Malware Analysis Report

2024-09-23 12:04

Sample ID 240612-p2schavhka
Target 2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef
SHA256 2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef
Tags: bootkit persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef

Threat Level: Likely malicious

The file 2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 12:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 12:49

Reported: 2024-06-12 12:52

Platform: win7-20240220-en

Max time kernel: 143s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "40" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "75" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "30" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "71" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "82" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "14" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "63" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "58" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "1" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "92" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-c62.vpx" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "43" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "51" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "90" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "89" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "15" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "29" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "85" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "93" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "27" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "42" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-c62.vpx" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "7" C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "DNS resolving" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe
PID 2208 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe
PID 2208 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe
PID 2208 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe
PID 2220 wrote to memory of 1244 N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe
PID 2220 wrote to memory of 1244 N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe
PID 2220 wrote to memory of 1244 N/A C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe
PID 1244 wrote to memory of 872 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe
PID 1244 wrote to memory of 872 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe
PID 1244 wrote to memory of 872 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2968 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2720 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2292 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe
PID 872 wrote to memory of 2864 N/A C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe

"C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe"

C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe

"C:\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_012_999_e7f_m /ga_clientid:d52a2bef-feca-46d0-ae6b-245a4336d12c /edat_dir:C:\Windows\Temp\asw.10b90435db2e67e8

C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.0b98eb614dbd04d2 /edition:15 /prod:ais /stub_context:7cadbaa8-9092-4718-b81b-cd955988623e:9994552 /guid:a2b77c9a-5435-44f0-abd6-72703483eb9e /ga_clientid:d52a2bef-feca-46d0-ae6b-245a4336d12c /cookie:mmm_bav_012_999_e7f_m /ga_clientid:d52a2bef-feca-46d0-ae6b-245a4336d12c /edat_dir:C:\Windows\Temp\asw.10b90435db2e67e8

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.0b98eb614dbd04d2 /edition:15 /prod:ais /stub_context:7cadbaa8-9092-4718-b81b-cd955988623e:9994552 /guid:a2b77c9a-5435-44f0-abd6-72703483eb9e /ga_clientid:d52a2bef-feca-46d0-ae6b-245a4336d12c /cookie:mmm_bav_012_999_e7f_m /edat_dir:C:\Windows\Temp\asw.10b90435db2e67e8 /online_installer

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe

"C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFA

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.avg.u.avcdn.net udp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
NL 96.16.53.153:443 iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:443 iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:443 iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:443 iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:443 iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 d9217321.iavs9x.avg.u.avcdn.net udp
US 8.8.8.8:53 d9217321.iavs9x.avg.u.avcdn.net udp
NL 96.16.53.146:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.153:80 s1299785.iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 d7509631.iavs9x.avg.u.avcdn.net udp
US 8.8.8.8:53 d7509631.iavs9x.avg.u.avcdn.net udp
NL 96.16.53.146:80 d7509631.iavs9x.avg.u.avcdn.net tcp
NL 96.16.53.146:80 d7509631.iavs9x.avg.u.avcdn.net tcp
US 8.8.8.8:53 b0017156.avi18tiny.u.avcdn.net udp
US 8.8.8.8:53 b0017156.avi18tiny.u.avcdn.net udp
NL 96.16.53.159:80 s9788044.avi18tiny.u.avcdn.net tcp
NL 96.16.53.159:80 s9788044.avi18tiny.u.avcdn.net tcp
NL 96.16.53.159:80 s9788044.avi18tiny.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 alpha-license-dealer.ff.avast.com udp
BE 34.140.0.190:443 alpha-license-dealer.ff.avast.com tcp
US 8.8.8.8:53 alpha-iqs.ff.avast.com udp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp

Files

\Windows\Temp\asw.10b90435db2e67e8\avg_antivirus_free_setup_x64.exe

MD5 72c1cad77d7a37f6eed6606b00b22738
SHA1 1883d039f42ead5318de8f5f37b61bad4b61fa72
SHA256 47cee4d44e8fe27f3229fa751c11259227a00b605d6a42e2cb066f100a9049c3
SHA512 87104f2cf47683f113398e71b795fbeadd6835b5d333e1aedf22e7d3afec7de3e138cbc949947235ff4892489caaf219405832df91885084e361806ac22d0209

