abb224738c3bf6b31f6bf104051512bb1de133042dc

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserCrashHandler64.exe

Filesize
170KB

MD5
deef1e7382d212cd403431727be417a5

SHA1
fac0e754a5734dd5e9602a0327a66e313f7473bb

SHA256
7d410e9eabd086827b16c89ee953a643c3e2f7929616c0af579253fd8ca60088

SHA512
6b472a57fb89b128aad9ab6313a9ce8b171f7d73264c67f669adc5cf1f0421d81f654dad1419b620476abb59dd54e1aa03a74a26c5c93813f6fb8575fbd97d4d

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdate.exe

Filesize
204KB

MD5
cbcdf56c8a2788ed761ad3178e2d6e9c

SHA1
bdee21667760bc0df3046d6073a05d779fdc82cb

SHA256
e9265a40e5ee5302e8e225ea39a67d452eaac20370f8b2828340ba079abbbfd3

SHA512
5f68e7dffdd3424e0eb2e5cd3d05f8b6ba497aab9408702505341b2c89f265ebb4f9177611d51b9a56629a564431421f3ecb8b25eb08fb2c54dfeddecb9e9f2e

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdateComRegisterShell64.exe

Filesize
428KB

MD5
2a3ad7362e6c8808fbb4d4ccaba4ed4a

SHA1
3f896f7df7fe202f4a717713c503665bb4dcaed6

SHA256
4dcd341907880c8dea840819628b19c5ea42ca2b5c61ad57147d0ac7da9b6759

SHA512
892042ac713e4d5b488262a584355dafa18d967035788799c1773eb39a4616461beb9d79a230d9f85cdefd1b4076b8a5e1d4bde17254bff1f08c3eba56469679

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\AVGBrowserUpdateCore.exe

Filesize
512KB

MD5
dd5dc945cd848bf503862d0a68c3ea5d

SHA1
9b277a0c733ed5698b0656da8c3b99d2f90c7ef8

SHA256
8cc98345e367b083f545ace66d93bf69e03a4fa08b84805a9925fa4c94ef3f8f

SHA512
f6eab8422bde24d89a7723c6175b4197a50e18aa0bb5b8f419e5a23b265d85dcaacaf136b8f6ef6bbf2bd6c0eaecd8f86093f594fb98e596f4b39e9c6ff227e1

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdate.dll

Filesize
1.4MB

MD5
04a6438c50564146e880c5eb9d57905e

SHA1
edf5d454de99159d832cc9bd0d8dbe132d749804

SHA256
26109d47bf9960e531888e6c545ca8cfc24fee2202b549df29fb8bf9c58e0812

SHA512
8705d0ab2f8a6c1ef567ad00b33ff2cca01391b105eb0ade201d981f091e4ba87e709860ab9849bf9781698fb42ab8efe53ea731af310781766bace1eb1dc19d

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_am.dll

Filesize
42KB

MD5
ba03b29d5d44341084eb06bea8f1e702

SHA1
7d8dd7556ea5e299b55ddc7477ca758fe2c64f48

SHA256
6a6aad33e2910c29a6d919aad074d89359c5e6723ced7ba4e215a62e9513749b

SHA512
29f902587b7078deb12bee6bf9993748109749ec12e6490d5f84bc9c532a5a1f414149d5760641ef052611bf2d441423d115dfb5a4c4c6f5e6d6a1f386924cf2

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ar.dll

Filesize
41KB

MD5
9c77be0843f0fe4864a04f8d5f24a593

SHA1
be03adb4d3c33520e652c7a6ee45f09d5ff54a54

SHA256
39547fa5d7b93856235288b1021699b4f36f0bea10b10d6b89ea184a3ad77bb1

SHA512
f504c98b03a5d72c078b38a2cc4fdd94dbed159f5a2ed47c2c4a53fc6ec8a3b1fd969d5ad85fc7503e64427a36adee7a14f15f1275a9194103e43c8a8ee45d28

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_bg.dll

Filesize
44KB

MD5
c0b41217fc33a6a53ec69ae7399460f2

SHA1
d7dd8d543b7297f1a1e138efa1806972c9489c3f

SHA256
d75a1a41ad7e5277576e3bdf35a858be3a6f540d21c8ab4156c842d8f1b3295b

SHA512
37abb726b78421aaccdbc94b358cda6b581e89ac519258eb39c6a7f0706cfc64c3a96f5c29539ba67c6e2d2afd6f10b6b0c063b54366c03376ce234d132a8253

