Analysis Overview
SHA256
fa651641cbd17ff9541a1cf4f8c1519b6dd2672739d602bc6dae394689751b6f
Threat Level: Known bad
The file 63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks for any installed AV software in registry
Writes to the Master Boot Record (MBR)
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 03:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:55
Platform
win7-20240221-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "65" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35" | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "30" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "99" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-c62.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-c62.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "5" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: part-setup_ais-15020c62.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "43" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "82" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "85" | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "91" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "44" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "70" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "69" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "87" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "9" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "45" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "20" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "8" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "63" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-c62.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "62" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "87" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "97" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-c62.vpx" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "64" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "16" | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value omitted] | C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 32 | N/A | C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"
C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
"C:\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_012_999_a8c_m /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789
C:\Windows\Temp\asw.127291e3f34561c0\instup.exe
"C:\Windows\Temp\asw.127291e3f34561c0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.127291e3f34561c0 /edition:15 /prod:ais /stub_context:97984933-4102-4a34-a022-35a76e496078:10042744 /guid:d9facd5f-33be-4bb1-bb7c-c06decdf1d20 /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /cookie:mmm_bav_012_999_a8c_m /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789
C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe
"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.127291e3f34561c0 /edition:15 /prod:ais /stub_context:97984933-4102-4a34-a022-35a76e496078:10042744 /guid:d9facd5f-33be-4bb1-bb7c-c06decdf1d20 /ga_clientid:1b7b5098-4ecf-45dd-8163-6f455c73c54c /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.441ea1f8a4e03789 /online_installer
C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkGToolbar -elevated
C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" /check_secure_browser
C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkChrome -elevated
C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe
"C:\Windows\Temp\asw.127291e3f34561c0\New_15020c62\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFA
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFA
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | iavs9x.avg.u.avcdn.net | udp |
| US | 34.117.223.223:80 | v7event.stats.avast.com | tcp |
| GB | 142.250.179.238:80 | www.google-analytics.com | tcp |
