Analysis Overview
SHA256
2e1e9fcdf5c97ef55077a8c62ee0b60f614fa76e0fc5c06a7ac8a262ae67b21f
Threat Level: Known bad
The file 3c5d9ac0741850b5e6bf3af8c807b7ccfdb1bfc702cd75d8897a27b1387031c7.zip was found to be: Known bad.
Malicious Activity Summary
PlugX
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-02-01 15:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-01 15:37
Reported
2024-02-01 17:35
Platform
win10v2004-20231215-en
Max time kernel
593s
Max time network
601s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 1744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 15:37
Reported
2024-02-01 17:29
Platform
win7-20231215-en
Max time kernel
580s
Max time network
592s
Command Line
Signatures
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 264" | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 264" | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| File opened (read-only) | \??\F: | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 43004100460034004600390041003100310046004400380033003800310038000000 | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 812 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
| PID 812 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
| PID 812 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
| PID 812 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe
"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
C:\ProgramData\AvastSvcyHA\AvastSvc.exe 264
Network
| Country | Destination | Domain | Proto |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
Files
memory/812-2-0x0000000000420000-0x0000000000520000-memory.dmp
memory/812-1-0x0000000001200000-0x0000000004E37000-memory.dmp
C:\ProgramData\AvastSvcyHA\wsc.dll
| MD5 | fd866f6e1b997c31bdb6ba24361663e5 |
| SHA1 | fdf4296522e9ad7ed6d2b7a8aa53debb15566c19 |
| SHA256 | 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34 |
| SHA512 | 05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c |
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
| MD5 | a72036f635cecf0dcb1e9c6f49a8fa5b |
| SHA1 | 049813b955db1dd90952657ae2bd34250153563e |
| SHA256 | 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 |
| SHA512 | e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2 |
C:\ProgramData\AvastSvcyHA\AvastAuth.dat
| MD5 | 03a75e4fd64e9b46d0dfff2589d27822 |
| SHA1 | 099199fe7bf4e7245e44e9a977178348a37a4f61 |
| SHA256 | 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028 |
| SHA512 | 0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1 |
memory/2416-18-0x0000000000510000-0x0000000000610000-memory.dmp
memory/2416-17-0x0000000000710000-0x0000000004347000-memory.dmp
memory/2416-19-0x0000000000710000-0x0000000004347000-memory.dmp
memory/2416-20-0x0000000000710000-0x0000000004347000-memory.dmp
memory/2416-21-0x0000000000510000-0x0000000000610000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 15:37
Reported
2024-02-01 17:31
Platform
win10v2004-20231215-en
Max time kernel
586s
Max time network
607s
Command Line
Signatures
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 748" | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 748" | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| File opened (read-only) | \??\F: | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 31004500340038003600340030004300460035003500440030003000380038000000 | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| N/A | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\AvastSvcyHA\AvastSvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3324 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
| PID 3324 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
| PID 3324 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | C:\ProgramData\AvastSvcyHA\AvastSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe
"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
C:\ProgramData\AvastSvcyHA\AvastSvc.exe 748
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| HK | 103.192.226.100:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| HK | 103.192.226.100:8000 | | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| HK | 103.192.226.100:8080 | | tcp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| HK | 103.192.226.100:110 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:8000 | | tcp |
| HK | 103.192.226.100:8080 | | tcp |
| HK | 103.192.226.100:110 | | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| HK | 103.192.226.100:80 | | tcp |
Files
memory/3324-1-0x0000000000D90000-0x0000000000E90000-memory.dmp
memory/3324-2-0x0000000000F90000-0x0000000004BC7000-memory.dmp
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
| MD5 | a72036f635cecf0dcb1e9c6f49a8fa5b |
| SHA1 | 049813b955db1dd90952657ae2bd34250153563e |
| SHA256 | 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 |
| SHA512 | e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2 |
C:\ProgramData\AvastSvcyHA\wsc.dll
| MD5 | fd866f6e1b997c31bdb6ba24361663e5 |
| SHA1 | fdf4296522e9ad7ed6d2b7a8aa53debb15566c19 |
| SHA256 | 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34 |
| SHA512 | 05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c |
C:\ProgramData\AvastSvcyHA\AvastAuth.dat
| MD5 | 03a75e4fd64e9b46d0dfff2589d27822 |
| SHA1 | 099199fe7bf4e7245e44e9a977178348a37a4f61 |
| SHA256 | 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028 |
| SHA512 | 0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1 |
memory/1500-14-0x0000000000760000-0x0000000000860000-memory.dmp
memory/1500-13-0x0000000000DB0000-0x00000000049E7000-memory.dmp
memory/1500-15-0x0000000000DB0000-0x00000000049E7000-memory.dmp
memory/1500-16-0x0000000000DB0000-0x00000000049E7000-memory.dmp
memory/1500-17-0x0000000000760000-0x0000000000860000-memory.dmp
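Two points a responder should take from the behavioral1 and behavioral2 runs before acting on the tables. First, only those two full detonations carry the PlugX signature; the two runs that invoked wsc.dll export #1 through rundll32 (behavioral3 and behavioral4) show nothing beyond a 64-bit to 32-bit rundll32 hand-off, with no Run key and no traffic to 103.192.226.100, so the DLL on its own is not a reliable detonation vehicle. Second, the in-addr.arpa rows are PTR lookups the sandbox sent to 8.8.8.8 for addresses it was already talking to; they are not attacker-controlled names and should not be treated as C2 domains. The script below is an added example, not output of the sandbox and not part of this report: it reads tables in the layout used on this page, repairs the raw export's column shift (protocol landing in the Domain slot when no name was resolved), separates C2 endpoints from PTR noise, pulls dropped-file SHA256 values and Run-key persistence, and flags any dropped directory holding an .exe, .dll and .dat together, the on-disk layout that PlugX DLL side-loading leaves behind (launcher, loader DLL, encrypted payload) and exactly what C:\ProgramData\AvastSvcyHA contains. The sample text is a constructed subset of the behavioral1 rows above; the function names and the Iocs structure are this example's own.

```python
"""Pull actionable IOCs out of a sandbox report in the table layout used above.

Added example for this page, not part of the sandbox's tooling. It reads the
report's pipe-delimited tables, separates real C2 endpoints from PTR (reverse
DNS) noise, extracts dropped-file hashes and Run-key persistence, and flags
directories holding the exe/dll/dat trio that PlugX side-loading leaves on disk.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: rows copied from the behavioral1 tables above, kept in the
# raw export's shifted form (proto in the Domain slot, or a missing trailing pipe).
SAMPLE_REPORT = r"""
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 264" | C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| HK | 103.192.226.100:80 | tcp | |
| HK | 103.192.226.100:8000 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| HK | 103.192.226.100:80 | | tcp |
| HK | 103.192.226.100:110 | tcp
Files
C:\ProgramData\AvastSvcyHA\wsc.dll
| MD5 | fd866f6e1b997c31bdb6ba24361663e5 |
| SHA256 | 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34 |
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
| SHA256 | 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 |
C:\ProgramData\AvastSvcyHA\AvastAuth.dat
| SHA256 | 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028 |
"""

ARPA_SUFFIX = ".in-addr.arpa"
# Run-key indicator as the report prints it: <key> = "<escaped value>"
RUNKEY_RE = re.compile(r'^(?P<key>\\REGISTRY\\\S+) = "(?P<value>.*)"$')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Iocs:
    c2: dict = field(default_factory=lambda: defaultdict(set))  # ip -> {ports}
    ptr_targets: set = field(default_factory=set)  # addresses the sandbox reverse-resolved
    files: dict = field(default_factory=dict)  # dropped path -> sha256
    persistence: list = field(default_factory=list)  # (registry key, command line)


def _cells(line):
    """Split a pipe-delimited row into stripped cells (outer pipes dropped)."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def _normalize_net(cells):
    """Repair the export's column shift: 'tcp' in the Domain slot means no domain."""
    country, dest, domain, proto = (cells + ["", "", "", ""])[:4]
    if not proto and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain
    return country, dest, domain, proto.lower()


def parse_report(text):
    iocs = Iocs()
    section = None
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):  # blank or memory-dump entry
            continue
        if not line.startswith("|"):
            if WIN_PATH_RE.match(line):  # a dropped-file path heading under Files
                current_file = line
            else:  # any other bare line is a section or signature heading
                section, current_file = line, None
            continue
        cells = _cells(line)
        if section == "Network":
            _, dest, domain, proto = _normalize_net(cells)
            if domain.endswith(ARPA_SUFFIX):  # PTR lookup: record the target IP, not a C2
                octets = domain[: -len(ARPA_SUFFIX)].split(".")
                iocs.ptr_targets.add(".".join(reversed(octets)))
            elif proto == "tcp" and ":" in dest:
                ip, port = dest.rsplit(":", 1)
                iocs.c2[ip].add(int(port))
        elif section and section.startswith("Adds Run key") and len(cells) > 1:
            m = RUNKEY_RE.match(cells[1])
            if m:  # undo the report's \" and \\ escaping of the value
                cmd = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
                iocs.persistence.append((m.group("key"), cmd))
        elif section == "Files" and current_file and len(cells) == 2 and cells[0] == "SHA256":
            iocs.files[current_file] = cells[1]
    return iocs


def sideload_triads(files):
    """Directories holding an .exe, a .dll and a .dat together: the PlugX
    side-loading layout (launcher, loader DLL, encrypted payload)."""
    by_dir = defaultdict(set)
    for path in files:
        directory, _, name = path.rpartition("\\")
        by_dir[directory].add(name.rsplit(".", 1)[-1].lower())
    return sorted(d for d, exts in by_dir.items() if {"exe", "dll", "dat"} <= exts)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for ip, ports in found.c2.items():
        print(f"C2 {ip} ports {sorted(ports)}")
    print("PTR-only targets (not C2):", sorted(found.ptr_targets))
    for key, cmd in found.persistence:
        print(f"Run key {key} -> {cmd}")
    print("side-load directories:", sideload_triads(found.files))
```

Run it against the full report text and the C2 set collapses to one address with four ports (80, 8000, 8080, 110), which is a more useful blocking artifact than the thirty repeated rows; the PTR targets are worth keeping only as context for what else the sandbox host was doing. The triad check is deliberately narrow: a directory with all three file types is a strong hunt lead for this family, but a PlugX build that drops only the exe and dll, or uses a different extension for the payload, will not trip it.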
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-01 15:37
Reported
2024-02-01 17:35
Platform
win7-20231215-en
Max time kernel
361s
Max time network
364s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2884 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1