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_bn.dll

Filesize
44KB

MD5
aedf6d96ccb64f488379bb1fe65f697a

SHA1
901bbb7873d8f698f49c4b6be74fb50b353d7b5e

SHA256
941d22186ef1bfe27052e78d21944d6088cea152d1ede51452f04fb032c92f90

SHA512
d1d889a1fe75924f3569e07d9ee3f552afc02165210f5c439d4697be898b72db397bb89e7d0706259f92c1cb5759009f9e1ba5c52f764e63514b3da41dada1cc

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ca.dll

Filesize
44KB

MD5
f951cf3ca93e5ae5fc1ce2da93121d98

SHA1
15bc869406857437babe41cd3f500c356913499b

SHA256
eb00cad19ed1d16f52928962f2cc6231d65eb74b2314976ebeb1ec860103e746

SHA512
b77086ad2b39723d697d7839d9243c1c0769a2cb0f6287cd3f2d64eabd6a48d8fc2d253e9089c6586637ed5dc5970c2608615fe77cef5003f0c4d53401ef73bc

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_cs.dll

Filesize
43KB

MD5
7f3dcd851645d3d75f636c8440fb057f

SHA1
85debe41ddcb46555a0d00795e41e460a35583c2

SHA256
0b31785d1931580cad5ef16d4ff5723802d12c38b56746e70fcf91d71162e043

SHA512
d0d21c397899aaa6a718b77195a6af1556309615616fd6583ecb84b04aa7087e76eb5fdd6cae0a4ff1c0f85bf72e1f51ae002042078095f640eb95da363889e4

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_da.dll

Filesize
43KB

MD5
9a421423686559027e4301d36bcf58b2

SHA1
9669424f4e7c765ddb917a515d5a8b1486f87daf

SHA256
9d8ff148793d99974fab93f38027e1999323a48620b303f82170751be5dd6b69

SHA512
f5d62fe17a820323c4b1832cd3bd9c8fa291d44dceb88a8a1a8f94c6166e550ab9baf9357c5ec3388230bc75f0ccd3aa2d5247fa5d242013d22c61001128a951

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_de.dll

Filesize
45KB

MD5
1c15851d9dd22e4ae3f3bf249da79035

SHA1
60fc5652b5e1c55056c961d4d3b961492cb3432b

SHA256
a9dd72a08c0c58a71b2289d76efae681a5c8eb5faf73e49b873f15ba4050baa6

SHA512
6da386c35b317f39613da73340631f927606bccd0a8c626537eda896eb32c9a2ed1d71c7cf838f1a4b90553f3f788eeb5e02fe84774fb0ad2f574bf4e4d7e248

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_el.dll

Filesize
45KB

MD5
0d15748f01df49dae986f1e27dc098ef

SHA1
35a435bdaaf47795977b28cdae2e4ea1fdae73a3

SHA256
df13c38061cb0b02dd8a9023a17da0bbe1cda6fdedad5203129fc702c7fdd9b1

SHA512
290e9936f50e3bd11c1b9d28decf3b43f5e23bbff16801e7b0491690773d057b6bcdcf48c48a7ee16fa2400723b3e974e2b74e3899590a8e660c2e9c78b9d141

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_en-GB.dll

Filesize
43KB

MD5
02465169cd873c4492196e03457f2771

SHA1
837ca5e54a8c12577d0d05a32996dfc04067c5ea

SHA256
4eb9edf550bf1f66382e5d8bd4958438891cd2ca46557d14f4b945dc176ec025

SHA512
e73b5f3951050f2903b80b89d2b9fd9ebf69adb922eb8238ef4c01f413ae67727d7598d4ac15f7ac8b9257aef0139e0924c70c5898357142a303d7e2b15394c3

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_es-419.dll

Filesize
44KB

MD5
3e5971e8559c77e8901ce30d14034730

SHA1
04cc21ac4a84abd29f7d7585282345881fd81721

SHA256
613418b8779f7440b88f1734d6c514706df9dc9a58a623966cc1c9ba4e29c28f

SHA512
b4592b25cf676db6d6de1be811c39bdeecc24bbfd4dc72fa4b3f97de866f9b0fec7c85f7d56f048f61829c1d8b4109e4a0c7e14a9e410e30a6a8da702941e00e

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_es.dll

Filesize
45KB

MD5
5f8ea18786d5ef1927cd95537abc3ae0

SHA1
5530650ecc719d83b7aa89e0b326b5698e8adda2

SHA256
fa416294b078226a8919dbb8f75533a6ef96d63d5bd17aac854eae68791433cf

SHA512
577dc7d19e4443e8aede759a781826c091c17d12fb06e89b1306133f21e01dab919045183a916e1b5647ddf485134a8459745a9199df5c7e36abe192645d8e25

