Malware Analysis Report

2024-09-23 12:00

Sample ID 240612-q21vbaxbpf
Target 6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84
SHA256 6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84
Tags: bootkit persistence

Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84

Threat Level: Likely malicious

The file 6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:46

Reported

2024-06-12 13:48

Platform

win7-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe

"C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:46

Reported

2024-06-12 13:48

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a3d.vpx" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7" C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a3d.vpx" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe
PID 1140 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe
PID 2212 wrote to memory of 544 N/A C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe
PID 2212 wrote to memory of 544 N/A C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe
PID 544 wrote to memory of 4304 N/A C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe
PID 544 wrote to memory of 4304 N/A C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe
PID 4304 wrote to memory of 2032 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 2032 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 2032 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4204 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4204 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4204 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 1468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 1468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 1468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 3468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 3468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 3468 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 940 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 940 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 940 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4444 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4444 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe
PID 4304 wrote to memory of 4444 N/A C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe

"C:\Users\Admin\AppData\Local\Temp\6fc31d442d8e9a708464b8010e2f69a295ece3eaaab3a80a6d1d30c27ef78d84.exe"

C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_003_999_a5e_m /ga_clientid:61fe227d-a62e-414c-bf6c-b4edfc240fad /edat_dir:C:\Windows\Temp\asw.940b0d79ba177bfd

C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ba838a31135c6c00 /edition:1 /prod:ais /stub_context:ab0cf964-05b5-4349-8008-3666cb935afe:9897680 /guid:1d156b8f-1a9c-4432-b4f7-8cf0a739d8e0 /ga_clientid:61fe227d-a62e-414c-bf6c-b4edfc240fad /cookie:mmm_ava_003_999_a5e_m /ga_clientid:61fe227d-a62e-414c-bf6c-b4edfc240fad /edat_dir:C:\Windows\Temp\asw.940b0d79ba177bfd

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.ba838a31135c6c00 /edition:1 /prod:ais /stub_context:ab0cf964-05b5-4349-8008-3666cb935afe:9897680 /guid:1d156b8f-1a9c-4432-b4f7-8cf0a739d8e0 /ga_clientid:61fe227d-a62e-414c-bf6c-b4edfc240fad /cookie:mmm_ava_003_999_a5e_m /edat_dir:C:\Windows\Temp\asw.940b0d79ba177bfd /online_installer

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe

"C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswOfferTool.exe" -checkChrome -elevated

Network

Country Destination Domain Proto

Files

C:\Windows\Temp\asw.940b0d79ba177bfd\avast_free_antivirus_setup_online_x64.exe

C:\Windows\Temp\asw.940b0d79ba177bfd\ecoo.edat

C:\Windows\Temp\asw.ba838a31135c6c00\servers.def

C:\Windows\Temp\asw.ba838a31135c6c00\Instup.exe

C:\Windows\Temp\asw.ba838a31135c6c00\Instup.dll

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

C:\Windows\Temp\asw.ba838a31135c6c00\config.def

C:\Windows\Temp\asw.ba838a31135c6c00\config.def

C:\Windows\Temp\asw.ba838a31135c6c00\config.ini

C:\Windows\Temp\asw.ba838a31135c6c00\HTMLayout.dll

C:\Windows\Temp\asw.ba838a31135c6c00\servers.def.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\servers.def.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\prod-pgm.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\uat64.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\uat64.dll

C:\Windows\Temp\asw.ba838a31135c6c00\part-setup_ais-180517e4.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\prod-vps.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\avbugreport_x64_ais-a3d.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\avdump_x64_ais-a3d.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\offertool_x64_ais-a3d.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\aswbb3ef04d8ff2093c.tmp

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

C:\Windows\Temp\asw.ba838a31135c6c00\part-prg_ais-180517e4.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\setup.def

C:\Windows\Temp\asw.ba838a31135c6c00\prod-vps.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\part-jrog2-91.vpx

C:\Windows\Temp\asw.ba838a31135c6c00\part-vps_windows-24061201.vpx

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

C:\Windows\Temp\asw.ba838a31135c6c00\asw227e117854b77359.ini

C:\Windows\Temp\asw.ba838a31135c6c00\config.def

C:\Windows\Temp\asw.ba838a31135c6c00\New_180517e4\gcapi.dll
