e0168825be4779091fb1035747eac2b9f685600a7e84dfc7dc3929c3a8017b2e

Analysis

max time kernel
691s
max time network
619s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/windows-movie-maker_ih-8Ta1.exe
Size

2.4MB
MD5

d8ad93ef2790aa264ab569f5ba8a67cb
SHA1

67b01f6a855b6c5def8863b0d2ef157a44762a28
SHA256

94375dbac8e6dfd152a3c3b9e33d1c6fc18d5f86e2b486124cc4f67dbef68ce6
SHA512

5fdc98ed246ada2f1db0335fed19eb72b776bf7075ebd3e0c4d16cdc448e285a9e63141c487e3c96297b876313ccc7ed135689ece9223e3d0d9526169e6d0d95
SSDEEP

49152:nBuZrEUJje0NQq5rISAGFncaWt+ugsv6fhcUiVoX:BkLxNNC7e9Wt+ugsv6fhcsX

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\SOFTWARE\AVG\AV\Dir	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe

Downloads MZ/PE file

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WeatherZero\WeatherZero.exe	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\wz.ico	WZSetup.exe
File created	C:\Program Files (x86)\WeatherZero\uninstall.exe	WZSetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Windows Live\.cache	windows-movie-maker.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	windows-movie-maker_ih-8Ta1.tmp
3008	avg_antivirus_free_setup.exe
2552	WZSetup.exe
2796	avg_antivirus_free_setup_x64.exe
2904	WeatherZeroService.exe
2452	instup.exe
1104	WeatherZeroService.exe
2696	instup.exe
1120	WeatherZeroService.exe
948	WeatherZero.exe
1784	windows-movie-maker.exe

Loads dropped DLL 57 IoCs

pid	Process
488	windows-movie-maker_ih-8Ta1.exe
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
3008	avg_antivirus_free_setup.exe
3008	avg_antivirus_free_setup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2452	instup.exe
2696	instup.exe
2696	instup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
2552	WZSetup.exe
1120	WeatherZeroService.exe
948	WeatherZero.exe
948	WeatherZero.exe
948	WeatherZero.exe
2984	windows-movie-maker_ih-8Ta1.tmp
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000400000001950e-368.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1132	2984	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_setup.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00040000000191c8-214.dat	nsis_installer_1
behavioral1/files/0x00040000000191c8-214.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows-movie-maker_ih-8Ta1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	windows-movie-maker_ih-8Ta1.tmp
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_antivirus_free_setup_x64.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09a5479790adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000004f8df929c234838d4030f0c42346848ce68fe60fb139eece8f74757d248c8cdc000000000e800000000200002000000090c0f1a10dddf694ad7fae83a3b06d5ff03130d6e298ffbf09b3f647aaaad0b5900000002396ac3bc86fb1179ebc97095f3c7e199b83257fd9bdd18313b672c4c300b8099fc0431e47764a82b4cd3fa9ef80223dd57a226db6c675e2d0390cd8b53be23f2e99893c773a9ac035b2d26f65e7d4572ceae3ee92b7388d97141ed4dd7711ca5a3e200df9c1e1c9df90a9aa54fd52e2e5ca56fdc9d5a704144844108924546380079f9aaac847f01823431fe94dcbc640000000fccc7cf1a68b273fdb336e8e2db3a5c846b4f5886a9144c9cee07e43db4bc3fc05b9b8bf553ada1e5d8ea44f08e2f5053e823bcec34e2f7c675a26df0b143760	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432901308"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000c3411fdd5682b052036d9f8025d6fd0bd58a92195e20cf4617c290cce1f3e3ad000000000e80000000020000200000005f7ceeb15816ba72e3f067e2fee60cecc2e4551c4143aeb64b7266fdc377ce232000000089a9f3840a70eee2ad0b834ebaa72490d1ffe2aee906028235c7a05c1ac057c3400000009d38f3df00d52c08ac060d048e5897d5e145c37221f2a977e0a3f933a70596014d0a646f8ab6fc0b36d223160bd4aac15f936cd75f28391202f65bf960cb9aec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0432051-766C-11EF-9218-EAF933E40231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "71"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: part-setup_ais-15020c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "28"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "67"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_antivirus_free_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeatherZero.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WeatherZero.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	windows-movie-maker_ih-8Ta1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	windows-movie-maker_ih-8Ta1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_antivirus_free_setup.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2984	windows-movie-maker_ih-8Ta1.tmp
2796	avg_antivirus_free_setup_x64.exe
2796	avg_antivirus_free_setup_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2984	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 32	2796	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	2796	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	2452	instup.exe
Token: 32	2452	instup.exe
Token: SeDebugPrivilege	2696	instup.exe
Token: 32	2696	instup.exe
Token: SeTcbPrivilege	1120	WeatherZeroService.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2984	windows-movie-maker_ih-8Ta1.tmp
948	WeatherZero.exe
2252	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
948	WeatherZero.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2984	windows-movie-maker_ih-8Ta1.tmp
2252	iexplore.exe
2252	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 488 wrote to memory of 2984	488	windows-movie-maker_ih-8Ta1.exe	29
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 3008	2984	windows-movie-maker_ih-8Ta1.tmp	30
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 2984 wrote to memory of 2552	2984	windows-movie-maker_ih-8Ta1.tmp	31
PID 3008 wrote to memory of 2796	3008	avg_antivirus_free_setup.exe	33
PID 3008 wrote to memory of 2796	3008	avg_antivirus_free_setup.exe	33
PID 3008 wrote to memory of 2796	3008	avg_antivirus_free_setup.exe	33
PID 3008 wrote to memory of 2796	3008	avg_antivirus_free_setup.exe	33
PID 2552 wrote to memory of 2904	2552	WZSetup.exe	34
PID 2552 wrote to memory of 2904	2552	WZSetup.exe	34
PID 2552 wrote to memory of 2904	2552	WZSetup.exe	34
PID 2552 wrote to memory of 2904	2552	WZSetup.exe	34
PID 2796 wrote to memory of 2452	2796	avg_antivirus_free_setup_x64.exe	36
PID 2796 wrote to memory of 2452	2796	avg_antivirus_free_setup_x64.exe	36
PID 2796 wrote to memory of 2452	2796	avg_antivirus_free_setup_x64.exe	36
PID 2552 wrote to memory of 1104	2552	WZSetup.exe	37
PID 2552 wrote to memory of 1104	2552	WZSetup.exe	37
PID 2552 wrote to memory of 1104	2552	WZSetup.exe	37
PID 2552 wrote to memory of 1104	2552	WZSetup.exe	37
PID 2452 wrote to memory of 2696	2452	instup.exe	39
PID 2452 wrote to memory of 2696	2452	instup.exe	39
PID 2452 wrote to memory of 2696	2452	instup.exe	39
PID 1120 wrote to memory of 948	1120	WeatherZeroService.exe	41
PID 1120 wrote to memory of 948	1120	WeatherZeroService.exe	41
PID 1120 wrote to memory of 948	1120	WeatherZeroService.exe	41
PID 1120 wrote to memory of 948	1120	WeatherZeroService.exe	41
PID 948 wrote to memory of 2784	948	WeatherZero.exe	42
PID 948 wrote to memory of 2784	948	WeatherZero.exe	42
PID 948 wrote to memory of 2784	948	WeatherZero.exe	42
PID 948 wrote to memory of 2784	948	WeatherZero.exe	42
PID 2784 wrote to memory of 1544	2784	csc.exe	44
PID 2784 wrote to memory of 1544	2784	csc.exe	44
PID 2784 wrote to memory of 1544	2784	csc.exe	44
PID 2784 wrote to memory of 1544	2784	csc.exe	44
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 1784	2984	windows-movie-maker_ih-8Ta1.tmp	45
PID 2984 wrote to memory of 2252	2984	windows-movie-maker_ih-8Ta1.tmp	46
PID 2984 wrote to memory of 2252	2984	windows-movie-maker_ih-8Ta1.tmp	46
PID 2984 wrote to memory of 2252	2984	windows-movie-maker_ih-8Ta1.tmp	46
PID 2984 wrote to memory of 2252	2984	windows-movie-maker_ih-8Ta1.tmp	46
PID 2252 wrote to memory of 2828	2252	iexplore.exe	47
PID 2252 wrote to memory of 2828	2252	iexplore.exe	47

