Malware Analysis Report

2024-09-23 12:03

Sample ID: 240612-p23s8sygnp
Target: 71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39
SHA256: 71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39
Tags: bootkit, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39

Threat Level: Likely malicious

The file 71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39 was found to be: Likely malicious.

How to read this verdict: the "bootkit persistence" tag, which carries most of the score, rests on a single indicator, \??\PhysicalDrive0 being opened for modification by the sample and by the three installer processes it spawns (see "Writes to the Master Boot Record (MBR)" under behavioral1). An opened write handle is not evidence that sector 0 was overwritten. Everything else in the report (the dropped avast_free_antivirus_setup_online_x64.exe, instup.exe and aswOfferTool.exe, the /prod:ais and /sfx:lite command lines, the registry activity under Avast Software\Avast and AvastPersistentStorage) matches what an Avast Free Antivirus online installer does. What the report does not establish is whether the submitted, unsigned sample is a genuine Avast installer or a wrapper around one; the practical follow-up is to verify the Authenticode signature of the dropped avast_free_antivirus_setup_online_x64.exe and to compare the MBR before and after detonation rather than rely on the signature name alone.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 12:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 12:50
Reported: 2024-06-12 12:52
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe | N/A
N/A (7 events) | N/A | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
N/A (18 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe | N/A
N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A

Caveat: this signature fires when a handle to the raw disk is opened with write access. The report records no sector write, so it does not show that the bootstrap code or the partition table changed. Legitimate software also opens PhysicalDrive0, for example to read the disk signature or geometry, and a handle-open event alone cannot tell the two apart. The check that settles it is to read sector 0 before and after detonation and compare the bootstrap code (bytes 0-439), the partition table and the 0x55AA boot signature.
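
The before/after comparison described above, as an added example that is not part of this report and not code from Avast or from the sandbox: it parses a 512-byte MBR image (bootstrap code, NT disk signature, the four partition entries and the 0x55AA terminator), hashes the bootstrap code, and lists what differs between a baseline image and a later one. The baseline image, the "tampered" image and every constant in them are constructed for the demo; read_mbr() shows how sector 0 would be read from \\.\PhysicalDrive0 on a real machine (administrator rights required) and is not called offline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, the part an MBR bootkit replaces
DISK_SIG_OFF = 440         # 4-byte NT disk signature (2 reserved bytes follow it)
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA terminator
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR sector into its security-relevant fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_boot_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings for what changed between two MBR images."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["valid_boot_signature"]:
        findings.append("boot signature 0x55AA missing")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) changed")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Needs administrator rights on Windows
    (root with e.g. /dev/sda on Linux). Not called by the offline demo."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test image (not data from the report): the given boot code,
    one bootable type-0x07 partition at LBA 2048, and a valid 0x55AA terminator."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline: a few x86 opcodes (cli; xor ax,ax; mov ss,ax) then zero padding.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")


def tampered_boot_code() -> bytes:
    """Constructed 'after' image: same partition table, but the first two bytes of
    the boot code overwritten with a short jump, the way an MBR-hooking bootkit does."""
    image = bytearray(BASELINE_MBR)
    image[0:2] = b"\xeb\x3c"
    return bytes(image)


if __name__ == "__main__":
    print("baseline partitions:", parse_mbr(BASELINE_MBR)["partitions"])
    print("findings:", diff_mbr(BASELINE_MBR, tampered_boot_code()))
```

On a sandbox VM, take read_mbr() from the clean snapshot, detonate, read again and pass both images to diff_mbr(). A change in the bootstrap code or partition table is the real bootkit indicator; an unchanged MBR after a "PhysicalDrive0 opened for modification" event means the signature was a write-handle heuristic, nothing more.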

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "56" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "67" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "32" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "37" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "53" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "63" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "60" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "27" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "42" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "44" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "57" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "22" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "70" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "33" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "1" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "40" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "72" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "82" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "74" | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: part-setup_ais-15020997.vpx" | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A

Modifies system certificate store

Tags: evasion, spyware, trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <elided> | C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe | N/A

Caveat: the key sits under SystemCertificates\AuthRoot, the store that Windows' automatic root certificate update fills with roots from Microsoft's trusted root list when a certificate chain is built, here while the sample and its children download installer packages. A root that malware plants to intercept TLS is normally added to SystemCertificates\ROOT (or to the user's store), not to AuthRoot. The thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 fingerprint of DigiCert Global Root CA. The report elides the Blob value, so the certificate cannot be checked from this page; on a live system, decode the Blob and confirm that the SHA-1 of the embedded certificate matches the key name.
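The Blob check just described, as an added example that is not part of this report and not Avast or Microsoft code: a SystemCertificates Blob value is a sequence of property records, each a 12-byte header (property id, a reserved DWORD, data length) followed by the data, with the DER certificate stored under property id 0x20 and, usually, its cached SHA-1 under 0x03. The parser below splits the records, recomputes the thumbprint from the DER bytes and compares it with the registry key name and the cached hash. SAMPLE_DER and SAMPLE_BLOB are constructed stand-ins (not a real certificate and not the elided blob from the report); read_authroot_blob() reads a real entry via winreg on Windows and is not used offline.

```python
import hashlib
import struct

# Property ids used inside a SystemCertificates "Blob" value (wincrypt.h CERT_*_PROP_ID).
CERT_SHA1_HASH_PROP_ID = 0x03   # cached SHA-1 thumbprint, when present
CERT_CERT_PROP_ID = 0x20        # the DER-encoded certificate itself
PROP_HEADER = struct.Struct("<III")   # property id, reserved (1), data length


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}. Records sit back to back:
    a 12-byte header (id, reserved, length) followed by `length` bytes of data."""
    props = {}
    off = 0
    while off < len(blob):
        if off + PROP_HEADER.size > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _reserved, length = PROP_HEADER.unpack_from(blob, off)
        off += PROP_HEADER.size
        if off + length > len(blob):
            raise ValueError("property 0x%02x runs past the end of the blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def thumbprint_from_blob(blob: bytes) -> str:
    """SHA-1 over the DER certificate (property 0x20), upper-case hex like the key name."""
    der = parse_cert_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 0x20)")
    return hashlib.sha1(der).hexdigest().upper()


def check_certificate_entry(key_name: str, blob: bytes) -> dict:
    """Cross-check a Certificates\\<thumbprint> key against the Blob it holds."""
    props = parse_cert_blob(blob)
    computed = thumbprint_from_blob(blob)
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "thumbprint": computed,
        "key_name_matches": computed == key_name.strip().upper(),
        "cached_hash_matches": cached is None or cached.hex().upper() == computed,
        "der_length": len(props[CERT_CERT_PROP_ID]),
    }


def read_authroot_blob(thumbprint: str) -> bytes:
    """Windows only: fetch the Blob of one AuthRoot entry from HKLM. Not used offline."""
    import winreg
    path = r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\%s" % thumbprint
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _type = winreg.QueryValueEx(key, "Blob")
    return value


def build_blob(props: dict) -> bytes:
    """Serialise properties in the same record layout; used only to build the sample."""
    out = bytearray()
    for prop_id, data in props.items():
        out += PROP_HEADER.pack(prop_id, 1, len(data)) + data
    return bytes(out)


# Constructed sample: a stand-in for a DER certificate (a SEQUENCE header plus filler,
# not a real certificate), wrapped with its cached SHA-1 the way Windows stores it.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(32))
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob({CERT_SHA1_HASH_PROP_ID: hashlib.sha1(SAMPLE_DER).digest(),
                          CERT_CERT_PROP_ID: SAMPLE_DER})

if __name__ == "__main__":
    print(check_certificate_entry(SAMPLE_THUMBPRINT, SAMPLE_BLOB))
    # The key name from the report, checked against the sample blob: must not match.
    print(check_certificate_entry("A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", SAMPLE_BLOB))
```

On the detonation VM, pass the key name from the report to read_authroot_blob() and feed the result to check_certificate_entry(). A key whose name does not match the SHA-1 of the embedded certificate, or a certificate that is not the expected root, is the finding; a matching, publicly known root under AuthRoot is the automatic root update doing its job.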

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2172 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe
PID 2172 wrote to memory of 2376 (3 events) | N/A | C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe
PID 2376 wrote to memory of 596 (3 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe
PID 596 wrote to memory of 2500 (7 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
PID 596 wrote to memory of 2816 (7 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
PID 596 wrote to memory of 2520 (7 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
PID 596 wrote to memory of 2652 (7 events) | N/A | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe | C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe

Every write listed here goes from a parent into a process it has just created (2176 → 2172 → 2376 → 596 → four aswOfferTool.exe instances), the same chain shown under Processes. Parent-to-child writes at process creation are routine; a write into a process the writer did not spawn would be the injection indicator to look for, and none appears.

Processes

C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe

"C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe"

C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a5i_m /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add

C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.e5c5dec041efd4a1 /edition:1 /prod:ais /stub_context:75f70dbc-75fb-4054-ac07-252f37159f94:9897680 /guid:448ea62b-14df-4160-a38d-de8808b620a8 /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /cookie:mmm_ava_012_999_a5i_m /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.e5c5dec041efd4a1 /edition:1 /prod:ais /stub_context:75f70dbc-75fb-4054-ac07-252f37159f94:9897680 /guid:448ea62b-14df-4160-a38d-de8808b620a8 /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /cookie:mmm_ava_012_999_a5i_m /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add /online_installer

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA

Network


Files

\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe

C:\Windows\Temp\asw.ca0b53132b010add\ecoo.edat

C:\Windows\Temp\asw.e5c5dec041efd4a1\servers.def

C:\Windows\Temp\asw.e5c5dec041efd4a1\Instup.dll

C:\Windows\Temp\asw.e5c5dec041efd4a1\Instup.exe

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

C:\Windows\Temp\asw.e5c5dec041efd4a1\config.def

C:\Windows\Temp\asw.e5c5dec041efd4a1\asw8fab2e6575e76ce4.ini

C:\Windows\Temp\asw.e5c5dec041efd4a1\HTMLayout.dll

C:\Windows\Temp\asw.e5c5dec041efd4a1\servers.def.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\uat64.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\prod-pgm.vpx

\Windows\Temp\asw.e5c5dec041efd4a1\uat64.dll

C:\Windows\Temp\asw.e5c5dec041efd4a1\part-setup_ais-15020997.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\prod-vps.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswdf9c56347b8453d9.tmp

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\asw9675bdf82e93b4c1.tmp

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\asw918978de40cf8c71.tmp

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswc5f13fb0fcd7102c.tmp

C:\Windows\Temp\asw.e5c5dec041efd4a1\offertool_x64_ais-997.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\sbr_x64_ais-997.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\asw5fd8600493e4cff2.tmp

C:\Windows\Temp\asw.e5c5dec041efd4a1\part-prg_ais-15020997.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\setup.def

C:\Windows\Temp\asw.e5c5dec041efd4a1\part-jrog2-90.vpx

C:\Windows\Temp\asw.e5c5dec041efd4a1\part-vps_windows-24061199.vpx

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\gcapi_17181966572520.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:50

Reported

2024-06-12 12:52

Platform

win10v2004-20240508-en

Max time kernel

70s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe

"C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe"

Network


Files

N/A