hxxps://www[.]avast[.]com/c-malware-removal-tool

Analysis

max time kernel
210s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.avast.com/c-malware-removal-tool

Score

10^/10

bootkit discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3440 created 2064 3440 svchost.exe aswOfferTool.exe
PID 3440 created 4100 3440 svchost.exe aswOfferTool.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3440 created 2064	3440	svchost.exe	aswOfferTool.exe
PID 3440 created 4100	3440	svchost.exe	aswOfferTool.exe

Drops file in Drivers directory 64 IoCs

Processes:

instup.exe

description	ioc	process
File created	C:\Windows\system32\drivers\aswd8a0ba9511beff4d.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw0e7222e30c12bdff.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbunivx.sys	instup.exe
File created	C:\Windows\system32\drivers\aswKbd.sys	instup.exe
File created	C:\Windows\system32\drivers\aswa8dc875dfb9cc088.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswNetHub.sys	instup.exe
File created	C:\Windows\system32\drivers\aswbidsdriver.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswblogx.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswd8e46b17d7077d41.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbidsha.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbidsdriverx.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswNet.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbidsh.sys	instup.exe
File created	C:\Windows\system32\drivers\asw10f1b63a8a9ecc22.tmp	instup.exe
File created	C:\Windows\system32\drivers\aswb5427cf9faedcd5e.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbidsdriver.sys	instup.exe
File created	C:\Windows\system32\drivers\aswSnx.sys	instup.exe
File created	C:\Windows\system32\drivers\aswRdr2.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw10f1b63a8a9ecc22.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswSnx.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswMonFlt.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswVmm.sys	instup.exe
File created	C:\Windows\system32\drivers\aswElam.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw4aedf4814b041127.tmp	instup.exe
File created	C:\Windows\system32\drivers\asw8f39857360ca08bb.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswd8a0ba9511beff4d.tmp	instup.exe
File created	C:\Windows\system32\drivers\asw3a058d06ddf6fe2d.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswRdr2.sys	instup.exe
File created	C:\Windows\system32\drivers\aswNetHub.sys	instup.exe
File created	C:\Windows\system32\drivers\aswSP.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswa8dc875dfb9cc088.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw3a058d06ddf6fe2d.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbdiska.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbloga.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbuniva.sys	instup.exe
File created	C:\Windows\system32\drivers\aswMonFlt.sys	instup.exe
File created	C:\Windows\system32\drivers\aswRvrt.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw2675850f851f7799.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswRvrt.sys	instup.exe
File created	C:\Windows\system32\drivers\asw2675850f851f7799.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswSP.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswStm.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw8f39857360ca08bb.tmp	instup.exe
File created	C:\Windows\system32\drivers\asw689cfcaa413d491d.tmp	instup.exe
File created	C:\Windows\system32\drivers\aswArDisk.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswb5427cf9faedcd5e.tmp	instup.exe
File created	C:\Windows\system32\drivers\aswbuniv.sys	instup.exe
File created	C:\Windows\system32\drivers\aswStm.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswbdiskx.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw51c923f45f20640e.tmp	instup.exe
File created	C:\Windows\system32\drivers\aswbidsh.sys	instup.exe
File created	C:\Windows\system32\drivers\aswVmm.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw2c54cbc1841c8a49.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw39d3d1815a396804.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\asw689cfcaa413d491d.tmp	instup.exe
File created	C:\Windows\system32\drivers\asw51c923f45f20640e.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswArPot.sys	instup.exe
File created	C:\Windows\system32\drivers\aswArPot.sys	instup.exe
File created	C:\Windows\system32\drivers\asw4aedf4814b041127.tmp	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswFsBlk.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswArDisk.sys	instup.exe
File opened for modification	C:\Windows\system32\drivers\aswKbd.sys	instup.exe
File created	C:\Windows\system32\drivers\asw2c54cbc1841c8a49.tmp	instup.exe
File created	C:\Windows\system32\drivers\asw39d3d1815a396804.tmp	instup.exe

Executes dropped EXE 34 IoCs

Processes:

avast_one_free_antivirus.exeavast_one_essential_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exeChromeRecovery.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeAvEmUpdate.exeavBugReport.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeAvastNM.exeSetupInf.exeavast_cleanup_setup.exeicarus.exeicarus.exepdfix.exeTuneupSvc.exe

pid	process
116	avast_one_free_antivirus.exe
3180	avast_one_essential_setup_online_x64.exe
3328	instup.exe
3496	instup.exe
2380	aswOfferTool.exe
4740	aswOfferTool.exe
3812	aswOfferTool.exe
5104	aswOfferTool.exe
2064	aswOfferTool.exe
2808	aswOfferTool.exe
4100	aswOfferTool.exe
3140	aswOfferTool.exe
1212	aswOfferTool.exe
3816	sbr.exe
3952	ChromeRecovery.exe
1364	SetupInf.exe
4856	SetupInf.exe
2656	SetupInf.exe
1912	SetupInf.exe
3996	SetupInf.exe
4072	AvEmUpdate.exe
4940	AvEmUpdate.exe
4168	avBugReport.exe
2260	RegSvr.exe
2068	RegSvr.exe
3456	RegSvr.exe
1648	RegSvr.exe
3136	AvastNM.exe
3688	SetupInf.exe
4956	avast_cleanup_setup.exe
4680	icarus.exe
1688	icarus.exe
1744	pdfix.exe
376	TuneupSvc.exe

