Information Discovery
Reads data out of its own binary image Show sources
| api_process_name | process: 67eb0a16282599d3ead2977d264598fa31dd83f0.exe, pid: 2208, offset: 0x00000000, length: 0x00001000 |
| api_process_name | process: 67eb0a16282599d3ead2977d264598fa31dd83f0.exe, pid: 2208, offset: 0x00000080, length: 0x00000200 |
Networking
Attempts to connect to a dead IP:Port (2 unique times) Show sources
| network_host_ip | 23.215.131.176:80 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a GET request with no user-agent header |
| network_anomaly | http://storage.googleapis.com/ss-installers/windows/avirasdk/3.0.0/avira32redist.zip |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
| network_anomaly | http://storage.googleapis.com/savapi/vdf.zip |
Performs some HTTP requests Show sources
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEA3Q4zdKyVvb%2BmtDSypI7AY%3D |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSHRqVSKsocqbcuJkRZwJjSAmttHAQUrWkGcPyAGxazqRiUa5QChl73J4wCEA8DpEdAc3HbUzijkx9jirc%3D |
| network_url | http://storage.googleapis.com/ss-installers/windows/avirasdk/3.0.0/avira32redist.zip |
| network_url | http://crl.globalsign.net/primobject.crl |
| network_url | http://storage.googleapis.com/savapi/vdf.zip |
Installs WinPCAP Show sources
| file | C:\Windows\sysnative\drivers\npf.sys |
Lowering of HIPS/ PFW/ Operating System Security Settings
Attempts to block SafeBoot use by removing registry keys Show sources
| registry_delete | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option |
Cryptography
At least one IP Address, Domain, or File Name was found in a crypto call Show sources
| ioc | www.digicert.com1 |
| ioc | http://ocsp.digicert.com0I |
| ioc | http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 |
| ioc | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
| ioc | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 |
| ioc | http://www.digicert.com/ssl-cps-repository.htm0 |
| ioc | http://crl3.digicert.com/EVCodeSigning-g1.crl03 |
| ioc | http://crl4.digicert.com/EVCodeSigning-g1.crl0K |
| ioc | https://www.digicert.com/CPS0 |
| ioc | http://ocsp.digicert.com0C |
| ioc | http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0 |
| ioc | http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
| ioc | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
| ioc | http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 |
| ioc | http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08 |
| ioc | http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w |
| ioc | http://ocsp.digicert.com0A |
| ioc | http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt |
Stealing of Sensitive Information
Steals private information from local Internet browsers Show sources
| file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
| file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences |
| file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences |
| file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\extensions.json |
Spam, Unwanted Advertisements and Ransom Demands
Exhibits possible ransomware file modification behavior Show sources
| file_modifications | Performs 114 file moves indicative of a potential file encryption process |
| appends_new_extension | Appends a new file extension to multiple modified files |
| new_appended_file_extension | .dll |
| new_appended_file_extension | .dat |
| new_appended_file_extension | .conf |
| new_appended_file_extension | .exe |
| new_appended_file_extension | .avr |
| new_appended_file_extension | .crt |
| new_appended_file_extension | .cmd |
| new_appended_file_extension | .inf |
| new_appended_file_extension | .sys |
| new_appended_file_extension | .cat |
| new_appended_file_extension | .PendingOverwrite |
Hooking and other Techniques for Hiding Protection
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Malware Analysis System Evasion
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | 67eb0a16282599d3ead2977d264598fa31dd83f0.exe, PID 2208 |
A process attempted to delay the analysis task. Show sources
| api_process_name | 67eb0a16282599d3ead2977d264598fa31dd83f0.exe tried to sleep 747 seconds, actually delayed analysis time by 0 seconds |
| api_process_name | WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds |
Checks the CPU name from registry, possibly for anti-virtualization Show sources
| registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
Detects VirtualBox through the presence of a file Show sources
| file_query | C:\Windows\sysnative\drivers\VBoxGuest.sys |
| file_query | C:\Windows\sysnative\drivers\VBoxMouse.sys |
| file_query | C:\Windows\sysnative\drivers\VBoxSF.sys |
| file_query | C:\Windows\sysnative\drivers\VBoxVideo.sys |
Attempts to repeatedly call a single API many times in order to delay analysis time Show sources
| api_process_name | services.exe (460) called API GetSystemTimeAsFileTime 3147680 times |
HIPS/ PFW/ Operating System Protection Evasion
Attempts to identify installed AV products by installation directory Show sources
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\vista\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.cat |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win8\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.inf |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\xp\avgntflt.sys |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win64\win7\avgio.dll |
| file_query | C:\Users\user\AppData\Local\Temp\avgio.dll.old |
| file_query | C:\Users\user\AppData\Local\Temp\SAVAPI\avgio.dll.old |
| file_query | C:\Program Files\Sandboxie\SbieDrv.sys |