C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\Temp\is-CVHIL.tmp\windows-movie-maker_ih-8Ta1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CVHIL.tmp\windows-movie-maker_ih-8Ta1.tmp" /SL5="$401AE,1583351,832512,C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod0_extract\avg_antivirus_free_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fcXHC9qkFS61dQDNYKn8dzmodoMgl77oOM2GDHBCFR3ayt4yoH5BLUd8mAfL6uxe33kR6ys2
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\Temp\asw.e568bd8b298ee0ad\avg_antivirus_free_setup_x64.exe
      "C:\Windows\Temp\asw.e568bd8b298ee0ad\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:92pTu5fcXHC9qkFS61dQDNYKn8dzmodoMgl77oOM2GDHBCFR3ayt4yoH5BLUd8mAfL6uxe33kR6ys2 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:5aac9565-b965-470b-bbba-115fc6978734 /edat_dir:C:\Windows\Temp\asw.e568bd8b298ee0ad
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\Temp\asw.ac3d0c33363e0773\instup.exe
        
        "C:\Windows\Temp\asw.ac3d0c33363e0773\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ac3d0c33363e0773 /edition:15 /prod:ais /stub_context:789adf5d-cd13-4064-baad-07fdab69bd42:11128544 /guid:b35fe8fc-aec3-4a96-867c-6bd32f91ed26 /ga_clientid:5aac9565-b965-470b-bbba-115fc6978734 /no_delayed_installation /silent /ws /psh:92pTu5fcXHC9qkFS61dQDNYKn8dzmodoMgl77oOM2GDHBCFR3ayt4yoH5BLUd8mAfL6uxe33kR6ys2 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:5aac9565-b965-470b-bbba-115fc6978734 /edat_dir:C:\Windows\Temp\asw.e568bd8b298ee0ad
        5⤵
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\Temp\asw.ac3d0c33363e0773\New_15020c62\instup.exe
        
        "C:\Windows\Temp\asw.ac3d0c33363e0773\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.ac3d0c33363e0773 /edition:15 /prod:ais /stub_context:789adf5d-cd13-4064-baad-07fdab69bd42:11128544 /guid:b35fe8fc-aec3-4a96-867c-6bd32f91ed26 /ga_clientid:5aac9565-b965-470b-bbba-115fc6978734 /no_delayed_installation /silent /ws /psh:92pTu5fcXHC9qkFS61dQDNYKn8dzmodoMgl77oOM2GDHBCFR3ayt4yoH5BLUd8mAfL6uxe33kR6ys2 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.e568bd8b298ee0ad /online_installer
        6⤵
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
- - C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod1_extract\WZSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod1_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1104
- - C:\Users\Admin\Downloads\windows-movie-maker.exe
    "C:\Users\Admin\Downloads\windows-movie-maker.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://en.download.it/?typ=1
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 484
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1132

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files (x86)\WeatherZero\WeatherZero.exe
  "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=18355878C83A652CE07D13A1824D0556
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgbfpogp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C0A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

Filesize
3.2MB

MD5
2b149ba4c21c66d34f19214d5a8d3067

SHA1
8e02148b86e4b0999e090667ef9b926a19b5ca7d

SHA256
95f0e021c978ddd88e2218a7467579255a5ae9552af2508c4243a4adec52d2b8

SHA512
c626f89bc01fdb659f4ee2cf86ba978f04e4bf0dec2624170c83c21d5ad29e20335566b1f7545d9badc4e47ca2ea90535c4cb08b4afa3457b72a5801053706d8

