Malware Analysis Report

2024-09-10 23:59

Sample ID 240616-xxzvsatcng
Target 1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2
SHA256 1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2
Tags
neshta bootkit persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2

Threat Level: Known bad

The file 1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2 was found to be: Known bad.

Malicious Activity Summary

neshta bootkit persistence spyware stealer

Neshta family

Detect Neshta payload

Neshta

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Modifies system executable filetype association

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 19:14

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 19:14

Reported

2024-06-16 19:17

Platform

win10v2004-20240508-en

Max time kernel

69s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

"C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 files.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 files.avast.com udp
US 8.8.8.8:53 files.avast.com udp
US 8.8.8.8:53 files.avast.com udp
US 8.8.8.8:53 files.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

MD5 93be92ff95beb40f2851bccf8165e172
SHA1 95f54ea35047ccd100661450ec77f5a0c2efbe68
SHA256 dbca536c340bbecf94cb27d668364d69caca27d454fd68431ff756376a98aa6e
SHA512 dabef4dd764b3f7bb904a53613fb311882c713f4c2420e6180048c31bf13ae898ced7edccbd8d86d5b720b5b3b316659417af0d9dc66fff7eaee53697218e993

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/4048-98-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4048-99-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4048-101-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 19:14

Reported

2024-06-16 19:17

Platform

win7-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-997.vpx" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-997.vpx" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-997.vpx" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-997.vpx" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 32 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A
Token: 32 N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 2392 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 1888 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 2792 wrote to memory of 1612 N/A C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe C:\Windows\Temp\asw.07a18dab09376e24\instup.exe
PID 1612 wrote to memory of 2804 N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe
PID 1612 wrote to memory of 2804 N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe
PID 1612 wrote to memory of 2804 N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe
PID 1612 wrote to memory of 2804 N/A C:\Windows\Temp\asw.07a18dab09376e24\instup.exe C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

"C:\Users\Admin\AppData\Local\Temp\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe"

C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe

"C:\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe" /cookie:mmm_inp_ppi_003_297_k /ga_clientid:9e289b91-b9b7-49df-b589-22ba720b82a5

C:\Windows\Temp\asw.07a18dab09376e24\instup.exe

"C:\Windows\Temp\asw.07a18dab09376e24\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.07a18dab09376e24 /edition:1 /prod:ais /stub_context:e89461a4-f9fa-494f-9bce-2466987b2b0e:8824032 /guid:19a16cd1-59df-440e-a113-f78e2254ade1 /ga_clientid:9e289b91-b9b7-49df-b589-22ba720b82a5 /cookie:mmm_inp_ppi_003_297_k /ga_clientid:9e289b91-b9b7-49df-b589-22ba720b82a5

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe

"C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.07a18dab09376e24 /edition:1 /prod:ais /stub_context:e89461a4-f9fa-494f-9bce-2466987b2b0e:8824032 /guid:19a16cd1-59df-440e-a113-f78e2254ade1 /ga_clientid:9e289b91-b9b7-49df-b589-22ba720b82a5 /cookie:mmm_inp_ppi_003_297_k /online_installer

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 files.avast.com udp
NL 2.18.121.15:80 files.avast.com tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
US 8.8.8.8:53 files.avast.com udp
NL 2.18.121.15:80 files.avast.com tcp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 23.220.113.74:443 s-iavs9x.avcdn.net tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
NL 216.58.206.78:80 www.google-analytics.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
NL 216.58.206.78:80 www.google-analytics.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 l2983942.iavs9x.u.avast.com udp
US 8.8.8.8:53 l2983942.iavs9x.u.avast.com udp
NL 2.18.121.29:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp
NL 2.18.121.9:80 l2983942.iavs9x.u.avast.com tcp

Files

\Users\Admin\AppData\Local\Temp\3582-490\1bd5d17d040a44f0a355f168e51586cde0a01e5473b345fa89c8fbbd2d4db6c2.exe

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

memory/2392-83-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2392-84-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2392-85-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2392-87-0x0000000000400000-0x000000000041B000-memory.dmp

\Windows\Temp\asw.124b5047fdb3c0ea\avast_free_antivirus_setup_online.exe

C:\Windows\Temp\asw.07a18dab09376e24\servers.def

\Windows\Temp\asw.07a18dab09376e24\Instup.exe

C:\Windows\Temp\asw.07a18dab09376e24\Instup.dll

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

C:\Windows\Temp\asw.07a18dab09376e24\config.def

C:\Windows\Temp\asw.07a18dab09376e24\asw6d0041797b1a5212.ini

C:\Windows\Temp\asw.07a18dab09376e24\config.def

C:\Windows\Temp\asw.07a18dab09376e24\config.ini

\Windows\Temp\asw.07a18dab09376e24\HTMLayout.dll

C:\Windows\Temp\asw.07a18dab09376e24\servers.def.vpx

C:\Windows\Temp\asw.07a18dab09376e24\servers.def.vpx

C:\Windows\Temp\asw.07a18dab09376e24\prod-pgm.vpx

MD5 d4f72d1329501105ec7111178ac7c98f
SHA1 17bfc1e8299b43c46b18442b7e74f84953dc6193
SHA256 e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7
SHA512 570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329

C:\Windows\Temp\asw.07a18dab09376e24\uat.vpx

MD5 af34ed98cdec9afa5a734e99bb3b3e0e
SHA1 6cc712a631aac6be0512d1673c53e83fdd82ff1d
SHA256 4c6e1e7a1946156a0ad2026428d72e4f8ecf3d37442cb6178cfb96c70c36b388
SHA512 9428e886c1048b286ecd67c49d7d0f31006bdb410856759d722a15dc8fc5ccf55f0f942bcc5eb8b383d39eb5234d6cb016b989b1da445492cacbd98e7c9978bc

\Windows\Temp\asw.07a18dab09376e24\uat.dll

MD5 c8135d223627a68ae77ec6e572bed5de
SHA1 a29a18516ec4ded2a5c22e4b568f988de7e7629f
SHA256 7da845e76737ffd0da68d8b6c8fdd7cbaf19502f1fb32b0cca735d8e30f26d15
SHA512 41efdf342a6cbed204b9540a54952aeaa7993152a2c0416aa08d48b8d621c9f707671fd2cadfd495e08523be1e0e7b0bac1ba9b6d874c79ce1d43b96208b0bc4

C:\Windows\Temp\asw.07a18dab09376e24\part-setup_ais-15020997.vpx

MD5 365b6ee6fbde00af486fc012251db2da
SHA1 8050ba5a9b6321f067fc694527011ba00767d4a2
SHA256 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830
SHA512 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

C:\Windows\Temp\asw.07a18dab09376e24\prod-vps.vpx

MD5 0066d9b938e4d92eed90d515c0da993f
SHA1 60f4f31c64671349b100505428a618c9a9033820
SHA256 bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209
SHA512 d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw912ac741e9260e94.tmp

MD5 ef035189604e7f5d68a62827b985ccbb
SHA1 c094c6eef2640a71aee9f4b27123c2080d38136f
SHA256 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740
SHA512 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw36a4632f07af76ef.tmp

MD5 700b6740e6bfa7729f146572d8455348
SHA1 19d80fb0251f417283ed36fc20c43079b3f6fbb8
SHA256 d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e
SHA512 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw3f7a577e4f024840.tmp

MD5 b216fc28400c184a5108c0228fba86bc
SHA1 5d82203153963ebede19585b0054de8221c60509
SHA256 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd
SHA512 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw6b33cdad6cb2441d.tmp

MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA1 f5582697e068ba1d56825fc32bd5ab1a71bd4d38
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4
SHA512 de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw3633c52c887a7760.tmp

MD5 c5665f1f93d9aabbcb1dde533e2c46e6
SHA1 732389de20c600d0222d61b4ee74b0be6412a45b
SHA256 adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a
SHA512 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw7af0f6d1414c5d49.tmp

MD5 13e9fbb02cb7497562b59a9ef8f1ee92
SHA1 047936e9296e77939b5b23c1a2af3056eaa2ae99
SHA256 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a
SHA512 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw1819089e1eac7619.tmp

MD5 d9be57d4e1a25264b8317278f8b93396
SHA1 d3c98696582fed570f38ae45bf22b8197253b325
SHA256 a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3
SHA512 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

C:\Windows\Temp\asw.07a18dab09376e24\avdump_x86_ais-997.vpx

MD5 4f2f4b4cae5bc3e568a2eb165ac6b74f
SHA1 f18b957799c48f18f0be8007ed4c6d3e721577c0
SHA256 52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b
SHA512 8536eb2e4ada2920d93806cb70cc35b7879119dfffe1ddc0a4710dddea7c0234257d25fe14fff45a58c820a4389e5ffc968f81c5bbeb9b77870962e608b5d45a

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw6b33cdad6cb2441d.tmp

MD5 fffde3382049074446aed11845d74663
SHA1 b897e9a20ea3212a04d4176dc992f8c0ecc6420d
SHA256 2721f41af9f9d09aa2265d0a1072b69dc16901a4a20b0f3dbdd8c6eba558208f
SHA512 d461f6cce8d0b8bd8a57a832cf99e6ebe587b8eda793fbd3e65edbe19d2fa9e4f72ee376c70eaef1d99c927bf898cfa6b04041b1c84483d84370b5e35145230d

C:\Windows\Temp\asw.07a18dab09376e24\instup_x64_ais-997.vpx

MD5 e9ab18be112d5e02bed0534c3776475c
SHA1 4cb1606d5f51cc0db5a6ab4f4829d7c2ecd610a6
SHA256 9d27543166d225ab1b3f00ef495c49628e05dfa716107b3d3dac27f4e54d3cdf
SHA512 dfbe1242a62e88d56b879118604e47486af2518a0b96f67acd4cbd190f027faef582b9f08293ef96aa520f9787b276e87241cb069466300421d4677353c276a8
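Two things in the listing above are worth handling before any of these hashes go into a hunt. The same path is recorded more than once (servers.def.vpx, and asw6b33cdad6cb2441d.tmp under New_15020997) with different digests, because the sandbox snapshots a file each time it is closed; and the first servers.def.vpx snapshot carries the well-known digests of a zero-byte file (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...), which matches every empty file on every host and is useless as an indicator. The script below is an added example, not part of the report or of any sandbox vendor's tooling. It parses this listing format, rejects digests of the wrong length, drops the empty-file entries, reports paths that were rewritten during the run, and emits a deduplicated SHA256 list. The sample input is constructed from entries copied above; the assumption that a path without a drive letter (\Windows\Temp\...) is the same file as its C:\ form is mine, not the report's.

```python
# Parse a sandbox report's dropped-file listing into deduplicated IOCs.
# Added example; not from the original report or any sandbox vendor. Input
# format mirrors the listing above: path line, then MD5/SHA1/SHA256/SHA512.
import hashlib
import re
from collections import defaultdict

# Hex-digest lengths for the algorithm labels the report uses.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of the zero-length file, computed rather than hardcoded.
EMPTY_DIGESTS = {a: hashlib.new(a.lower()).hexdigest() for a in DIGEST_LEN}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed input: five entries copied from the listing above. The first
# servers.def.vpx snapshot is the empty file, HTMLayout.dll has no drive
# letter, and asw6b33cdad6cb2441d.tmp appears twice with different content.
SAMPLE = r"""
C:\Windows\Temp\asw.07a18dab09376e24\servers.def.vpx
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.07a18dab09376e24\servers.def.vpx
MD5 dc5709c442df025a33cb2ca0d22133af
SHA256 6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744

\Windows\Temp\asw.07a18dab09376e24\HTMLayout.dll
MD5 1beeed950d2ab9f14387d988488c636e
SHA256 82894c0813967a36b1bcbb003bfa0a7e8c96fba68e78add6777e13884c1cbf98

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw6b33cdad6cb2441d.tmp
MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

C:\Windows\Temp\asw.07a18dab09376e24\New_15020997\asw6b33cdad6cb2441d.tmp
MD5 fffde3382049074446aed11845d74663
SHA256 2721f41af9f9d09aa2265d0a1072b69dc16901a4a20b0f3dbdd8c6eba558208f
"""

def normalize_path(path):
    # Grouping key. Assumption: the sandbox sometimes drops the drive letter,
    # so 'C:\Windows\...' and '\Windows\...' refer to the same file.
    p = path.strip().lower()
    return p[2:] if len(p) > 2 and p[1] == ":" and p[2] == "\\" else p

def parse_listing(text):
    """One dict per entry, e.g. {'path': ..., 'MD5': ..., 'SHA256': ...}.
    Hash lines before the first path (a listing cut mid-entry) get path None;
    a digest of the wrong length raises ValueError instead of becoming an IOC."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        algo, value = m.group(1), m.group(2).lower()
        if len(value) != DIGEST_LEN[algo]:
            raise ValueError(f"bad {algo} length in: {line}")
        if current is None:
            current = {"path": None}
            records.append(current)
        current[algo] = value
    return records

def is_empty_file(record):
    """True if any digest in the record is the digest of zero bytes."""
    return any(record.get(a) == d for a, d in EMPTY_DIGESTS.items())

def find_rewritten_paths(records):
    """Paths captured more than once with differing SHA256. Sandboxes snapshot
    a file on each close, so a file created empty and filled later is listed
    twice; only the later digest describes what the sample actually used."""
    by_path = defaultdict(set)
    for r in records:
        if r["path"] and "SHA256" in r:
            by_path[normalize_path(r["path"])].add(r["SHA256"])
    return {p: sorted(v) for p, v in by_path.items() if len(v) > 1}

def hunting_sha256(records):
    """Unique SHA256 values in listing order, minus the empty-file digest."""
    seen, out = set(), []
    for r in records:
        h = r.get("SHA256")
        if h and h not in seen and not is_empty_file(r):
            seen.add(h)
            out.append(h)
    return out
```

Run it over the full Files section rather than the sample and the output is a SHA256 list fit for an EDR or SIEM lookup. Treat it as a correlation list, not a blocklist: a dropped-file listing records everything the sample wrote, including components of any legitimate software it bundles, so each hash still needs to be judged on its own before it is used for blocking.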