Registers COM server for autorun 1 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

RegSvr.exeRegSvr.exeinstup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ThreadingModel = "Both"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ThreadingModel = "Apartment"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ThreadingModel = "Apartment"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ThreadingModel = "Both"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\asOutExt.dll"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ReleaseName = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll"	instup.exe

Sets service image path in registry 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

instup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswKbd\ImagePath = "system32\\drivers\\aswKbd.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswNetHub\ImagePath = "system32\\drivers\\aswNetHub.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSP\ImagePath = "system32\\drivers\\aswSP.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbuniv\ImagePath = "system32\\drivers\\aswbuniv.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswStm\ImagePath = "system32\\drivers\\aswStm.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsdriver\ImagePath = "system32\\drivers\\aswbidsdriver.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArDisk\ImagePath = "system32\\drivers\\aswArDisk.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRvrt\ImagePath = "system32\\drivers\\aswRvrt.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSnx\ImagePath = "system32\\drivers\\aswSnx.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswElam\ImagePath = "system32\\drivers\\aswElam.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\ImagePath = "system32\\drivers\\aswMonFlt.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsh\ImagePath = "system32\\drivers\\aswbidsh.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswVmm\ImagePath = "system32\\drivers\\aswVmm.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRdr\ImagePath = "system32\\drivers\\aswRdr2.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArPot\ImagePath = "system32\\drivers\\aswArPot.sys"	instup.exe

Uses Session Manager for persistence 2 TTPs 2 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

icarus.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000	icarus.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	icarus.exe

Loads dropped DLL 51 IoCs

Processes:

avast_one_free_antivirus.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeAvEmUpdate.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeicarus.exeTuneupSvc.exe

pid	process
116	avast_one_free_antivirus.exe
3328	instup.exe
3328	instup.exe
3328	instup.exe
3328	instup.exe
3328	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
4740	aswOfferTool.exe
5104	aswOfferTool.exe
2808	aswOfferTool.exe
3140	aswOfferTool.exe
1212	aswOfferTool.exe
4940	AvEmUpdate.exe
4940	AvEmUpdate.exe
4940	AvEmUpdate.exe
4940	AvEmUpdate.exe
2260	RegSvr.exe
2068	RegSvr.exe
3456	RegSvr.exe
3456	RegSvr.exe
3456	RegSvr.exe
3456	RegSvr.exe
1648	RegSvr.exe
1648	RegSvr.exe
1648	RegSvr.exe
1648	RegSvr.exe
1648	RegSvr.exe
1688	icarus.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe
376	TuneupSvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

instup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait"	instup.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

SetupInf.exeAvEmUpdate.exeavBugReport.exeSetupInf.exeicarus.exeAvastNM.exeSetupInf.exeSetupInf.exeinstup.exeRegSvr.exeRegSvr.exeinstup.exeSetupInf.exeAvEmUpdate.exeSetupInf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Version	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	icarus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	AvastNM.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Version	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	SetupInf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	SetupInf.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	avBugReport.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common\FirstInstalledBuildNumber	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	AvEmUpdate.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\CrashGuard	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Version	SetupInf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupVersion	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	SetupInf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	SetupInf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\IDP\Setting	instup.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode	avBugReport.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast\properties	AvastNM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages\Engine	AvEmUpdate.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus\DeleteFlag	instup.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\InstallerPhase2	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Version	avBugReport.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\IDP\Setting	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	SetupInf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\AlphaMigrationFlag = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast\properties	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common\PropertyCommunity	avBugReport.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MicroUpdates	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	SetupInf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	SetupInf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 19 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

SetupInf.exeavBugReport.exeRegSvr.exeavast_one_essential_setup_online_x64.exeinstup.exeSetupInf.exeRegSvr.exeavast_cleanup_setup.exeicarus.exeavast_one_free_antivirus.exeSetupInf.exeRegSvr.exeSetupInf.exeicarus.exeSetupInf.exeSetupInf.exeRegSvr.exeinstup.exeAvEmUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	avBugReport.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	avast_one_essential_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	avast_cleanup_setup.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	avast_one_free_antivirus.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	AvEmUpdate.exe