Download Submit
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
5KB

MD5
26adc5c8109ef1ff1221e856b9af8472

SHA1
f7c8f651e42a850b37db0b452b942eb8f5ca325e

SHA256
675f953d3d0154dcf5a70fc7f8e7ebbab7b316eaaff48961dd3f51a37ed05a84

SHA512
f23ada0c6c281514b00a88d48b23160ab5992dc6fce6ea7c70e7e4da559e4e1bca0893228be4c5393d6b0fc2d6f471175aa6188fe6a521afbab4999a14977bf7

Download Submit
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
28KB

MD5
b1959b101636c3072e42f86be97eef9c

SHA1
b336f57b8833d2f1acd045009f2a336d74c2c6f7

SHA256
b3ef666badbe2cce19702e407861b31df3448ea0e3d53d816af019a89538ffe4

SHA512
a6d3e4d698448936db933dd93dbaf44a4c87c219a58889da9742f0afcbcee7dc8365daf08d54b3324f47ef7d8b91e9adda9a3990153e33145a1a330c2bbb6f78

Download Submit
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
50KB

MD5
430670c75a3e5dbf53f568b5563c14d5

SHA1
98ca4033fdc1d0829190d89acbdba9cf4adfb0f9

SHA256
dc34719adfe549a540732aa3d5c152f9cc61a235bc4ef15ca0cb82ad42c67117

SHA512
e6cdbd77f916cf3c6256efb88e6b209502400b241484a0d7613ca3bd7c16b860d92619636fca8447c3ed09f74fc5b92604d51be5db25f85f79e115cf36120550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7d9c5f8db1273ffc5e3230f62e7cf6e

SHA1
f7b885da86e95cd8b306c2669b70346d2bd90154

SHA256
2a9bf83210025e5bdc8b4ffa2b67e26c3570d9fe3a967bfd83709cd71268d483

SHA512
aefa5b029c1990476c499519d2789957dc9566dd7c8f32520a495cd48b97ce0f658f7a8acc1afcbd28f6a99cb469dfdd76e18ff68bb289167b813171ca538ef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3807ce07caabfda444590527e8e1a565

SHA1
03bc406cf02d5171b21ae8a7ba0cdb41bd605b4d

SHA256
095bdc5c12ef364ef66224575ac7fb28fdab79cd0787f1b015d674acbda20bd2

SHA512
ab33d6fadfc2ff02dc0a1d45ff56b78560e30d673cfabdc0f633b4cd4f51b73a1e60b269cf47c1d3138d9f53d3d0df17bbe7c7fbe05d5383f16d8caabc24a243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a28f4fb9f17f25c83b0ce9e6a28bc0

SHA1
a0ae31a59e4a83a21428d859d4cd69472b0cf83e

SHA256
b7c37e5db00d8b810edd65500c4d970989c587d709139147df16fe0839a3baa1

SHA512
ddaa3750f13bc68cf71cb107b1d387c58e9869416b2ccfc97b8d6059e63d7326962c53ce14b2786fb9baeb3584806748132af4e476294e5493717d5921791ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff2b2cb667b0f96a0506181cbe473d01

SHA1
65cbb4ea3fc91c9b9d35e203afb16b5b9288c84a

SHA256
9fff34fb9b959749eec8b6741c9499bf9f7bced9bdbec27245c2ae643579341e

SHA512
14cf469ace77a1137dd3f6670ddf43679c1546f6c117e75854356e4a71e490356a38f24e758b6a74a3e38527c6164d1695fa23040ad0e313ea799fb7a07f2c35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34523e39d707912b108ee8b365d13674

SHA1
931bdee5c57b3bcc8c26436005f416f3e9678542

SHA256
51680e6f89fd8f3c71fed143ebe1d4db3668736bfd6043b9803cda2520821658

SHA512
43fd69213b8973db55636dc87c34cfc6819840053c63369d27cbd865425b61990be224ce3148b53c3263fca6fbd506a90144b58ed19676b5390f97d7c2f548a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
333ad3c972f54f160718d04fe8040d83

SHA1
fc767a8f94265b9adb099fa1633f22e6e414be58

SHA256
5c3a21007f1b9c2a72ab7476b68345687a3e85d32d799595c12b1da8ea7f8c92

SHA512
481d8342b8651fb25a0ef6ff50c4c4ab7ab3eb7f9be1c5011ffe3e99349bd39748bacdeb574e12453cf169614d41e42851c169273d2bd94576f58807665acb9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1afbb6a502cc33c070c4e4f953bbb5f0

SHA1
a3c7f487fd5791cb88664674b3c469e5f45eb63c

SHA256
ad568b7a1efb8c937aeec0a81438343424ec4de107c5036eab971dc40c19c427

SHA512
00327e65e2304c8fe6c9a42fa3471d85ef950f13494194cafd0a1eb8d5abe382010cf262c427c0f375aa2736adb7ba9a2e8b877c33f0f4da37b04d861de74e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c7d374ccc2381e430d17ab1ba52223

SHA1
74f0bed50e48ff973f01af43a0e7595d6b81f979

SHA256
fbc733a088c67c75e329e606502333bb307fc886888830f9dea89bd532f71091

SHA512
a1713ce9bb456164c6469fe3fc5e7f8ea1985bfb52c8fea90c210cfe3e764315f61a140330b4ca583ce3dba2a7091642009920d5f72331c3f21ca48f5313e76a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4de584fa5f16382c7db3110044945fc7

SHA1
01dbfda6f7f5e9ad628aff7b359ba32097e4f783

SHA256
3a406d535329e4ef14945972b287c29073fb1134cb4bc50371f1e5ffeb9d0698

SHA512
c89601e182e9f4962ba532dd7627f9a47c6d1fbbf433751de926a2d1b12746a81a466c8eecab076bb7ecc7c9fb2cb1b1b417bd9cc9423a1b2ae2c465174f7afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aff1704ddcf7ca9da97656665a750af

SHA1
eeaa87967d266dc66b4cc4b3b6287a7d6e1713db

SHA256
00116704283995809ede9adba8e56bfe709ffa1317d688ea9a4acc01d148767e

SHA512
ebb547a093a3e49363f9aa10a1fdf66a368915c5c0bb163e447d60999a42f3614f518eca4d5895bcdafb38ebff13397f378f2c60e62e263592dbb431cf32deb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c926716ac70b1dc159fddafe0fb6a5ab

