Analysis Overview
SHA256
bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294
Threat Level: Likely malicious
The file bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks for any installed AV software in registry
Writes to the Master Boot Record (MBR)
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 09:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 09:56
Reported
2024-06-12 09:58
Platform
win7-20240611-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "6" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "64" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "66" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "32" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "43" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "19" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "86" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "31" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "91" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "65" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "70" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "9" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "50" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "85" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "14" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "76" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "82" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21" | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "51" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "3" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "4" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "49" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "61" | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 32 | N/A | C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe
"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"
C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6h_m /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89
C:\Windows\Temp\asw.757f809abe387aa1\instup.exe
"C:\Windows\Temp\asw.757f809abe387aa1\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.757f809abe387aa1 /edition:1 /prod:ais /stub_context:c4b61cbe-d485-43dd-b351-08ef6215d74e:9897680 /guid:91a1979d-d44b-4269-a065-43234ed4ca36 /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /cookie:mmm_ava_012_999_a6h_m /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.757f809abe387aa1 /edition:1 /prod:ais /stub_context:c4b61cbe-d485-43dd-b351-08ef6215d74e:9897680 /guid:91a1979d-d44b-4269-a065-43234ed4ca36 /ga_clientid:f3188ad4-f8e2-4c04-8eae-ea1bde452326 /cookie:mmm_ava_012_999_a6h_m /edat_dir:C:\Windows\Temp\asw.3231917d683b8e89 /online_installer
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" /check_secure_browser
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChrome -elevated
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe
"C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswOfferTool.exe" -checkChrome -elevated
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | iavs9x.u.avast.com | udp |
| US | 34.117.223.223:80 | v7event.stats.avast.com | tcp |
| GB | 23.73.139.81:443 | iavs9x.u.avast.com | tcp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| GB | 23.73.139.81:443 | iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:443 | iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:443 | iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:443 | iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | iavs9x.u.avast.com | tcp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 34.117.223.223:443 | analytics.avcdn.net | tcp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
| US | 8.8.8.8:53 | c3978047.iavs9x.u.avast.com | udp |
