Malware Analysis Report

2024-09-23 12:38

Sample ID 240612-q2l16a1app
Target f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646
SHA256 f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646
Tags
bootkit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646

Threat Level: Likely malicious

The file f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 13:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 13:45

Reported

2024-06-12 13:48

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe

"C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 13:45

Reported

2024-06-12 13:48

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "45" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "49" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "52" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-997.vpx" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "44" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "54" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "59" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "66" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "55" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "9" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-997.vpx" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "46" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "95" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "31" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "35" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "64" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "99" C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais" C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary certificate blob not included in this report] C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe
PID 2384 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe
PID 2384 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe
PID 2384 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe
PID 2004 wrote to memory of 1068 N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe
PID 2004 wrote to memory of 1068 N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe
PID 2004 wrote to memory of 1068 N/A C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe
PID 1068 wrote to memory of 2404 N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe
PID 1068 wrote to memory of 2404 N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe
PID 1068 wrote to memory of 2404 N/A C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe

"C:\Users\Admin\AppData\Local\Temp\f0e64826ffdc43bd3c961c86511c6588cc1d204a7390ed67739815444c1d1646.exe"

C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_fhp_dlp_006_480_a /ga_clientid:9e7135f0-0966-4364-a8de-5e728159b458 /edat_dir:C:\Windows\Temp\asw.6db26e89863f0e27

C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe

"C:\Windows\Temp\asw.e9281c4ae011d655\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.e9281c4ae011d655 /edition:1 /prod:ais /stub_context:8776907a-08cb-4584-a9dd-8d69054646a0:9897680 /guid:4398170a-0a66-4337-87cd-31b697a20507 /ga_clientid:9e7135f0-0966-4364-a8de-5e728159b458 /cookie:mmm_fhp_dlp_006_480_a /ga_clientid:9e7135f0-0966-4364-a8de-5e728159b458 /edat_dir:C:\Windows\Temp\asw.6db26e89863f0e27

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe

"C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.e9281c4ae011d655 /edition:1 /prod:ais /stub_context:8776907a-08cb-4584-a9dd-8d69054646a0:9897680 /guid:4398170a-0a66-4337-87cd-31b697a20507 /ga_clientid:9e7135f0-0966-4364-a8de-5e728159b458 /cookie:mmm_fhp_dlp_006_480_a /edat_dir:C:\Windows\Temp\asw.6db26e89863f0e27 /online_installer

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avast.com udp
SE 184.31.15.81:443 iavs9x.u.avast.com tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
SE 184.31.15.81:443 iavs9x.u.avast.com tcp
SE 184.31.15.81:443 iavs9x.u.avast.com tcp
SE 184.31.15.81:443 iavs9x.u.avast.com tcp
SE 184.31.15.81:443 iavs9x.u.avast.com tcp
SE 184.31.15.81:80 iavs9x.u.avast.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
SE 184.31.15.81:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 y8002308.iavs9x.u.avast.com tcp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
SE 184.31.15.51:80 r4427608.iavs9x.u.avast.com tcp
SE 184.31.15.51:80 r4427608.iavs9x.u.avast.com tcp
US 8.8.8.8:53 d3176133.vps18tiny.u.avcdn.net udp
US 8.8.8.8:53 d3176133.vps18tiny.u.avcdn.net udp
SE 184.31.15.41:80 r9319236.vps18tiny.u.avcdn.net tcp
SE 184.31.15.41:80 r9319236.vps18tiny.u.avcdn.net tcp
SE 184.31.15.41:80 r9319236.vps18tiny.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp

Files

\Windows\Temp\asw.6db26e89863f0e27\avast_free_antivirus_setup_online_x64.exe

MD5 54aaadc43b9a0a026a86db8d350a2cd3
SHA1 d1b767200495717f9abbd808c3b38079c64be877
SHA256 de1fa4badf89ecf4beedfd8f00f79e145e3f492be540e0964ef7468213a20844
SHA512 1d75da2ad226d1a6e744854a49b05416db10d4ef68ddf0d7d2d93f01b30a28cb84ae2b1a9c9ddc1817781a98409ed9556c02822f57965ab6f8865e3c55c36f3a

C:\Windows\Temp\asw.6db26e89863f0e27\ecoo.edat

MD5 07ed55abf479d256d374f902cec50859
SHA1 64b12046ca4237efa405b12ec54aae46107db3d2
SHA256 22db945296999eef1084393ed04d26d2bc42679ff9d9261db1bc94a3afcab421
SHA512 b23104e352ca8096a37bee9a4c680358e005aef36c4041215a2b940a5003bb3024a05e27b2315b2f70aa5aad1c0d9919da7431e821a59162a289f4c1e8290eda