Drops file in System32 directory 5 IoCs

Processes:

SetupInf.exeicarus.exeinstup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	SetupInf.exe
File created	C:\Windows\system32\icarus_rvrt.exe	icarus.exe
File opened for modification	C:\Windows\system32\icarus_rvrt.exe	icarus.exe
File opened for modification	C:\Windows\system32\aswd833bb24924f61d7.tmp	instup.exe
File created	C:\Windows\system32\aswd833bb24924f61d7.tmp	instup.exe

Drops file in Program Files directory 64 IoCs

Processes:

instup.exeicarus.exeAvEmUpdate.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Licenses\asw489ce86c56b2275f.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\22092303\db_o7c.map	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswacc821d47e11cba9.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-processthreads-l1-1-0.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\22092303\asw98e214ff4aac9895.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Licenses\aswe333b60bb4f31219.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Cleanup\dll_loader.dll.ipending.df7af126	icarus.exe
File created	C:\Program Files\Avast Software\Avast\setup\part-prg_ais-16091792.vpx	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\22092303\exts.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswef6efd0271e35346.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw1c5e63bed23fc253.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Setup\38ce7089-5566-456e-9e37-d828fb4cbf57	AvEmUpdate.exe
File opened for modification	C:\Program Files\Common Files\Avast Software\Icarus\avast-tu\icarus_rvrt.exe	icarus.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\ais_cmp_idp_x64-8cd.vpx	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\x64\asw1193f34c4920bf59.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\asw781a7334da22056e.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw4ae3ff401673e236.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw2eb5258de318da6c.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw843cf78c6f7880e0.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\anen.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\msvcp140_1.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\setgui_x64_ais-9eb.vpx	instup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir904_149319513\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Avast Software\Cleanup\avast.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll.ipending.df7af126	icarus.exe
File opened for modification	C:\Program Files\Avast Software\Cleanup\serialization.dll	icarus.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswavdetection.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\x86\aswblogx.sys	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\wsc_proxy.exe	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswavdetection.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\mfc140u.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-errorhandling-l1-1-0.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-crt-math-l1-1-0.dll	instup.exe
File created	C:\Program Files\Avast Software\Avast\defs\22092303\asw8128eb98b78e4878.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\nos.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\setup.ini.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Cleanup\avast.local_vc142.crt\avast.local_vc142.crt.manifest.ipending.df7af126	icarus.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw47e77b395be0a454.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\event_manager_ga.dll.sum	instup.exe
File created	C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswRdr2.sys	instup.exe
File created	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw7030a71516356b04.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\features_manager.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Licenses\Crypto++.txt	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\asOutExt.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\resources_abs	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\adnmCommon.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\AhResStd.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Setup\e61c749b-052d-4bf2-a194-3c7f29d2cd52\update.xml	AvEmUpdate.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\22092303\aswea03ecf180dd60fb.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw008a55b3e5140b22.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\defs\22092303\asw4cf08588997271c8.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw458942472d225405.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw86df7e6e9c5ab623.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswNetHub.sys	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswRunDll.exe.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\ais_cmp_swhealth_x64-882.vpx	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswf841b47e2ae6899e.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\asw6b71f7597ba9fe0e.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw97d5ce39193cd39b.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\aswb42f50c457d7e957.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\aswb7c7e7a6e14d414a.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\1033\Base.dll	instup.exe
File created	C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswbidsh.sys	instup.exe
File created	C:\Program Files\Avast Software\Avast\Licenses\asw5557ea16f10c28d5.tmp	instup.exe

Drops file in Windows directory 2 IoCs

Processes:

instup.exe

description	ioc	process
File opened for modification	C:\Windows\ELAMBKUP\asw9da8ad911dec530c.tmp	instup.exe
File created	C:\Windows\ELAMBKUP\asw9da8ad911dec530c.tmp	instup.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

instup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	instup.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

avBugReport.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeinstup.exeRegSvr.exeavast_one_essential_setup_online_x64.exeinstup.exeAvastNM.exeSetupInf.exeAvEmUpdate.exeRegSvr.exeRegSvr.exeTuneupSvc.exeSetupInf.exeicarus.exeicarus.exeRegSvr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	avBugReport.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	avBugReport.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AvastNM.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TuneupSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	AvastNM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AvastNM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RegSvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

RegSvr.exeRegSvr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80}	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80}	RegSvr.exe