| SE | 184.31.15.51:443 | iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:443 | iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:443 | iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:443 | iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:443 | iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | iavs9x.avg.u.avcdn.net | tcp |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| GB | 142.250.179.238:80 | www.google-analytics.com | tcp |
| US | 34.117.223.223:443 | v7event.stats.avcdn.net | tcp |
| US | 34.117.223.223:443 | v7event.stats.avcdn.net | tcp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 34.160.176.28:443 | shepherd.avcdn.net | tcp |
| US | 8.8.8.8:53 | b0017156.iavs9x.avg.u.avcdn.net | udp |
| US | 8.8.8.8:53 | b0017156.iavs9x.avg.u.avcdn.net | udp |
| SE | 184.31.15.81:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.51:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| US | 8.8.8.8:53 | b5006751.iavs9x.avg.u.avcdn.net | udp |
| US | 8.8.8.8:53 | b5006751.iavs9x.avg.u.avcdn.net | udp |
| SE | 184.31.15.81:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| SE | 184.31.15.81:80 | d7509631.iavs9x.avg.u.avcdn.net | tcp |
| US | 8.8.8.8:53 | f4973661.avi18tiny.u.avcdn.net | udp |
| US | 8.8.8.8:53 | f4973661.avi18tiny.u.avcdn.net | udp |
| SE | 184.31.15.41:80 | s8784910.avi18tiny.u.avcdn.net | tcp |
| SE | 184.31.15.41:80 | s8784910.avi18tiny.u.avcdn.net | tcp |
| SE | 184.31.15.41:80 | s8784910.avi18tiny.u.avcdn.net | tcp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 34.160.176.28:443 | shepherd.avcdn.net | tcp |
| US | 8.8.8.8:53 | alpha-license-dealer.ff.avast.com | udp |
| BE | 34.140.0.190:443 | alpha-license-dealer.ff.avast.com | tcp |
| US | 8.8.8.8:53 | alpha-iqs.ff.avast.com | udp |
| BE | 34.76.203.183:443 | alpha-iqs.ff.avast.com | tcp |
| BE | 34.76.203.183:443 | alpha-iqs.ff.avast.com | tcp |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| US | 34.117.223.223:443 | v7event.stats.avcdn.net | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
Files
\Windows\Temp\asw.441ea1f8a4e03789\avg_antivirus_free_setup_x64.exe
| MD5 | 5cacb3856cd146894444d49a4273f09b |
| SHA1 | ed172dd3f4151752cd75de4cfcdae194b78a9630 |
| SHA256 | 498b992280fcddeb6aa3fbf8fd1069664af94c7d64483782b40d0bd63d3e3b9a |
| SHA512 | 8ab0bd49c41cc978a579b682bde09b3e6602fe00b534e6f97c9f924e8b5c903572a4168187899bd69882aabaea4cee71742d985dfd9bbf5da8f4aa6c06d0fd97 |
C:\Windows\Temp\asw.441ea1f8a4e03789\eref.edat
| MD5 | cc5ae76be83c26a4e95ca1e92e6446b1 |
| SHA1 | 42b62bc817930ea7fe8326cb893d71f7034fec18 |
| SHA256 | 7a6736a7df5c741f30dd7234340e2423848b9172ef7c375c8c4ba3750edb44fa |
| SHA512 | a76a41477a0a01f2bfc7fc1787d0d8ba4e2192703d492da9e60733fe9350fb3254d30c4dd81286645b36de7ea5c7bc970084b07ec944dea8657b88a3c5870c64 |
C:\Windows\Temp\asw.441ea1f8a4e03789\ecoo.edat
| MD5 | bd117cbe667d86069ac0cbf9c8a9c45f |
| SHA1 | 1d2b2e7cdb32e24faa526125212b0c749083fcef |
| SHA256 | f83087ba36b8e0b7acb5ea14cef4bb28c7536d1bcbb66dab63c253cb69c1f984 |
| SHA512 | 2f1466f565ab6d8f27de75ecf9a15cdec392939f1628c13c579a0266057fc2e21f192c532f1fa6f4e1668bdfb5e0c2e74e6a2226d15c3a245603dc43e5131aea |
C:\Windows\Temp\asw.127291e3f34561c0\servers.def
| MD5 | dc9bf0c453a6711dca0192e10e256716 |
| SHA1 | 6a5298059286b9cb31ff625b9d1f3742bec1df8c |
| SHA256 | 2b4c0f6f217a8b5239c130ea75fb2119b16c435c1bda62da33b49a1edf6cc8da |
| SHA512 | 22ad3bf3be9dc90863808380fed2d1e31df19842bd93796dbc9bf4a4d4855465964945451890f22f9d0187050cbb305df14b9ef361f5452141978707a00e7218 |
C:\Windows\Temp\asw.127291e3f34561c0\Instup.dll
| MD5 | 145afe196a4112f88acb5a7965d0e1a5 |
| SHA1 | 23a1a97116088efe5252375eb6da165139fb9a53 |
| SHA256 | 5d67bc18cec66c1469271543698fe6cfcaad58854dcc1d06fac37bc6d3693041 |
| SHA512 | 5caed6ca85a9187a93f7663b3224dd4a054ac4c95a137c4f5a2e2344bd6884f940a7620eaa84e540657894fc47fab9fccaa74ec899fb8a7506b27b2f955a9b56 |
C:\Windows\Temp\asw.127291e3f34561c0\Instup.exe
| MD5 | 4d0396f9a5a80d5adb4bf1910d088905 |
| SHA1 | e946cd46ddd9451ac804aa6ecf8ef1d8e58bd851 |
| SHA256 | 947f0bf77177419dd6d3c266042ee3d08702e79f3c797a20405722abdd73193e |
| SHA512 | b988d687bb99718c4256a20f3ccae17c4bd88690c6003c6dc9700cab5b7c700c88e918cedb55c79215c9fcd9591c5add73e057a9c1c5efe558e02dae0ef32c12 |