C:\Windows\Temp\asw.e9281c4ae011d655\servers.def

MD5 e76e81467cf59e07920fa8350f262269
SHA1 e0ab1867d50c7d6cf2f35ca00aa94564cde1ef94
SHA256 cd4ca129df4cda34752225d61dc5b810e768bdeb60b0b8fb3fba3826820761c8
SHA512 5b29f1f97e6ef1acc567beb1340d13a07c52d94cc6ae6284650c3e717f137af3db43b84a2904f26e772e524dc8e69cdb86eb8e98e9ec65323769171e0ee35070

\Windows\Temp\asw.e9281c4ae011d655\Instup.exe

MD5 4aed041ad383def5407e438fd5597675
SHA1 6a5d6ddeb83b4e6425cc77190b0539b6e5dffbc4
SHA256 1cb887579ece5a1d11832d0543f0b02c338ac8581d54909bc641abe13e294abf
SHA512 4b2c07668565f4a01f4e7f124e1050bd12228dc2547a00add12921b2300a71588387d8c2d3c0de4303222c5ea2e65bfafe2ab342417d2c5ab8ac300c40d5c171

C:\Windows\Temp\asw.e9281c4ae011d655\Instup.dll

MD5 3b6abc970f7227284d87acd2d95c7c5a
SHA1 02b1248aa23cb8aee91b06a9b8b044fa93b469b1
SHA256 ecf706e38e489c6840b68db5b6fdb4687a175ec6c325c8673f27f7cbf01234fa
SHA512 bd06e9599fee8ac872ad6cb5e539a78137daf8b831eb7be3df8bc773d91f9eb4883d01404b7c6724997e6ec1526af213ed1988780c9e40ba98227649ee91a2b1

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 66d2c908bfd5f6a36fed0eb0e122ded3
SHA1 013e334624c6e404221b1ee37c3fc6159a7a82a1
SHA256 58afdf4c61b4222dd528483bbf1670b25c227168b69c80a32ac2239e4b9ec584
SHA512 1009e1e78f114091925fddfd5f51159bb4f7e717b834b20a463df49ec7cf546b9ef40a2295da485c9d23155da67d72a180da87e79a48a2b83bec29cebb8cc816

C:\Windows\Temp\asw.e9281c4ae011d655\config.def

MD5 da59c9092a31f572c882d563c600a34f
SHA1 0ec1cb7f7c16252d637d71e08e9363bfe96a5842
SHA256 563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766
SHA512 ee9ad7259df259dd6d444b6b8b933f2c6d928a3ed1f0de42598d09fdcdb0af2ae3f64dab888d3d5f4443a8b918e596f0ee28ee874fc9dfeeac422c3a9e107924

C:\Windows\Temp\asw.e9281c4ae011d655\asw79419d689c81fe4e.ini

MD5 f0bf73e50b465135f51c3f37d8adc183
SHA1 3868bd1872c3341534011453397a82a1b0b24f1d
SHA256 6f490ba4ab4361fd8ce6334a672816de6a7f3dc8e6b7bd923bddc9b5a3aa8007
SHA512 df5e43bfe74d54e4eb767db03a45b7e6d939b42ad89207d1d38d9f39c5a158e7e7c35e9e5c7e955805ab6afc07eeb70c00dc79cf89c1c9ec4099f704384a5c65

C:\Windows\Temp\asw.e9281c4ae011d655\config.def

MD5 23dbd22d2f1d6fb20eb4bf5eeca2aac0
SHA1 49a3401b21372ae4c40b5b3762c86ab507bf35b9
SHA256 661212c83299197a8a53ca9b4e65e8cd9a8edf8cdd3f5a095b290e828533f803
SHA512 20e8b21e90e6734fa574b64ba66d077085f1d861a55e93ad4b2fb472cd9f5298c921788203c339f2630d68e9d0044f859e9d6512f96bfde30fa195c33059a625

C:\Windows\Temp\asw.e9281c4ae011d655\config.ini

MD5 06e337775bd1c84917f5eee4d8851c41
SHA1 b622d3fa3c357a7a773deda075d3193ec5a848fd
SHA256 ca9b26f8330b289826c697ee5773511322a134517325f13a180543fffe3a36ac
SHA512 3de8268b4a1dbfeddd976d7645a584ea790472641fcb782938bbd74fb7e35437bce7eb03fbcef7bbf3ede2f9a3c990cd24c8dfbd2ad1007ee73f9b53ec3cd372