C:\Windows\Temp\asw.10b90435db2e67e8\ecoo.edat

MD5 1d4e0e4e8171ed13c494adeeed3d3fae
SHA1 ad94ef4db6aa20944ef55447e02c2d5f986e948f
SHA256 7bcbed4ca467576f306ac3021d90b39ad43776bd0a9cf77bcde53e48581ad7fd
SHA512 4d7da02f009e7819ed60553fb89a915e36fd3e04c93336501e2c68d1e5a468ff22ef74f690b708dca46419611f16e321a4b8a7245d757bfbfe87ff79db8dd490

C:\Windows\Temp\asw.0b98eb614dbd04d2\servers.def

MD5 2b62fb1ecd174c7e951f2b8af502c1c0
SHA1 90744a9355dd5b74d2ecc7ee34fccbeca1c18f1b
SHA256 1fc616dd97e72451eda1324979f65df6af823aaaee1c83e5c2c3f3308cd26a67
SHA512 0f14fbab88469ed19cde8d54ad74276ae4b03a783bf99def2d0f4d655a6ff86a35aa7ce4e8a7dcb936c70789efc4714b9bf1b317e485a6a44f150be6792cd7a0

\Windows\Temp\asw.0b98eb614dbd04d2\Instup.exe

MD5 cb33ee6145c1dfad640103e1bc8b00e9
SHA1 e68405536c9501a5f7617636db734a7e7bfdb61c
SHA256 068bd9cd5dc944ff9030bdf3e31638408314e54861b93cdaf8c3c905a8005cac
SHA512 31608dc1d295c91d012fd4634494b182c6d4b70c255036cbd0f71ace56fbc1a69f8358b8799d2db21e0bea1010ad79dee774b6049bf31dd513042b460722508b

C:\Windows\Temp\asw.0b98eb614dbd04d2\Instup.dll

MD5 e9134948a4db2642f9bfaaf157a18bd0
SHA1 98249d941c196e9ee01f5d77713f13a12fff87f4
SHA256 67721cd04b1866888a97c1027e6d6ca5805b08124b724a31ff9931f9f3e28b2a
SHA512 629b39736755e9a9987a74aa9dab6aec94be061a3c70c140ce98d4eb9ca3575ccc02380990a023f3fbc1f49d56518f1dc9345fd8c7fe3b9cfbf7eb9c80187995

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

MD5 1782f102f1315b57630e4f943b95da9d
SHA1 4eabba0084e5496fafbf6263e05f9556336b571e
SHA256 5bfa5d01bf3ecc7b732bf4a4b6e3285db6d02bf8fc4785261a41c5f57fab0b2a
SHA512 21ea9e829625ca0630229f37d5a9254aa41f00c6d7b9a08ec958299aac32a79f0ba43baa97e09763eb5705a45370b547115024d5e11870fb8a3f30c9d434cf12

C:\Windows\Temp\asw.0b98eb614dbd04d2\config.def

MD5 b86dd14aadb9e34d004ad39a4693ced0
SHA1 1cb7775cee3e4106b2ddba89a0ccdc9dd547c521
SHA256 b64d1d23aef5cdeeb2279216a00c931b201bce90407c9cbff3a7ef2742873878
SHA512 03cb9215521da45e1df7b926fad7b0afd5ee001944c475a90c8646d7621d0d062267a682e102d81da0b5204ed215ec6ba4c7646d9340d71b0cb77ca12ddef0c1

C:\Windows\Temp\asw.0b98eb614dbd04d2\aswe2b980c3e8955745.ini

MD5 72a2295038a1cc4d9b59e112fefb73a9
SHA1 75d20db0c8d9e3376da7a69615737691845d446f
SHA256 df495b46aaf26bd363eb15e93beaa3a89d2d3fea0e33229a45c11f4014afe8c7
SHA512 a39905b825dec2658152d4af3552a04f9e9e2a77e3843d9ed672404f486a5f40a46bffa1dc0b7566bca47988749ecbe3c7cbd61f9546dec7356dee8d041720db