| US | 8.8.8.8:53 | c3978047.iavs9x.u.avast.com | udp |
| GB | 23.73.139.56:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.81:80 | l7814800.iavs9x.u.avast.com | tcp |
| US | 8.8.8.8:53 | d3176133.iavs9x.u.avast.com | udp |
| US | 8.8.8.8:53 | d3176133.iavs9x.u.avast.com | udp |
| GB | 23.73.139.56:80 | d3176133.iavs9x.u.avast.com | tcp |
| GB | 23.73.139.56:80 | d3176133.iavs9x.u.avast.com | tcp |
| US | 8.8.8.8:53 | c3978047.vps18tiny.u.avcdn.net | udp |
| US | 8.8.8.8:53 | c3978047.vps18tiny.u.avcdn.net | udp |
| GB | 23.73.139.43:80 | c3978047.vps18tiny.u.avcdn.net | tcp |
| GB | 23.73.139.43:80 | c3978047.vps18tiny.u.avcdn.net | tcp |
| GB | 23.73.139.43:80 | c3978047.vps18tiny.u.avcdn.net | tcp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
| US | 8.8.8.8:53 | alpha-license-dealer.ff.avast.com | udp |
| BE | 34.140.0.190:443 | alpha-license-dealer.ff.avast.com | tcp |
| US | 8.8.8.8:53 | alpha-iqs.ff.avast.com | udp |
| BE | 34.76.203.183:443 | alpha-iqs.ff.avast.com | tcp |
| BE | 34.76.203.183:443 | alpha-iqs.ff.avast.com | tcp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 8.8.8.8:53 | ipm-provider.ff.avast.com | udp |
| US | 8.8.8.8:53 | ipm-provider.ff.avast.com | udp |
| US | 8.8.8.8:53 | ipm-provider.ff.avast.com | udp |
| US | 34.111.24.1:443 | ipm-provider.ff.avast.com | tcp |
| US | 8.8.8.8:53 | ipmcdn.avast.com | udp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 8.8.8.8:53 | ipmcdn.avast.com | udp |
| GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 8.8.8.8:53 | ipmcdn.avast.com | udp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
| GB | 2.22.15.85:443 | ipmcdn.avast.com | tcp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
Files
\Windows\Temp\asw.3231917d683b8e89\avast_free_antivirus_setup_online_x64.exe
| MD5 | 54aaadc43b9a0a026a86db8d350a2cd3 |
| SHA1 | d1b767200495717f9abbd808c3b38079c64be877 |
| SHA256 | de1fa4badf89ecf4beedfd8f00f79e145e3f492be540e0964ef7468213a20844 |
| SHA512 | 1d75da2ad226d1a6e744854a49b05416db10d4ef68ddf0d7d2d93f01b30a28cb84ae2b1a9c9ddc1817781a98409ed9556c02822f57965ab6f8865e3c55c36f3a |
C:\Windows\Temp\asw.3231917d683b8e89\ecoo.edat
| MD5 | 245f1a8571179f960b43703c405e11ec |
| SHA1 | ac9a4d13c7f9907a81f13c0419344d48fdda7e1c |
| SHA256 | d30d2c1e8781e93bc5c713e7c01890c459c65e8bc356034ed74ae2d63dd288fe |
| SHA512 | 906e7e1b0b9666bf7925696b0e39af1dc6d601e717b585ef4efc03ba503fcff43acea7655419974cc1b7f379b5c1564cdd48bc75a23eec83a715cb66cb5e65c4 |
C:\Windows\Temp\asw.757f809abe387aa1\servers.def
| MD5 | e76e81467cf59e07920fa8350f262269 |
| SHA1 | e0ab1867d50c7d6cf2f35ca00aa94564cde1ef94 |
| SHA256 | cd4ca129df4cda34752225d61dc5b810e768bdeb60b0b8fb3fba3826820761c8 |
| SHA512 | 5b29f1f97e6ef1acc567beb1340d13a07c52d94cc6ae6284650c3e717f137af3db43b84a2904f26e772e524dc8e69cdb86eb8e98e9ec65323769171e0ee35070 |
C:\Windows\Temp\asw.757f809abe387aa1\Instup.dll
| MD5 | 3b6abc970f7227284d87acd2d95c7c5a |
| SHA1 | 02b1248aa23cb8aee91b06a9b8b044fa93b469b1 |
| SHA256 | ecf706e38e489c6840b68db5b6fdb4687a175ec6c325c8673f27f7cbf01234fa |
| SHA512 | bd06e9599fee8ac872ad6cb5e539a78137daf8b831eb7be3df8bc773d91f9eb4883d01404b7c6724997e6ec1526af213ed1988780c9e40ba98227649ee91a2b1 |
C:\Windows\Temp\asw.757f809abe387aa1\Instup.exe
| MD5 | 4aed041ad383def5407e438fd5597675 |
| SHA1 | 6a5d6ddeb83b4e6425cc77190b0539b6e5dffbc4 |
| SHA256 | 1cb887579ece5a1d11832d0543f0b02c338ac8581d54909bc641abe13e294abf |
| SHA512 | 4b2c07668565f4a01f4e7f124e1050bd12228dc2547a00add12921b2300a71588387d8c2d3c0de4303222c5ea2e65bfafe2ab342417d2c5ab8ac300c40d5c171 |
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
| MD5 | 60dfbaf53b1ef24c24260b073a266551 |
| SHA1 | a08f584b75d0a9d9c4e04ecdcea1b23f33146a91 |
| SHA256 | 926b551f5df161000284fe9d6ba566af8ac4f8dc89ef501e216f95d698421b83 |