SHA1
bc462033253030fbdebe27090405d1df61517ce7

SHA256
7a736776e93e15b66acc5d0349993ee245b1886850b02c9f8a9888af7fc67de8

SHA512
467b3aea3834e6cc300d0726474dcb544af2f55fff7214e3ff1ac67b2a6bf536ce258f401cbf04742694c6b177857b911b8bfc41b0fb5ef8c9cfb4b329193a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e9d2e89058752fc3df43876239f20cc

SHA1
3e0f1579ad5a9f9446c7c251ce96bf67c7e94dd9

SHA256
5ab085355161f92ababa54b148889b431e8e6ee025a0421f7e01596620b1baff

SHA512
46b2111af24d01bc6306e6f062bbd03c5be69bc5823deafb418788984eb5224e037c945bc27f8720ede200d03590542ec3eecaeb286e660aa2a3ac4d970a34bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f32dab91fcc5eefefa31bb31cf2f4dc

SHA1
fcc18ce10ada2d9763e70e2fe7793f05fa1f83e5

SHA256
8e3d3c4b9f2344917608014230a0e6437a18dfa6a4a540df60872f964f2cd669

SHA512
99db135f8bf1e4a3b9ffd3e1bb8710060925312f22ed040152cff5e5a815d3f141baad9efe72d16c62de872d6a7f895db067f2ba3a19c5a001c7d69337beec8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47f092bd6ec1f4e9bc8ca49ad866ffb2

SHA1
f539c5682b52316c8d455e7192c3c013f39e13fd

SHA256
852fe45f9edf626da21d1926e7934cb7beb19d54ae356a4e76f1c32a86c33d1c

SHA512
2567a23214bdf849ec158c559f01256306e18a48978607a15047e1601aaca0e48c5c9b551dbec8100998cc9b9d1aa12b8383be25895d046146ea62b0a6dc556a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c660bfaa161f541fda64da75cae399d6

SHA1
0c2319f19cafec0995cb10c9ea133a32f8b1e7e8

SHA256
418469eb6f4847c0ea794b2357e68a2bc077794144354c69c8b6a01594e8bb32

SHA512
f608afae2e83e7783448c04e63596ae42fbae41eac0874bf859d678ecd14427d4f9d8834d02c07f5293b09b396900a5acabd17c2df477fbf42372e26aeaed3ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c5fcb46aa9ec243b1df87b0a61c277

SHA1
f5e48d7731d0f70cd622a56209dee742f6d23f95

SHA256
1e1d8db03c3f1430f6f3284d669a8e805603944431aa0f58fc7e83b0808bb785

SHA512
1d0a8a997201b72be2ff1bd2b240eb64c52f38aa2e0f7d9cbf28b7a8630230ba51bb788e6ab8f5ac86cca8b942ee882c14c4a9608098f7616d4982531c84ca43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c048c6909c055cbd3bb47ebc2cbab6d

SHA1
d60b4f2a889553d1f01c359a20c54799d5794b69

SHA256
1911c3c678124c01e7e40c09e0a7cfcc9ef6c230ddb353a0fde28d37467256de

SHA512
6bdc92e0e0153771e1be859f2afa1457467ac4b4ad28bc6b5048c4954cafa9f74ee45fdf65b9c349b61ec45e9c994861ee80642dd74134a2f34687b4d18636bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a2b72733adbef452768dd8038c348e

SHA1
a06197414d7624848f17a080b5f2ba5c404bf04c

SHA256
1c120bfadeeb00f3b8c1c4893097f420d795aaa49a68b9a49b210f0eb8cfa5af

SHA512
c9991020877bc543fe7175acfafc32a5a39a27ab4ba4e6b6628017a5048eab9f0880c7bf86588cf4b6616fa018b434fdc678cc1832f3900c2c7936cb590ab0d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e660d96b40e1a2cff00dc76a4ac856ac

SHA1
e16cc92a55595cb832aeafb9a02b448d566edd00

SHA256
2d8b8f09068ac93f90a0d7bdfccc1fae50f2ddd2cb63376978e68cbdb894c7b0

SHA512
00ae43c96338b5ed68ad81382fb96208119fed0677a11681da262719d46c8f899726d191c89fe2fb3cb7160be441dcbc20d7a0e593fdb14af452bf09ddc01915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81765375335461c2f09ec17cbc6859a5

SHA1
386e395c541a9b8727730aa87adbca83d98bb9ff

SHA256
5003b20c18eb63c59c01a58aa68f3cb3f768b11d68c0992c132b826039050124

SHA512
9627a1c32f8089fb68f032c906565d8b3ce4e0291afffd84781f37724f6cd15ec7758d81593e9f799f5b5ac23905ff71b28e402027f4e7b785c97fd154858bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c3847c9934d4a25bee6427b1ffc00bb

SHA1
4b37755ed9fd23a7849a19a0041db0f515b98a8f

SHA256
e27da25ce52d376405e73f301e745bfd24175ca3270eea3a44a7370669f0d78b

SHA512
a35f8599379eaa63574b6a38d3cf87181dff4b42ea4baad7fad6b4a133fbd744cb51001df589aaf0921241e0359a47d6beca66563a5b01b3b0faf1647d2c68c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a09041678b1175cc1269a1818b20106e

SHA1
cabf13c8f2a159a0db778a69173a5a40e78e5876

SHA256
64741f0e81c288507109012337a07da1a9c9eaba87452b48d0d4368a3d2a6ad2

SHA512
d9d6e31edc4d08bf031e199b00f0032e69f620d87e73ea1f7493f59f91264ac71ba6c1b406e2110252f5c2d1b9d3d1a1a2050b56c6090ecbf5a20fca4e6fe6b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f082c762264196d91d74d43741934ffc