C:\Windows\Temp\asw.e9281c4ae011d655\HTMLayout.dll

MD5 39a20f9d67d6d4bac0ff081c62b13996
SHA1 b5b6b70e943a96a8697f07759245702e026be7e7
SHA256 825288012e4c15035b3d7fdfda396912b83992bf0683f9d2a5d55dfa1306b5a1
SHA512 798f6616b4f07bc75c5833a906735c1cc44d2ac044ceed4119005601e6f0266327ffb4819a44bac49bc0cde8b2ac7a021d098a12da586689de1119914e2032b0

C:\Windows\Temp\asw.e9281c4ae011d655\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.e9281c4ae011d655\servers.def.vpx

MD5 dc5709c442df025a33cb2ca0d22133af
SHA1 5007da1e31f4705932c1f272dd4975b14bef268d
SHA256 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744
SHA512 c6938f9569e943bbc04fe39acdf8e7302b77124b7f1e2ccbb20ec01242238e81b6ab83730393fe61ce716cb1c4e7df064c65bc5ce84540371fcf6a50a615cb6b

C:\Windows\Temp\asw.e9281c4ae011d655\prod-pgm.vpx

MD5 d4f72d1329501105ec7111178ac7c98f
SHA1 17bfc1e8299b43c46b18442b7e74f84953dc6193
SHA256 e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7
SHA512 570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329

C:\Windows\Temp\asw.e9281c4ae011d655\uat64.vpx

MD5 11bb373887fe44e1edea08b70c638095
SHA1 e887149cb489a3aec8092636379ac4c64e389089
SHA256 a2f66db4a802a3aeb977d40a22e399382d8b82da216645defa5b5009602fa358
SHA512 d9933cb1b8258f13b21d3bf6a648ed81de1608663e1166a8eaf1baea60f4bc5017ac218f277beb4e65e6719ca57d2910cd6c268ee8a5f8766c13680e86fba879

\Windows\Temp\asw.e9281c4ae011d655\uat64.dll

MD5 c0719ef096798494a616f84f587282d7
SHA1 ee38158f887bc2189234330c4891f12f9d902d7a
SHA256 ba4d8d0ba809d934004da646ec31a72650dc16e4288404badd761e4bed6a982a
SHA512 7b22ac9c0c2c881674333d325363aa1d378d3b3c75700a7713a7f33b6ee144c43cd209d9fe9ff31a93b329881dc14c873cb2338af4695d44724afd5ddda5d298

C:\Windows\Temp\asw.e9281c4ae011d655\part-setup_ais-15020997.vpx

MD5 365b6ee6fbde00af486fc012251db2da
SHA1 8050ba5a9b6321f067fc694527011ba00767d4a2
SHA256 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830
SHA512 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

C:\Windows\Temp\asw.e9281c4ae011d655\prod-vps.vpx

MD5 0066d9b938e4d92eed90d515c0da993f
SHA1 60f4f31c64671349b100505428a618c9a9033820
SHA256 bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209
SHA512 d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\aswf6c789ad5e247f35.tmp

MD5 ef035189604e7f5d68a62827b985ccbb
SHA1 c094c6eef2640a71aee9f4b27123c2080d38136f
SHA256 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740
SHA512 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\asw7decbc9181c541cc.tmp

MD5 700b6740e6bfa7729f146572d8455348
SHA1 19d80fb0251f417283ed36fc20c43079b3f6fbb8
SHA256 d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e
SHA512 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\aswb8117280870a2509.tmp

MD5 b216fc28400c184a5108c0228fba86bc
SHA1 5d82203153963ebede19585b0054de8221c60509
SHA256 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd
SHA512 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\asw26a0e5814712597a.tmp

MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA1 f5582697e068ba1d56825fc32bd5ab1a71bd4d38
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4
SHA512 de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\asw7e62627683ce8955.tmp

MD5 c5665f1f93d9aabbcb1dde533e2c46e6
SHA1 732389de20c600d0222d61b4ee74b0be6412a45b
SHA256 adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a
SHA512 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\asw1f8ded3a3964b9b6.tmp

MD5 13e9fbb02cb7497562b59a9ef8f1ee92
SHA1 047936e9296e77939b5b23c1a2af3056eaa2ae99
SHA256 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a
SHA512 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

C:\Windows\Temp\asw.e9281c4ae011d655\New_15020997\asw309e31df16718181.tmp

MD5 d9be57d4e1a25264b8317278f8b93396
SHA1 d3c98696582fed570f38ae45bf22b8197253b325
SHA256 a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3
SHA512 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 e0ad0ecf5cededca1f1975c5872b1d1f
SHA1 9c58216628d315cd6a4f9e4eb107d09416b369af
SHA256 8612501ad84b284d0ec8c5332f9d63e9abb4ba406f3d1687c7eba3d244f5bae0
SHA512 6a27d04e686f60ada976e49883dd546446b25942c3b77e26f1961c07662cd0d97e9b96ddffbd8f6007d46c504284580ea856b88dea1e95e04a2e291900ee19f4