| SHA512 | b29e9072fa7ecce3731c3ab5d3c0449c86321740d8e078387e417d01436aff070b66dafe762c04d0fde0773364a5532a877b6acdb68aafb39e66b58e31d41946 |
C:\Windows\Temp\asw.757f809abe387aa1\config.def
| MD5 | da59c9092a31f572c882d563c600a34f |
| SHA1 | 0ec1cb7f7c16252d637d71e08e9363bfe96a5842 |
| SHA256 | 563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766 |
| SHA512 | ee9ad7259df259dd6d444b6b8b933f2c6d928a3ed1f0de42598d09fdcdb0af2ae3f64dab888d3d5f4443a8b918e596f0ee28ee874fc9dfeeac422c3a9e107924 |
C:\Windows\Temp\asw.757f809abe387aa1\aswaa20ac4f5602573d.ini
| MD5 | 56a2c5fc58628b61b7532097fcc9af0c |
| SHA1 | efa54cd9a863371ead54a56d1a9b7601675067f9 |
| SHA256 | 652c80e9c04030131b1d10ad7aec51d0a21e8b334955fe4bc02e3fe875db6afb |
| SHA512 | c61ceee672467dac9cbfc17b2c6ea31c7e90e7cb4060aa01745d00b9de59185a762a1ab424bc95d4e94548d7a39e4a3cc490dc02a09bb15c1ad08f190be0a610 |
C:\Windows\Temp\asw.757f809abe387aa1\config.def
| MD5 | aa93672fa5e2fd382ab779a8e46215c4 |
| SHA1 | 32659cae689d6ec0e28e210b292fd27864abff82 |
| SHA256 | 9ed779578343731ae6f15b02fa30f95d8734ba419454e5fdc8a007248489b246 |
| SHA512 | 2c9a6d03e6d319b67ffa6a5aade45f8006899ec5c02d8bcbff21660317c0fa31336028c317afb2b442bdbdb4761beefda7cabed918f5c20474bc9b8f1be0ff9f |
C:\Windows\Temp\asw.757f809abe387aa1\config.ini
| MD5 | 40e1e1b53a76946c721f9202e7ad46c4 |
| SHA1 | 6ee540984144dde56592e7ce7deb298a714341ac |
| SHA256 | 118cb16e5e5961155bca9ced69e74d28bfdbd37fa62beda8e1f8aa4c8ed981aa |
| SHA512 | 56847aaec184f29d3a8b1044ec3a0417e2f3a42d5d6b8f0109aee66c32a60a90bba9f70cf7523ed1cc84ed286aeecf20727dc7ac8ab805468991fcd4af2cf608 |
\Windows\Temp\asw.757f809abe387aa1\HTMLayout.dll
| MD5 | 39a20f9d67d6d4bac0ff081c62b13996 |
| SHA1 | b5b6b70e943a96a8697f07759245702e026be7e7 |
| SHA256 | 825288012e4c15035b3d7fdfda396912b83992bf0683f9d2a5d55dfa1306b5a1 |
| SHA512 | 798f6616b4f07bc75c5833a906735c1cc44d2ac044ceed4119005601e6f0266327ffb4819a44bac49bc0cde8b2ac7a021d098a12da586689de1119914e2032b0 |
C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\Temp\asw.757f809abe387aa1\servers.def.vpx
| MD5 | dc5709c442df025a33cb2ca0d22133af |
| SHA1 | 5007da1e31f4705932c1f272dd4975b14bef268d |
| SHA256 | 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744 |
| SHA512 | c6938f9569e943bbc04fe39acdf8e7302b77124b7f1e2ccbb20ec01242238e81b6ab83730393fe61ce716cb1c4e7df064c65bc5ce84540371fcf6a50a615cb6b |
C:\Windows\Temp\asw.757f809abe387aa1\uat64.vpx
| MD5 | 11bb373887fe44e1edea08b70c638095 |
| SHA1 | e887149cb489a3aec8092636379ac4c64e389089 |
| SHA256 | a2f66db4a802a3aeb977d40a22e399382d8b82da216645defa5b5009602fa358 |
| SHA512 | d9933cb1b8258f13b21d3bf6a648ed81de1608663e1166a8eaf1baea60f4bc5017ac218f277beb4e65e6719ca57d2910cd6c268ee8a5f8766c13680e86fba879 |
C:\Windows\Temp\asw.757f809abe387aa1\prod-pgm.vpx
| MD5 | d4f72d1329501105ec7111178ac7c98f |
| SHA1 | 17bfc1e8299b43c46b18442b7e74f84953dc6193 |
| SHA256 | e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7 |
| SHA512 | 570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329 |
\Windows\Temp\asw.757f809abe387aa1\uat64.dll
| MD5 | c0719ef096798494a616f84f587282d7 |
| SHA1 | ee38158f887bc2189234330c4891f12f9d902d7a |
| SHA256 | ba4d8d0ba809d934004da646ec31a72650dc16e4288404badd761e4bed6a982a |
| SHA512 | 7b22ac9c0c2c881674333d325363aa1d378d3b3c75700a7713a7f33b6ee144c43cd209d9fe9ff31a93b329881dc14c873cb2338af4695d44724afd5ddda5d298 |
C:\Windows\Temp\asw.757f809abe387aa1\part-setup_ais-15020997.vpx
| MD5 | 365b6ee6fbde00af486fc012251db2da |
| SHA1 | 8050ba5a9b6321f067fc694527011ba00767d4a2 |
| SHA256 | 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830 |
| SHA512 | 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261 |
C:\Windows\Temp\asw.757f809abe387aa1\prod-vps.vpx
| MD5 | 0066d9b938e4d92eed90d515c0da993f |