SHA1
fef68a90656fcc72782a2875efc656d72f41755f

SHA256
b024e4cf42f86b43c80053927715027b08f62cb042d537d4ff436662778ef871

SHA512
737d7199a93d75aee2809d5b88d6dafe511e43fc3c106e7796f71e88cb3b5ba2911b1d35fbb8252bc9060befe6d802f88c783bc615f755cf94b955c7de6a54d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7313eedaf887fd0592cc9601cf0774b

SHA1
76731d5ba6dd842a19990aaee6be519b1cd33df6

SHA256
edfe1a88e20e3a9bbe053abc0f488aaa6c3de22b6f453c11898276b50bc406ba

SHA512
f48d1be42ebc92aeaf17c08f028f938848968d01faa67328a8eb3ff01c086a81b3c8ed1bbb0fd21ee20bee0e60e8e4becfae423d08b4aea8b09389ee5aa3f541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd053c7430989b41ca877bc88a68fc3

SHA1
b984f41fd8b59882db27ed958a97364b86623a8d

SHA256
94e51b7204b3cdd4353775228bcce100443916b94be187ed14fe87ee04858596

SHA512
58440f6d7b6e4cebc72a7e411165ed36146daae6a13c4e122dd99c9fcdcad4c197a56665932aa3dab505971a4e614d2f640c8ac35b2bd8c3bab3f864ebe73941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf01f04f6594ebcd18f7b095dc86bd8a

SHA1
99d647d85b1f1b2c42426347ac43e85f046b5412

SHA256
541498c677f122f56f3fddd6ef2dad265f661eff2d1208cfc05475f36eb00e62

SHA512
66a29590d196d843ef300cd7bc2f9fd306f4060c00f55d73d214281cca9b716dfb48afbbaeab14655c66c66e614dbd8ff97c9c870027b75a7157bdd28692ee6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b742cfd3b7d307f36e147faa7bff40

SHA1
68ace43d5261c8b02a5148120d5527ce4d5441b7

SHA256
7a137f27731bc92070616397456428553b5273ea7011540273b4cfb0ee67218a

SHA512
f98b90563e3a60ea8d494037459846c71e9f11a2e251e184024c8536109a79b52bfa3e560b36b1c123713d212e1ca3ca6e015f491c6940c6eb5d3a3cc61dbf7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a704e0505f5be9a47d568d5dc2226ab9

SHA1
c3923b2d51aad647b61a37b5bb66ec1f0336ee55

SHA256
a9df255fd0de6282f9f52a7fc6983c922766768849e5f66474a043d7f878ee06

SHA512
4be12afeb881bd507a60e90c0c246b24e8e233699a25fe6ef0fff80dd2026ede87c08950115a065a1514b4490c62078af31b13915a3b3260b18f86b22dc04525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29efc31066893c8514532a8412e55b36

SHA1
b3eb8ab0b77ecf5cae19496a40a1ef1e74248a40

SHA256
cda4c4e3e70ff527e69a6ab21a224e54662280cc9fd2cf800d6bf168658ddbe6

SHA512
5b65488715cf7ff0cbf002f8839739ffcea6a523dbac1d60bcd8fcf352ea369a6bd838845aeb52ae41bcce9af3bfb6b48ce9262a770fa776585c3509ee1de300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13017ad177a0b29f0158fa1a7a3b2c52

SHA1
f0ef446a28ca4b057c5d8cb4490a2952006e8a3f

SHA256
50a9f449f5f2ef17c3ec8970daeefcd7f74c021c45f282e628d484b8611c35db

SHA512
3ee303d3339a544e07e155501942389d1e46932e11f3641e1ffc2a7e08f42a5b63738b702c74448b2a5dfce5a6170fdb400992a84b093cccb53b6cd12a17cf4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9abdeb7214f8ca7bea39fc3aa2de84d

SHA1
b501e4142b538565c4ed681f7104536a44949cd0

SHA256
39c0fd6858b36503f1604a306afee6de5eab08375c310af0e98268981f9b7f5e

SHA512
cf32108d833501b55a0137e74ec857a10763f58846299cd84fe408233a83dfd1dcb4463083d66c8fe379896e4b4727e22ced8954f5ede2cbad6ccf83eecd18fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\favicon-32x32[1].png

Filesize
947B

MD5
ee68a08b526f9f223c0a77ca0b1db826

SHA1
ace232139d88086f9971fd80cf85ac84bae2da7a

SHA256
486042f1d958eb079cfc0aea20ae5723d4fc39c4a8550889b9d1b13dbba1fdb5

SHA512
14febc2d48eda65bf039298f411af3ff14e1985ae60a9772bd754b19df69a5faed210043fbb33ca7737f50ade96cfa6cddfdd6ffbc40dccf77f9b0e34315a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\09190955-000006f8-svrut7195o\Files\2024-09-19_09-50_6f8-vy9qde02.log

Filesize
24KB

MD5
6a79a71a69a40e727fa8269c72b94539

SHA1
9fe8cd70ae197afe2fb527811c8a0910d665cac5

SHA256
382c214ef748794cf0245692e8cad04f86b78d6ea574a03b45f6bde65ce4f3fe

SHA512
a1fb0754cc3c9301c8f24164a1ecad6eb6402deccb4d4b94fece5252dd624103efa09ed2aa5c3cec216c46aa7a76182f54d4c7d77fbfe67b2ce69d484c539a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\091909~1\tmpCD7C.tmp

Filesize
38KB

MD5
8274c233094ab59f40135619f32848cc

SHA1
cb588154fc7e951e0199d2a56dc494010e7a994f

SHA256
ac1a5b92fc478ed69aec3d94c6c0ba328789bb4e44a9c56598a4f961edfcb09c

SHA512
08434975e41233ac9efe507d87743fa3962321b2b556b1066514745d9a885f62ceab2d0bb6eb8d045186e5b9d1efee561851a7fdd5726495658ebf4d7693d105

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2177.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\AVG_AV.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\loader.gif