Modifies registry class 64 IoCs

Processes:

instup.exeRegSvr.exeinstup.exeRegSvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "74"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: vps_binaries-a4.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Creating directory: C:\\Recovery\\AutoApply\\CustomizationFiles"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\dbghelp.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EDDBDEA4-5C07-453F-BE8C-81D738984381}\1.0\HELPDIR\ = "C:\\Program Files\\Avast Software\\Avast\\x86"	RegSvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "59"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_dex.sig"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswInfTg.txt"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: GSL.txt"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswUtil.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: ais_x64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File extracted: part-vps_windows-22092303.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-processthreads-l1-1-1.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\resources"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: part-prg_ais-16091792.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_fn.nmp"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswW8ntf.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: mfc140u.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "17"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_gen_core_x64-882.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-crt-filesystem-l1-1-0.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: Base.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: streamback.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\gui_cache.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswWebRepIE.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.avastlic\Content Type = "application/avast-license"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: ais_res"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Downloading file: 'https://honzik.avcdn.net/setup/avast-tu/release-one/avast_cleanup_online_setup.exe' to 'C:\\Program Files\\Avast Software\\Avast\\avast_cleanup_setup.exe'"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_mx4.sig"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-console-l1-1-0.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: swhealthex2.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\Inf\\x64\\aswbuniva.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\Cef_Renderer.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\ais_cmp_ng-*.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "51"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_gen_streamfilter_x64-908.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File extracted: prod-pgm.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Installing service: aswbIDSAgent"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: offertool_x64_ais"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\ProgID	RegSvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "66"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Starting kernel driver: aswArPot"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Installing kernel driver: aswVmm"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\avastvpnfile\EditFlags = "65536"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\avastconfigfile\shell\open\command\ = "\"C:\\Program Files\\Avast Software\\Avast\\aswChLic.exe\" \"%1\""	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\00asw\ = "{472083B0-C522-11CF-8763-00608CC02F24}"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\x86\\aswRegSvr64.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Starting kernel driver: aswSP"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: msvcp140_codecvt_ids.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswcert.dll"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.avastvpn	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "90"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswSnx.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\Inf\\aswVmm.cat"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Unregistering file: C:\\Program Files\\Avast Software\\Avast\\asOutExt64.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswStrm.dll"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}	RegSvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeavast_one_essential_setup_online_x64.exechrome.exeinstup.exechrome.exe

pid	process
4824	chrome.exe
4824	chrome.exe
1112	chrome.exe
1112	chrome.exe
4932	chrome.exe
4932	chrome.exe
2544	chrome.exe
2544	chrome.exe
3340	chrome.exe
3340	chrome.exe
4008	chrome.exe
4008	chrome.exe
3496	chrome.exe
3496	chrome.exe
4644	chrome.exe
4644	chrome.exe
4500	chrome.exe
4500	chrome.exe
3180	avast_one_essential_setup_online_x64.exe
3180	avast_one_essential_setup_online_x64.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
3496	instup.exe
2732	chrome.exe
2732	chrome.exe

Suspicious behavior: LoadsDriver 11 IoCs

Processes:

pid process

660
660
660
660
660
660
660
660
660
660
660

pid	process
660
660
660
660
660
660
660
660
660
660
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

chrome.exe

pid	process
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

avast_one_essential_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exesvchost.exeaswOfferTool.exe

description	pid	process
Token: 32	3180	avast_one_essential_setup_online_x64.exe
Token: SeDebugPrivilege	3328	instup.exe
Token: 32	3328	instup.exe
Token: SeDebugPrivilege	3496	instup.exe
Token: 32	3496	instup.exe
Token: SeDebugPrivilege	2064	aswOfferTool.exe
Token: SeImpersonatePrivilege	2064	aswOfferTool.exe
Token: SeTcbPrivilege	3440	svchost.exe
Token: SeTcbPrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeDebugPrivilege	4100	aswOfferTool.exe
Token: SeImpersonatePrivilege	4100	aswOfferTool.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: SeBackupPrivilege	3440	svchost.exe
Token: SeRestorePrivilege	3440	svchost.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe
Token: 35	3496	instup.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exeinstup.exe

pid	process
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
3496	instup.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

avast_one_free_antivirus.exeavast_one_essential_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeAvEmUpdate.exeavBugReport.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeAvastNM.exeSetupInf.exeavast_cleanup_setup.exeicarus.exeicarus.exepdfix.exe