| SHA1 | 60f4f31c64671349b100505428a618c9a9033820 |
| SHA256 | bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209 |
| SHA512 | d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62 |
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw95d2cbd4d0afd6fa.tmp
| MD5 | ef035189604e7f5d68a62827b985ccbb |
| SHA1 | c094c6eef2640a71aee9f4b27123c2080d38136f |
| SHA256 | 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740 |
| SHA512 | 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9 |
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswac90eae6e8103a62.tmp
| MD5 | 700b6740e6bfa7729f146572d8455348 |
| SHA1 | 19d80fb0251f417283ed36fc20c43079b3f6fbb8 |
| SHA256 | d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e |
| SHA512 | 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65 |
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\aswe43ed79712e695d3.tmp
| MD5 | b216fc28400c184a5108c0228fba86bc |
| SHA1 | 5d82203153963ebede19585b0054de8221c60509 |
| SHA256 | 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd |
| SHA512 | 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294 |
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw47ab0fc3b07b7a02.tmp
| MD5 | 9ee6528abdad768fbfa28bd1bb80ebe9 |
| SHA1 | f5582697e068ba1d56825fc32bd5ab1a71bd4d38 |
| SHA256 | 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4 |
| SHA512 | de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9 |
C:\Windows\Temp\asw.757f809abe387aa1\offertool_x64_ais-997.vpx
| MD5 | c5665f1f93d9aabbcb1dde533e2c46e6 |
| SHA1 | 732389de20c600d0222d61b4ee74b0be6412a45b |
| SHA256 | adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a |
| SHA512 | 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0 |
C:\Windows\Temp\asw.757f809abe387aa1\sbr_x64_ais-997.vpx
| MD5 | 13e9fbb02cb7497562b59a9ef8f1ee92 |
| SHA1 | 047936e9296e77939b5b23c1a2af3056eaa2ae99 |
| SHA256 | 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a |
| SHA512 | 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba |
C:\Windows\Temp\asw.757f809abe387aa1\New_15020997\asw6636064c161d1be0.tmp
| MD5 | d9be57d4e1a25264b8317278f8b93396 |
| SHA1 | d3c98696582fed570f38ae45bf22b8197253b325 |
| SHA256 | a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3 |
| SHA512 | 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697 |
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
| MD5 | 7f38d84a2ca61f423f51b9cf1bfffdf2 |
| SHA1 | c7ead1ccd5f019862f9ab3fca61088da88a8a451 |
| SHA256 | fa0eea0e62bde4ea8e2bdfbe06cb9f8e0ba010512ce342b5b60b9e069e23733a |
| SHA512 | 9d5bf5dd2b60c4558ef328968c80fb74dfeb241eab89cfd053e588f346270fce2421a9524662c9f3339bbfbcacc38603d3ce807ef6b9c82c94e74efc31655135 |
C:\Windows\Temp\asw.757f809abe387aa1\part-prg_ais-15020997.vpx
| MD5 | b898fa20bf9b0321b50a8d4946aae799 |
| SHA1 | 4e173a99dc9a9ef507112857525ad53991f4d2a0 |
| SHA256 | 6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c |
| SHA512 | c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810 |
C:\Windows\Temp\asw.757f809abe387aa1\setup.def
| MD5 | be793535c4acf02d4ad13b20d0c84deb |
| SHA1 | 65dd6b4891a75848042c10057808535298cee3e1 |
| SHA256 | 31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd |
| SHA512 | 7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62 |
C:\Windows\Temp\asw.757f809abe387aa1\prod-vps.vpx
| MD5 | 85f4992f7b075bcc8fc6cc4f5e24afd4 |
| SHA1 | abe54ed56c0d23d3e1184bd500ba0fb6cf03fdde |
| SHA256 | 3dc8281c192753aafe5408485d3344df73209c96989b0524fe2db5a081d848a0 |
| SHA512 | 271ab9967418f12041eeecc39b16881d4f46b0ea4ab59b8dbf7c88c22ef99b1c069a1060f8f94784e39e37d6cc0e6bd68f734d41999055727cc1f12c29cc1ee1 |
C:\Windows\Temp\asw.757f809abe387aa1\part-jrog2-90.vpx
| MD5 | a3feee18df3f2ef19f6fe6f493afb123 |
| SHA1 | 005ee607c0f3f6459a30675f906689616ddd99eb |