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_et.dll

Filesize
43KB

MD5
5029406d9202d6f2f279fdd3a06f55a1

SHA1
dcca8bf9392faa0038c6cb5d25929726b16804af

SHA256
cac545e04d701c39f4a730aec4c3dad177d8ea4baca10651f150925644874864

SHA512
519538e05f8e21966e4878291692cf25057bba3c993c0034a33b1da7c9eb0a8fb881565717ceb6c1139fd601b73b1f1e2aa46e20aeb6b93f897cd2ef93172934

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_fa.dll

Filesize
42KB

MD5
8564514501256ff045cf7aa6c1b5a797

SHA1
40b9aa8d04c48fe2ecf193c2089418ccc938676d

SHA256
f3f46a6da6c8ccb3ce7fdd0cb5882f45523decca95852b8c775bb90f8e92c1b3

SHA512
701077c8a1c70c1bd0c35f54aa838dba7b7b6f832e0ef2776673092fca546276166c3638676451c9655086b740b9e193cd54f952fd5fca481b964083b881bcc2

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_fi.dll

Filesize
43KB

MD5
57dad7c22bd635a5af8fcdcd63d4e530

SHA1
8aa11ea5c1cacd9b23c29989f22e82c43c827d0e

SHA256
1e0d05927a455115265db9308e0f78ffb7bbb5442f36b8483549efbe415454a2

SHA512
4236609e37ec41bf46d0f45e228c9021c1624e2f98a642eab513d290a4482da13764fcc2d044f78ebdc09e0cfc63a251678d169cb33e251d6f6d5de9b96c31b6

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_fil.dll

Filesize
44KB

MD5
5ed0105f4043466a99557dde1f70e97f

SHA1
c57c935cc4b25b6375ab3fcdfbb265f4c586ec3e

SHA256
cfbe0120ddf8d5574f7c44c85488f53aecec4df9bfb25f1cefbabcad5af46096

SHA512
4fa641810f758e0031388ec146467fc130780e2f2cc8495b6a2fff0679d7bcbe7526356f85a97b5338e84d791ba14e812b2c182fdae01763640be3324fb59526

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_fr.dll

Filesize
45KB

MD5
8ddc3f7276c12ac407cadcda6e2a3e12

SHA1
78c5e802f67c8b6ae3fe13202e6a54d3cca69df4

SHA256
7f2f0f9f443a022f5aedacc40c28d0654fec488f34435c75979118464256a8b7

SHA512
0d05bdd2d5e9f36eb09182e8b13507ba03e256c4aadb77bbfedf29584a47fd1e0733a825a3f687d3058e53c8075caf6dd9d24ec93f1bdd58ca97106827323540

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_gu.dll

Filesize
45KB

MD5
a4061e8408cc59cb898adfdc4f173278

SHA1
ae34e3058a40449481590bb3a63aa0225b4f6f98

SHA256
e033c950ecc6333dfcb944e70622e77a6498ba0e23fd144117dbe9a2a0c15be6

SHA512
d8a847e9a21c86c7b9b072e16914f42185e3c0e1d99f6ea5259382eb0fb89578c7a7f9f62f892f1d20be180dfc327bc076ea038057895c8b92cb1f0c053e0b2a

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_hi.dll

Filesize
43KB

MD5
38525b8a1b15a8aeb4fcfc8bee8358bc

SHA1
ac2ba33b8ad778a8165c87b579dad0dbef5bed75

SHA256
271e83bc86e490cd5b6cb9cb34057c7684d233c56a53f4f553aa07507c9dae52

SHA512
ad8df196174ceeadce4588dcd365066665267b922078d92b328ba661a4ebfa6d06b4263a4b8a28e4efb4d86e1140d71a3c3bf4b7b60970aa20552aa7f0c73acb

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_hr.dll

Filesize
44KB

MD5
27c0dbd61a71420bb4d1a0be2373a175

SHA1
47b4c107b711caf5a6b2978bd6fd6b53ebdec5e3

SHA256
43191a4c507a112e96e06f959b6cf78406bf970b021ad8d7db59d1b9c52779bd

SHA512
d1f20e9a628bdcbd26b8d5de89b87bdbc8dab871651c86d47c023daea86c7ada0a565fdd05b48c7643a63db044639f4eb89d1640e58c9b32722e4926c3c5e72a

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_hu.dll

Filesize
44KB

MD5
114cc594fab2e564ccb24a826f3623e4

SHA1
c3c3fb4ef6ea6ff0e7a1e0289320b2fd2788b03b

SHA256
c89e223a42d7173f915dd088ebc84b0048cec772bd4221b4b90ce4c0e419ffe6

SHA512
9a7eb5710340cecb2d32de26322dc862812e185b6d260d76c0c7f642f30cf9e43c88aec76b515148ef986db0c77fd0e31f71c8fd26d56a4cc72dff0d023abb5d