pid	process
116	avast_one_free_antivirus.exe
3180	avast_one_essential_setup_online_x64.exe
3328	instup.exe
3328	instup.exe
3496	instup.exe
3496	instup.exe
2380	aswOfferTool.exe
4740	aswOfferTool.exe
3812	aswOfferTool.exe
5104	aswOfferTool.exe
2064	aswOfferTool.exe
4100	aswOfferTool.exe
1212	aswOfferTool.exe
3816	sbr.exe
1364	SetupInf.exe
4856	SetupInf.exe
2656	SetupInf.exe
1912	SetupInf.exe
3996	SetupInf.exe
4072	AvEmUpdate.exe
4940	AvEmUpdate.exe
4168	avBugReport.exe
2260	RegSvr.exe
2068	RegSvr.exe
3456	RegSvr.exe
1648	RegSvr.exe
3136	AvastNM.exe
3688	SetupInf.exe
4956	avast_cleanup_setup.exe
4680	icarus.exe
1688	icarus.exe
1744	pdfix.exe
1744	pdfix.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1112 wrote to memory of 4816	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4816	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 2080	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4824	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4824	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe
PID 1112 wrote to memory of 4620	1112	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.avast.com/c-malware-removal-tool
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca1034f50,0x7ffca1034f60,0x7ffca1034f70
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:344
- C:\Users\Admin\Downloads\avast_one_free_antivirus.exe
  "C:\Users\Admin\Downloads\avast_one_free_antivirus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:116
- - C:\Windows\Temp\asw.095f3dba005d3592\avast_one_essential_setup_online_x64.exe
    "C:\Windows\Temp\asw.095f3dba005d3592\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_999_999_a6i_m /ga_clientid:8755827c-8432-43e0-83d9-1e5151083dd7 /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3180
  - - C:\Windows\Temp\asw.4794986d48333567\instup.exe
      "C:\Windows\Temp\asw.4794986d48333567\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.4794986d48333567 /edition:21 /prod:ais /guid:c3f1c0ee-1a40-4faf-89d9-f4fdcbc62fa1 /ga_clientid:8755827c-8432-43e0-83d9-1e5151083dd7 /cookie:mmm_aon_999_999_a6i_m /ga_clientid:8755827c-8432-43e0-83d9-1e5151083dd7 /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3328
    - - C:\Windows\Temp\asw.4794986d48333567\New_16091792\instup.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.4794986d48333567 /edition:21 /prod:ais /guid:c3f1c0ee-1a40-4faf-89d9-f4fdcbc62fa1 /ga_clientid:8755827c-8432-43e0-83d9-1e5151083dd7 /cookie:mmm_aon_999_999_a6i_m /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592 /online_installer
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Registers COM server for autorun
        Sets service image path in registry
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3496
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkGToolbar -elevated
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4740
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" /check_secure_browser
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3812
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5104
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2808
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4100
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3140
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1212
      - C:\Windows\Temp\asw.4794986d48333567\New_16091792\sbr.exe
        
        "C:\Windows\Temp\asw.4794986d48333567\New_16091792\sbr.exe" 3496 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3816
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswRdr2.cat
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:1364
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswHwid.cat
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4856
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswVmm.cat
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:2656
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswRvrt.cat
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:1912
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /elaminst C:\Windows\system32\drivers\aswElam.sys
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3996
      - C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
        
        "C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer /reg
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4072
      - C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
        
        "C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Program Files\Avast Software\Avast\avBugReport.exe
        
        "C:\Program Files\Avast Software\Avast\avBugReport.exe" --send "dumps|report" --silent --path "C:\ProgramData\Avast Software\Avast" --logpath "C:\ProgramData\Avast Software\Avast\log" --guid c3f1c0ee-1a40-4faf-89d9-f4fdcbc62fa1
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4168
      - C:\Program Files\Avast Software\Avast\x86\RegSvr.exe
        
        "C:\Program Files\Avast Software\Avast\x86\RegSvr.exe" "C:\Program Files\Avast Software\Avast\x86\aswAMSI.dll"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2260
      - C:\Program Files\Avast Software\Avast\RegSvr.exe
        
        "C:\Program Files\Avast Software\Avast\RegSvr.exe" "C:\Program Files\Avast Software\Avast\aswAMSI.dll"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2068
      - C:\Program Files\Avast Software\Avast\x86\RegSvr.exe
        
        "C:\Program Files\Avast Software\Avast\x86\RegSvr.exe" "C:\Program Files\Avast Software\Avast\x86\asOutExt.dll"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3456
      - C:\Program Files\Avast Software\Avast\RegSvr.exe
        
        "C:\Program Files\Avast Software\Avast\RegSvr.exe" "C:\Program Files\Avast Software\Avast\asOutExt.dll"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1648
      - C:\Program Files\Avast Software\Avast\AvastNM.exe
        
        "C:\Program Files\Avast Software\Avast\AvastNM.exe" /install
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3136
      - C:\Program Files\Avast Software\Avast\SetupInf.exe
        
        "C:\Program Files\Avast Software\Avast\SetupInf.exe" /catinstall:"C:\Program Files\Avast Software\Avast\setup\crts.cat" /basename:pkg_{af98c830-4f53-4176-a7b0-ec21fc603adc}.cat /crtid:9809A3351150669332CDB2A1412622D9FCFBC440
        6⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3688
      - C:\Program Files\Avast Software\Avast\avast_cleanup_setup.exe
        