C:\Windows\Temp\asw.0b98eb614dbd04d2\config.def

MD5 9da30a7fc48305ab7e4db0ef54ec0d76
SHA1 a532b8d27de57455f387c0e81ca505a37d1f98b4
SHA256 429adb7080275c2e5d322a82da4c71a50d6d615d1533fa18d0b55e8599622a67
SHA512 79a368068173fc2f37cfdf82981aa9cec76f92887d6fefb7be365c5e7d395543b09b92fde65787c3cf7b88d4e7b8e7aab04b24e662529d60f7f3c88f9d42e353

C:\Windows\Temp\asw.0b98eb614dbd04d2\config.ini

MD5 cecb4ef3fdb772ae9db10986cf53f856
SHA1 7a402fe027e12e07cbf378ab91dedc9c118c1d91
SHA256 51b8b7ceecded40d93a9be8724d607bb63ddf74587920af785caa51ced80d377
SHA512 73d7da5cce5a9de4a6036c5e04960f7987519509c4d4c3346c712c002807b848017962518ee60753d7c6df8e1c31a0b9d3f226dfba5c080f059eef6a50cb3109

C:\Windows\Temp\asw.0b98eb614dbd04d2\HTMLayout.dll

MD5 4cc6efda014cc654142c97cd09175e37
SHA1 9ff80f73eb8aa9563ee04f3857fedbb4167a9a2a
SHA256 0ffd67c501dd1778c35830465f07f2390e318a485e0b22e437404b0a9d4b5ad2
SHA512 064ceb07ef2a8a5db7d07a3ee58df07008efd642f12960c7dce837f533876199c0773a4b9861cf7907487b7fb2a96d6a1efdcc854855fd9246198ca438cab751

C:\Windows\Temp\asw.0b98eb614dbd04d2\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.0b98eb614dbd04d2\servers.def.vpx

MD5 ca027a5ef5f6d21d7e42855fa4db4120
SHA1 eee669fe1c3cabd5f96c65ac992e4851f8eca9da
SHA256 e1b5e5122457b19ad5175b0b372d6d0b55813503827ad1d84c26f23b8506a66d
SHA512 8dcd63d2406f6f7e67053342553345bb372401a8dda64e1b41e937df7359a8e4c0afa9705d8fbb953aeed403d54bcd6a5d5bddf7ca1d6c43f1da37020bdda491

C:\Windows\Temp\asw.0b98eb614dbd04d2\prod-pgm.vpx

MD5 6d08ac0131cac7a2f9f2ea5d9d0b0cc6
SHA1 25983c1419089c6a7570963dda2d06e022b3b36d
SHA256 846f9f2f624c8a1f001a4bd7c7ca3158c8c79cb11fa6d474cfdf8e48d0238a3f
SHA512 753890f34fc1a925177a594c8bc5e19dc509fb8b32c1eef429496c5d19421200bdd75879c529981823340718bee82dafdf3f262a9ecf65de9ef03d12a1684b2c

C:\Windows\Temp\asw.0b98eb614dbd04d2\uat64.vpx

MD5 bd33707a5e0b6cc434fbaa32e69cb30a
SHA1 34ddc8fbda6acef9e07de571d4c00e65e3c09958
SHA256 bf60d1aa67abc73f927e1544ba8b66a79ec9143caedb15e1d94d023be6aba036
SHA512 02b78b7796e55e245d00ae5b94ae767c6c7da480ec609e84b1a4deafb5f6dbb8f15ad5947b3db421048e17d46419b2149ef23aa369ce42288d3bb5817a0863de