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_id.dll

Filesize
43KB

MD5
7e7deef6ac35c9d52410fc356391c7e4

SHA1
43b3d918867a93ba109a3e4eacb45f3cd5c40b93

SHA256
963f4d2ad7ddcdcfb6185521c0590a92f2014897d5f5f525471ac81f3807fc5e

SHA512
9eb0e9be0a973693b4bd167f6c1118dd9d702b1951a90f0a3a6103e77c43ee6afa173b79d3ab21fe94a98c320b17ab0b787cf5b6ec47d9dde9e3e8c14b8cadc7

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_is.dll

Filesize
43KB

MD5
dae35fa037b6248876347521c5298566

SHA1
8358fc05a675ea56f720052fbb4b384d97b94d86

SHA256
ce0652b8dfaf21b6192b66bf75e140b3d72aa545e0edf62d9e82e9b0878ac5c5

SHA512
4158b8fef0da76ead12b5d6e421c5709664ba84d1ddde44ef6bbd1023084cad3820a37abea03b206635a945a2435b301234cf5bac3c8e2861a852b2699036ade

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_it.dll

Filesize
45KB

MD5
3ae3106694098f8420b182ad5e3354ab

SHA1
bc9dab621b03d4126b97c260becd7f4525255462

SHA256
59b406b29538c3c3d0f060b5fc0ccd36556f8a6278327935a5475c6b21741dc9

SHA512
f3625be57976083d642b01a41a53d6db6cad3bfc584a50de3565fe10975a5d7d2cf4f8b41bcdaa5ac70f8fc4ada113084de07e2ed45f26401dc2d4f8f4c322a9

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_iw.dll

Filesize
41KB

MD5
31227325c8617b308ccd268c2be7e72a

SHA1
71e369f26e644e643fcd538d933e4087dd593f1f

SHA256
4a98e34a528eff04c2baf4e9e50489086e58d2e32e1851f33674abbe5e104c68

SHA512
ba8d94dde5b7b74a39ed54a5f3e47a558e0c1deb632018c82423c06806071143851bb1d8c7a7bada6f13e71734e7a29457f3741266972b777cded41c953a9645

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ja.dll

Filesize
40KB

MD5
0cfc5b7b3f86d6bfaec9a0713da74df3

SHA1
81a278fdee9edc302fe4e7a88c9addb230ce6df2

SHA256
1d7fd1b6a614538530385e7a40efc95d3b8be75057ae03bf999aa2419d1f9f24

SHA512
8b8f834ccee41c69c581f0b80f26b0cdb536f87bebd5a6b1f02cdf6f1aea5cf5b29c356e82c7a8fd591bb16c0938a790ac8f90f6d27edc95fc48a5aa3c30cbf0

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_kn.dll

Filesize
45KB

MD5
49000b4a101e635b05123f21b360b492

SHA1
635f697f41c0591168e0eee10930728d9dec5a53

SHA256
a2aab58a4397c040bff69d45bef4ede6842034bf897799a9347232c4b6c9c7a5

SHA512
9b62c2048e9c132089cce7da02ea5c95b5856f1c6e28d5581f4a0b1748e681bdd78c7d537d273a64f9d476e4ec62da5c6021cc1ccb69f7bee216e7bec6ddc6e0

Download Submit
C:\Program Files (x86)\GUMDBEE.tmp\goopdateres_ko.dll

Filesize
39KB

MD5
dd2f783c0017630f9a2969957f4eb84e

SHA1
d42218de12a7c1c48fb5e7d60e61e32ce0cd9ac6

SHA256
07e63e0e3d23f192ac131efc459c2d9f79a4ecdc39403d43fbff320c4b5fa261

SHA512
689f625df8aec45a6343249739ec094cbb1245a9dd8847ffe6bf62fd2d7042d529f77216dd22e8b33830cf21b158f0ef6ea42af2248051c8d97205eb0229a22b

Download Submit
C:\Program Files\AVG\Antivirus\setup\Stats.ini

Filesize
2KB

MD5
34337a7f370b1d4ddaeaaff526943c28

SHA1
24d6495b565bd50f83088c51ea06061172948c2c

SHA256
5bead349d8b4b7648230b7459c275e03c4fb29a92db9bf24391cc2f77a44f847

SHA512
463921c5b86b61c38cbeee6d97fb00a8956f4ba4396bf8f0a7f09e744eee44e72c1f85b09aa5c05994d41c0e24ce7aada75040ab159a60f6ca6d7d5860bfa7ba