Filesize
10KB

MD5
12d7fd91a06cee2d0e76abe0485036ee

SHA1
2bf1f86cc5f66401876d4e0e68af8181da9366ac

SHA256
a6192b9a3fa5db9917aef72d651b7ad8fd8ccb9b53f3ad99d7c46701d00c78cb

SHA512
17ab033d3518bd6d567f7185a3f1185410669062d5ec0a0b046a3a9e8a82ee8f8adb90b806542c5892fc1c01dd3397ea485ebc86e4d398f754c40daf3c333edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\mainlogo.png

Filesize
12KB

MD5
dd90682ef1b7d5890c8c5a3d3d65d3f0

SHA1
1297970e3d54afa50cb787ca76e211623f88a383

SHA256
42fea3730803d445b175774bd62a89112df551424e04755b0b8a5238153a6f77

SHA512
f828389557f4ea065c26cb18e47f8161ebabc8a5b824560531602adaa0c5c6c66b79ab3c932b933038d98316bdb6dcf2ffbb85ecb331ab94b7de63f28e58c3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod0.zip

Filesize
122KB

MD5
56b0d3e1b154ae65682c167d25ec94a6

SHA1
44439842b756c6ff14df658befccb7a294a8ea88

SHA256
434bfc9e005a7c8ee249b62f176979f1b4cde69484db1683ea07a63e6c1e93de

SHA512
6f7211546c6360d4be8c3bb38f1e5b1b4a136aa1e15ec5ae57c9670215680b27ff336c4947bd6d736115fa4dedea10aacf558b6988196f583b324b50d4eca172

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod0_extract\avg_antivirus_free_setup.exe

Filesize
229KB

MD5
26816af65f2a3f1c61fb44c682510c97

SHA1
6ca3fe45b3ccd41b25d02179b6529faedef7884a

SHA256
2025c8c2acc5537366e84809cb112589ddc9e16630a81c301d24c887e2d25f45

SHA512
2426e54f598e3a4a6d2242ab668ce593d8947f5ddb36aded7356be99134cbc2f37323e1d36db95703a629ef712fab65f1285d9f9433b1e1af0123fd1773d0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod1.zip

Filesize
5.9MB

MD5
7cc0288a2a8bbe014f9e344f3068c8f1

SHA1
eb47d401ae30a308dd66bdcafde06cdd35e25c94

SHA256
200e9bc4fcf2c6682ddc8c7f172a0d02befecd25ca882f66c6abc868a54b8975

SHA512
869f0a01ef0bcbbfc501c1786e14bffeaa2daaa00210c312874fc67a724c77ef61394bb5854b9a02af654cd045c4d39ae30d73f1b4ec8aa9e531dfeea1714476

Download Submit
C:\Users\Admin\Downloads\windows-movie-maker.exe

Filesize
1.2MB

MD5
8423b539d6dcecf2d710c210f01d6c6a

SHA1
24bcef46ea3ed47158c72a753f6b1b6005468879

SHA256
7d9c68b11e45a763facc7577a51c8c00b7fb654b9ba044deb223e7140a2efe50

SHA512
4db21d0f283e3539c649f6eda114f48a5aaddf32b483bdccfeb5d00859c58b94d4153ea4bce92f39cd26d6042cd3ceccebc74e3ae2a8482eeb975459f9684b02

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\Instup.dll

Filesize
21.7MB

MD5
28c9db78d385f048d1308543aa0b6dc8

SHA1
b94e6adf0a9be060cb8164e74335602e3d931f88

SHA256
09d3c5a849005005a6c0b4f905e78ef25c917ba832aecd7a17ca0588f3bb4e96

SHA512
5a3fa72e40cc98e8236f018d68a6091246c6ce0452fcfab4c4d8528b82d00a51597d2b6c260f73ca1f6b6e70ff50d341f9e775a5525e332d78759e2a26d0ee6d

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\New_15020c62\asw821c791f5e9f815f.tmp

Filesize
19.1MB

MD5
917a284494cbe4a4ec85e1ec768339c9

SHA1
47ccc0a04ecc7c3c1ff79bf42d424cfda356137c

SHA256
57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772

SHA512
90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\New_15020c62\aswb3055951cb7a7d80.tmp

Filesize
3.8MB

MD5
0b830444a6ef848fb85bfbb173bb6076

SHA1
27964cc1673ddb68ca3da8018f0e13e9a141605e

SHA256
63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f

SHA512
31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\New_15020c62\aswbe52f6c49f89719b.tmp

Filesize
3.1MB

MD5
c545527e69a46359a4a45f58794a0fe5

SHA1
e233e5837bfe5d1429300fb33f12f5b54689781b

SHA256
8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9

SHA512
754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\asw304f81962563821f.ini

Filesize
666B

MD5
f161504a55506d7dbe33fe1679d5a8ef

SHA1
ca78d9b64f35d2561d1d0a54b188a97483c34e1c

SHA256
641a390b954cf0cab6f6a6290e71600ccf5eb7a48a7fda6d6157c8a149f713bd

SHA512
03b2874fc1ad66cd7595b382810828c93d22b1fa36f7959d5d1908bfb8ac4c718887a2bfa2bfad9544b304de47d35e5ace766b526e0d45a44d249cd6c257da48

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\asw7a07c980c0c809ba.ini

Filesize
1KB

MD5
afda259daa91ff4aeb2ccef8bf0750ef

SHA1
d93e05d0232baa575c86f70a1096eeba40811c78

SHA256
c91d867c3531a9bea21b71241253f75169ff892b92a9ab4e9f752c57aa8964e5

SHA512
b1f7e8ef93d4443b667b55db5003a89b3f0fcea93c682b642422bcdcd5718e7ec4ce134ede1a8b838bece08deaf68d08fc0575a0aa7a8daafba154aa89e379d6

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\avbugreport_x64_ais-c62.vpx

Filesize
4.5MB

MD5
bbb61ad0f20d3fe17a5227c13f09e82d

SHA1
01700413fc5470aa0ba29aa1a962d7a719a92a82

SHA256
39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e

SHA512
c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\avdump_x64_ais-c62.vpx