\Windows\Temp\asw.0b98eb614dbd04d2\uat64.dll

MD5 c53dc6d8050e08d12939b95e2f5c53dc
SHA1 01f3fd1a4c730cad939d243e6bb8f9fe8f1e0138
SHA256 5a690ef46a5c889adbad580b773a6025040426ee11d3817927dd1e77698e8ece
SHA512 75ec453cfa12a071322877db4244746de6ecec779c4f267cb3b9729437f3e0a90ffa2fe1d42e5baf05c159c8c6ef6c71bc7e258044162e5fcbaad10a9e93d84a

C:\Windows\Temp\asw.0b98eb614dbd04d2\part-setup_ais-15020c62.vpx

MD5 d5b798d8816b252e7d718195dfeb8a8c
SHA1 860c5807fd491aeeb12d661d8cf2ecca4ca1639b
SHA256 75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499
SHA512 16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

C:\Windows\Temp\asw.0b98eb614dbd04d2\prod-vps.vpx

MD5 b516373c4f4f0bd98bbbcd71b4022e4d
SHA1 fb2ccdcbec8ddcd91f35fd762dd86a5b2cb8e062
SHA256 52e06087d9c0968150bc5d3b06895e3ab9b69aebea20e0328434b703aa242099
SHA512 b1ef7ffd12b104a3caf8676c95285693c2af057537df0e87a292cea51bddf34be3ff00adae1337ecede93a8de9bb9ee71c464920f9f54c7bf3236d74aae98469

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\asw92710a27a5b5e950.tmp

MD5 bbb61ad0f20d3fe17a5227c13f09e82d
SHA1 01700413fc5470aa0ba29aa1a962d7a719a92a82
SHA256 39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e
SHA512 c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\asw3b16dfb8d3efce33.tmp

MD5 43dc9e69f1e9db4059cf49a5e825cfda
SHA1 519298f8a681b41d2d70db2670cc7543f1ee6da4
SHA256 98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d
SHA512 d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswa496781361e92788.tmp

MD5 c545527e69a46359a4a45f58794a0fe5
SHA1 e233e5837bfe5d1429300fb33f12f5b54689781b
SHA256 8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9
SHA512 754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswe4c9102b3ef8dd83.tmp

MD5 917a284494cbe4a4ec85e1ec768339c9
SHA1 47ccc0a04ecc7c3c1ff79bf42d424cfda356137c
SHA256 57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772
SHA512 90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\asw816f8cae1433379f.tmp

MD5 ce4d45d0b684f591d5a83fdbd99bd306
SHA1 e89637b905c37033950afadaca2161bd5b09fb5e
SHA256 907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7
SHA512 af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\asw0b8ea64d711a33b3.tmp

MD5 e38cc92cd980a55d811316ac62883e14
SHA1 fa83737abe11ee825c3da6843cc4d8e3b459729a
SHA256 be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87
SHA512 1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

C:\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\aswbe766cc5ef988b1b.tmp

MD5 0b830444a6ef848fb85bfbb173bb6076
SHA1 27964cc1673ddb68ca3da8018f0e13e9a141605e
SHA256 63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f
SHA512 31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

MD5 96c4b4f461949116c64b9daf76b71eae
SHA1 5f36b63307bea01db87817e4a94c9c98987923fe
SHA256 9f03dc618350fa25906e1855bc37d4946f57f30f119406bca5d9af175961bcf8
SHA512 2acad488bbabda607145015738fed68ba7d9b002537a5a2db08f7736e4fabbca6630cf099044fd2517fd50a864ffdb6f2e71413063466ba15ad953005b4fd7ed

C:\Windows\Temp\asw.0b98eb614dbd04d2\part-prg_ais-15020c62.vpx

MD5 29b9bfd25fabf42939e3a6877f9b3ece
SHA1 c30d865bc2d680311c68eb0bed0e356845f700f9
SHA256 ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475
SHA512 a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e

C:\Windows\Temp\asw.0b98eb614dbd04d2\setup.def

MD5 3fc9d055795a4c01893e5661f300c513
SHA1 29c64165afecea436a2dcb57dd5b54163a002df4
SHA256 425eb69377f5ab3508bca26402d48377ab0362840ef0c77852236f45efc597e0
SHA512 e1622c0390a66dba328f5c699b10b32c66aec8a20474a6b5d49c2e0faf3a9997620db0f2162d6763976d70159e53363e9217d372cb19f982241f66ec8761c902