Download Submit
C:\Program Files\AVG\Antivirus\setup\Stats.ini

Filesize
2KB

MD5
eed5118a000dbea298af82081b1887d6

SHA1
265972019e59d9423ff52a9bfde436b361d10432

SHA256
245297246e8cc3e5f2ec070402517e6d7a52426e34b5a89d35ad307e14138ce0

SHA512
40ad5f9e00ea65cddd77da2ba1b9983e5b6d43ff40dc794536d2557bc44a279b2bd6321809f020619e9be4a6f107a381b166e07eba313b6560f75d4de229d110

Download Submit
C:\Program Files\AVG\Antivirus\setup\ais_cmp_bpc-7cc.vpx

Filesize
263B

MD5
370fb8113ca63fa92f7037df74050faf

SHA1
2ed9d4164c5dafbd38dc0dee0f3edf7ccabfe411

SHA256
79421461dd25e721147e2e676b0c33c5fc3897126bb5f700e8f60e0d34175ce4

SHA512
c197ad2368d138af4f0f220ffa16d47e29bbe8456e19bd097ac3fbf16fd47439218a77546312d5eeb356f7fe6ab5ecdc16f010710b1b89f75f6175a6632c3909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77375f6716626b2e0fa792ef3434ce65

SHA1
108374a6bb941554f45dbb9f7a9b46634499267d

SHA256
dda6cd51ab3b91defb008b4e3ff8080c5f097a07483894ede1879d51b836ef3a

SHA512
1aadd8a627964cae29b112c65ddcafaf0389033b21fed9269ddef1f1c1ae26ca62c2103d57cad76d949832192c284860579341c6c05e8d75f30aba108fd2107e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1ea72bd50b8997e9f4349d0c2196958

SHA1
9fe79d318cbcfaaef186a75fb4dcebf16ac2fbd0

SHA256
a2c60f7d58cbf64b1be7152664e86f84870963b9de1c8a91fdaab12c51ac4615

SHA512
91284a12768688039e14bf2a003b07ec4773d40cff35fa07198777c7c9999d6df1d0111270d3380e446c0b6cb043c33b8738190e1801d0ce746f3da3aa9b7fc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f00f9964708a6c6d31997c6117fb96

SHA1
a9855ddc3cc420e6ab1880def68b277ccd8ee9b3

SHA256
e54ea12f23c353bd4d5d8171d87f456720014539eee9cb75ad0f74287cc511e0

SHA512
1c7ea1fbd847a22e9c277d4702929b527676fe44d1ae914b7fbf9e236b5f3314d1625e47e5b3815b617a775153898d52b6137e923f98a1a9999d3891c02908ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C95.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D15.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\100.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\101.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component0.zip

Filesize
122KB

MD5
56b0d3e1b154ae65682c167d25ec94a6

SHA1
44439842b756c6ff14df658befccb7a294a8ea88

SHA256
434bfc9e005a7c8ee249b62f176979f1b4cde69484db1683ea07a63e6c1e93de

SHA512
6f7211546c6360d4be8c3bb38f1e5b1b4a136aa1e15ec5ae57c9670215680b27ff336c4947bd6d736115fa4dedea10aacf558b6988196f583b324b50d4eca172

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component0_extract\avg_antivirus_free_setup.exe

Filesize
229KB

MD5
26816af65f2a3f1c61fb44c682510c97

SHA1
6ca3fe45b3ccd41b25d02179b6529faedef7884a

SHA256
2025c8c2acc5537366e84809cb112589ddc9e16630a81c301d24c887e2d25f45

SHA512
2426e54f598e3a4a6d2242ab668ce593d8947f5ddb36aded7356be99134cbc2f37323e1d36db95703a629ef712fab65f1285d9f9433b1e1af0123fd1773d0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component1.zip

Filesize
5.7MB

MD5
6406abc4ee622f73e9e6cb618190af02

SHA1
2aa23362907ba1c48eca7f1a372c2933edbb7fa1

SHA256
fd83d239b00a44698959145449ebfcb8c52687327deac04455e77a710a3dfe1b

SHA512
dd8e43f8a8f6c6e491179240bdfefdf30002f3f2900b1a319b4251dfa9ca7b7f87ddf170ba868ab520f94de9cc7d1854e3bcfd439cad1e8b4223c7ee06d649f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\FF.places.tmp

Filesize
5.0MB

MD5
8691a71035e8ba85d578cb944c864a93

SHA1
4bf9b4ee3c56798a001ba56e80f14f4a23e21385

SHA256
1a1c0276d17e3a92faca1511e99fdceaa7f7c389dbb7e476e6d908466ce0a26d

SHA512
d3b18883d070a38c4abf7a060460f99f23ee5e2a08081275e324b4b2bd3c76368b80db433b8c58fd8fc69dc148216ce5acf534ba57e486bc7a7a057baac93bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\StdUtils.dll