Filesize
907KB

MD5
43dc9e69f1e9db4059cf49a5e825cfda

SHA1
519298f8a681b41d2d70db2670cc7543f1ee6da4

SHA256
98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d

SHA512
d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\config.def

Filesize
18KB

MD5
4b347d5388b66a283210d558b16b1442

SHA1
458d2b2b47894a0ae5f54276e8d4ed264cd73bc7

SHA256
8e5a4c7af575d57a658894a3599a1f373cb145fe770bcec5df87374ae34bc5d1

SHA512
dc8745f7534ea80044883715f8fc4b9a94b03c3b609593f6b5a3873978af97c074bde5aab4031dccfa0f333da9144a869bb218cb83d89a9d4d4ea5a54ea52d42

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\config.def

Filesize
19KB

MD5
2b2408df7f3b311fdca2fb87feb44a45

SHA1
efa5403c61f563b6d341bd0099191877c1b65f0c

SHA256
1e7120498eb4b3bd2b641914b527430376e6fba63f7d520e96960de600aa7fcc

SHA512
93c480e23513ad542fa9fd6cecbc12dc5e2f6172794cbac292a20ada095dcd5ec39fab8750ba8cb989486d85cf086d14ac1cfa69cdc7ae52ba0f6a035e2bd086

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\config.def

Filesize
23KB

MD5
5d59ed8172042c7901fc24850491045c

SHA1
27536253cac2becfa74420d11d1acdf97704dbeb

SHA256
06ad9fc05a99997900b02003a586c23311f5869070b4cbf3309b37368a2ce114

SHA512
667ed55d86c8e652907c8f439332dd8ce565eb7a66d7acc447ff57e2bee369545ac100480e7d51ba282dff3165c1b92e5af4ca46ea4b3c36b46b1f4c58586c00

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\offertool_x64_ais-c62.vpx

Filesize
831KB

MD5
ce4d45d0b684f591d5a83fdbd99bd306

SHA1
e89637b905c37033950afadaca2161bd5b09fb5e

SHA256
907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7

SHA512
af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\part-jrog2-14d0.vpx

Filesize
674B

MD5
135b59042a908dbaea5cc561d0386448

SHA1
f3c071e10e87c24a149365730295296c1a5b3485

SHA256
528077e913ef7684c48382096f45b64fd9b74d75a1e79313724e703b080908c6

SHA512
466d939c181e32537a2afcc4f9cbf6b684702fc467b7fd89f04f1d874974e2a5a5251403af4a58e2128da649cfebfcb29bd7eed86c27eb83845dadab4c7c1291

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\part-prg_ais-15020c62.vpx

Filesize
175KB

MD5
29b9bfd25fabf42939e3a6877f9b3ece

SHA1
c30d865bc2d680311c68eb0bed0e356845f700f9

SHA256
ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475

SHA512
a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\part-setup_ais-15020c62.vpx

Filesize
5KB

MD5
d5b798d8816b252e7d718195dfeb8a8c

SHA1
860c5807fd491aeeb12d661d8cf2ecca4ca1639b

SHA256
75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

SHA512
16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\part-vps_windows-24091902.vpx

Filesize
12KB

MD5
48eb4910638da61841eec96a1e584f13

SHA1
609bd0f21795f0016ac2921af806f78a76234347

SHA256
e29359d0fb5eaf054313065572f4ff8f3792a802123bc14c044aec3e3760ab04

SHA512
13bac60411680c330ab4935c7eb7c527928a64b1ec207ce4c0abacd52c6034b5297a1dac6d5e056be8b02541b6bda5f4aa2748358ef61e4107d1d053d5203a3d

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\prod-pgm.vpx

Filesize
572B

MD5
999754d694d00b2319ebc83bad47ad55

SHA1
1f4a09d7506648b5f257dc3bf5fbe6629d85d1ba

SHA256
a44174fe5fae6797f814c6b0f34a7a40967247abea3f8ac3c2e053d75778402d

SHA512
5f035e60b0f58d988af62b3c245a5bbb2c364df3e65255f37743fddf5d357ba5515eb4bdb1bf95e922dbc994f031da6e84ed26b3ee884863efd5d4854547b59d

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\prod-vps.vpx

Filesize
343B

MD5
c3f29a734e383ec053cbed7569a6d9a2

SHA1
5b07d18fd0aa113399ea59d092a54a60ed1b9080

SHA256
222d3a2e50840f889b8a01d0d3570a0523604bba549051352a668b405f6d809b

SHA512
c11731dce8670da15a6028c64d9778e05b4bedc0bf8f02f4ab6ba7d84148cb83934df0ac7d7163e7fb10612b5800640e68a3338c0a70c84c5dfdb577b2c9ea60

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\prod-vps.vpx

Filesize
343B

MD5
32019de041abf7ca7a11c545585e1459

SHA1
b6e082f6c186a7a1339451222cf9a08b61a8116d

SHA256
664b9e54bd3b9da8a46a02622f051dd396e56d39a7f3f684aee2b77344fdd544

SHA512
a8cb99834b7bd62d994ebd64a61876491ac663c7710317d9674c81db1a515373fbca1aa98ea83c4bab91bda87f9c2f5083edd9fce3977c82ceee856bf930f679

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\sbr_x64_ais-c62.vpx

Filesize
15KB

MD5
e38cc92cd980a55d811316ac62883e14

SHA1
fa83737abe11ee825c3da6843cc4d8e3b459729a

SHA256
be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87

SHA512
1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\servers.def

Filesize
27KB

MD5
6685e1a7edfaf040ce933daaa271b33f

SHA1
b1bfca6f357cc75b10d2b59f228da51097c02d15

SHA256
842b0d709b81589d1ee5f24f421e531f512e46bc0b770b97afd2774a45ec7a97

SHA512
4f958804cbd1ff13b29a5539400ba3263d03e434d59365727997f7dd9bf5f6f61a6fa77d869eeb0f3b33b3f1f7fa76bd1ee5c26b055d2446640ba761507c72e2

