Malware Analysis Report

2024-09-23 12:03

Sample ID 240612-lyhr4stgmp
Target bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294
SHA256 bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294
Tags
bootkit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:56

Reported

2024-06-12 09:58

Platform

win7-20240611-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "6" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "64" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "66" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "32" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "43" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "19" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "86" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "31" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "91" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "65" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "70" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "9" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "50" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "85" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "14" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "76" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "82" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "51" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "3" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "4" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "49" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "61" C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
PID 2480 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
PID 2480 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
PID 2480 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
PID 1208 wrote to memory of 2176 N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.757f809abe387aa1\instup.exe
PID 1208 wrote to memory of 2176 N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.757f809abe387aa1\instup.exe
PID 1208 wrote to memory of 2176 N/A C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.757f809abe387aa1\instup.exe
PID 2176 wrote to memory of 748 N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe
PID 2176 wrote to memory of 748 N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe
PID 2176 wrote to memory of 748 N/A C:\Windows\Temp\asw.757f809abe387aa1\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2708 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2532 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2588 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1656 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 1968 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
PID 748 wrote to memory of 2280 N/A C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe

"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"

C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6h_m /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89

C:\Windows\Temp\asw.757f809abe387aa1\instup.exe

"C:\Windows\Temp\asw.757f809abe387aa1\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.757f809abe387aa1 /edition:1 /prod:ais /stub_context:c4b61cbe-d485-43dd-b351-08ef6215d74e:9897680 /guid:91a1979d-d44b-4269-a065-43234ed4ca36 /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /cookie:mmm_ava_012_999_a6h_m /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.757f809abe387aa1 /edition:1 /prod:ais /stub_context:c4b61cbe-d485-43dd-b351-08ef6215d74e:9897680 /guid:91a1979d-d44b-4269-a065-43234ed4ca36 /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /cookie:mmm_ava_012_999_a6h_m /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89 /online_installer

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChrome -elevated

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 23.73.139.81:80 iavs9x.u.avast.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
GB 23.73.139.56:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
GB 23.73.139.81:80 l7814800.iavs9x.u.avast.com tcp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
GB 23.73.139.56:80 d3176133.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 d3176133.iavs9x.u.avast.com tcp
US 8.8.8.8:53 c3978047.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 c3978047.vps18tiny.u.avcdn.net udp
GB 23.73.139.43:80 c3978047.vps18tiny.u.avcdn.net tcp
GB 23.73.139.43:80 c3978047.vps18tiny.u.avcdn.net tcp
GB 23.73.139.43:80 c3978047.vps18tiny.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 alpha-license-dealer.ff.avast.com udp
BE 34.140.0.190:443 alpha-license-dealer.ff.avast.com tcp
US 8.8.8.8:53 alpha-iqs.ff.avast.com udp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 34.111.24.1:443 ipm-provider.ff.avast.com tcp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ipmcdn.avast.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
GB 2.22.15.85:443 ipmcdn.avast.com tcp
US 34.117.223.223:443 analytics.ff.avast.com tcp
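
Every row in the table above is either a DNS lookup sent to the sandbox resolver (8.8.8.8, udp/53) for the named host, or a TCP connection to a host under avast.com, avcdn.net or google-analytics.com; repeated rows to the same endpoint are separate connections, not additional infrastructure. The Python below is an added example, not part of this report or of the analysed installer. It reads rows in this table's layout, separates lookups from real connections, collapses repeats per domain, and flags any domain outside an allowlist. SAMPLE_ROWS is a subset copied from the table; EXPECTED_SUFFIXES and SANDBOX_RESOLVER are analyst assumptions chosen for this report, not values the report itself states.

```python
"""Summarise a sandbox Network table: lookups vs connections, repeats collapsed,
destinations outside an expected-vendor allowlist flagged.

Added example for this report. SAMPLE_ROWS is copied from the report's table;
EXPECTED_SUFFIXES and SANDBOX_RESOLVER are analyst assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_ROWS = """\
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
GB 23.73.139.81:443 iavs9x.u.avast.com tcp
GB 23.73.139.81:80 iavs9x.u.avast.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
GB 23.73.139.43:80 c3978047.vps18tiny.u.avcdn.net tcp
BE 34.140.0.190:443 alpha-license-dealer.ff.avast.com tcp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
"""

# Analyst assumptions: what an Avast online installer is expected to talk to,
# and the resolver the sandbox hands out (a udp/53 row to it is a lookup, not traffic).
EXPECTED_SUFFIXES = ("avast.com", "avcdn.net", "google-analytics.com")
SANDBOX_RESOLVER = "8.8.8.8"


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str

    @property
    def is_dns_lookup(self) -> bool:
        return self.proto == "udp" and self.port == 53 and self.ip == SANDBOX_RESOLVER


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows; skips the header and blank lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "Country":
            continue
        country, dest, domain, proto = fields
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain.lower(), proto.lower()))
    return flows


def in_allowlist(domain: str, suffixes=EXPECTED_SUFFIXES) -> bool:
    """Exact match or a proper subdomain of an allowed suffix (notavast.com does not pass)."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def summarize(flows: list) -> dict:
    """Collapse repeats: per-domain connection endpoints, lookup counts, unexpected domains."""
    endpoints = defaultdict(set)   # domain -> {(ip, port, proto)}
    lookups = defaultdict(int)     # domain -> number of DNS queries seen
    for f in flows:
        if f.is_dns_lookup:
            lookups[f.domain] += 1
        else:
            endpoints[f.domain].add((f.ip, f.port, f.proto))
    seen = set(endpoints) | set(lookups)
    return {
        "connections": {d: sorted(e) for d, e in endpoints.items()},
        "dns_lookups": dict(lookups),
        "unexpected": sorted(d for d in seen if not in_allowlist(d)),
    }


if __name__ == "__main__":
    report = summarize(parse_rows(SAMPLE_ROWS))
    for domain, eps in report["connections"].items():
        print(domain, eps)
    print("unexpected:", report["unexpected"])
```

Run against the full table, an empty "unexpected" list is the result to expect for this sample; a domain appearing only under dns_lookups with no connection is also worth a look, since a lookup with no follow-up connection often means the resolution failed or the sandbox cut the run short.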

Files

\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe

MD5 54aaadc43b9a0a026a86db8d350a2cd3
SHA1 d1b767200495717f9abbd808c3b38079c64be877
SHA256 de1fa4badf89ecf4beedfd8f00f79e145e3f492be540e0964ef7468213a20844
SHA512 1d75da2ad226d1a6e744854a49b05416db10d4ef68ddf0d7d2d93f01b30a28cb84ae2b1a9c9ddc1817781a98409ed9556c02822f57965ab6f8865e3c55c36f3a

C:\Windows\Temp\asw.3231917d683b8e89\ecoo.edat

MD5 245f1a8571179f960b43703c405e11ec
SHA1 ac9a4d13c7f9907a81f13c0419344d48fdda7e1c
SHA256 d30d2c1e8781e93bc5c713e7c01890c459c65e8bc356034ed74ae2d63dd288fe
SHA512 906e7e1b0b9666bf7925696b0e39af1dc6d601e717b585ef4efc03ba503fcff43acea7655419974cc1b7f379b5c1564cdd48bc75a23eec83a715cb66cb5e65c4

C:\Windows\Temp\asw.757f809abe387aa1\servers.def

MD5 e76e81467cf59e07920fa8350f262269
SHA1 e0ab1867d50c7d6cf2f35ca00aa94564cde1ef94
SHA256 cd4ca129df4cda34752225d61dc5b810e768bdeb60b0b8fb3fba3826820761c8
SHA512 5b29f1f97e6ef1acc567beb1340d13a07c52d94cc6ae6284650c3e717f137af3db43b84a2904f26e772e524dc8e69cdb86eb8e98e9ec65323769171e0ee35070

C:\Windows\Temp\asw.757f809abe387aa1\Instup.dll

MD5 3b6abc970f7227284d87acd2d95c7c5a
SHA1 02b1248aa23cb8aee91b06a9b8b044fa93b469b1
SHA256 ecf706e38e489c6840b68db5b6fdb4687a175ec6c325c8673f27f7cbf01234fa
SHA512 bd06e9599fee8ac872ad6cb5e539a78137daf8b831eb7be3df8bc773d91f9eb4883d01404b7c6724997e6ec1526af213ed1988780c9e40ba98227649ee91a2b1

C:\Windows\Temp\asw.757f809abe387aa1\Instup.exe

MD5 4aed041ad383def5407e438fd5597675
SHA1 6a5d6ddeb83b4e6425cc77190b0539b6e5dffbc4
SHA256 1cb887579ece5a1d11832d0543f0b02c338ac8581d54909bc641abe13e294abf
SHA512 4b2c07668565f4a01f4e7f124e1050bd12228dc2547a00add12921b2300a71588387d8c2d3c0de4303222c5ea2e65bfafe2ab342417d2c5ab8ac300c40d5c171

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 60dfbaf53b1ef24c24260b073a266551
SHA1 a08f584b75d0a9d9c4e04ecdcea1b23f33146a91
SHA256 926b551f5df161000284fe9d6ba566af8ac4f8dc89ef501e216f95d698421b83
SHA512 b29e9072fa7ecce3731c3ab5d3c0449c86321740d8e078387e417d01436aff070b66dafe762c04d0fde0773364a5532a877b6acdb68aafb39e66b58e31d41946

C:\Windows\Temp\asw.757f809abe387aa1\config.def

MD5 da59c9092a31f572c882d563c600a34f
SHA1 0ec1cb7f7c16252d637d71e08e9363bfe96a5842
SHA256 563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766
SHA512 ee9ad7259df259dd6d444b6b8b933f2c6d928a3ed1f0de42598d09fdcdb0af2ae3f64dab888d3d5f4443a8b918e596f0ee28ee874fc9dfeeac422c3a9e107924

C:\Windows\Temp\asw.757f809abe387aa1\aswaa20ac4f5602573d.ini

MD5 56a2c5fc58628b61b7532097fcc9af0c
SHA1 efa54cd9a863371ead54a56d1a9b7601675067f9
SHA256 652c80e9c04030131b1d10ad7aec51d0a21e8b334955fe4bc02e3fe875db6afb
SHA512 c61ceee672467dac9cbfc17b2c6ea31c7e90e7cb4060aa01745d00b9de59185a762a1ab424bc95d4e94548d7a39e4a3cc490dc02a09bb15c1ad08f190be0a610

C:\Windows\Temp\asw.757f809abe387aa1\config.def

MD5 aa93672fa5e2fd382ab779a8e46215c4
SHA1 32659cae689d6ec0e28e210b292fd27864abff82
SHA256 9ed779578343731ae6f15b02fa30f95d8734ba419454e5fdc8a007248489b246
SHA512 2c9a6d03e6d319b67ffa6a5aade45f8006899ec5c02d8bcbff21660317c0fa31336028c317afb2b442bdbdb4761beefda7cabed918f5c20474bc9b8f1be0ff9f

C:\Windows\Temp\asw.757f809abe387aa1\config.ini

MD5 40e1e1b53a76946c721f9202e7ad46c4
SHA1 6ee540984144dde56592e7ce7deb298a714341ac
SHA256 118cb16e5e5961155bca9ced69e74d28bfdbd37fa62beda8e1f8aa4c8ed981aa
SHA512 56847aaec184f29d3a8b1044ec3a0417e2f3a42d5d6b8f0109aee66c32a60a90bba9f70cf7523ed1cc84ed286aeecf20727dc7ac8ab805468991fcd4af2cf608

\Windows\Temp\asw.757f809abe387aa1\HTMLayout.dll

MD5 39a20f9d67d6d4bac0ff081c62b13996
SHA1 b5b6b70e943a96a8697f07759245702e026be7e7
SHA256 825288012e4c15035b3d7fdfda396912b83992bf0683f9d2a5d55dfa1306b5a1
SHA512 798f6616b4f07bc75c5833a906735c1cc44d2ac044ceed4119005601e6f0266327ffb4819a44bac49bc0cde8b2ac7a021d098a12da586689de1119914e2032b0

C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx

MD5 dc5709c442df025a33cb2ca0d22133af
SHA1 5007da1e31f4705932c1f272dd4975b14bef268d
SHA256 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744
SHA512 c6938f9569e943bbc04fe39acdf8e7302b77124b7f1e2ccbb20ec01242238e81b6ab83730393fe61ce716cb1c4e7df064c65bc5ce84540371fcf6a50a615cb6b

C:\Windows\Temp\asw.757f809abe387aa1\uat64.vpx

MD5 11bb373887fe44e1edea08b70c638095
SHA1 e887149cb489a3aec8092636379ac4c64e389089
SHA256 a2f66db4a802a3aeb977d40a22e399382d8b82da216645defa5b5009602fa358
SHA512 d9933cb1b8258f13b21d3bf6a648ed81de1608663e1166a8eaf1baea60f4bc5017ac218f277beb4e65e6719ca57d2910cd6c268ee8a5f8766c13680e86fba879

C:\Windows\Temp\asw.757f809abe387aa1\prod-pgm.vpx

MD5 d4f72d1329501105ec7111178ac7c98f
SHA1 17bfc1e8299b43c46b18442b7e74f84953dc6193
SHA256 e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7
SHA512 570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329

\Windows\Temp\asw.757f809abe387aa1\uat64.dll

MD5 c0719ef096798494a616f84f587282d7
SHA1 ee38158f887bc2189234330c4891f12f9d902d7a
SHA256 ba4d8d0ba809d934004da646ec31a72650dc16e4288404badd761e4bed6a982a
SHA512 7b22ac9c0c2c881674333d325363aa1d378d3b3c75700a7713a7f33b6ee144c43cd209d9fe9ff31a93b329881dc14c873cb2338af4695d44724afd5ddda5d298

C:\Windows\Temp\asw.757f809abe387aa1\part-setup_ais-15020997.vpx

MD5 365b6ee6fbde00af486fc012251db2da
SHA1 8050ba5a9b6321f067fc694527011ba00767d4a2
SHA256 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830
SHA512 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

C:\Windows\Temp\asw.757f809abe387aa1\prod-vps.vpx

MD5 0066d9b938e4d92eed90d515c0da993f
SHA1 60f4f31c64671349b100505428a618c9a9033820
SHA256 bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209
SHA512 d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw95d2cbd4d0afd6fa.tmp

MD5 ef035189604e7f5d68a62827b985ccbb
SHA1 c094c6eef2640a71aee9f4b27123c2080d38136f
SHA256 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740
SHA512 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswac90eae6e8103a62.tmp

MD5 700b6740e6bfa7729f146572d8455348
SHA1 19d80fb0251f417283ed36fc20c43079b3f6fbb8
SHA256 d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e
SHA512 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswe43ed79712e695d3.tmp

MD5 b216fc28400c184a5108c0228fba86bc
SHA1 5d82203153963ebede19585b0054de8221c60509
SHA256 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd
SHA512 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw47ab0fc3b07b7a02.tmp

MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA1 f5582697e068ba1d56825fc32bd5ab1a71bd4d38
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4
SHA512 de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

C:\Windows\Temp\asw.757f809abe387aa1\offertool_x64_ais-997.vpx

MD5 c5665f1f93d9aabbcb1dde533e2c46e6
SHA1 732389de20c600d0222d61b4ee74b0be6412a45b
SHA256 adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a
SHA512 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

C:\Windows\Temp\asw.757f809abe387aa1\sbr_x64_ais-997.vpx

MD5 13e9fbb02cb7497562b59a9ef8f1ee92
SHA1 047936e9296e77939b5b23c1a2af3056eaa2ae99
SHA256 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a
SHA512 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw6636064c161d1be0.tmp

MD5 d9be57d4e1a25264b8317278f8b93396
SHA1 d3c98696582fed570f38ae45bf22b8197253b325
SHA256 a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3
SHA512 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 7f38d84a2ca61f423f51b9cf1bfffdf2
SHA1 c7ead1ccd5f019862f9ab3fca61088da88a8a451
SHA256 fa0eea0e62bde4ea8e2bdfbe06cb9f8e0ba010512ce342b5b60b9e069e23733a
SHA512 9d5bf5dd2b60c4558ef328968c80fb74dfeb241eab89cfd053e588f346270fce2421a9524662c9f3339bbfbcacc38603d3ce807ef6b9c82c94e74efc31655135

C:\Windows\Temp\asw.757f809abe387aa1\part-prg_ais-15020997.vpx

MD5 b898fa20bf9b0321b50a8d4946aae799
SHA1 4e173a99dc9a9ef507112857525ad53991f4d2a0
SHA256 6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c
SHA512 c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

C:\Windows\Temp\asw.757f809abe387aa1\setup.def

MD5 be793535c4acf02d4ad13b20d0c84deb
SHA1 65dd6b4891a75848042c10057808535298cee3e1
SHA256 31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd
SHA512 7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

C:\Windows\Temp\asw.757f809abe387aa1\prod-vps.vpx

MD5 85f4992f7b075bcc8fc6cc4f5e24afd4
SHA1 abe54ed56c0d23d3e1184bd500ba0fb6cf03fdde
SHA256 3dc8281c192753aafe5408485d3344df73209c96989b0524fe2db5a081d848a0
SHA512 271ab9967418f12041eeecc39b16881d4f46b0ea4ab59b8dbf7c88c22ef99b1c069a1060f8f94784e39e37d6cc0e6bd68f734d41999055727cc1f12c29cc1ee1

C:\Windows\Temp\asw.757f809abe387aa1\part-jrog2-90.vpx

MD5 a3feee18df3f2ef19f6fe6f493afb123
SHA1 005ee607c0f3f6459a30675f906689616ddd99eb
SHA256 be994b277f65df1872557d53e7f55c62f3af4b50e744bca93998311363093ec9
SHA512 5881f379d63d58ed61467cf9a92cf53f40ed6aca9e6576af29a6dc4602e3200e4a6decb69b0dfac7ae9052de820f5132da881f2cc02a7c5ed0171eda05b241b9

C:\Windows\Temp\asw.757f809abe387aa1\part-vps_windows-24061199.vpx

MD5 d00a98ab97227224d17c17924aac4e5e
SHA1 9c6c80a4e6c799a3b562b2597fe567ff8bd5f404
SHA256 8a3b5176bff78d05a4589c08a9ba7b6af7de744cfbd45821b77816d7149fa842
SHA512 dd76fb5e3212f0beac81a559a4a438c11604a8c125e2e4567af4f33ee210f4aff48581033e447bfd3fafe675a60939a924e4027d3f30e49ebd1ce2ef017eb7f4

C:\Windows\Temp\asw.757f809abe387aa1\config.def

MD5 0e7a4080ff0ab8ddc0ecc35a512a55a6
SHA1 1bec2128c9c5874e7d7ea308ad5d07710ecfb7f5
SHA256 beb4517a19e6d2801749c50875557796b87725c6ca23251241facf25f316903d
SHA512 9e61b3b54a6279f33043ef2712c231e0b43c63bd74128b011248ea2753cc557e19b416b5c8ea3c2b76b55f3d7c43339d901acdc60e46eddff51b3206c7cbfbb5

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 cbf22598a4d872bb9f4c072ed693c720
SHA1 5b424847396f8130c96b64a075d6e4c0aef29849
SHA256 c3162a7f1ab97598b4fd3ff7d27dfe579da6414ad119cf14131ec223a7b2e752
SHA512 1e93081fccd2c37c2e087603650d861e98479236818fc48a30b116f6220257d4967a6b58f604fe2b5ed052272260142b2fbb31b7262efddb703e7bcd8dbe8a14

\Windows\Temp\asw.757f809abe387aa1\New_15020997\gcapi_17181862132588.dll

MD5 2973af8515effd0a3bfc7a43b03b3fcc
SHA1 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee
SHA256 d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0
SHA512 b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

memory/748-337-0x000007FEF3160000-0x000007FEF353A000-memory.dmp

memory/748-336-0x000007FEF3540000-0x000007FEF486B000-memory.dmp

memory/748-338-0x000007FEF3540000-0x000007FEF486B000-memory.dmp

memory/748-348-0x000007FEF3540000-0x000007FEF486B000-memory.dmp

memory/748-350-0x000007FEF3540000-0x000007FEF486B000-memory.dmp
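
Several paths in the list above appear more than once with different digests (config.def three times; servers.def.vpx, prod-vps.vpx and Setup.log twice each), which means the installer rewrote those files during the run. The first servers.def.vpx entry carries the MD5, SHA1, SHA256 and SHA512 of zero-length input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855), so the sandbox hashed an empty file at that path; the second entry for the same path is the one with content. The Python below is an added example, not part of this report: it parses entries in this section's layout, groups them by path, reports rewritten paths, and recognises empty-file digests by computing them rather than pasting them in. SAMPLE_FILES is a subset copied from the list above with the SHA512 rows omitted.

```python
"""Triage a sandbox Files table: paths rewritten with different content, and
entries whose digests are those of zero-length input.

Added example for this report. SAMPLE_FILES is a subset copied from the
report's behavioral1 Files section (SHA512 rows omitted).
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_FILES = r"""
C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx

MD5 dc5709c442df025a33cb2ca0d22133af
SHA1 5007da1e31f4705932c1f272dd4975b14bef268d
SHA256 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744

C:\Windows\Temp\asw.757f809abe387aa1\config.def

MD5 da59c9092a31f572c882d563c600a34f
SHA1 0ec1cb7f7c16252d637d71e08e9363bfe96a5842
SHA256 563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766

C:\Windows\Temp\asw.757f809abe387aa1\config.def

MD5 aa93672fa5e2fd382ab779a8e46215c4
SHA1 32659cae689d6ec0e28e210b292fd27864abff82
SHA256 9ed779578343731ae6f15b02fa30f95d8734ba419454e5fdc8a007248489b246

C:\Windows\Temp\asw.757f809abe387aa1\Instup.exe

MD5 4aed041ad383def5407e438fd5597675
SHA1 6a5d6ddeb83b4e6425cc77190b0539b6e5dffbc4
SHA256 1cb887579ece5a1d11832d0543f0b02c338ac8581d54909bc641abe13e294abf
"""

# Digests of b"" for each algorithm the report prints, computed so the check is self-evident.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text: str) -> list:
    """Turn the report layout (path line, then 'ALGO hex' lines) into dict records."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}      # any non-hash line starts a new entry
            records.append(current)
    return records


def is_empty_file(record: dict) -> bool:
    """True if any digest present on the record equals the digest of zero-length input."""
    return any(record.get(alg) == digest for alg, digest in EMPTY_DIGESTS.items())


def triage(records: list) -> dict:
    """Group by case-folded path; report paths seen with more than one SHA256, and empty files."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"].lower()].append(r)
    rewritten = {p: [r.get("sha256") for r in rs]
                 for p, rs in by_path.items()
                 if len({r.get("sha256") for r in rs}) > 1}
    empty = sorted(r["path"] for r in records if is_empty_file(r))
    return {"unique_paths": len(by_path), "rewritten": rewritten, "empty": empty}


if __name__ == "__main__":
    result = triage(parse_files(SAMPLE_FILES))
    print(result["unique_paths"], "unique paths")
    for path, digests in result["rewritten"].items():
        print("rewritten:", path, digests)
    print("empty:", result["empty"])
```

When a path is rewritten, the last digest in the list is the one on disk at the end of the run and the one to pivot on; an empty-file entry is a capture artefact of the sandbox, not a sample indicator, and should not be submitted to reputation services as if it were the dropped content.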

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:56

Reported

2024-06-12 09:59

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe N/A
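
The four rows above record a handle opened for modification on \??\PhysicalDrive0, which is what this sandbox's "Writes to the Master Boot Record (MBR)" signature keys on. A writable handle to the raw disk is necessary for an MBR write but does not show that one happened; software that inspects the boot sector or disk layout opens the same device, and the rows do not record a write. The way to confirm is to capture sector 0 before and after detonation and compare the two images field by field. The Python below is an added example, not part of this report or of the analysed installer: parse_mbr decodes the partition table and signatures, diff_mbr reports which region changed (boot code, disk signature, partition entries, 0x55AA marker), and read_sector0 is the only part that touches a real device (Windows, administrator required, not exercised here). The two images compared in the demo are constructed test data, not sectors from this run.

```python
"""Compare two 512-byte MBR images and report exactly what changed.

Added example for this report; the 'before' and 'after' images are constructed
test data, not sectors captured from the analysed sample.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
BOOTSTRAP_END = 440     # bytes 0..439: boot code, the region a bootkit replaces
DISK_SIG_OFF = 440      # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
PART_ENTRY = 16
BOOT_SIG_OFF = 510      # 0x55 0xAA


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(img: bytes) -> dict:
    """Decode disk signature, partition table and boot signature from sector 0."""
    if len(img) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", img, off)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return {
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "boot_signature_ok": img[BOOT_SIG_OFF:] == b"\x55\xaa",
        "partitions": parts,
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Return human-readable findings; an empty list means sector 0 is unchanged."""
    findings = []
    if before == after:
        return findings
    changed = [i for i in range(BOOTSTRAP_END) if before[i] != after[i]]
    if changed:
        findings.append(f"bootstrap code changed: {len(changed)} byte(s), first at offset {changed[0]}")
    if before[DISK_SIG_OFF:PART_TABLE_OFF] != after[DISK_SIG_OFF:PART_TABLE_OFF]:
        findings.append("disk signature changed")
    b, a = parse_mbr(before), parse_mbr(after)
    for n, (pb, pa) in enumerate(zip(b["partitions"], a["partitions"])):
        if pb != pa:
            findings.append(f"partition entry {n} changed: {pb} -> {pa}")
    if b["boot_signature_ok"] != a["boot_signature_ok"]:
        findings.append("0x55AA boot signature " + ("restored" if a["boot_signature_ok"] else "broken"))
    return findings


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR. Windows only, needs administrator; not exercised offline."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed 'before' image: NOP-filled boot code, one bootable NTFS partition."""
    img = bytearray(SECTOR)
    img[:BOOTSTRAP_END] = b"\x90" * BOOTSTRAP_END
    struct.pack_into("<I", img, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    img[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(img)


def simulate_bootkit_write(img: bytes) -> bytes:
    """Constructed 'after' image: first 16 bytes of boot code replaced (far jmp + filler)."""
    patched = bytearray(img)
    patched[0:16] = b"\xea\x00\x7c\x00\x00" + b"\xcc" * 11
    return bytes(patched)


if __name__ == "__main__":
    before = build_sample_mbr()
    print("unchanged:", diff_mbr(before, before))
    print("tampered: ", diff_mbr(before, simulate_bootkit_write(before)))
```

In practice take the 'before' image from the clean snapshot the sandbox reverts to and the 'after' image from the guest at the end of the run; an empty findings list from diff_mbr means the PhysicalDrive0 handle was opened but sector 0 was not altered, and the signature above should then be read as a raw-disk access indicator rather than as evidence of bootkit persistence.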

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a3d.vpx" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-a3d.vpx" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a3d.vpx" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a3d.vpx" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe
PID 2748 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe
PID 440 wrote to memory of 2132 N/A C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe
PID 440 wrote to memory of 2132 N/A C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe
PID 2132 wrote to memory of 996 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe
PID 2132 wrote to memory of 996 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe
PID 996 wrote to memory of 2304 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 2304 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 2304 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 2704 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 2704 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 2704 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 3460 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 3460 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 3460 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 952 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 952 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
PID 996 wrote to memory of 952 N/A C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe

"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"

C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6h_m /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6

C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.6d7e615ab4a23e6e /edition:1 /prod:ais /stub_context:b5cebbc0-2a2b-4bd6-aaab-7e83669a5455:9897680 /guid:55c4e2b6-d9db-452d-899e-a77d56e0f637 /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /cookie:mmm_ava_012_999_a6h_m /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.6d7e615ab4a23e6e /edition:1 /prod:ais /stub_context:b5cebbc0-2a2b-4bd6-aaab-7e83669a5455:9897680 /guid:55c4e2b6-d9db-452d-899e-a77d56e0f637 /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /cookie:mmm_ava_012_999_a6h_m /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6 /online_installer

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
GB 216.58.213.14:80 www.google-analytics.com tcp
GB 23.73.139.56:443 iavs9x.u.avast.com tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 56.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 23.73.139.56:443 iavs9x.u.avast.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 23.73.139.56:443 iavs9x.u.avast.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.73.139.56:443 iavs9x.u.avast.com tcp
GB 23.73.139.56:443 iavs9x.u.avast.com tcp
GB 23.73.139.56:80 iavs9x.u.avast.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 h4305360.iavs9x.u.avast.com udp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
US 8.8.8.8:53 r3802239.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 s1843811.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 h4305360.iavs9x.u.avast.com udp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
US 8.8.8.8:53 r3802239.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 s1843811.iavs9x.u.avast.com udp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
GB 23.73.139.56:80 s1843811.iavs9x.u.avast.com tcp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 t1024579.iavs9x.u.avast.com udp
US 8.8.8.8:53 w5805295.iavs9x.u.avast.com udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 t1024579.iavs9x.u.avast.com udp
US 8.8.8.8:53 w5805295.iavs9x.u.avast.com udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
GB 23.73.139.81:80 y8002308.iavs9x.u.avast.com tcp
US 8.8.8.8:53 b7210692.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 b7210692.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 b8003600.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 m0658849.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 r3802239.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 s-vps18tiny.avcdn.net udp
US 8.8.8.8:53 s1843811.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 b7210692.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 b7210692.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 b8003600.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 m0658849.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 r3802239.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 s-vps18tiny.avcdn.net udp
US 8.8.8.8:53 s1843811.vps18tiny.u.avcdn.net udp
GB 23.73.139.50:80 s1843811.vps18tiny.u.avcdn.net tcp
GB 23.73.139.50:80 s1843811.vps18tiny.u.avcdn.net tcp
GB 23.73.139.50:80 s1843811.vps18tiny.u.avcdn.net tcp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 50.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 200.187.250.142.in-addr.arpa udp
GB 23.73.139.56:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe

MD5 54aaadc43b9a0a026a86db8d350a2cd3
SHA1 d1b767200495717f9abbd808c3b38079c64be877
SHA256 de1fa4badf89ecf4beedfd8f00f79e145e3f492be540e0964ef7468213a20844
SHA512 1d75da2ad226d1a6e744854a49b05416db10d4ef68ddf0d7d2d93f01b30a28cb84ae2b1a9c9ddc1817781a98409ed9556c02822f57965ab6f8865e3c55c36f3a

C:\Windows\Temp\asw.0823071b187b5af6\ecoo.edat

MD5 245f1a8571179f960b43703c405e11ec
SHA1 ac9a4d13c7f9907a81f13c0419344d48fdda7e1c
SHA256 d30d2c1e8781e93bc5c713e7c01890c459c65e8bc356034ed74ae2d63dd288fe
SHA512 906e7e1b0b9666bf7925696b0e39af1dc6d601e717b585ef4efc03ba503fcff43acea7655419974cc1b7f379b5c1564cdd48bc75a23eec83a715cb66cb5e65c4

C:\Windows\Temp\asw.6d7e615ab4a23e6e\servers.def

MD5 e76e81467cf59e07920fa8350f262269
SHA1 e0ab1867d50c7d6cf2f35ca00aa94564cde1ef94
SHA256 cd4ca129df4cda34752225d61dc5b810e768bdeb60b0b8fb3fba3826820761c8
SHA512 5b29f1f97e6ef1acc567beb1340d13a07c52d94cc6ae6284650c3e717f137af3db43b84a2904f26e772e524dc8e69cdb86eb8e98e9ec65323769171e0ee35070

C:\Windows\Temp\asw.6d7e615ab4a23e6e\Instup.exe

MD5 4aed041ad383def5407e438fd5597675
SHA1 6a5d6ddeb83b4e6425cc77190b0539b6e5dffbc4
SHA256 1cb887579ece5a1d11832d0543f0b02c338ac8581d54909bc641abe13e294abf
SHA512 4b2c07668565f4a01f4e7f124e1050bd12228dc2547a00add12921b2300a71588387d8c2d3c0de4303222c5ea2e65bfafe2ab342417d2c5ab8ac300c40d5c171

C:\Windows\Temp\asw.6d7e615ab4a23e6e\Instup.dll

MD5 3b6abc970f7227284d87acd2d95c7c5a
SHA1 02b1248aa23cb8aee91b06a9b8b044fa93b469b1
SHA256 ecf706e38e489c6840b68db5b6fdb4687a175ec6c325c8673f27f7cbf01234fa
SHA512 bd06e9599fee8ac872ad6cb5e539a78137daf8b831eb7be3df8bc773d91f9eb4883d01404b7c6724997e6ec1526af213ed1988780c9e40ba98227649ee91a2b1

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 16e10629323067b179a0d0d0a734a854
SHA1 06a80722700fa689a64ef1fadbc73e70fd17d229
SHA256 d97e8b9dd69ab281c8eb65891e290369baeb11679ce828acbfaf86ccf085e9ca
SHA512 7a87195125e63fd29c4fdb261dacbd0d66b5359fe1fb4e9c53ce956df8aea85177989a19e807952b51d3b5e47f7b36519c7037287a1b9903409986ecaa8cd462

C:\Windows\Temp\asw.6d7e615ab4a23e6e\config.def

MD5 da59c9092a31f572c882d563c600a34f
SHA1 0ec1cb7f7c16252d637d71e08e9363bfe96a5842
SHA256 563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766
SHA512 ee9ad7259df259dd6d444b6b8b933f2c6d928a3ed1f0de42598d09fdcdb0af2ae3f64dab888d3d5f4443a8b918e596f0ee28ee874fc9dfeeac422c3a9e107924

C:\Windows\Temp\asw.6d7e615ab4a23e6e\config.def

MD5 e2754ccd58ea22c38ebc51e0cb4a7cbb
SHA1 0f7a62ce0cd301eb558ccd7e0964b0f7b58c4fcf
SHA256 7fb13f32ff72d3e3bf610209cc13e27f34a1b136d32d3d99b800e2ff161ec119
SHA512 d688f2b4ba396857c78426258cf2ff0d8bde23a8ebf9c192f315cad059c8290fd9b3690c9cccd9c28474cd860f3ce683be3ffae652e8a93f8b23f4d3784a5260

C:\Windows\Temp\asw.6d7e615ab4a23e6e\config.ini

MD5 6e177583e031cc9739f4f670410a9ce4
SHA1 60201de6eb0603cdc28868141087c769166d5a19
SHA256 b90eb02d081e11693c6e5ad97422643185b494cd0949737ec65839a099a2e10b
SHA512 6d84cc56380ab2a757d9910f103950619ddc5cba8d38fc2ac36ada4cb35d4a7790ede8ded586586cb9411327632012da3b2011234bee1d036dfed3fc51522e45

C:\Windows\Temp\asw.6d7e615ab4a23e6e\HTMLayout.dll

MD5 39a20f9d67d6d4bac0ff081c62b13996
SHA1 b5b6b70e943a96a8697f07759245702e026be7e7
SHA256 825288012e4c15035b3d7fdfda396912b83992bf0683f9d2a5d55dfa1306b5a1
SHA512 798f6616b4f07bc75c5833a906735c1cc44d2ac044ceed4119005601e6f0266327ffb4819a44bac49bc0cde8b2ac7a021d098a12da586689de1119914e2032b0

C:\Windows\Temp\asw.6d7e615ab4a23e6e\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.6d7e615ab4a23e6e\servers.def.vpx

MD5 dc5709c442df025a33cb2ca0d22133af
SHA1 5007da1e31f4705932c1f272dd4975b14bef268d
SHA256 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744
SHA512 c6938f9569e943bbc04fe39acdf8e7302b77124b7f1e2ccbb20ec01242238e81b6ab83730393fe61ce716cb1c4e7df064c65bc5ce84540371fcf6a50a615cb6b

C:\Windows\Temp\asw.6d7e615ab4a23e6e\part-setup_ais-180517e4.vpx

MD5 67a540fcde81f108f7568628590ee342
SHA1 bd454d4203eb18115264fed792b4d5e41a2e2fb5
SHA256 328f4780c3389e61ea00604b5d5085e734adee7f162796f1130d5f36d0cf2924
SHA512 20586f6f537b18f7e3d0945e0dbf69e6bd62457a06c739268c9867b407e9071c0b82ba8adf166ac19c78e9f36f4d8ccceb85ce1dddc1d5c6b5b49c11fb602199

C:\Windows\Temp\asw.6d7e615ab4a23e6e\uat64.dll

MD5 c0719ef096798494a616f84f587282d7
SHA1 ee38158f887bc2189234330c4891f12f9d902d7a
SHA256 ba4d8d0ba809d934004da646ec31a72650dc16e4288404badd761e4bed6a982a
SHA512 7b22ac9c0c2c881674333d325363aa1d378d3b3c75700a7713a7f33b6ee144c43cd209d9fe9ff31a93b329881dc14c873cb2338af4695d44724afd5ddda5d298

C:\Windows\Temp\asw.6d7e615ab4a23e6e\prod-vps.vpx

MD5 0066d9b938e4d92eed90d515c0da993f
SHA1 60f4f31c64671349b100505428a618c9a9033820
SHA256 bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209
SHA512 d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62

C:\Windows\Temp\asw.6d7e615ab4a23e6e\uat64.vpx

MD5 11bb373887fe44e1edea08b70c638095
SHA1 e887149cb489a3aec8092636379ac4c64e389089
SHA256 a2f66db4a802a3aeb977d40a22e399382d8b82da216645defa5b5009602fa358
SHA512 d9933cb1b8258f13b21d3bf6a648ed81de1608663e1166a8eaf1baea60f4bc5017ac218f277beb4e65e6719ca57d2910cd6c268ee8a5f8766c13680e86fba879

C:\Windows\Temp\asw.6d7e615ab4a23e6e\prod-pgm.vpx

MD5 d4f72d1329501105ec7111178ac7c98f
SHA1 17bfc1e8299b43c46b18442b7e74f84953dc6193
SHA256 e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7
SHA512 570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329

C:\Windows\Temp\asw.6d7e615ab4a23e6e\avbugreport_x64_ais-a3d.vpx

MD5 dd9112cf8378dd2dcd7da7652ab7ef4f
SHA1 edba0ad6afe5f7d5fef1a68fe6e298285302a205
SHA256 01a5da7bd76821e598dd0c145e402f01968a486ec0289304ecbc01e8e3e3545f
SHA512 a792118766c8aefdda2f3158e3f20235b3d45e2504a8aa131189034a4c1dce36ef304253794bd73eefa9de1b58666422cba7311e93588b6b05340c23c9b24502

C:\Windows\Temp\asw.6d7e615ab4a23e6e\avdump_x64_ais-a3d.vpx

MD5 4dae0714e69b6d570b458d2d464ace66
SHA1 7b87175b6810ba49fff360affcd27b0b1c163899
SHA256 009a8b3c599329995ec197d1c9e5a13ad8bcf0888d6ef434d295b4a7e76ca3e7
SHA512 9c5cb5a9893276cc5bfb5baddcfe6584b78bd0387fc731f0e21f963d8515a42fc77b3b8a25291ab0b09910d72193a191cd3f72a2b0dd92f27c89f5a62251a02e

C:\Windows\Temp\asw.6d7e615ab4a23e6e\offertool_x64_ais-a3d.vpx

MD5 83a59fb227b8146aec13b3e5183da115
SHA1 c0edcf17207414387cbd193503dec8fc3d88bf4c
SHA256 240f009ab1ce95fb23cb1c76f0c944e3acc8567b4198dd6d4de7d8bbf2979919
SHA512 317ac6ea8ea54f32614a3623bff1c0193c072c6ee8d845ab1b23575170fe1e1048f71847a23f4a6ef42e33466bd4c4d8a1fe10a2c7c48410c032287de3992560

C:\Windows\Temp\asw.6d7e615ab4a23e6e\sbr_x64_ais-a3d.vpx

MD5 c137e649a83c0d6e99b40b7244015812
SHA1 6aaa485bec43f485b3863d525a8653d19949e005
SHA256 d54383d72f4ef21f157867ea9164ccdc3d6dd9c8de32a691a86c1f0c5a008f8f
SHA512 c38621980bb82a5fdf509d92167027c67db56c3b3d17c621ef732a98595d50788a4ea934fd19a93787f7d7defadb537036eb0e1464aec8ec1cf8dc6073cae88f

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 c8be734878bf01808f48dfb8dbe22086
SHA1 96124b2e2d42963102ea493094e5ec680064c23d
SHA256 420fba717929b81d16e644ed0f14a93d03ac183c4676110585234d915f578dbb
SHA512 6be875833d2fd2c811b6c12fd4c4b388170bb3b41a5f236e205ec426259189a431f5dba3f74841f917b7fbbfc139cbf8c33822897e7e5fafdb66c3d4a929d295

C:\Windows\Temp\asw.6d7e615ab4a23e6e\part-prg_ais-180517e4.vpx

MD5 2c670a43751b0f2adb2bbb0f5dd646bb
SHA1 74ad4b2eeb00c337bb4902def41353c44aef6e3a
SHA256 876f56bdbd1314c4f97757bbb341c908bc1de6acb5fbe8fdbbfdd2e3b1c55bdf
SHA512 bd5b7b4996f1c70adb77fb3b590a96cbe673253e05a10c94c2d38ee12d63995fc385c541eaacfd653ffd7e3629673fc539830943d9202ed2c9a04f2c42f8b4d7

C:\Windows\Temp\asw.6d7e615ab4a23e6e\setup.def

MD5 98592e07fab8330e4b367ee1c2ee1a23
SHA1 aaaeddbb740f3fb46362ff6055b909e7215e7c22
SHA256 046d8d52a8da3a1e288aa24452ce97ed72f47c0f327177ac76373d1eacfc9b40
SHA512 1f734e991340156de357b638b562b6f95e762f1913953fab3b449ea6fa3fb081db02dfc3339a4dd1d5c82a0fe169d7a4d4699ce239900bd7e51372a561cc7511

C:\Windows\Temp\asw.6d7e615ab4a23e6e\prod-vps.vpx

MD5 85f4992f7b075bcc8fc6cc4f5e24afd4
SHA1 abe54ed56c0d23d3e1184bd500ba0fb6cf03fdde
SHA256 3dc8281c192753aafe5408485d3344df73209c96989b0524fe2db5a081d848a0
SHA512 271ab9967418f12041eeecc39b16881d4f46b0ea4ab59b8dbf7c88c22ef99b1c069a1060f8f94784e39e37d6cc0e6bd68f734d41999055727cc1f12c29cc1ee1

C:\Windows\Temp\asw.6d7e615ab4a23e6e\part-jrog2-90.vpx

MD5 a3feee18df3f2ef19f6fe6f493afb123
SHA1 005ee607c0f3f6459a30675f906689616ddd99eb
SHA256 be994b277f65df1872557d53e7f55c62f3af4b50e744bca93998311363093ec9
SHA512 5881f379d63d58ed61467cf9a92cf53f40ed6aca9e6576af29a6dc4602e3200e4a6decb69b0dfac7ae9052de820f5132da881f2cc02a7c5ed0171eda05b241b9

C:\Windows\Temp\asw.6d7e615ab4a23e6e\part-vps_windows-24061199.vpx

MD5 d00a98ab97227224d17c17924aac4e5e
SHA1 9c6c80a4e6c799a3b562b2597fe567ff8bd5f404
SHA256 8a3b5176bff78d05a4589c08a9ba7b6af7de744cfbd45821b77816d7149fa842
SHA512 dd76fb5e3212f0beac81a559a4a438c11604a8c125e2e4567af4f33ee210f4aff48581033e447bfd3fafe675a60939a924e4027d3f30e49ebd1ce2ef017eb7f4

C:\Windows\Temp\asw.6d7e615ab4a23e6e\asw3f5da6f46c390b44.ini

MD5 9929a08ded5edd34efefb669a51284fb
SHA1 90442a01a9efe1c1dd73f4a3b0498877711bb397
SHA256 05cc2cde750b3c238f99b8beff373f9ea9612f66d3d8fd1a1c764eafc2eb4647
SHA512 f8c3862d1ff00dafc022eec5c7106f5d06588ee7eff3060da9cbc8b4cb5b05f1e2ca68568a2a1c49cb32a7bd2c887e1a6fbb7816d894c62f81f0bd4ea1cfec91

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 92f7a7403dc656dbf95bff68161095ca
SHA1 323983e7bf2ddf1d019af490310a7a9cdb904cc6
SHA256 17ce269b6cc589cb8025d90f5f9fd54f906859c18f9bba06c703efd367d3c1ab
SHA512 2b119919de921732f89d75a87c59f03f9b3b393f23815954a7bf7006c3623541748f5c61a7723a5fb4925658cac0134e2cff23cc24ecc450044e763ea1c346bc

C:\Windows\Temp\asw.6d7e615ab4a23e6e\config.def

MD5 b967e8988fbaa130437c03e6287bbde0
SHA1 5232786528a58b8d8ff54a7f4513fbe1b3c1a6f2
SHA256 3ab5a6e58fcaaca7f2230493326968b47693d2232a2fe6c223946a14907fed66
SHA512 87f0fc084cdbbb35075eef1b11000be72d251bcfa8525c707a83202019f390ce1e3911342f5bd7830b29b8c4d39f744a1b37fe327a92e49bd06d73c8dca9fecf

C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0