| SHA256 | be994b277f65df1872557d53e7f55c62f3af4b50e744bca93998311363093ec9 |
| SHA512 | 5881f379d63d58ed61467cf9a92cf53f40ed6aca9e6576af29a6dc4602e3200e4a6decb69b0dfac7ae9052de820f5132da881f2cc02a7c5ed0171eda05b241b9 |
C:\Windows\Temp\asw.757f809abe387aa1\part-vps_windows-24061199.vpx
| MD5 | d00a98ab97227224d17c17924aac4e5e |
| SHA1 | 9c6c80a4e6c799a3b562b2597fe567ff8bd5f404 |
| SHA256 | 8a3b5176bff78d05a4589c08a9ba7b6af7de744cfbd45821b77816d7149fa842 |
| SHA512 | dd76fb5e3212f0beac81a559a4a438c11604a8c125e2e4567af4f33ee210f4aff48581033e447bfd3fafe675a60939a924e4027d3f30e49ebd1ce2ef017eb7f4 |
C:\Windows\Temp\asw.757f809abe387aa1\config.def
| MD5 | 0e7a4080ff0ab8ddc0ecc35a512a55a6 |
| SHA1 | 1bec2128c9c5874e7d7ea308ad5d07710ecfb7f5 |
| SHA256 | beb4517a19e6d2801749c50875557796b87725c6ca23251241facf25f316903d |
| SHA512 | 9e61b3b54a6279f33043ef2712c231e0b43c63bd74128b011248ea2753cc557e19b416b5c8ea3c2b76b55f3d7c43339d901acdc60e46eddff51b3206c7cbfbb5 |
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log
| MD5 | cbf22598a4d872bb9f4c072ed693c720 |
| SHA1 | 5b424847396f8130c96b64a075d6e4c0aef29849 |
| SHA256 | c3162a7f1ab97598b4fd3ff7d27dfe579da6414ad119cf14131ec223a7b2e752 |
| SHA512 | 1e93081fccd2c37c2e087603650d861e98479236818fc48a30b116f6220257d4967a6b58f604fe2b5ed052272260142b2fbb31b7262efddb703e7bcd8dbe8a14 |
\Windows\Temp\asw.757f809abe387aa1\New_15020997\gcapi_17181862132588.dll
| MD5 | 2973af8515effd0a3bfc7a43b03b3fcc |
| SHA1 | 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee |
| SHA256 | d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0 |
| SHA512 | b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e |
memory/748-337-0x000007FEF3160000-0x000007FEF353A000-memory.dmp
memory/748-336-0x000007FEF3540000-0x000007FEF486B000-memory.dmp
memory/748-338-0x000007FEF3540000-0x000007FEF486B000-memory.dmp
memory/748-348-0x000007FEF3540000-0x000007FEF486B000-memory.dmp
memory/748-350-0x000007FEF3540000-0x000007FEF486B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 09:56
Reported
2024-06-12 09:59
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a3d.vpx" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-a3d.vpx" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a3d.vpx" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a3d.vpx" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 32 | N/A | C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe
"C:\Users\Admin\AppData\Local\Temp\bbdc50a409493a675c15ff7873171c308df7c484cf8ba885f1ace3c19ef19294.exe"
C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.0823071b187b5af6\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6h_m /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6
C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.6d7e615ab4a23e6e /edition:1 /prod:ais /stub_context:b5cebbc0-2a2b-4bd6-aaab-7e83669a5455:9897680 /guid:55c4e2b6-d9db-452d-899e-a77d56e0f637 /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /cookie:mmm_ava_012_999_a6h_m /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6
C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.6d7e615ab4a23e6e /edition:1 /prod:ais /stub_context:b5cebbc0-2a2b-4bd6-aaab-7e83669a5455:9897680 /guid:55c4e2b6-d9db-452d-899e-a77d56e0f637 /ga_clientid:58891209-c0e0-472c-b650-cbe8bcde0e69 /cookie:mmm_ava_012_999_a6h_m /edat_dir:C:\Windows\Temp\asw.0823071b187b5af6 /online_installer
C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkGToolbar -elevated
C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" /check_secure_browser
C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkChrome -elevated
C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe
"C:\Windows\Temp\asw.6d7e615ab4a23e6e\New_180517e4\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
Files