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\servers.def.vpx

Filesize
1KB

MD5
68fa59ad1f9f4f9c9bb28b865e09518c

SHA1
5264ddce5171dbb3d8639fc3b2796d2043f0714d

SHA256
6f9fffe858e1631105c8432f785acdde98cf61b9ab657a9f3b6a21daf37f9230

SHA512
07e0d192119656867797a4f55836975a0dcf01bf7de096569e72c34b1ae2efdfcd1622ade600b3f46c5579cc84517adc694a6e6a5d283396b7d9dcf6d261162f

Download Submit
C:\Windows\Temp\asw.ac3d0c33363e0773\uat64.vpx

Filesize
12KB

MD5
859c080245a39c701981f84287e0ee92

SHA1
59bd07b9a4d04aa88861263240cb2695e0ffa5d7

SHA256
7d13e1c324f8d2335943f3416c73acfd7f197c3ce53981bf4c26cf822797f91d

SHA512
2c23a3758ad830c6191e20ab4aec4cad42ebad1cfc309efc6fc48f4733de2278cf8c26f4d6e7cf378218ccbcc327e4d3b6c0357219934d7074b4a393e9a68eae

Download Submit
C:\Windows\Temp\asw.e568bd8b298ee0ad\ecoo.edat

Filesize
21B

MD5
3f44a3c655ac2a5c3ab32849ecb95672

SHA1
93211445dcf90bb3200abe3902c2a10fe2baa8e4

SHA256
51516a61a1e25124173def4ef68a6b8babedc28ca143f9eee3e729ebdc1ef31f

SHA512
d3f95262cf3e910dd707dfeef8d2e9db44db76b2a13092d238d0145c822d87a529ca58ccbb24995dfcf6dad1ffc8ced6d50948bb550760cd03049598c6943bc0

Download Submit
\Users\Admin\AppData\Local\Temp\is-CVHIL.tmp\windows-movie-maker_ih-8Ta1.tmp

Filesize
3.1MB

MD5
52263ba53784a017b4c47b092643dd24

SHA1
f12942694efc30db81b938702af1ebc5b8d68415

SHA256
30848b34a4fba4a601332f90a6f4327ef3c1c9f943dc35c764ee3aeaba412600

SHA512
754f8f18090297ee5815b48aa745feed2b54cd6fb555645a607ea42400b6149e4556be6403b927e848e595c07377585355e173ad7f52795112029ee4f6923e40

Download Submit
\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
\Users\Admin\AppData\Local\Temp\is-QKEJC.tmp\prod1_extract\WZSetup.exe

Filesize
6.0MB

MD5
3c17f28cc001f6652377d3b5deec10f0

SHA1
eeb13cf47836ff0a0d5cc380618f33e7818f9d75

SHA256
fa352552306b80f3f897f8f21d8579ae642c97d12298e113ae1adc03902c69b8

SHA512
240b31f29d439c09a56d3bf8d4a3ea14f75c2286e209e7df3f4ff301bfa3ad8228d7bebe01acea6f2f702a0ba7ecdb5583b97372725c77ef497e749740f644b3

Download Submit
\Users\Admin\AppData\Local\Temp\nskCB2D.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nskCB2D.tmp\WeatherZeroNSISPlugin.dll

Filesize
695KB

MD5
2eaf88651d6de968bf14ec9db52fd3b5

SHA1
1c37626526572fdb6378aa4bedbf7b941886a9a1

SHA256
070190292df544da87f84dc8cf8ecc0a0337085a3fe744fa60ce00a6879b6146

SHA512
15754a8f097f9c8d7bda65fb881720af5e4c4db1e35f555563b9bafe6426a6a0e50953a47f628fe3dc0f461e48abbf77db7c997902ff483cf33396d0d8e2cd17

Download Submit
\Windows\Temp\asw.ac3d0c33363e0773\Instup.exe

Filesize
3.7MB

MD5
9ff8fadc76f9bf63f91362e07ce45608

SHA1
f3214a70eff7c29deb29219692e673b2df0ecbea

SHA256
3cb90d4f86a49a9290ea0417179182bc2c8e0f7d8dab2de180db3dd1146d80c3

SHA512
716ad876b6704801d50e015dfdbd81edde17e47eb9c28d3af53ad0feed4d28be185d026f8a64e3ed735fec1d2659e1b59cd5976bb156b0df826c8f13247ecc3b

Download Submit
\Windows\Temp\asw.ac3d0c33363e0773\uat64.dll

Filesize
23KB

MD5
d4cb0514285ec27a18ac6e74159fb695

SHA1
3b5d445c2162c3723ae73e3bf6cf3acf37019d5e

SHA256
8f204d870ec74423be8c7f05b9822392eb9f675c676ac8646e944645a5e9aa0f

SHA512
25ce4398012d86eed44a66cd96cd3790df05c44d8480b4ee5c702ef5e005950cace265ea2a65fe5fc25a49d93f1a5eaabd28b6fc350428baccbc141bd69b2988

Download Submit
\Windows\Temp\asw.e568bd8b298ee0ad\avg_antivirus_free_setup_x64.exe

Filesize
10.6MB

MD5
64b8e930e0e649a7b8302380a2fa6dd0

SHA1
3390e6f86293032053d0d712a613b8e3608b237c

SHA256
f30810d4be51461cda07872416d2cb9bd14ef555cc4f5d859a48abce1727de16

SHA512
5b2ae05de9366bb8665220dc337ef678f2f611375ab94689ceb417f4fe869ea9a1045ba8ed1df0498c56c991ce020a9d28de0504c4f07cbab19efde22c547710

Download Submit
memory/488-129-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/488-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/488-2195-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/488-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2984-205-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-158-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-227-0x0000000003530000-0x0000000003670000-memory.dmp

Filesize
1.2MB

Download
memory/2984-2193-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-156-0x0000000003530000-0x0000000003670000-memory.dmp

Filesize
1.2MB

Download
memory/2984-152-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-150-0x0000000003530000-0x0000000003670000-memory.dmp

Filesize
1.2MB

Download
memory/2984-146-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-143-0x0000000003530000-0x0000000003670000-memory.dmp

Filesize
1.2MB

Download
memory/2984-348-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-130-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-131-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-464-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-731-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2984-1020-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download