Filesize
195KB

MD5
7602b88d488e54b717a7086605cd6d8d

SHA1
c01200d911e744bdffa7f31b3c23068971494485

SHA256
2640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11

SHA512
a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a

Download Submit
C:\Users\Admin\Downloads\windows-movie-maker-16.4.3528.331-installer.exe

Filesize
1.2MB

MD5
8423b539d6dcecf2d710c210f01d6c6a

SHA1
24bcef46ea3ed47158c72a753f6b1b6005468879

SHA256
7d9c68b11e45a763facc7577a51c8c00b7fb654b9ba044deb223e7140a2efe50

SHA512
4db21d0f283e3539c649f6eda114f48a5aaddf32b483bdccfeb5d00859c58b94d4153ea4bce92f39cd26d6042cd3ceccebc74e3ae2a8482eeb975459f9684b02

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\asw29a62228f7bcc1bb.tmp

Filesize
4.5MB

MD5
bbb61ad0f20d3fe17a5227c13f09e82d

SHA1
01700413fc5470aa0ba29aa1a962d7a719a92a82

SHA256
39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e

SHA512
c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\asw73c7fc02aa50da82.tmp

Filesize
907KB

MD5
43dc9e69f1e9db4059cf49a5e825cfda

SHA1
519298f8a681b41d2d70db2670cc7543f1ee6da4

SHA256
98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d

SHA512
d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\asw78b9a90b413bd4f9.tmp

Filesize
3.8MB

MD5
0b830444a6ef848fb85bfbb173bb6076

SHA1
27964cc1673ddb68ca3da8018f0e13e9a141605e

SHA256
63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f

SHA512
31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\aswb7eec41bfc95a822.tmp

Filesize
19.1MB

MD5
917a284494cbe4a4ec85e1ec768339c9

SHA1
47ccc0a04ecc7c3c1ff79bf42d424cfda356137c

SHA256
57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772

SHA512
90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\New_15020c62\aswf71c1be656263a12.tmp

Filesize
3.1MB

MD5
c545527e69a46359a4a45f58794a0fe5

SHA1
e233e5837bfe5d1429300fb33f12f5b54689781b

SHA256
8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9

SHA512
754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\config.def

Filesize
19KB

MD5
cab86ff9a11888628c2962c25aece09b

SHA1
6c695bd44405406c3b63ba457cf8415f07c2021f

SHA256
90a9d8272ca388e4fdef152efea4c5eaf63c1a388cf8249ad1c923c2032364d2

SHA512
09a5d63d5aacbe7e0a8a104fc20dbe3c7ef28388c9fda52f8f7b43196690ef136ff8b3ca8e37585bd1b17adeb34200b16d322740b5b1ca95fe34a0e961329673

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\config.def

Filesize
23KB

MD5
8ab0e481e0881e9c1f601b8f8d6adb91

SHA1
dd0cb3ad4036859b41f0a99c8f92b84fce2af7a5

SHA256
5efd10985ecb82a5685bd7f6537b2824a84d6fc7826e62ab24531fd4d30f14f6

SHA512
4877d7fe23cb3173c03b3f5d4ebb64a5a35d9f48b810519d9cc676e9fb638ba01bbb8d462ed9797b926fedc977ec033dea77fae73b886ec27499ef2a4ff2021e

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\config.ini

Filesize
666B

MD5
238a7f97f7be8fe89c662791ca0d4b13

SHA1
da612059ceb45fdc5f3fef2769619a2e8042cfbe

SHA256
b9a5b16e9feb8a91c87f5e1cf04a80980496c27ad1f5d2d71042d6089c1890f1

SHA512
5d8d9577789157912167953c6712dc0609a1f7f37831ce27e1fb33946c3a064eb03dd0e62fd62011bbf7e519e36257eada0c6c3b3a3fdc41602a9c3e281dbbc1

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\offertool_x64_ais-c62.vpx

Filesize
831KB

MD5
ce4d45d0b684f591d5a83fdbd99bd306

SHA1
e89637b905c37033950afadaca2161bd5b09fb5e

SHA256
907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7

SHA512
af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\part-jrog2-14d0.vpx

Filesize
674B

MD5
135b59042a908dbaea5cc561d0386448

SHA1
f3c071e10e87c24a149365730295296c1a5b3485

SHA256
528077e913ef7684c48382096f45b64fd9b74d75a1e79313724e703b080908c6

SHA512
466d939c181e32537a2afcc4f9cbf6b684702fc467b7fd89f04f1d874974e2a5a5251403af4a58e2128da649cfebfcb29bd7eed86c27eb83845dadab4c7c1291