        "C:\Program Files\Avast Software\Avast\avast_cleanup_setup.exe" /silent /nouiafterinstall /source:avast_one /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:4956
        
        C:\Windows\Temp\asw-8e28122e-16c3-462c-98d5-bf92b08063cc\common\icarus.exe
        
        C:\Windows\Temp\asw-8e28122e-16c3-462c-98d5-bf92b08063cc\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-8e28122e-16c3-462c-98d5-bf92b08063cc\icarus-info.xml /install /silent /nouiafterinstall /source:avast_one /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Windows\Temp\asw-8e28122e-16c3-462c-98d5-bf92b08063cc\avast-tu\icarus.exe
        
        C:\Windows\Temp\asw-8e28122e-16c3-462c-98d5-bf92b08063cc\avast-tu\icarus.exe /silent /nouiafterinstall /source:avast_one /edat_dir:C:\Windows\Temp\asw.095f3dba005d3592 /er_master:master_ep_6e8429df-9557-4fcd-9ae6-701f6d7ebb19 /er_ui:ui_ep_05445c63-c48c-425f-90ed-2cf885b05935 /er_slave:avast-tu_slave_ep_ca0149ff-25d2-46fe-b5ae-7c8b2ee86931 /slave:avast-tu
        8⤵
        Executes dropped EXE
        Uses Session Manager for persistence
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Drops file in Program Files directory
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Avast Software\Cleanup\pdfix.exe
        
        "C:\Program Files\Avast Software\Cleanup\pdfix.exe" /fixifeo
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5452 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,8309322579907845296,6889605324107855747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:904
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir904_149319513\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir904_149319513\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={28e18b4d-6fab-4171-92de-37043a0ecd1f} --system
  2⤵
  - Executes dropped EXE
  PID:3952

C:\Program Files\Avast Software\Cleanup\TuneupSvc.exe
"C:\Program Files\Avast Software\Cleanup\TuneupSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
4KB

MD5
0422f529d30aab0a093ea92bdcda7839

SHA1
293a215d145a158d4f9949464b60d62f7b68e6fb

SHA256
9bad051737e9df4f5c3c4805a330399c694fc08011f89068764a05467e4432df

SHA512
6f18e335b245775572cb16d5b80a9b5081534c0ef5eda7ad445d9139f43e56d4b1d4998a454ccbc36ae1d0ed1cc52f2eeb54cf6ef6ff7dd0ae9cbcf7b7414ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\avast_one_free_antivirus.exe

Filesize
262KB

MD5
efff813bf04eb81571158098edd0d760

SHA1
63fd6d4d7ada4e63ba44d9acad19c5871dcb81b3

SHA256
2d963d0ac1a323828e291183214d7e6df86569e54f814eb3e7e44b5c03328e1d

SHA512
9938c751731640a070d7284e41014650ae9d8952d2f4f7ca1d7b93c91f61a9246492d61bf5ada8296944cb569e84bcde50fc565d8866129ae13f8053259aaf83

Download Submit
C:\Users\Admin\Downloads\avast_one_free_antivirus.exe

Filesize
262KB

MD5
efff813bf04eb81571158098edd0d760

SHA1
63fd6d4d7ada4e63ba44d9acad19c5871dcb81b3

SHA256
2d963d0ac1a323828e291183214d7e6df86569e54f814eb3e7e44b5c03328e1d

SHA512
9938c751731640a070d7284e41014650ae9d8952d2f4f7ca1d7b93c91f61a9246492d61bf5ada8296944cb569e84bcde50fc565d8866129ae13f8053259aaf83

Download Submit
C:\Windows\Temp\asw.095f3dba005d3592\avast_one_essential_setup_online_x64.exe

Filesize
9.3MB

MD5
5b6eff947184c8cf998ea6a2e418b674

SHA1
09504db44358cc1e32d5992475b7f461d6a60238

SHA256
4232208444c5c3b76ba4ad1fc32bb3483d5eeb9ac77539e76205f51a4fb3e31d

SHA512
561c544d91543ebe1314de5c9fb26af8cfc4c9667fd5f82fef1035c5516b4c3cb96aebce8bed8b6844ce34b10ddb9880e3962d3092f1fbf42574df2d4abd96f5

Download Submit
C:\Windows\Temp\asw.095f3dba005d3592\avast_one_essential_setup_online_x64.exe

Filesize
9.3MB

MD5
5b6eff947184c8cf998ea6a2e418b674

SHA1
09504db44358cc1e32d5992475b7f461d6a60238

SHA256
4232208444c5c3b76ba4ad1fc32bb3483d5eeb9ac77539e76205f51a4fb3e31d

SHA512
561c544d91543ebe1314de5c9fb26af8cfc4c9667fd5f82fef1035c5516b4c3cb96aebce8bed8b6844ce34b10ddb9880e3962d3092f1fbf42574df2d4abd96f5

