Malware Analysis Report

2025-01-02 08:03

Sample ID 240510-efejeahd3s
Target 63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics
SHA256 fa651641cbd17ff9541a1cf4f8c1519b6dd2672739d602bc6dae394689751b6f
Tags bootkit persistence privateloader loader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 fa651641cbd17ff9541a1cf4f8c1519b6dd2672739d602bc6dae394689751b6f
Threat Level: Known bad

The file 63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

bootkit persistence privateloader loader

PrivateLoader
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks for any installed AV software in registry
Writes to the Master Boot Record (MBR)
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

The dropped executables and their command lines in behavioral1 are the AVG Free installer chain (avg_antivirus_free_setup_x64.exe -> instup.exe -> aswOfferTool.exe, pulling packages from *.avcdn.net), and the recorded traffic goes to Avast/AVG infrastructure plus Google Analytics. Read the per-signature tables below against that chain rather than as isolated indicators: most hits are produced by the installer components, not by the submitted sample itself.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-10 03:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-10 03:52
Reported 2024-05-10 03:55
Platform win7-20240221-en
Max time kernel 142s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A

Checks for any installed AV software in registry

Every process in this table is an AVG installer component, and AVG is an Avast product, so the opens of the Avast keys are consistent with the installer checking for an existing install of its own vendor's software. Only the Avira key is a check for a third-party product.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
The indicator behind this signature is a handle to \??\PhysicalDrive0 opened with write access; the report records no bytes written to sector 0. Confirm an actual MBR change (for example by diffing the first 512 bytes of the disk image before and after detonation) before treating this as a bootkit.
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "65" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "30" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "99" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-c62.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-c62.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "5" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: part-setup_ais-15020c62.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "43" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "82" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "91" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "44" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "70" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "69" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "87" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "9" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "45" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "20" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "8" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "63" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-c62.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "87" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "97" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-c62.vpx" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "64" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "16" C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
The new entry sits under AuthRoot\Certificates, the store Windows fills from its automatic root-certificate update, and the thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 fingerprint of DigiCert Global Root CA. On a clean Windows 7 image the first TLS connection that chains to a root missing locally triggers exactly this write, so decode the blob and verify it is that certificate before treating this as attacker-installed trust.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted in this copy of the report) C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 3044 wrote to memory of 2924 N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.127291e3f34561c0\instup.exe
PID 3044 wrote to memory of 2924 N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.127291e3f34561c0\instup.exe
PID 3044 wrote to memory of 2924 N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.127291e3f34561c0\instup.exe
PID 2924 wrote to memory of 924 N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe
PID 2924 wrote to memory of 924 N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe
PID 2924 wrote to memory of 924 N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
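The table above records one row per WriteProcessMemory call, so the same parent/child pair repeats and the lineage is hard to see at a glance. The following is an added example written for this edit, not part of the report or of the sandbox's own tooling: it parses rows in that flattened layout, collapses them into a parent-to-child tree with a call count per edge, and renders the chain. The rows embedded in it are a subset copied from the table above (two identical 2944 -> 3044 rows are kept to show that repeats are separate events).

```python
import re
from collections import Counter, defaultdict

# Subset of rows copied from the WriteProcessMemory table above, in the report's
# flattened layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Two identical 2944 -> 3044 rows are kept on purpose: each row is one call.
WPM_ROWS = r"""
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 2944 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
PID 3044 wrote to memory of 2924 N/A C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.127291e3f34561c0\instup.exe
PID 2924 wrote to memory of 924 N/A C:\Windows\Temp\asw.127291e3f34561c0\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe
PID 924 wrote to memory of 2464 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2560 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2952 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
PID 924 wrote to memory of 2564 N/A C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
"""

# Paths in these tables carry no spaces, so \S+ is enough for the image columns.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_lineage(events):
    """Collapse events into parent -> [children] (first-seen order),
    pid -> image path, and a WriteProcessMemory call count per edge."""
    children = defaultdict(list)
    image = {}
    calls = Counter()
    for src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        calls[(src, dst)] += 1
    return children, image, calls


def root_pids(children):
    """PIDs that write into others but are never written into: the chain's origin."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def render_tree(children, image, calls, pid, depth=0, parent=None):
    """Indented text lines, one per process, with the call count on each edge."""
    name = image[pid].rsplit("\\", 1)[-1]
    tag = ""
    if parent is not None:
        n = calls[(parent, pid)]
        tag = f"  ({n} WriteProcessMemory call{'s' if n != 1 else ''} from {parent})"
    lines = [f"{'  ' * depth}{pid} {name}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, image, calls, child, depth + 1, pid))
    return lines


def lineage_report(text):
    """Parse a WriteProcessMemory table and render every chain found in it."""
    children, image, calls = build_lineage(parse_wpm_rows(text))
    return [line for root in root_pids(children)
            for line in render_tree(children, image, calls, root)]


if __name__ == "__main__":
    print("\n".join(lineage_report(WPM_ROWS)))
```

Run against the full table the output is a single chain rooted at PID 2944 (the submitted sample) with four aswOfferTool.exe children under PID 924, which is the shape of an installer spawning helpers; a loader injecting into an unrelated process would show up as an edge whose destination image is not one the parent itself dropped.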

Processes

C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"

C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe

"C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_012_999_a8c_m /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789

C:\Windows\Temp\asw.127291e3f34561c0\instup.exe

"C:\Windows\Temp\asw.127291e3f34561c0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.127291e3f34561c0 /edition:15 /prod:ais /stub_context:97984933-4102-4a34-a022-35a76e496078:10042744 /guid:d9facd5f-33be-4bb1-bb7c-c06decdf1d20 /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /cookie:mmm_bav_012_999_a8c_m /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789

C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe

"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.127291e3f34561c0 /edition:15 /prod:ais /stub_context:97984933-4102-4a34-a022-35a76e496078:10042744 /guid:d9facd5f-33be-4bb1-bb7c-c06decdf1d20 /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789 /online_installer

C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFA

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.avg.u.avcdn.net udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
GB 142.250.179.238:80 www.google-analytics.com tcp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 b0017156.iavs9x.avg.u.avcdn.net udp
US 8.8.8.8:53 b0017156.iavs9x.avg.u.avcdn.net udp
SE 184.31.15.81:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 b5006751.iavs9x.avg.u.avcdn.net udp
US 8.8.8.8:53 b5006751.iavs9x.avg.u.avcdn.net udp
SE 184.31.15.81:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.81:80 d7509631.iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 f4973661.avi18tiny.u.avcdn.net udp
US 8.8.8.8:53 f4973661.avi18tiny.u.avcdn.net udp
SE 184.31.15.41:80 s8784910.avi18tiny.u.avcdn.net tcp
SE 184.31.15.41:80 s8784910.avi18tiny.u.avcdn.net tcp
SE 184.31.15.41:80 s8784910.avi18tiny.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 alpha-license-dealer.ff.avast.com udp
BE 34.140.0.190:443 alpha-license-dealer.ff.avast.com tcp
US 8.8.8.8:53 alpha-iqs.ff.avast.com udp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
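The network table lists every DNS query and connection in order, so the same vendor hosts appear many times and an outlier is easy to miss. The following is an added example, not part of the report: it parses rows in the "Country Destination Domain Proto" layout, drops the lookups to the sandbox resolver, groups real connections by apex domain, flags apexes outside an analyst-supplied allowlist, and lists hosts contacted over cleartext tcp/80 (where this installer's package downloads went). The apex helper simply takes the last two labels, an assumption that is fine for .com/.net but wrong under public suffixes like .co.uk, where a public-suffix-list lookup would replace it. The rows embedded are a subset copied from the table above.

```python
from collections import Counter, defaultdict

# Subset of rows copied from the Network table above, in the report's layout:
# "<Country> <ip:port> <Domain> <Proto>".
NET_ROWS = """
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 142.250.179.238:80 www.google-analytics.com tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:443 iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
SE 184.31.15.81:80 d7509631.iavs9x.avg.u.avcdn.net tcp
SE 184.31.15.51:80 d7509631.iavs9x.avg.u.avcdn.net tcp
BE 34.140.0.190:443 alpha-license-dealer.ff.avast.com tcp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
"""

# The resolver this sandbox image uses; every :53 row in the report goes to it.
SANDBOX_RESOLVERS = {"8.8.8.8"}


def parse_net_rows(text):
    """One dict per row; the destination column is split into ip and port."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def apex(domain, labels=2):
    """Last two labels as the 'apex'. Assumption: adequate for .com/.net,
    wrong for public suffixes such as .co.uk, where a PSL lookup is needed."""
    return ".".join(domain.split(".")[-labels:])


def summarize(rows):
    """Drop DNS queries to the sandbox resolver and group real connections:
    apex -> {"hosts": set of FQDNs, "endpoints": Counter of (ip, port, proto)}."""
    summary = defaultdict(lambda: {"hosts": set(), "endpoints": Counter()})
    for r in rows:
        if r["port"] == 53 and r["ip"] in SANDBOX_RESOLVERS:
            continue
        entry = summary[apex(r["domain"])]
        entry["hosts"].add(r["domain"])
        entry["endpoints"][(r["ip"], r["port"], r["proto"])] += 1
    return summary


def unexpected_apexes(summary, expected):
    """Apexes outside the analyst's allowlist: the ones worth a second look."""
    return sorted(a for a in summary if a not in expected)


def cleartext_hosts(rows):
    """Hosts reached over plain tcp/80; anything fetched there is only as
    trustworthy as the downloader's own signature check on the payload."""
    return sorted({r["domain"] for r in rows
                   if r["proto"] == "tcp" and r["port"] == 80})


if __name__ == "__main__":
    rows = parse_net_rows(NET_ROWS)
    s = summarize(rows)
    for a in sorted(s):
        print(a, sorted(s[a]["hosts"]), dict(s[a]["endpoints"]))
    print("review:", unexpected_apexes(s, {"avast.com", "avcdn.net"}))
    print("cleartext:", cleartext_hosts(rows))
```

With the vendor apexes avast.com and avcdn.net allowlisted, the only apex left for review in this subset is google-analytics.com, which matches the /ga_clientid parameter on the installer command lines above; the cleartext list shows that the *.iavs9x.avg.u.avcdn.net package downloads ran over tcp/80, so their integrity rests on the installer verifying the packages it receives, not on the transport.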

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 03:52

Reported

2024-05-10 03:55

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"

Signatures

PrivateLoader

loader privateloader

Downloads MZ/PE file

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALGtvH5eavUSy3hlHE9rvpQQAAAACAAAAAAAQZgAAAAEAACAAAAAJlrXp90t7vY2jY1hD3gVzGLJjnixUqtcbgnCmHPZwngAAAAAOgAAAAAIAACAAAACNfUVu3g3C+ZWFO7KmK/bUMLp/y6WCi7Pw615XOLLozDAAAACWkb9WhOQn/dNu/oiN3L2UoKxixDVpfqF2YeRKsUSqukvV1ogR8NVQPDlubLgQ6oNAAAAANbjXo6fKthdUOF6NxzE9zuroBgeVBWoGwYrvJzYBoR5kIwVJMlB6TPjFA6M7C31Xpc2xDZvJyBmcNN3tf4C6oA==" C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe
PID 3016 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe
PID 3016 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe
PID 4824 wrote to memory of 4076 N/A C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe
PID 4824 wrote to memory of 4076 N/A C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe
PID 4076 wrote to memory of 2888 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe
PID 4076 wrote to memory of 2888 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe
PID 4076 wrote to memory of 4276 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe
PID 4076 wrote to memory of 4276 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe
PID 4076 wrote to memory of 2748 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe
PID 4076 wrote to memory of 2748 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe
PID 4276 wrote to memory of 3196 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
PID 4276 wrote to memory of 3196 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
PID 4276 wrote to memory of 3196 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
PID 4276 wrote to memory of 2044 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
PID 4276 wrote to memory of 2044 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
PID 4276 wrote to memory of 2044 N/A C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"

C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe

"C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_012_999_a8c_m /ga_clientid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\icarus-info.xml /install /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5 /er_slave:avg-av_slave_ep_3344f888-70dc-4b44-b3b4-ab0ef27daa15 /slave:avg-av

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5 /er_slave:avg-av-vps_slave_ep_bcb8b2f3-9d68-4974-a4fa-d835f6e5e743 /slave:avg-av-vps

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe

"C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe

"C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe" -checkChrome -elevated

Network

Files

SHA256 0ffad989a60a625f10dcc0cd8ac586767e6c68c2cf1ddec9eedfb66dcbe726ee
SHA512 da8e1c8c80491391658ffd2875501ed252f7930553d4cb6f26e8a8b9eca43821b7b75a342462ace579b354c57542853f90b80ed856288e05bd6ec4b1e8ce6a8a

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\edition.edat

MD5 9bf31c7ff062936a96d3c8bd1f8f2ff3
SHA1 f1abd670358e036c31296e66b3b66c382ac00812
SHA256 e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb
SHA512 9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\setupui.cont

MD5 50c6f100664620a3163b2166d436bd32
SHA1 096dd3b1d3a56d7f52751a7da69d6a59700bc283
SHA256 61edc543e208ddd4545fe3f62e02893d09185379a9c4a77a8e29ad4463f7088a
SHA512 bb0d61ab76749a7e657d66a42b34910d3dfab13d88e1f0273ff6675edb3d460400bcf6e7d17440b58bcc9357abb974177d5fbf314056e6fe293a567290657c78

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\dump_process.exe

MD5 c22d80d43019235520344972efec9ff2
SHA1 1a2b4b2a52d820f9233ca0201be9ee7f6d82adbc
SHA256 5841a3df4784e008b8f2c567f15bb28cdb4cb4ca35c750f1108dfb1ccb6011f0
SHA512 f1cadbc3077379a6d7e36b8cf3bc830f44b5e668d4a6c0ce6b62bde292498c4f41c6588c5eba2599aa67524acfd125b7f23c419ae2b4a8e4afea7708aad83edc

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\product-def.xml

MD5 d29cc35aeedc83b04874604da70e0f7c
SHA1 2d900b1705c5aca05801fb33cb53c15633e5c89e
SHA256 88554406caa420774a4798054a9ec22cbf7e4680cc7dda086ed54dd368adbcde
SHA512 59ea174fbfcb8b92fce26be35393d5844cfa3b0b770a1d880b9fd1e4ea7878166814494d1a22d74b485fd7a3ba132e0883e0526c0412df7cac56c40cf1507089

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\bug_report.exe

MD5 0c0f0ca2bb49dfa3743e9d4156007c70
SHA1 042fdfba346a89a83f0c782117038a82b29a28d1
SHA256 0e1865702916ae47aafc54c6199e3a73acb735ae888f9a8dd7bc4656268ef9ea
SHA512 e15f826ce67d4d5224cdcefc3194a5a9144e152ad16136f5774d2ca29484fc11e778e2e9d114af80ad2a99907bd4999e6eef95c7b7dbbe6a7829d67c1b6bbc92

C:\ProgramData\AVG\Icarus\Logs\sui.log

MD5 a274181405db7fc8e8e9c67f3c94d6b5
SHA1 f34032229247369d1f45158a36abfb94101294bd
SHA256 b4b013ce9e28d7aca57e6d4f87cef2a3291e5922d20e6d51d06d4ca064dfd420
SHA512 d9a0de2531a40310b3e57ab93cfd5cbc791554913ea04f4002aa92c94c2dcfe9cc451be8709d6ea5b85b24800e400475e61911d5d676e55b50514199efb982e4

C:\ProgramData\AVG\Icarus\Logs\report.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\AVG\Icarus\Logs\icarus.log

MD5 316cf9e0a49e428fba7b77d048118a4d
SHA1 111bdb1f301e165d24b206df3d940ca5bb622453
SHA256 bcc69c1e46790c5229caa9760860f09913eef5f7e207e8974de62cbf51c99232
SHA512 eb212a06b50d2c9a7e3cf1cdf196b7a13dbb0bd9a8707aabf1c781bc0d3e31cc54ff57a18d93bf8fb60ed9768bd5fbc716bb898d5b25982c418373dbd7689934

C:\ProgramData\AVG\Icarus\settings\proxy.ini

MD5 b8853a8e6228549b5d3ad97752d173d4
SHA1 cd471a5d57e0946c19a694a6be8a3959cef30341
SHA256 8e511706c04e382e58153c274138e99a298e87e29e12548d39b7f3d3442878b9
SHA512 cf4edd9ee238c1e621501f91a4c3338ec0cb07ca2c2df00aa7c44d3db7c4f3798bc4137c11c15379d0c71fab1c5c61f19be32ba3fc39dc242313d0947461a787

C:\ProgramData\AVG\Icarus\Logs\icarus.log

MD5 ae27bd6d38484f74e567a35ff959ed80
SHA1 ac97836d5f7ceee8ba353fb74d2823ee4d212737
SHA256 87c4d0d066b1a7e0ce5ab761573b57ec098c629cfc0ca7893883f28729bc5108
SHA512 fa23af17f9aeb2501c43aff8280f3a72da809945d2b32ab58d86dc833ce39cceee03a3ee3eaa2c4ccbe020e3153cdf24de9f54ed6846afa0e97dd4e2483aee89

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\config.def

MD5 264d61ef38e6f06891da07c11bf71436
SHA1 e4a258aa41ce4aaacdfa7f5c0f6f11d4859fe1b2
SHA256 96976bd5ecb653aded30321685e44a59886901652c031de101e3a13326d61387
SHA512 c818737bcb76b4d50673c8007118320f0b6081108f4934016a04167d5a8f4835393274438769e05276c5db79c5d9f5e4e3748788a1439c974bdf16b3d5dd6890

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus_product.dll

MD5 c759ccf61856d42470ce0cdb946ed5c1
SHA1 7cf21d64cec004b16d27edc5d9eaa606ff3f2093
SHA256 e5a82b8065ea7eb2689b9fe756ea781169a22736b6f706cfeecb1ab0d7fb0f53
SHA512 037260fb2fff4b1fc1402dc71a2527e5a8985de0c0af662fbc6d27453f875e90265a696d175f1ebb645ecca37dcaa1ef2cb415ef32f66454f44906deed0b1f07

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus_product.dll

MD5 8dea9113f06c772b694076eb05e24af3
SHA1 4136e3908af8c5d45bcb687bd908578d9b491bef
SHA256 06e5db8b67e8ec03a308d576a4c5b169767075b04a550d7be7f98c4f6531c0cf
SHA512 eb8e5e2b7d85c0dfaf01e6a8b6db8363d8c3b82800ad686e2ddfcb654ce403f854262b969705d69b684dab58053bbf033a8aa3ca826e1677b2461f163987d128

C:\ProgramData\AVG\Icarus\Logs\icarus.log

MD5 055945f0eec0e77d55cb975e1786292e
SHA1 2787877f8e3dbda82e88f6e01514eabae3d06b1e
SHA256 6905082fb24a58f8b330a8e88ea3503ddde264156f3f6ed7a504ef348b96c6dd
SHA512 a039d5daf2fcf5c33b98b8656a32397b76167269df2bc0e8efaea212803622e83179d78dd7e9b905f8d3887c1085b09745915f975acfb2df4787dadcba43c186

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\product-info.xml

MD5 4635b5fbcb1c6f8fcb6d533b47c3ef35
SHA1 6906e683fdabf48cb9d97ddb0e34d56d51183b76
SHA256 8eff397ceffa80d053e398860104160ca3348e15ef5625d6e63d3c5281cb1ff5
SHA512 558805190cfb816d2c8e3137a78a9749906b0d3ad12079794dd084f551803e0cabaa18e39842827acf827a08ba3411e7206a14735317d3eacc5fd3da3d0bd683

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\product-def.xml

MD5 0cee874dff0fd4424dc21752c3644103
SHA1 2e975e58d3a6c35aef793449eec98e0c87ad78b1
SHA256 dff72d48fe1f71d6937579c2c849e9308c264a1d52bf83c929c1d6ecef80dfc1
SHA512 c3ab22359056fe2b5d220a0f4b97e52384fbd9a366d72c9b2e2e3874f7cb7c35e7fd0e39040bb1ea2db8b77212f470323e7738a4f57d439891adbb621be1476a

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\config.def

MD5 88b8bbca6adfb658e9f64786290b1508
SHA1 a7e19f0be671882e7c0de8d546482d20045139de
SHA256 a98977649c4c1e25f732e3023515cac1cf5d54df88d58c170dde6f895bc695fc
SHA512 b7329cac2951e04645771d207dc0c095fe81dfa17bd3df185f4da1e1cc4f726750a48921fd97345b6777638e212624d4f0d3824d39f363d9421bbbffd44f3968

C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe

MD5 4ba75fbdc944ce051b0caa31b354fe3a
SHA1 a20f3e601f311c9fff4de672eae5bb033ed6dc6f
SHA256 80b6f07ece1e64e25c8f9ce2f4074a6af344b1900bbe823ea5b295476a209136
SHA512 e51cd73f155d75b682245d226cb4d9276719070ddd0df5e1779f9e92a89e232f828f33d55cdb2df99d70a7aa21b161fbf9c4978c3a74212716f99b7dcd03319a

C:\Users\Public\Documents\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0