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\part-prg_ais-15020c62.vpx

Filesize
175KB

MD5
29b9bfd25fabf42939e3a6877f9b3ece

SHA1
c30d865bc2d680311c68eb0bed0e356845f700f9

SHA256
ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475

SHA512
a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\part-setup_ais-15020c62.vpx

Filesize
5KB

MD5
d5b798d8816b252e7d718195dfeb8a8c

SHA1
860c5807fd491aeeb12d661d8cf2ecca4ca1639b

SHA256
75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

SHA512
16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\part-vps_windows-24091902.vpx

Filesize
12KB

MD5
48eb4910638da61841eec96a1e584f13

SHA1
609bd0f21795f0016ac2921af806f78a76234347

SHA256
e29359d0fb5eaf054313065572f4ff8f3792a802123bc14c044aec3e3760ab04

SHA512
13bac60411680c330ab4935c7eb7c527928a64b1ec207ce4c0abacd52c6034b5297a1dac6d5e056be8b02541b6bda5f4aa2748358ef61e4107d1d053d5203a3d

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\prod-pgm.vpx

Filesize
572B

MD5
999754d694d00b2319ebc83bad47ad55

SHA1
1f4a09d7506648b5f257dc3bf5fbe6629d85d1ba

SHA256
a44174fe5fae6797f814c6b0f34a7a40967247abea3f8ac3c2e053d75778402d

SHA512
5f035e60b0f58d988af62b3c245a5bbb2c364df3e65255f37743fddf5d357ba5515eb4bdb1bf95e922dbc994f031da6e84ed26b3ee884863efd5d4854547b59d

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\prod-vps.vpx

Filesize
343B

MD5
32019de041abf7ca7a11c545585e1459

SHA1
b6e082f6c186a7a1339451222cf9a08b61a8116d

SHA256
664b9e54bd3b9da8a46a02622f051dd396e56d39a7f3f684aee2b77344fdd544

SHA512
a8cb99834b7bd62d994ebd64a61876491ac663c7710317d9674c81db1a515373fbca1aa98ea83c4bab91bda87f9c2f5083edd9fce3977c82ceee856bf930f679

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\sbr_x64_ais-c62.vpx

Filesize
15KB

MD5
e38cc92cd980a55d811316ac62883e14

SHA1
fa83737abe11ee825c3da6843cc4d8e3b459729a

SHA256
be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87

SHA512
1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\servers.def

Filesize
27KB

MD5
6685e1a7edfaf040ce933daaa271b33f

SHA1
b1bfca6f357cc75b10d2b59f228da51097c02d15

SHA256
842b0d709b81589d1ee5f24f421e531f512e46bc0b770b97afd2774a45ec7a97

SHA512
4f958804cbd1ff13b29a5539400ba3263d03e434d59365727997f7dd9bf5f6f61a6fa77d869eeb0f3b33b3f1f7fa76bd1ee5c26b055d2446640ba761507c72e2

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\servers.def.vpx

Filesize
1KB

MD5
68fa59ad1f9f4f9c9bb28b865e09518c

SHA1
5264ddce5171dbb3d8639fc3b2796d2043f0714d

SHA256
6f9fffe858e1631105c8432f785acdde98cf61b9ab657a9f3b6a21daf37f9230

SHA512
07e0d192119656867797a4f55836975a0dcf01bf7de096569e72c34b1ae2efdfcd1622ade600b3f46c5579cc84517adc694a6e6a5d283396b7d9dcf6d261162f

Download Submit
C:\Windows\Temp\asw.1987d8e8c1539948\uat_2596.dll

Filesize
23KB

MD5
d4cb0514285ec27a18ac6e74159fb695

SHA1
3b5d445c2162c3723ae73e3bf6cf3acf37019d5e

SHA256
8f204d870ec74423be8c7f05b9822392eb9f675c676ac8646e944645a5e9aa0f

SHA512
25ce4398012d86eed44a66cd96cd3790df05c44d8480b4ee5c702ef5e005950cace265ea2a65fe5fc25a49d93f1a5eaabd28b6fc350428baccbc141bd69b2988

Download Submit
C:\Windows\Temp\asw.557402d0948063db\avg_antivirus_free_setup_x64.exe

Filesize
10.6MB

MD5
64b8e930e0e649a7b8302380a2fa6dd0

SHA1
3390e6f86293032053d0d712a613b8e3608b237c

SHA256
f30810d4be51461cda07872416d2cb9bd14ef555cc4f5d859a48abce1727de16

SHA512
5b2ae05de9366bb8665220dc337ef678f2f611375ab94689ceb417f4fe869ea9a1045ba8ed1df0498c56c991ce020a9d28de0504c4f07cbab19efde22c547710