Download Submit
C:\Windows\Temp\asw.095f3dba005d3592\avast_one_essential_setup_online_x64.exe

Filesize
9.3MB

MD5
5b6eff947184c8cf998ea6a2e418b674

SHA1
09504db44358cc1e32d5992475b7f461d6a60238

SHA256
4232208444c5c3b76ba4ad1fc32bb3483d5eeb9ac77539e76205f51a4fb3e31d

SHA512
561c544d91543ebe1314de5c9fb26af8cfc4c9667fd5f82fef1035c5516b4c3cb96aebce8bed8b6844ce34b10ddb9880e3962d3092f1fbf42574df2d4abd96f5

Download Submit
C:\Windows\Temp\asw.095f3dba005d3592\ecoo.edat

Filesize
21B

MD5
e45f114602f5dc736515f22121f167e8

SHA1
42a26fc0aa3b0fe1b697d7b49d50ae1030817a64

SHA256
84cae5fc103e4a16df95224c351386db251281292e9b4b301b38ae77f6c09780

SHA512
7ec67fd274be919df2a3c35a24670bd91666527c08deca5a264e7d174a1db5791e9c5e59d5dfbadb831cbfc4661c07e59310a10a4aa0d438b594c36a2b1f8c62

Download Submit
C:\Windows\Temp\asw.4794986d48333567\HTMLayout.dll

Filesize
3.8MB

MD5
46766c2980fabbe18891f34015eb6448

SHA1
18c10f90379038eea21b665dc2d9c9943ef5466a

SHA256
d0e2d5b5cb1db0a0fffd1947595e5dd684eb99b5b38c0514cf9c210b9e62787c

SHA512
6597ec2f8c4b6fe0bea8a86ba5a145c77f27d472fdd9967c81612e3cd373cb9e1f3f98c5cf3712b3bf8a3f852ab62d8e0e804430347cf0a007046e8e79b152d4

Download Submit
C:\Windows\Temp\asw.4794986d48333567\HTMLayout.dll

Filesize
3.8MB

MD5
46766c2980fabbe18891f34015eb6448

SHA1
18c10f90379038eea21b665dc2d9c9943ef5466a

SHA256
d0e2d5b5cb1db0a0fffd1947595e5dd684eb99b5b38c0514cf9c210b9e62787c

SHA512
6597ec2f8c4b6fe0bea8a86ba5a145c77f27d472fdd9967c81612e3cd373cb9e1f3f98c5cf3712b3bf8a3f852ab62d8e0e804430347cf0a007046e8e79b152d4

Download Submit
C:\Windows\Temp\asw.4794986d48333567\Instup.dll

Filesize
20.3MB

MD5
bd903d66bfefd015993b0bae58ed9dd9

SHA1
ac9d8584ede4db6b4e8e75fd7b9fe295e4f5635a

SHA256
9f4c0f979cf6451cfecc2ab60b0c504a02acf4548923a923e5ed5b7a4580bccf

SHA512
4260cae21eb082c606aa09b4e870939f87e2adc1e593b9ba7f347a9217ddcadd667e65f72ba6ae2d2dfc031ad9a14fbcdb672656b4726f1ccf91724bc2b3e309

Download Submit
C:\Windows\Temp\asw.4794986d48333567\Instup.dll

Filesize
20.3MB

MD5
bd903d66bfefd015993b0bae58ed9dd9

SHA1
ac9d8584ede4db6b4e8e75fd7b9fe295e4f5635a

SHA256
9f4c0f979cf6451cfecc2ab60b0c504a02acf4548923a923e5ed5b7a4580bccf

SHA512
4260cae21eb082c606aa09b4e870939f87e2adc1e593b9ba7f347a9217ddcadd667e65f72ba6ae2d2dfc031ad9a14fbcdb672656b4726f1ccf91724bc2b3e309

Download Submit
C:\Windows\Temp\asw.4794986d48333567\Instup.dll

Filesize
20.3MB

MD5
bd903d66bfefd015993b0bae58ed9dd9

SHA1
ac9d8584ede4db6b4e8e75fd7b9fe295e4f5635a

SHA256
9f4c0f979cf6451cfecc2ab60b0c504a02acf4548923a923e5ed5b7a4580bccf

SHA512
4260cae21eb082c606aa09b4e870939f87e2adc1e593b9ba7f347a9217ddcadd667e65f72ba6ae2d2dfc031ad9a14fbcdb672656b4726f1ccf91724bc2b3e309