C:\Windows\Temp\asw.e9281c4ae011d655\part-prg_ais-15020997.vpx

MD5 b898fa20bf9b0321b50a8d4946aae799
SHA1 4e173a99dc9a9ef507112857525ad53991f4d2a0
SHA256 6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c
SHA512 c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

C:\Windows\Temp\asw.e9281c4ae011d655\setup.def

MD5 be793535c4acf02d4ad13b20d0c84deb
SHA1 65dd6b4891a75848042c10057808535298cee3e1
SHA256 31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd
SHA512 7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

C:\Windows\Temp\asw.e9281c4ae011d655\prod-vps.vpx

MD5 51f6fac2009104d5f762fa96da0fb4df
SHA1 9798fc1805d71b77a6b8eec1ba8002cb12a462f8
SHA256 5dc789130f9ceaa92c2530ade945ef95804f0f9519e4ecbabec0ab104b882ab7
SHA512 2768756909dec027ea777aa95af5c2e2263814fafda58e029205cc879182128c16598b338d2e4dc0c3b80f72c9588954ed2be8fce513fbebcfd4092122c5f955

C:\Windows\Temp\asw.e9281c4ae011d655\part-jrog2-91.vpx

MD5 50ed7b55b37c13655e12a753c7081199
SHA1 990c0910191de72e53b0e3426d2f06c7124425a6
SHA256 1b4d2809f2cdc781612b674461640b101b049b4a7df6d7be5b67e6c80909e55e
SHA512 67a9fc1a3feb3b47790c81aa4afb976ccf439f5c55384d0bc592776aabe4de797381aec3b8060f81fbbaa9b47004a0b1e219d2abe034f9ac496208a816a815c9

C:\Windows\Temp\asw.e9281c4ae011d655\part-vps_windows-24061201.vpx

MD5 102a394e8bfebe0fb42bb05e59f7ecf1
SHA1 cc47fb78c38667e008ee4ed04da6c7b28f461f3d
SHA256 2e14f2273e3ce235b3ba2b387c0894c9d1a081a7527387ff717c28677389cac3
SHA512 6419d924e80435a7063559f7753ab940aeaebdb279672654dd885c3ab0c211e80d59f63b237a3417ddf0dcbd8b836fc2c75350fbc9fef68599803ffba8174500

C:\Windows\Temp\asw.e9281c4ae011d655\asw82fe4ab504ed78fe.ini

MD5 b3a7f1048786a1afbc40dd1282730854
SHA1 f4beec793e6bdc81fa127521462496908bcf200f
SHA256 fc278133237f88fc1352e4975399c1fa7fe67020178c07a7052bb42e5c3b8e87
SHA512 da9e5649a04709aadf48b44972d01aeb29b32339f51643386de5d35e3668b4110faa648237a82bb47558829dc3c17054ae62b10f1d4f467a960c7faec8a95ecf

C:\Windows\Temp\asw.e9281c4ae011d655\asw82fe4ab504ed78fe.ini

MD5 13706c607bc0829a66e4b4c80fdc9807
SHA1 2e1753d2198d0fce91e38ac53df40ddeef2eb50e
SHA256 8d150eff7a78713e4857c91c2fb74f6895bb5a8437f945bbdac12253a1e4d934
SHA512 8fa5620de3ed30dac39c9b42fafa7ed8ee2f27fbcc5f2db86162d644c3956f54736b93aebe1844beaf5f82f9e60ce4253381a780c330693dea313ca42ca8a2f7

C:\Windows\Temp\asw.e9281c4ae011d655\config.def

MD5 55cf0786700f1e20245c4d07b0b577d7
SHA1 2b826676cb1f9c0264092ef6406a2568b0728b6e
SHA256 498514bc2674201d572e1ecdea4d36a69cd4a812a789c5249c19260ca21af621
SHA512 e35d49a38905b99c847fc8bcf9a440cdd313893067e474b70991986ab4d18a0302a58a0ba3c3c8e2989ea0ccf88c63e08fd8951987443a34d009e16a390498ac

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 0e615d5cbfaf4cf3bd279448af37243c
SHA1 5b94a8ee3adee6de0c8bdb6164a56befd9f8b23b
SHA256 dfdef26d17595a0af5d2c6491f894d353904324b6fd95e9438287931c01818fd
SHA512 08ee098cd9a19b148096b706c7714087bb0ee311c933456005bc246a710dd3bdc75d9e8eed153ea4ea1d587f8044a53ed7a7c90f364fa87879941918d7785a7c