C:\Windows\Temp\asw.127291e3f34561c0\config.def
| MD5 | 329966c8fb59c4bc69ba4c4ff0235c96 |
| SHA1 | f24ee4ccc5f4a3bf6db004cabaf6078496f30e44 |
| SHA256 | ca0cc7b840860f27f97863f4b479a642f59b0aeb14e308912723fc4706f31f23 |
| SHA512 | a5e7dcb140604c0f8e10729821e98271a06ad86dd6d1e3c011a432057b81150652b264a45617ecbb65b134d139502f21c91b7baab5ac2e03179d6828d3455f7b |
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log
| MD5 | 042fc1149f2b34e13c505bd5ec19d5ed |
| SHA1 | e83c84b9ea2319af38e06e018341e37b5ffc51db |
| SHA256 | 46be852cf5448baafcae040b6aa17049999256e8c316b0d01294d9407cdf271c |
| SHA512 | 1485f1fefda018bc550a3044740f7fae286ed01d37fe2396eab6055d00d2f3d9c8783ce82d3c53ee995ecf724d931a9811eeedc0f78a409663b3c26fd438a7b7 |
C:\Windows\Temp\asw.127291e3f34561c0\aswdfb6c403c94f1526.ini
| MD5 | ab5e653c46f63fd3482cf80c153fd814 |
| SHA1 | d5737d0e923e196a88c1fccf44540c4710b32634 |
| SHA256 | 5080e29eaf07299e2ddfbb8daaba04e24ffb46c34d6b45f4bb0d5aefdc91c6c7 |
| SHA512 | 918d96d54356e9bdd916b2c8affef23b3c77501934b2d09c028f7aab2d5db28a9c2edbd4539a8fdc71582fb010f79f052fae878e0620e8e5a113c1a65138f901 |
C:\Windows\Temp\asw.127291e3f34561c0\config.def
| MD5 | dbcb63ea437e657237bbbbcf0988210f |
| SHA1 | 3c0dd7aa4132b29fb6f188e15fad15d064b13791 |
| SHA256 | 7179ad18b6fc40868e167723587692569ae8e0bc10366fa825b50f478a5efa54 |
| SHA512 | a89c4e442fbb5f4787005e9d28335980b9f351ffde4b4c3ae9a3dc8eff61c0f6646eb3252a0ac9fe40a8a521b1afd9112a2b020f11b8b012aa5424b50b9822d1 |
\Windows\Temp\asw.127291e3f34561c0\HTMLayout.dll
| MD5 | ac0c1a0c733887c4744fc5a22d14d17f |
| SHA1 | 2ed68fc4970b2f94a2deb5b30bfd7d53b8a76b29 |
| SHA256 | 9489bdbd1009785756032d047f67976b4122800a565f5abc60fbbb92550db014 |
| SHA512 | d11e1bdca2a0e09859134f73735e94e28d8edd468e5956c3ee3aac553993eed37d1b7d70fba3129c9288cd24cfb0919959a9705091372e3c5aad6d7ea89dc6eb |
C:\Windows\Temp\asw.127291e3f34561c0\config.ini
| MD5 | 1d4f25365e41fe20a6df1493b9c89080 |
| SHA1 | fe5494ef4d08f786ae4faca67044d92fa6b126af |
| SHA256 | cfad3a43b91ee685d7a16007637f985f4f9a452f4840a4a57d0670b8992d185b |
| SHA512 | fbc8e63c1db8c6c198a183146646c9ee16e7a17a715620c46cd2f9c59a3e08634cba371720d9b410c18956eb59fd402cd9966b18a3812c32e00d2dd8bb72ca91 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:55
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
PrivateLoader
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAALGtvH5eavUSy3hlHE9rvpQQAAAACAAAAAAAQZgAAAAEAACAAAAAJlrXp90t7vY2jY1hD3gVzGLJjnixUqtcbgnCmHPZwngAAAAAOgAAAAAIAACAAAACNfUVu3g3C+ZWFO7KmK/bUMLp/y6WCi7Pw615XOLLozDAAAACWkb9WhOQn/dNu/oiN3L2UoKxixDVpfqF2YeRKsUSqukvV1ogR8NVQPDlubLgQ6oNAAAAANbjXo6fKthdUOF6NxzE9zuroBgeVBWoGwYrvJzYBoR5kIwVJMlB6TPjFA6M7C31Xpc2xDZvJyBmcNN3tf4C6oA==" | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "e0be29cc-1b69-447c-a5ca-aa38aa1d0b9d" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63bc79d4da2b11e944b54b977b0e0de0_NeikiAnalytics.exe"
C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe
"C:\Windows\Temp\asw.8ed8900335cf97d2\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_012_999_a8c_m /ga_clientid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\icarus-info.xml /install /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\common\icarus_ui.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\icarus.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5 /er_slave:avg-av_slave_ep_3344f888-70dc-4b44-b3b4-ab0ef27daa15 /slave:avg-av
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av-vps\icarus.exe /cookie:mmm_bav_012_999_a8c_m /edat_dir:C:\Windows\Temp\asw.8ed8900335cf97d2 /track-guid:86170e03-bb38-4d91-afd0-f3ee6b21b948 /sssid:4824 /er_master:master_ep_1660bd1f-96f1-4da1-afe2-6c430f77b0d7 /er_ui:ui_ep_148c9e88-363d-4444-8ef2-7ed312acedb5 /er_slave:avg-av-vps_slave_ep_bcb8b2f3-9d68-4974-a4fa-d835f6e5e743 /slave:avg-av-vps
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
"C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe
"C:\Windows\Temp\asw-afa7c929-582e-4e08-8f85-ba53d30b74f4\avg-av\aswOfferTool.exe" -checkChrome -elevated
Network
Files