Download Submit
C:\Windows\Temp\asw.4794986d48333567\Instup.exe

Filesize
3.4MB

MD5
954bacaf8c8b28cc1f3993619dceb362

SHA1
f3e0a5fd31212eab7d7fdca85f1d362744d05ddb

SHA256
a2bb7c45815f3359b5886fa0099e56a7622b699e340d428e8e924ee1993f48f5

SHA512
41e8e353580f82a6b02ab2c0f15d859d8a962206bb4eb7d7c2d8a50e17891fda559af7ef919b1b1c887c44e530f63b20cd5fbc743c741ac1f859a4af43fd8897

Download Submit
C:\Windows\Temp\asw.4794986d48333567\config.def

Filesize
24KB

MD5
a75eee45a03497944d9238a661acd66d

SHA1
35bd746be9276167d15be70fe29995b24742b366

SHA256
19751b4db72a8b48fc072e5d3d25e56cacbe7922c8a0e2eb7dc4172589a4f1b0

SHA512
69d0b7f89fae1db8ce3f2e7fbdfb84de5897d32696e49f102c94fc56cc8af4927687bae049f50266f1d01f87af7cfd9550901c15de2bab2e047adb506325c2e0

Download Submit
C:\Windows\Temp\asw.4794986d48333567\instup.exe

Filesize
3.4MB

MD5
954bacaf8c8b28cc1f3993619dceb362

SHA1
f3e0a5fd31212eab7d7fdca85f1d362744d05ddb

SHA256
a2bb7c45815f3359b5886fa0099e56a7622b699e340d428e8e924ee1993f48f5

SHA512
41e8e353580f82a6b02ab2c0f15d859d8a962206bb4eb7d7c2d8a50e17891fda559af7ef919b1b1c887c44e530f63b20cd5fbc743c741ac1f859a4af43fd8897

Download Submit
C:\Windows\Temp\asw.4794986d48333567\servers.def

Filesize
29KB

MD5
2bac3d81306aaa10e8b07c90172c6dff

SHA1
dab46d826105cf9d7615d93bda3ad625e687052d

SHA256
a210b0c6d0ad739cfb186e57bbf6360f1d47f7b8090a74340e812a68deb71a38

SHA512
cc6b759b4ff1334fa2e19a03aacb77c37f5459c613351cdbe1a9fefe4a4c21f587045041fd7b44c77e8142341bcee3bb3e6ccf4dc8a1600b55665b2041c94ab8

Download Submit
\??\pipe\crashpad_1112_TIFESESQQEJQRYHJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-134-0x0000000000000000-mapping.dmp

Download
memory/1212-163-0x0000000000000000-mapping.dmp

Download
memory/1364-166-0x0000000000000000-mapping.dmp

Download
memory/1648-177-0x0000000000000000-mapping.dmp

Download
memory/1688-182-0x0000000000000000-mapping.dmp

Download
memory/1744-183-0x0000000000000000-mapping.dmp

Download
memory/1912-169-0x0000000000000000-mapping.dmp

Download
memory/2064-159-0x0000000000000000-mapping.dmp

Download
memory/2068-175-0x0000000000000000-mapping.dmp

Download
memory/2260-174-0x0000000000000000-mapping.dmp

Download
memory/2380-155-0x0000000000000000-mapping.dmp

Download
memory/2656-168-0x0000000000000000-mapping.dmp

Download
memory/2808-160-0x0000000000000000-mapping.dmp

Download
memory/3136-178-0x0000000000000000-mapping.dmp

Download
memory/3140-162-0x0000000000000000-mapping.dmp

Download
memory/3180-138-0x0000000000000000-mapping.dmp

Download
memory/3328-142-0x0000000000000000-mapping.dmp

Download
memory/3456-176-0x0000000000000000-mapping.dmp

Download
memory/3496-153-0x0000000000000000-mapping.dmp

Download
memory/3688-179-0x0000000000000000-mapping.dmp

Download
memory/3812-157-0x0000000000000000-mapping.dmp

Download
memory/3816-164-0x0000000000000000-mapping.dmp

Download
memory/3952-165-0x0000000000000000-mapping.dmp

Download
memory/3996-170-0x0000000000000000-mapping.dmp

Download
memory/4072-171-0x0000000000000000-mapping.dmp

Download
memory/4100-161-0x0000000000000000-mapping.dmp

Download
memory/4168-173-0x0000000000000000-mapping.dmp

Download
memory/4680-181-0x0000000000000000-mapping.dmp

Download
memory/4740-156-0x0000000000000000-mapping.dmp

Download
memory/4856-167-0x0000000000000000-mapping.dmp

Download
memory/4940-172-0x0000000000000000-mapping.dmp

Download
memory/4956-180-0x0000000000000000-mapping.dmp

Download
memory/5104-158-0x0000000000000000-mapping.dmp

Download