C:\Windows\Temp\asw.0b98eb614dbd04d2\prod-vps.vpx

MD5 a6aa5195417c52019dac2ea520161d70
SHA1 3867f26e50214fbef5698dcea3840ba6c35ab23b
SHA256 b5992d7f4f9cfbd8c06d0b40110f296e70a7b804e581553d120d22146efdfc92
SHA512 6986e715d9adf1142d965f0b8d0ec99915537015cb95ea14b9565f0aab3f2fde6c36ef06d760c8c32e0ad452419edcce0695eee5397f97afed3a28e75f25fc50

C:\Windows\Temp\asw.0b98eb614dbd04d2\part-jrog2-79.vpx

MD5 aa442786f758e5ad442aea88d6cf6124
SHA1 6c464722d20d261a155e2c5f6105cd8a4f0e5c21
SHA256 ba1333f2355a7660001410efc8ae3e0b49d1600806272050883980889d6e250b
SHA512 add459ffec8fa3883a56a64fb0a34bf0c99fbda9e296e30911f2fee313626a68ba3e1d56671615b6250a9adfa8a6e07e76a86dab234500a03c60a07556a50e1f

C:\Windows\Temp\asw.0b98eb614dbd04d2\part-vps_windows-24061199.vpx

MD5 91760dd268918f34d5035b70231c6662
SHA1 c244a869726ab00bc674ea81970ddc739f240426
SHA256 60cbcb938b4d06ec162bb2379fe94f0f22cac8927ea5740cb52260809c5ef50a
SHA512 30f015fc4cb040e617caff7545290b7add9ce500a2bf10a72d53eed64b0972754e4a5dc1296b50b06f286a473950b21c3bec9fadbe9733942d59542ec19175d6

C:\Windows\Temp\asw.0b98eb614dbd04d2\config.def

MD5 f00732944146897d74a4da3117f6916b
SHA1 7df25278bcdd9daf699ed1816b1c0600ae6713cc
SHA256 4c411ca656751ffc1e0bf4b61482372f47f8710df52889a34e3f2717da48f253
SHA512 9c07501d8a8e06564dfcfab57e5306128da8cebd4c2ad0d3e7bed3e80694f8fd32a13934cbfa3e92c201f0f293f6991f7e3f82746b78640cd1f31a18a7fdc4e7

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\event_manager.log

MD5 72cd669b89db43cd3ec87e0a44caa6ba
SHA1 8a5c7ec95f8b7b3950fc24de39b82039b0a2cd16
SHA256 7615292e1e17f3a8f478170342b1717ed5c585a0f13b708bbff5ae736f50641f
SHA512 ab508acffc00f4db32fdc95a29b270bbd570216752215007169a237f1f747ac5c9cfb977dc664d3471d6901f880e5ae26d0cf6892ad356aac11da4ced068a70b

\Windows\Temp\asw.0b98eb614dbd04d2\New_15020c62\gcapi_17181966212292.dll

MD5 2973af8515effd0a3bfc7a43b03b3fcc
SHA1 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee
SHA256 d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0
SHA512 b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

memory/872-323-0x000007FEF3440000-0x000007FEF381A000-memory.dmp

memory/872-322-0x000007FEF3820000-0x000007FEF4B46000-memory.dmp

memory/872-324-0x000007FEF3820000-0x000007FEF4B46000-memory.dmp

memory/872-334-0x000007FEF3820000-0x000007FEF4B46000-memory.dmp

memory/872-336-0x000007FEF3820000-0x000007FEF4B46000-memory.dmp

memory/872-341-0x000007FEF3440000-0x000007FEF381A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:49