Download Submit
\Program Files (x86)\GUMDBEE.tmp\goopdateres_en.dll

Filesize
42KB

MD5
418853fe486d8c021d0cca2e85a63d63

SHA1
9504500a7b5076579d74c23294df4bdb1b7c517d

SHA256
4cbb2591c1eeda32bcf295685c993ce4d16acc968697fa12e2a00a1b7c4b37a3

SHA512
dc2ab4e2056e6d73a274d700bc16f75c7c687b35874029c1908b183428dec010373045d4a52eb3f5745f8b91d624cf5d40cd7f37e353f3a41348e2a054a266a3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8E11V.tmp\component1_extract\avg_secure_browser_setup.exe

Filesize
5.8MB

MD5
591059d6711881a4b12ad5f74d5781bf

SHA1
33362f43eaf8ad42fd6041d9b08091877fd2efba

SHA256
99e8de20a35a362c2a61c0b9e48fe8eb8fc1df452134e7b6390211ab19121a65

SHA512
6280064a79ca36df725483e3269bc1e729e67716255f18af542531d7824a5d76b38a7dcefca048022c861ffcbd0563028d39310f987076f6a5da6c7898c1984c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SPSIT.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Filesize
3.1MB

MD5
b672b72cb0c230a5cc12e924195093bd

SHA1
ea87c78a1673cf7e6036ea0407ce044e0d0a5219

SHA256
a6cc6e1e93465bfc464956e22cea45f5015ab91bfccccdf98b2fdf3a6ded9295

SHA512
93159e50fd2de40bbf950677d352fa9d2dcb5c56bc5d447cabfeb2804c15de972be559eeb9cbe014e9ece42471905256200b66bf73edf2431eb32b69af9cb479

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\AVGBrowserUpdateSetup.exe

Filesize
1.6MB

MD5
9750ea6c750629d2ca971ab1c074dc9d

SHA1
7df3d1615bec8f5da86a548f45f139739bde286b

SHA256
cd1c5c7635d7e4e56287f87588dea791cf52b8d49ae599b60efb1b4c3567bc9c

SHA512
2ecbe819085bb9903a1a1fb6c796ad3b51617dd1fd03234c86e7d830b32a11fbcbff6cdc0191180d368497de2102319b0f56bfd5d8ac06d4f96585164801a04b

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
bd94620c8a3496f0922d7a443c750047

SHA1
23c4cb2b4d5f5256e76e54969e7e352263abf057

SHA256
c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644

SHA512
954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\Midex.dll

Filesize
126KB

MD5
581c4a0b8de60868b89074fe94eb27b9

SHA1
70b8bdfddb08164f9d52033305d535b7db2599f6

SHA256
b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd

SHA512
94290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\jsis.dll

Filesize
127KB

MD5
4b27df9758c01833e92c51c24ce9e1d5

SHA1
c3e227564de6808e542d2a91bbc70653cf88d040

SHA256
d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb

SHA512
666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\nsJSON.dll

Filesize
36KB

MD5
ddb56a646aea54615b29ce7df8cd31b8

SHA1
0ea1a1528faafd930ddceb226d9deaf4fa53c8b2

SHA256
07e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069

SHA512
5d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8

Download Submit
\Users\Admin\AppData\Local\Temp\nsfC39F.tmp\thirdparty.dll

Filesize
93KB

MD5
070335e8e52a288bdb45db1c840d446b

SHA1
9db1be3d0ab572c5e969fea8d38a217b4d23cab2

SHA256
c8cf0cf1c2b8b14cbedfe621d81a79c80d70f587d698ad6dfb54bbe8e346fbbc

SHA512
6f49b82c5dbb84070794bae21b86e39d47f1a133b25e09f6a237689fd58b7338ae95440ae52c83fda92466d723385a1ceaf335284d4506757a508abff9d4b44c

Download Submit
memory/2136-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2136-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2136-122-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2432-153-0x00000000033B0000-0x00000000034F0000-memory.dmp

Filesize
1.2MB

Download
memory/2432-155-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-124-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-224-0x00000000033B0000-0x00000000034F0000-memory.dmp

Filesize
1.2MB

Download
memory/2432-139-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-137-0x00000000033B0000-0x00000000034F0000-memory.dmp

Filesize
1.2MB

Download
memory/2432-131-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-289-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2432-129-0x00000000033B0000-0x00000000034F0000-memory.dmp

Filesize
1.2MB

Download
memory/2432-123-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2596-1015-0x000007FEF3700000-0x000007FEF4A26000-memory.dmp

Filesize
19.1MB

Download