Reported

2024-06-12 12:52

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "DNS resolving" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7" C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "64" C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-d08.vpx" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "67" C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-d08.vpx" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-d08.vpx" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "87" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "0" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "30" C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe
PID 2180 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe
PID 1348 wrote to memory of 4516 N/A C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe
PID 1348 wrote to memory of 4516 N/A C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe
PID 4516 wrote to memory of 1044 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe
PID 4516 wrote to memory of 1044 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe
PID 1044 wrote to memory of 4088 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 4088 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 4088 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 1848 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 1848 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 1848 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 5044 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 5044 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 5044 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 3124 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 3124 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 3124 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2788 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2788 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2788 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2556 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2556 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe
PID 1044 wrote to memory of 2556 N/A C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe

"C:\Users\Admin\AppData\Local\Temp\2a50acbe66c4216dfaaf2d863f37a690fc4aa21666fa8293a70180375958beef.exe"

C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe

"C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_012_999_e7f_m /ga_clientid:144ce15c-008a-45e5-8745-f2bf2c11f6ea /edat_dir:C:\Windows\Temp\asw.36512079a9185ff3

C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.64bfeb230ec2f8a9 /edition:15 /prod:ais /stub_context:5992a688-4278-4eb8-a35c-36d49002a5b5:9994552 /guid:4d37b7f7-7858-4b4e-8a04-bc54c574f969 /ga_clientid:144ce15c-008a-45e5-8745-f2bf2c11f6ea /cookie:mmm_bav_012_999_e7f_m /ga_clientid:144ce15c-008a-45e5-8745-f2bf2c11f6ea /edat_dir:C:\Windows\Temp\asw.36512079a9185ff3

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.64bfeb230ec2f8a9 /edition:15 /prod:ais /stub_context:5992a688-4278-4eb8-a35c-36d49002a5b5:9994552 /guid:4d37b7f7-7858-4b4e-8a04-bc54c574f969 /ga_clientid:144ce15c-008a-45e5-8745-f2bf2c11f6ea /cookie:mmm_bav_012_999_e7f_m /edat_dir:C:\Windows\Temp\asw.36512079a9185ff3 /online_installer

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe

"C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\aswOfferTool.exe" -checkChrome -elevated

Network


Files

C:\Windows\Temp\asw.36512079a9185ff3\avg_antivirus_free_setup_x64.exe

C:\Windows\Temp\asw.36512079a9185ff3\ecoo.edat

C:\Windows\Temp\asw.64bfeb230ec2f8a9\servers.def

C:\Windows\Temp\asw.64bfeb230ec2f8a9\Instup.exe

C:\Windows\Temp\asw.64bfeb230ec2f8a9\Instup.dll

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

C:\Windows\Temp\asw.64bfeb230ec2f8a9\config.def

C:\Windows\Temp\asw.64bfeb230ec2f8a9\aswa8a7a5610c5dce50.ini

C:\Windows\Temp\asw.64bfeb230ec2f8a9\config.ini

C:\Windows\Temp\asw.64bfeb230ec2f8a9\HTMLayout.dll

C:\Windows\Temp\asw.64bfeb230ec2f8a9\config.def

C:\Windows\Temp\asw.64bfeb230ec2f8a9\servers.def.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\servers.def.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\prod-pgm.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\uat64.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\uat64.dll

C:\Windows\Temp\asw.64bfeb230ec2f8a9\part-setup_ais-18050d08.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\prod-vps.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\avbugreport_x64_ais-d08.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\avdump_x64_ais-d08.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\offertool_x64_ais-d08.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\sbr_x64_ais-d08.vpx

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

C:\Windows\Temp\asw.64bfeb230ec2f8a9\part-prg_ais-18050d08.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\setup.def

C:\Windows\Temp\asw.64bfeb230ec2f8a9\prod-vps.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\part-jrog2-79.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\part-vps_windows-24061199.vpx

C:\Windows\Temp\asw.64bfeb230ec2f8a9\asw44829ed94bd0473a.ini

C:\Windows\Temp\asw.64bfeb230ec2f8a9\config.def

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\event_manager.log

C:\Windows\Temp\asw.64bfeb230ec2f8a9\asw44829ed94bd0473a.ini

C:\Windows\Temp\asw.64bfeb230ec2f8a9\New_18050d08\gcapi.dll
