Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-rek11s1maj
Target cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db
SHA256 cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db
Tags
bootkit discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db

Threat Level: Likely malicious

The file cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Unsigned PE

System Location Discovery: System Language Discovery

Embeds OpenSSL

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 14:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 14:06

Reported

2024-10-31 14:09

Platform

win7-20241023-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A
N/A N/A C:\Users\Public\Documents\aswOfferTool.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
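The four rows above record a handle to the raw disk device \??\PhysicalDrive0 being opened with write access. The signature name says "writes", but no sector write is itself listed, and the same open is needed to read the disk, so these rows alone do not establish that the boot sector changed. The check a practitioner wants is to image sector 0 before and after detonation and name the MBR region that differs, if any: the 440 bytes of boot code or the partition table (the regions an MBR bootkit alters) versus the NT disk signature. The following is an added example, not part of the sandbox report: it parses a sector-0 image and classifies the differences between two captures. The sample MBR is constructed here (a Windows-style boot-code prologue, one NTFS partition at LBA 2048); the tampered copy overwrites the start of the boot code with a far jump, standing in for a bootkit hook.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # classic MBR layout: boot code at 0..439
DISK_SIG_OFF = 440      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector-0 image into its MBR fields."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_boot_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def classify_mbr_change(before: bytes, after: bytes) -> list:
    """Name the MBR regions that differ between two sector-0 captures."""
    regions = {
        "boot_code": (0, BOOT_CODE_LEN),
        "disk_signature": (DISK_SIG_OFF, DISK_SIG_OFF + 4),
        "partition_table": (PART_TABLE_OFF, BOOT_SIG_OFF),
        "boot_signature": (BOOT_SIG_OFF, SECTOR),
    }
    return [name for name, (lo, hi) in regions.items() if before[lo:hi] != after[lo:hi]]


def build_sample_mbr() -> bytes:
    """Constructed baseline image: xor ax,ax / mov ss,ax / mov sp,0x7c00 prologue padded
    with zeros, disk signature 0x1234ABCD, one active NTFS (type 0x07) partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code + disk_sig + table + b"\x55\xaa"


def tamper_boot_code(sector: bytes) -> bytes:
    """Constructed 'after' image: boot code now starts with jmp 0000:7C00 (EA 00 7C 00 00),
    the partition table and signatures are left untouched."""
    return b"\xea\x00\x7c\x00\x00" + sector[5:]


if __name__ == "__main__":
    base = build_sample_mbr()
    print(parse_mbr(base))
    print("changed regions:", classify_mbr_change(base, tamper_boot_code(base)))
```

On a live analysis box the two inputs are the first 512 bytes read from \\.\PhysicalDrive0 before and after detonation; a result of only "disk_signature" or an empty list means the open recorded above did not touch the boot code, while "boot_code" or "partition_table" is what justifies the bootkit tag.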

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "42" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "68" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "75" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "73" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "1" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "41" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "10" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "17" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "27" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "72" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100" C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "47" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "4" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "46" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "99" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "59" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-997.vpx" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "77" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "83" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "91" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "29" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-997.vpx" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "48" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "53" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "74" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "28" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-997.vpx" C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
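The key name in the rows above, A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, is the SHA-1 thumbprint of the certificate carried inside the Blob, and the DER in that blob names its subject as CN=DigiCert Global Root CA, O=DigiCert Inc (the friendly-name property reads "DigiCert"). AuthRoot is the store that Windows' automatic root-update mechanism fills when CryptoAPI builds a chain to a public root it has not cached yet, so this event is consistent with a TLS download through the Windows crypto stack; a privately generated root planted to intercept traffic is normally added under ...\SystemCertificates\ROOT\Certificates instead, and that is the store to watch for in a report. The parser below is an added example, not part of the sandbox report: it decodes the Blob format (repeated records of DWORD property ID, DWORD reserved value 1, DWORD length, data), extracts the certificate from property 0x20, recomputes its SHA-1 and confirms it against both the key name and the stored hash property, and pulls the subject CN with a minimal DER walk so no crypto library is needed. The property-ID names are the wincrypt.h CERT_*_PROP_ID constants; the blob hex is copied from the row above, rejoined into one string.

```python
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values present in this blob
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
              9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
              15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
              29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID"}

KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"   # registry key name from the report

CERT_DER_HEX = (   # property 0x20 payload: the X.509 certificate, copied from the Blob value
    "308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d0101050500"
    "3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341"
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146"
    "e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710"
    "bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfe"
    "cdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af27"
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155"
    "301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155"
    "300d06092a864886f70d01010505000382010100"
    "cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170"
    "e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954"
    "922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d8"
    "89c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde"
)
BLOB_HEX = (   # whole Blob value: <prop_id><reserved=1><length><data> records, little-endian DWORDs
    "040000000100000010000000" "79e4a9840d7d3a96d7c04fe2434c892e"
    "030000000100000014000000" "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
    "1d0000000100000010000000" "59779e39e21a2e3dfced6857ed5c5fd9"
    "0b0000000100000012000000" "440069006700690043006500720074000000"
    "140000000100000014000000" "03de503556d14cbb66f0a3e21b1bc397b23dd155"
    "090000000100000034000000" "303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "0f0000000100000014000000" "b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"
    "2000000001000000b3030000" + CERT_DER_HEX
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate blob into {prop_id: data}."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_children(value: bytes) -> list:
    """Decode a run of DER TLVs (definite lengths only) into [(tag, content), ...]."""
    off, out = 0, []
    while off < len(value):
        tag, length = value[off], value[off + 1]
        off += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(value[off:off + n], "big")
            off += n
        out.append((tag, value[off:off + length]))
        off += length
    return out


def subject_common_name(cert_der: bytes) -> str:
    """Return the CN from the subject of an X.509 certificate."""
    (_, cert), = der_children(cert_der)         # Certificate SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # explicit [0] version present
        fields = fields[1:]
    subject = fields[4][1]                      # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == bytes.fromhex("550403"):  # id-at-commonName 2.5.4.3
                return value.decode("latin-1")
    raise ValueError("subject has no CN")


def identify(blob_hex: str, key_name: str) -> dict:
    """Decode the blob, name its properties and check the thumbprint against the key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[32]
    sha1 = hashlib.sha1(cert).hexdigest()
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "subject_cn": subject_common_name(cert),
        "subject_key_id": props[20].hex(),
        "sha1": sha1,
        "thumbprint_matches_key": sha1 == key_name.lower() == props[3].hex(),
    }


if __name__ == "__main__":
    for field, val in identify(BLOB_HEX, KEY_NAME).items():
        print(f"{field}: {val}")
```

The same function works on any Blob value exported from the ROOT, CA or AuthRoot hive paths; a mismatch between the computed SHA-1 and the key name, or a subject CN that is not a known public root, is what should turn this signature from a curiosity into a finding.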

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe
PID 2580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe
PID 2580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe
PID 2580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe
PID 2420 wrote to memory of 1632 N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe
PID 2420 wrote to memory of 1632 N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe
PID 2420 wrote to memory of 1632 N/A C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe
PID 1632 wrote to memory of 580 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe
PID 1632 wrote to memory of 580 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe
PID 1632 wrote to memory of 580 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1144 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2216 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2720 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2180 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 2164 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
PID 580 wrote to memory of 1612 N/A C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe
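The WriteProcessMemory table describes a single spawn chain, but its row-per-call layout hides it. Process creation itself writes startup data into the new child's address space, which is why every parent/child pair above appears several times; a parent writing only into its own freshly created children, as here, is what any installer looks like, and the signature deserves attention when the target is an unrelated process that already existed. The script below is an added example, not code from the report or from the sandbox vendor. It parses rows in the table's format and rebuilds the tree with per-edge call counts. REPORT_ROWS regenerates the 52 rows of the table by repetition rather than pasting them; the two C:\Users\Public\Documents\aswOfferTool.exe processes in the Processes list that follows have no WriteProcessMemory rows, so they do not appear in the tree.

```python
"""Rebuild the spawn chain from 'PID X wrote to memory of Y' rows.
Added example; not part of the sandbox report."""
import re
from collections import Counter, defaultdict

# Image paths exactly as they appear in the table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe"
STUB = r"C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe"
INSTUP = r"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe"
INSTUP_NEW = r"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe"
OFFER = r"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe"


def row(parent, child, parent_img, child_img):
    return f"PID {parent} wrote to memory of {child} N/A {parent_img} {child_img}"


# The 52 rows of the table: 4 + 3 + 3 + six children x 7 calls, in table order.
REPORT_ROWS = (
    [row(2580, 2420, SAMPLE, STUB)] * 4
    + [row(2420, 1632, STUB, INSTUP)] * 3
    + [row(1632, 580, INSTUP, INSTUP_NEW)] * 3
    + [row(580, c, INSTUP_NEW, OFFER) for c in (1144, 2216, 2720, 2180, 2164, 1612) for _ in range(7)]
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(lines):
    """Return (Counter of (parent, child) -> call count, dict pid -> image path)."""
    edges, image = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:  # header line or a row the regex does not understand
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        image.setdefault(parent, m.group(3))
        image.setdefault(child, m.group(4))
    return edges, image


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(edges):
    """Roots are PIDs that were never written to; children keep first-seen order."""
    children = defaultdict(list)
    for parent, child in edges:
        if child not in children[parent]:
            children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return roots, children


def spawn_chain(pid, edges, image):
    """Ancestry of pid from the root down, as (pid, image basename) pairs."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [(p, basename(image[p])) for p in reversed(chain)]


def render(edges, image):
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, calls):
        tag = f"  [{calls} WriteProcessMemory calls from parent]" if calls else ""
        lines.append("  " * depth + f"{pid}  {basename(image[pid])}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for r in roots:
        walk(r, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    e, img = parse_rows(REPORT_ROWS)
    print(render(e, img))
```

The same parser works on a report where the sample injects into an existing process: that target shows up as a child whose image path is not under the sample's drop directory, which is the row to pull out.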

Processes

C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe

"C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe"

C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:fb5ba342-0447-4764-8b27-9edf30cc4939 /edat_dir:C:\Windows\Temp\asw.5f3b1ba922b2db93

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.83c2d23f0d7a4ab1 /edition:1 /prod:ais /stub_context:fa1b1898-e085-49ec-90fb-cedbd656d264:11072232 /guid:dcf5f137-b89c-4812-9ded-9d915ee581a2 /ga_clientid:fb5ba342-0447-4764-8b27-9edf30cc4939 /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:fb5ba342-0447-4764-8b27-9edf30cc4939 /edat_dir:C:\Windows\Temp\asw.5f3b1ba922b2db93

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.83c2d23f0d7a4ab1 /edition:1 /prod:ais /stub_context:fa1b1898-e085-49ec-90fb-cedbd656d264:11072232 /guid:dcf5f137-b89c-4812-9ded-9d915ee581a2 /ga_clientid:fb5ba342-0447-4764-8b27-9edf30cc4939 /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.5f3b1ba922b2db93 /online_installer

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe

"C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\aswOfferTool.exe" -checkChrome -elevated

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 172.217.169.78:80 www.google-analytics.com tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.102:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
GB 2.20.12.102:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.102:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.102:80 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
GB 172.217.169.78:80 www.google-analytics.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
US 8.8.8.8:53 h4444966.iavs9x.u.avast.com udp
US 8.8.8.8:53 h4444966.iavs9x.u.avast.com udp
GB 2.20.12.98:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 w5805295.iavs9x.u.avast.com tcp
US 8.8.8.8:53 h4305360.vps18.u.avcdn.net udp
US 8.8.8.8:53 h4305360.vps18.u.avcdn.net udp
GB 2.20.12.97:80 h4305360.vps18.u.avcdn.net tcp
GB 2.20.12.97:80 h4305360.vps18.u.avcdn.net tcp
GB 2.20.12.97:80 h4305360.vps18.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 alpha-license-dealer.ff.avast.com udp
DE 34.159.85.52:443 alpha-license-dealer.ff.avast.com tcp
US 8.8.8.8:53 alpha-iqs.ff.avast.com udp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
BE 34.76.203.183:443 alpha-iqs.ff.avast.com tcp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 34.111.24.1:443 ipm-provider.ff.avast.com tcp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ipmcdn.avast.com udp
GB 184.26.189.54:443 ipmcdn.avast.com tcp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 34.117.223.223:443 analytics.ff.avast.com tcp
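The Network table mixes DNS lookups sent to the sandbox resolver (8.8.8.8:53/udp) with the TCP connections that followed them, and the same destination recurs once per connection. The script below is an added example, not code from the report or from the sandbox vendor. It parses rows in the table's format, separates lookups from contacts, groups contacts per name, and lists the names that were reached over port 80. In the full table that plain-HTTP set includes w5805295.iavs9x.u.avast.com and h4305360.vps18.u.avcdn.net; the report shows neither URLs nor payloads, so what was fetched there, and whether the installer verifies it, cannot be read off this page. NETWORK_EXCERPT reproduces fifteen rows from the table; the resolver address is a parameter that may need changing for another sandbox.

```python
"""Summarise a sandbox Network table: lookups, contacts per name, plaintext HTTP.
Added example; not part of the sandbox report."""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^(\w\w) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

# Fifteen rows reproduced from the Network table above.
NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 172.217.169.78:80 www.google-analytics.com tcp
GB 2.20.12.102:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.102:80 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 w5805295.iavs9x.u.avast.com tcp
GB 2.20.12.97:80 h4305360.vps18.u.avcdn.net tcp
DE 34.159.85.52:443 alpha-license-dealer.ff.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
"""


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header line and anything malformed is skipped
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows


def summarise(rows, resolvers=("8.8.8.8",)):
    """Split resolver traffic from real contacts; flag names reached on port 80."""
    dns_lookups = Counter()
    contacts = defaultdict(lambda: {"ips": set(), "ports": set()})
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in resolvers:
            dns_lookups[r["domain"]] += 1
            continue
        contacts[r["domain"]]["ips"].add(r["ip"])
        contacts[r["domain"]]["ports"].add(r["port"])
    return {
        "dns_lookups": dict(dns_lookups),
        "contacts": {d: {"ips": sorted(c["ips"]), "ports": sorted(c["ports"])}
                     for d, c in contacts.items()},
        "plaintext_http": sorted(d for d, c in contacts.items() if 80 in c["ports"]),
        "resolved_but_not_contacted": sorted(set(dns_lookups) - set(contacts)),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_network(NETWORK_EXCERPT)).items():
        print(key, value)
```

Names that were resolved but never contacted are worth a second look in a report of a real dropper: they often mark a dead or geo-fenced second-stage host.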

Files

C:\Users\Admin\AppData\Local\Temp\CabB389.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Windows\Temp\asw.5f3b1ba922b2db93\avast_free_antivirus_setup_online_x64.exe

MD5 285b70b3ac1698009e386ece00acee56
SHA1 dda4d5748970490ca1100d7e076045b3648008a3
SHA256 df8b438844b84bae4a78bd4a593fd28be2fd58a0fd431e4b942661eea9476dc0
SHA512 5c4a1819cd444d576e81fa10a686dabce9e66fae197aa1668cc2d394289a2722eeed7f88f5d3b80b2c9526ede50cb03deba999ecbaeb30e212c91e84b540580f

C:\Windows\Temp\asw.5f3b1ba922b2db93\ecoo.edat

MD5 0c3fb92e76191db5caf5b0b3faa37ce5
SHA1 c3def7847d3ee4a5f6f6977d0b1b95aa2ef3ded9
SHA256 c0b918fff0c176e58cb694ad6b830eddb0f987f3558583fc339b49681d5d3b46
SHA512 0d5935e4883ed4ad612c130e5542ff45e81431c2a52dbdb2319469b84927963f1cb138c612ed73e584f2222c4e53a5fc0ec29da8d5cbcd261bbf789356ab0e66

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\servers.def

MD5 b1960612149e68ce8d6f4827c5b39073
SHA1 6259a3ebd659bb63ec59fab4c8e1aa79092692a4
SHA256 847bd020bc930856d25c54d5fa03278b0e6b2434f2560f3c6b7c000332012173
SHA512 81d2737ca459d8fb3aab6dede1c666efdb6c3a851f1018a8b2d5166060de05fff7abb8eaa9e24ee441137033bd0574ce107ef9d3abd93ddde4b86cda76625423

\Windows\Temp\asw.83c2d23f0d7a4ab1\Instup.exe

MD5 6179a6bcb9d35753d2deb3c1594a9bad
SHA1 d114563b01f474084efd2c4f7edef133cdc1018f
SHA256 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2
SHA512 2cd159f3de29a011d4b6c807e87c3b404e311f39d015b5760febab1f480cca9bb8472ec53e912d526eaba65f58659acea1530923caa6c2baa60cfd9f98786f69

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\Instup.dll

MD5 0d09efc988c41b14c4fd0bd9c1457b87
SHA1 7c8bb0b4760edfc009e8b122124aa2b70e1da93a
SHA256 49ae4e9a468593038c1ab7fd6f988ddc0eace7e8c3c407c53b130e2eba1506fb
SHA512 b54c3ab104ce574690155d672146be30a1ae45abec71ddaad81ba16f9435f76deb4daccab628b006cbde0e9c9a85b99a3b8a33ad4dd3ebdc05a2dbb963062993

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 3557f3a00ab5e0f7eb7d4e0caa5576c0
SHA1 d4960d16350ac8becbb6cb9d0cc3752bd828a511
SHA256 5670445d39f304013f4c4e885aedf91927ad87d60fed18e101ff14d76b7e2c28
SHA512 decd075153afc00c2f7c706bfd17ca831e064161f0aad6ad8ad72056666167a7647d4fcfb8c5afd966224bcfcf04caf5da4fe12de015e25259aa42477d2f48ca

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.def

MD5 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA1 ab4d2eac9985dba69422cf8cd6bc36846eda1855
SHA256 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2
SHA512 13b24f45680e1607dc6fd2560b697918d11c4d8fec1ef561961e5846887f37623470782e36daa16005bf52142de3bd2ff15860c015a798e4729d6625c335c0ad

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.def

MD5 bba0ccf7de498eb42cec81d162c3d7e4
SHA1 1d91872dde9781fbe7fc2492615df8f7c592d8f5
SHA256 30d04a63e4a0f2b63b3f7b68a8336384b4b154cef135b6065edd3568ea81fce1
SHA512 2fc4a1ea285d430fb59520c5e354eb5e6db37889a6b880a705602912f70e6e96c00d95932c59c8ec0c4377d346305ca8e409a4b629ab2e4e4505ec85aa1bdc7b

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\HTMLayout.dll

MD5 b0e91293160024bfc0302bbdadd0bb9c
SHA1 005fbe3c47213d4b791c05f2a8a6932dc70357e9
SHA256 3db7c1fc402a689bb160ed2d0bc12edb6765307c725ad02e7b27510008b4f8ca
SHA512 f7239b26fedc2a90c2b267467781ff26512890b879772bcc0809409a368fefd74a8930d8d4958559381dd57f7bdc769668c5ec638b5ad82e4a20a1e0217e9304

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\servers.def.vpx (zero-byte file when hashed: the digests below are those of empty input; the populated copy of the same path is the next entry)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA1 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\uat64.vpx

MD5 63e7a59b7d1f9405ba1a0e685ca98af7
SHA1 c90d503b31b8027a0fbbe1f0008021e27ce42609
SHA256 03cee410775634e7570b80077ca95e47cbafbdf982c19ac2e222726d28b9a584
SHA512 9b70322f966accc16435bd3869106be18ac7e21962846938e64c7001c663cbd1ea7a7662e0d85af97af05820192ceb0bb01d65cff3d7bbe8467b873a872d644f

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\prod-pgm.vpx

MD5 db09685c045dc0df0552427c752a1aa7
SHA1 eb0e8e1e9839e7517efb7fedfa7edabc5d57587a
SHA256 9219680462bef7060264ac63d21f3332daf0fca5090cae295427710895be0002
SHA512 d0b4b1c23557aa18a5ca9299c7269cd2221ec8b155b9ec9c045f6ddb612f1979a9d3e78ae395dc6e515338ee8bdf13225a1cafc903bc800a22b9b9e3489a462b

\Windows\Temp\asw.83c2d23f0d7a4ab1\uat64.dll

MD5 b49ac1e7007e1e445c45fc906e96687e
SHA1 b33adeb3d8ad516a3fe826cc3f48f9c6e67030cb
SHA256 da17cf39c773ab3048e767aff993458e284837287e8c4af0d139ad71f3459ff8
SHA512 e3ef8ef9423552281dc12e25eeef69b954e50bc844442d7e0de9c7e066c53e62dc84a43e44428caff1e18b06470c17d25e65825c07f5f85535d97ace23f05ba2

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\part-setup_ais-15020997.vpx

MD5 365b6ee6fbde00af486fc012251db2da
SHA1 8050ba5a9b6321f067fc694527011ba00767d4a2
SHA256 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830
SHA512 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\prod-vps.vpx

MD5 8499e8596ec1c873e132662092da0a85
SHA1 dd27c53c9fb86cbcc367182fccf8bd0af6ebb763
SHA256 26d22504cae4bb0e7de6e10317a97aa4be15a0a3fa9bf2d735d89213696e0712
SHA512 f06bcf0f8239a15c78b8113d27c60b32bcdc1be25d913ef3356ca5a58349e12b14b6673838e83972d81e90e338d948781626d5ff6db3a6fea303b8aead98824d

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw5922e718182ea3c1.tmp

MD5 ef035189604e7f5d68a62827b985ccbb
SHA1 c094c6eef2640a71aee9f4b27123c2080d38136f
SHA256 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740
SHA512 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw6d284b8c3b0c86c9.tmp

MD5 700b6740e6bfa7729f146572d8455348
SHA1 19d80fb0251f417283ed36fc20c43079b3f6fbb8
SHA256 d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e
SHA512 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw65a77a99f2ccf184.tmp

MD5 b216fc28400c184a5108c0228fba86bc
SHA1 5d82203153963ebede19585b0054de8221c60509
SHA256 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd
SHA512 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw46763ea0c873b956.tmp

MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA1 f5582697e068ba1d56825fc32bd5ab1a71bd4d38
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4
SHA512 de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw5e8c469a025a795d.tmp

MD5 c5665f1f93d9aabbcb1dde533e2c46e6
SHA1 732389de20c600d0222d61b4ee74b0be6412a45b
SHA256 adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a
SHA512 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw6b9f4e612652a128.tmp

MD5 d9be57d4e1a25264b8317278f8b93396
SHA1 d3c98696582fed570f38ae45bf22b8197253b325
SHA256 a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3
SHA512 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\asw0b2467ddcec09183.tmp

MD5 13e9fbb02cb7497562b59a9ef8f1ee92
SHA1 047936e9296e77939b5b23c1a2af3056eaa2ae99
SHA256 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a
SHA512 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 a84d2fc712c28e4ce89ccfd7f4af885d
SHA1 3e97e10a0e7e9f61bd9312be6cf740d85fe9895f
SHA256 440b9adaaa3783d55d7dde92b93c4ba8682d535f66b97ce2317cd2f5c4f61a24
SHA512 0d8c5fbfe1fb27172446b2ec17e451ec7c032daee793d5b22cb69b0b1359d534fcf900edf1f9d36d1fcd62425d16db76bdb5e48f7fe2b0ced032c407c9ef935c

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\part-prg_ais-15020997.vpx

MD5 b898fa20bf9b0321b50a8d4946aae799
SHA1 4e173a99dc9a9ef507112857525ad53991f4d2a0
SHA256 6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c
SHA512 c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\setup.def

MD5 be793535c4acf02d4ad13b20d0c84deb
SHA1 65dd6b4891a75848042c10057808535298cee3e1
SHA256 31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd
SHA512 7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\prod-vps.vpx

MD5 fa7efdecc2537c953bb8a49f6ac54224
SHA1 68821ae21e5c476b5f451bd5a0a6fb6650a421f1
SHA256 16ee2337d70bd3241362fd815d6ccf948836e3c5bfa1eb7921592ac909c0cba9
SHA512 3f4e9d2e016b3d47fa2492dd0c7788bd2d320fcc39dca850ffa94d1ceaf212573f76c3e8305817ee282811f7533284a1619987ceaaee6858c8702d5cf412f538

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\part-jrog2-1643.vpx

MD5 0487afba722c75421dab5ad76c907b64
SHA1 2af01aae124736188c6879265bc8e5b8aaf5f633
SHA256 756380ea118c2bc721918c7fe94300032667b3f5a143b6374246e80339833019
SHA512 23047f15ca793efd76614034455653960540b7831b726234501f8bb3d057ac48ce7fef0370cb4adbffe1f1c37d4199176a701479c8824afbe3ae55ca5714ac1d

memory/580-333-0x000007FEF3600000-0x000007FEF492B000-memory.dmp

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\part-vps_windows-24103102.vpx

MD5 fbaf91e11247fcacda8bbba7e78e5aae
SHA1 88d882c06b0f3c30d69fe1aa018d921f1264a8bc
SHA256 d5b2609e3056fb970c1ff0dd020add9fb95208c520058308595ea9a550f40317
SHA512 b5e647dfe1bfa9a81235ab91719548ac473b32f31a0c0515bf79191c23e35bc48d1654c31258df35150e27357f5e9f615b4c63450e77d081396a6c7425aaa99b

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.ini

MD5 76512dd194c58c77d7d2d6d70703b4d9
SHA1 50eb316213cc79b5d2a08e5b28ec899de68a43e3
SHA256 61989bdc094bf380befbafb7b57d2e6e86e506ffa2b3cc69adf93c9c40d0c97d
SHA512 e8a0607126462d824759da08621f49c0bb0e0958cfb67469c900154f778eef88e9c8c7868da12aaf8b86be11c49f333f5e2c2d514fa62a7b227559a310df30d6

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 88a96d69b09f6e7de31876b8776ffbe7
SHA1 f253fe10026188b347ed8d32e83809fe590afc63
SHA256 890e8e240212dc7466b360355694405a0acb240b860e9625c46e5c50d22301bc
SHA512 be100bafc94341953e9ccf82fccdb3f6d2c97203b45b4541f090bf588f46d6a1ef97d3e4b8a9669cf1ad66ac094a9c906fb8ecee4f045c3fdd04dad3c82bfb46

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.def

MD5 0c6f9081ca534bb92af1625a9f3a085e
SHA1 f92ee67b0d3a8993f5dff2f70f7fbf228471a8f7
SHA256 59f869984f8370005bba78e7501deeb8baebf57e015d690eab8af2d9f04dc763
SHA512 98ad5c128d6be6601efba6d03fc442575292590367f25ef604271f41e414feadd6a786564b4212b18ca006e4b1aa464f15c02c89882ab24c78f406f8b1d05303

\Windows\Temp\asw.83c2d23f0d7a4ab1\New_15020997\gcapi_17303836882720.dll

MD5 2973af8515effd0a3bfc7a43b03b3fcc
SHA1 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee
SHA256 d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0
SHA512 b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

memory/580-394-0x000007FEF3220000-0x000007FEF35FA000-memory.dmp

memory/580-393-0x000007FEF3600000-0x000007FEF492B000-memory.dmp

memory/580-396-0x000007FEF3220000-0x000007FEF35FA000-memory.dmp

memory/580-395-0x000007FEF3600000-0x000007FEF492B000-memory.dmp

memory/580-405-0x000007FEF3600000-0x000007FEF492B000-memory.dmp

memory/580-407-0x000007FEF3600000-0x000007FEF492B000-memory.dmp
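Several paths in the Files list appear more than once with different hashes (config.def three times; servers.def.vpx, prod-vps.vpx and Setup.log twice each), the first servers.def.vpx entry carries the MD5, SHA-1, SHA-256 and SHA-512 of empty input, and some entries drop the drive letter (\Windows\Temp\... beside C:\Windows\Temp\...), so naive matching on path strings over-counts the dropped files. The script below is an added example, not code from the report or from the sandbox vendor. It parses entries in this layout, normalises the two path spellings, and reports files rewritten during the run, files that were empty at capture time, and memory dumps. FILES_EXCERPT reproduces seven entries from the list with the SHA1 and SHA512 lines left out for brevity.

```python
"""Triage a sandbox Files list: normalise paths, find rewritten and empty files.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Seven entries reproduced from the Files list above (SHA1/SHA512 lines omitted).
FILES_EXCERPT = r"""
C:\Windows\Temp\asw.83c2d23f0d7a4ab1\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa

\Windows\Temp\asw.83c2d23f0d7a4ab1\Instup.exe

MD5 6179a6bcb9d35753d2deb3c1594a9bad
SHA256 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.def

MD5 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA256 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2

C:\Windows\Temp\asw.83c2d23f0d7a4ab1\config.def

MD5 bba0ccf7de498eb42cec81d162c3d7e4
SHA256 30d04a63e4a0f2b63b3f7b68a8336384b4b154cef135b6065edd3568ea81fce1

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 3557f3a00ab5e0f7eb7d4e0caa5576c0
SHA256 5670445d39f304013f4c4e885aedf91927ad87d60fed18e101ff14d76b7e2c28

memory/580-333-0x000007FEF3600000-0x000007FEF492B000-memory.dmp
"""


def parse_files(text):
    """Each non-hash line starts an entry; hash lines attach to the current one."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def normalize(path):
    """The report writes the same file both as C:\\Windows\\... and \\Windows\\..."""
    return "C:" + path if path.startswith("\\") else path


def malformed(entries):
    """(path, algorithm) pairs whose digest has the wrong length for its label."""
    return [(e["path"], alg) for e in entries
            for alg, h in e["hashes"].items() if len(h) != EXPECTED_LEN[alg]]


def triage(entries):
    by_path, dumps = defaultdict(list), []
    for e in entries:
        if e["path"].startswith("memory/"):
            dumps.append(e["path"])
        else:
            by_path[normalize(e["path"])].append(e["hashes"])
    rewritten = {p: [h.get("SHA256") for h in hs]
                 for p, hs in by_path.items() if len({h.get("SHA256") for h in hs}) > 1}
    empty = sorted(p for p, hs in by_path.items()
                   if any(h.get("SHA256") == EMPTY_SHA256 for h in hs))
    return {"paths": sorted(by_path), "rewritten": rewritten,
            "empty_at_capture": empty, "memory_dumps": dumps}


if __name__ == "__main__":
    for key, value in triage(parse_files(FILES_EXCERPT)).items():
        print(key, value)
```

When the same path shows several digests, only the last one is the file that existed when the run ended; the earlier digests are still useful as IOCs for the intermediate versions.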

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 14:06

Reported

2024-10-31 14:09

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

The indicator behind this signature is a handle to \??\PhysicalDrive0 opened for modification; the sandbox records the open, not a confirmed write to sector 0. All four handles belong to the installer chain (the submitted sample, the Avast online setup stub and both stages of instup.exe). To confirm or rule out a boot-sector change, capture the first 512 bytes of the disk before and after detonation and compare the boot code and partition table; an unchanged sector means the signature fired on access alone.

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
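
Added example, not from the report and not Avast code: the check a practitioner would run to decide whether anything was actually written to the boot sector. It parses a 512-byte MBR (440 bytes of boot code, the disk signature at 0x1B8, the four partition entries at 0x1BE, the 0x55AA signature) and diffs two captures field by field. The sector bytes below are constructed inside the script, not read from the detonation VM; read_sector0 shows where a real capture would come from and needs administrator rights on the host.

```python
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE
DISK_SIGNATURE_OFFSET = 0x1B8
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_seed=b"baseline boot code", lba_start=2048, sectors=204800):
    """Constructed 512-byte MBR for offline testing (not captured from any disk):
    filler boot code, a fixed disk signature, one active NTFS (0x07) partition
    and the 0x55AA boot signature."""
    boot_code = (boot_code_seed * 32)[:440]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", lba_start, sectors)
    table = entry + b"\x00" * 16 * 3
    sector = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR
    return sector


def parse_mbr(sector):
    """Split one sector into the fields a bootkit would have to touch."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:   # empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": parts,
    }


def diff_mbr(before, after):
    """Names of the fields that differ between two captured sectors (empty = untouched)."""
    a, b = parse_mbr(before), parse_mbr(after)
    return sorted(k for k in a if a[k] != b[k])


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (Windows device path shown; on Linux use e.g. /dev/sda).
    Requires administrator/root and a sector-aligned read; not called by the offline demo."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    # Hypothetical tampered capture: same partitions, replaced boot code.
    tampered = build_sample_mbr(boot_code_seed=b"hypothetical replaced boot code")
    print(parse_mbr(baseline))
    print("changed fields:", diff_mbr(baseline, tampered))
```

Run it on two real captures by replacing the constructed sectors with read_sector0() taken before and after detonation; a change limited to boot_code_sha256 is the classic MBR bootkit pattern, while a partition-table change points at a relocated or added boot partition.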

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a4e.vpx" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a4e.vpx" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a4e.vpx" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100" C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18" C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A

Suspicious use of SetWindowsHookEx

Both instup.exe stages installed a hook; the hook type and target thread are not reported, so this cannot be distinguished from a message hook installed by a UI framework without the call arguments.

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe N/A

Suspicious use of WriteProcessMemory

Every row below is a process writing into a process it launched next in the chain: the sample into the online setup stub, the stub into instup.exe, instup.exe into its New_180a17f5 copy, and that copy into each aswOfferTool.exe instance. Repeated rows are repeated calls against the same child. No write into a pre-existing or unrelated process is recorded, which is consistent with parent-to-child writes at process creation; the rows alone do not rule out hollowing of a freshly created child, so compare each child's on-disk image against the hashes in Files below.

Description Indicator Process Target
PID 2688 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe
PID 2688 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe
PID 3804 wrote to memory of 3512 N/A C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe
PID 3804 wrote to memory of 3512 N/A C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe
PID 3512 wrote to memory of 1568 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe
PID 3512 wrote to memory of 1568 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe
PID 1568 wrote to memory of 1228 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 1228 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 1228 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 1140 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 1140 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 1140 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 2064 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 2064 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 2064 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 4464 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 4464 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe
PID 1568 wrote to memory of 4464 N/A C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe

Processes

Command lines of the processes observed. aswOfferTool.exe runs five times; one of those runs is a copy placed in C:\Users\Public\Documents, a directory writable by every local user, and that copy runs without -elevated. Hash that copy and check its Authenticode signature against the instances run from the temp directory.
C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe

"C:\Users\Admin\AppData\Local\Temp\cc029d3b1ed56707aab21a94a11bedb98d905b8c80b63cc7592228672ee2c0db.exe"

C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:26de97e8-593c-4f0e-987c-3910bb0ffda4 /edat_dir:C:\Windows\Temp\asw.f1918a7871385379

C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.b1428497ccbf48a4 /edition:1 /prod:ais /stub_context:6649afe1-717f-4057-846a-fa6c0d9b2c32:11072232 /guid:307a7d68-94b8-4726-8253-b515b245f880 /ga_clientid:26de97e8-593c-4f0e-987c-3910bb0ffda4 /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:26de97e8-593c-4f0e-987c-3910bb0ffda4 /edat_dir:C:\Windows\Temp\asw.f1918a7871385379

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.b1428497ccbf48a4 /edition:1 /prod:ais /stub_context:6649afe1-717f-4057-846a-fa6c0d9b2c32:11072232 /guid:307a7d68-94b8-4726-8253-b515b245f880 /ga_clientid:26de97e8-593c-4f0e-987c-3910bb0ffda4 /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.f1918a7871385379 /online_installer

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\aswOfferTool.exe" -checkChrome -elevated

Network

The udp rows to 8.8.8.8:53 and 8.8.4.4:53 are DNS lookups through the sandbox's resolvers, not contact with the named host, and the in-addr.arpa rows are reverse lookups of addresses just contacted (223.223.117.34.in-addr.arpa is 34.117.223.223, v7event.stats.avast.com; 78.169.217.172.in-addr.arpa is 172.217.169.78, www.google-analytics.com). The tcp rows are the actual connections: avast.com and avcdn.net update and telemetry hosts, Google Analytics, and Bing.

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 172.217.169.78:80 www.google-analytics.com tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 98.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 2.20.12.98:80 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
GB 172.217.169.78:80 www.google-analytics.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 g1928587.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
US 8.8.4.4:53 g1928587.iavs9x.u.avast.com udp
US 8.8.4.4:53 r4427608.iavs9x.u.avast.com udp
US 8.8.4.4:53 b7210692.iavs9x.u.avast.com udp
US 8.8.4.4:53 y8002308.iavs9x.u.avast.com udp
US 8.8.4.4:53 r9319236.iavs9x.u.avast.com udp
US 8.8.4.4:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 g1928587.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
US 8.8.4.4:53 y8002308.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 g1928587.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
US 8.8.8.8:53 g1928587.iavs9x.u.avast.com udp
US 8.8.8.8:53 r4427608.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 y8002308.iavs9x.u.avast.com udp
GB 2.20.12.98:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
US 8.8.8.8:53 102.12.20.2.in-addr.arpa udp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
US 8.8.8.8:53 l4691727.iavs9x.u.avast.com udp
US 8.8.8.8:53 l4691727.iavs9x.u.avast.com udp
US 8.8.8.8:53 l7814800.iavs9x.u.avast.com udp
US 8.8.8.8:53 n2833777.iavs9x.u.avast.com udp
US 8.8.8.8:53 r6726306.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 t1024579.iavs9x.u.avast.com udp
US 8.8.8.8:53 l4691727.iavs9x.u.avast.com udp
US 8.8.8.8:53 l4691727.iavs9x.u.avast.com udp
US 8.8.8.8:53 l7814800.iavs9x.u.avast.com udp
US 8.8.8.8:53 n2833777.iavs9x.u.avast.com udp
US 8.8.8.8:53 r6726306.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 t1024579.iavs9x.u.avast.com udp
GB 2.20.12.98:80 t1024579.iavs9x.u.avast.com tcp
US 8.8.8.8:53 c3978047.vps18.u.avcdn.net udp
US 8.8.8.8:53 c3978047.vps18.u.avcdn.net udp
US 8.8.8.8:53 n8283613.vps18.u.avcdn.net udp
US 8.8.8.8:53 s-vps18.avcdn.net udp
US 8.8.8.8:53 s1843811.vps18.u.avcdn.net udp
US 8.8.8.8:53 t1024579.vps18.u.avcdn.net udp
US 8.8.8.8:53 y8002308.vps18.u.avcdn.net udp
US 8.8.8.8:53 c3978047.vps18.u.avcdn.net udp
US 8.8.8.8:53 c3978047.vps18.u.avcdn.net udp
US 8.8.8.8:53 n8283613.vps18.u.avcdn.net udp
US 8.8.8.8:53 s-vps18.avcdn.net udp
US 8.8.8.8:53 s1843811.vps18.u.avcdn.net udp
US 8.8.8.8:53 t1024579.vps18.u.avcdn.net udp
US 8.8.8.8:53 y8002308.vps18.u.avcdn.net udp
GB 2.20.12.90:80 y8002308.vps18.u.avcdn.net tcp
GB 2.20.12.90:80 y8002308.vps18.u.avcdn.net tcp
GB 2.20.12.90:80 y8002308.vps18.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 90.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.4.4:53 v7event.stats.avast.com udp
US 8.8.4.4:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 ipm.avcdn.net udp
US 8.8.8.8:53 8.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ipm.avcdn.net udp
US 34.111.24.1:443 ipm.avcdn.net tcp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
GB 184.26.189.54:443 ipmcdn.avast.com tcp
US 8.8.8.8:53 1.24.111.34.in-addr.arpa udp
US 8.8.8.8:53 54.189.26.184.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
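
Added example (not part of the report): extracting contact IOCs from rows in the layout of the table above, treating udp/53 rows to the sandbox resolvers as lookups rather than connections and decoding in-addr.arpa names back to the address that was looked up. The rows are a constructed subset copied from this table; the registrable-domain grouping is a deliberate last-two-labels approximation, not a public-suffix-list implementation.

```python
import re
from collections import defaultdict

# Constructed subset of the Network table above, same column layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 172.217.169.78:80 www.google-analytics.com tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 b7210692.iavs9x.u.avast.com udp
GB 2.20.12.102:80 g1928587.iavs9x.u.avast.com tcp
US 150.171.27.10:443 g.bing.com tcp
"""

RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # the sandbox's DNS forwarders seen in every udp/53 row


def registrable(name):
    """Last two labels of a hostname (adequate for the .com/.net names here)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def ptr_to_ip(name):
    """'223.223.117.34.in-addr.arpa' -> '34.117.223.223'; None for non-PTR names."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name.lower())
    return ".".join(reversed(m.groups())) if m else None


def is_lookup(ip, port, proto):
    return port == 53 and proto == "udp" and ip in RESOLVERS


def summarize(text):
    """Separate real connections from lookups and tie reverse lookups to contacts."""
    rows = []
    for line in text.strip().splitlines():
        _country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append((ip, int(port), name, proto))

    conns = defaultdict(set)   # registrable domain -> {(ip, port, proto)}
    contacted = set()
    for ip, port, name, proto in rows:
        if not is_lookup(ip, port, proto):
            contacted.add(ip)
            conns[registrable(name)].add((ip, port, proto))

    resolved = set()   # forward names looked up
    reverse = {}       # address behind a PTR query -> whether it was also contacted
    for ip, port, name, proto in rows:
        if is_lookup(ip, port, proto):
            target = ptr_to_ip(name)
            if target is None:
                resolved.add(name)
            else:
                reverse[target] = target in contacted
    return {"connections": dict(conns), "resolved": resolved, "reverse": reverse}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for domain, endpoints in sorted(s["connections"].items()):
        print(domain, sorted(endpoints))
    print("reverse lookups:", s["reverse"])
```

A reverse-lookup address that was never contacted (52.167.249.196 in the subset) is the one case worth a second look; the rest simply mirror the tcp rows.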

Files

Dropped or written files with their digests. A path listed twice (config.def, servers.def.vpx) was written more than once; each entry is one captured version.
C:\Windows\Temp\asw.f1918a7871385379\avast_free_antivirus_setup_online_x64.exe

MD5 285b70b3ac1698009e386ece00acee56
SHA1 dda4d5748970490ca1100d7e076045b3648008a3
SHA256 df8b438844b84bae4a78bd4a593fd28be2fd58a0fd431e4b942661eea9476dc0
SHA512 5c4a1819cd444d576e81fa10a686dabce9e66fae197aa1668cc2d394289a2722eeed7f88f5d3b80b2c9526ede50cb03deba999ecbaeb30e212c91e84b540580f

C:\Windows\Temp\asw.f1918a7871385379\ecoo.edat

MD5 0c3fb92e76191db5caf5b0b3faa37ce5
SHA1 c3def7847d3ee4a5f6f6977d0b1b95aa2ef3ded9
SHA256 c0b918fff0c176e58cb694ad6b830eddb0f987f3558583fc339b49681d5d3b46
SHA512 0d5935e4883ed4ad612c130e5542ff45e81431c2a52dbdb2319469b84927963f1cb138c612ed73e584f2222c4e53a5fc0ec29da8d5cbcd261bbf789356ab0e66

C:\Windows\Temp\asw.b1428497ccbf48a4\servers.def

MD5 b1960612149e68ce8d6f4827c5b39073
SHA1 6259a3ebd659bb63ec59fab4c8e1aa79092692a4
SHA256 847bd020bc930856d25c54d5fa03278b0e6b2434f2560f3c6b7c000332012173
SHA512 81d2737ca459d8fb3aab6dede1c666efdb6c3a851f1018a8b2d5166060de05fff7abb8eaa9e24ee441137033bd0574ce107ef9d3abd93ddde4b86cda76625423

C:\Windows\Temp\asw.b1428497ccbf48a4\Instup.exe

MD5 6179a6bcb9d35753d2deb3c1594a9bad
SHA1 d114563b01f474084efd2c4f7edef133cdc1018f
SHA256 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2
SHA512 2cd159f3de29a011d4b6c807e87c3b404e311f39d015b5760febab1f480cca9bb8472ec53e912d526eaba65f58659acea1530923caa6c2baa60cfd9f98786f69

C:\Windows\Temp\asw.b1428497ccbf48a4\Instup.dll

MD5 0d09efc988c41b14c4fd0bd9c1457b87
SHA1 7c8bb0b4760edfc009e8b122124aa2b70e1da93a
SHA256 49ae4e9a468593038c1ab7fd6f988ddc0eace7e8c3c407c53b130e2eba1506fb
SHA512 b54c3ab104ce574690155d672146be30a1ae45abec71ddaad81ba16f9435f76deb4daccab628b006cbde0e9c9a85b99a3b8a33ad4dd3ebdc05a2dbb963062993

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 ce79ab094e0bb6b0d37fcd50911820e9
SHA1 15879f130c513200c7d8d03ea668dd483d8e0c01
SHA256 a14e9c1cf5ce52bfdf7530a52d0c22666878b3c9acef6f26e3e58b648be70dfa
SHA512 3bf24db688457613bbe5ddbb1c45384877b2739578fc6cd29127b68f9a882bb8d3e9d1125d3f2d49c1be71ed96d7afa1c6204ba7f4b931345855ef8207285816

C:\Windows\Temp\asw.b1428497ccbf48a4\config.def

MD5 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA1 ab4d2eac9985dba69422cf8cd6bc36846eda1855
SHA256 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2
SHA512 13b24f45680e1607dc6fd2560b697918d11c4d8fec1ef561961e5846887f37623470782e36daa16005bf52142de3bd2ff15860c015a798e4729d6625c335c0ad

C:\Windows\Temp\asw.b1428497ccbf48a4\config.def

MD5 6bb612d4b85a2bcd95c90c25d8ae0282
SHA1 65b219604c108c704ebc393b6ddb085bbc36f62e
SHA256 36a1e5c2002398eb0f8bc2961f236d8257598e4416894e89593362da4364b213
SHA512 d4626731a1d9de5de03159b9f3380dc5c419f03129f431df42bb4e19b3cbdcdf41784e974340b014b6d832b6a0f0cf94eb285c4ebdcedb9976b33fa6d7ad5892

C:\Windows\Temp\asw.b1428497ccbf48a4\config.ini

MD5 10c22051959a25924a421be3bd411a83
SHA1 7b35798862a0c56908ba4c42a75ef4b765fb135f
SHA256 dcbd531e80363c3c010912e28505d0c8f9779bc9c9adf24673db014d8d708ee0
SHA512 50502ff14236a3479ecc5f078195259acb36c5ea2db7c6b8229d7e919f587551743a8b006421d3412212343cae6e414201460d678406da019616830192264de6

C:\Windows\Temp\asw.b1428497ccbf48a4\HTMLayout.dll

MD5 b0e91293160024bfc0302bbdadd0bb9c
SHA1 005fbe3c47213d4b791c05f2a8a6932dc70357e9
SHA256 3db7c1fc402a689bb160ed2d0bc12edb6765307c725ad02e7b27510008b4f8ca
SHA512 f7239b26fedc2a90c2b267467781ff26512890b879772bcc0809409a368fefd74a8930d8d4958559381dd57f7bdc769668c5ec638b5ad82e4a20a1e0217e9304

C:\Windows\Temp\asw.b1428497ccbf48a4\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.b1428497ccbf48a4\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA1 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

C:\Windows\Temp\asw.b1428497ccbf48a4\uat64.vpx

MD5 63e7a59b7d1f9405ba1a0e685ca98af7
SHA1 c90d503b31b8027a0fbbe1f0008021e27ce42609
SHA256 03cee410775634e7570b80077ca95e47cbafbdf982c19ac2e222726d28b9a584
SHA512 9b70322f966accc16435bd3869106be18ac7e21962846938e64c7001c663cbd1ea7a7662e0d85af97af05820192ceb0bb01d65cff3d7bbe8467b873a872d644f

C:\Windows\Temp\asw.b1428497ccbf48a4\prod-pgm.vpx

MD5 db09685c045dc0df0552427c752a1aa7
SHA1 eb0e8e1e9839e7517efb7fedfa7edabc5d57587a
SHA256 9219680462bef7060264ac63d21f3332daf0fca5090cae295427710895be0002
SHA512 d0b4b1c23557aa18a5ca9299c7269cd2221ec8b155b9ec9c045f6ddb612f1979a9d3e78ae395dc6e515338ee8bdf13225a1cafc903bc800a22b9b9e3489a462b

C:\Windows\Temp\asw.b1428497ccbf48a4\uat64.dll

MD5 b49ac1e7007e1e445c45fc906e96687e
SHA1 b33adeb3d8ad516a3fe826cc3f48f9c6e67030cb
SHA256 da17cf39c773ab3048e767aff993458e284837287e8c4af0d139ad71f3459ff8
SHA512 e3ef8ef9423552281dc12e25eeef69b954e50bc844442d7e0de9c7e066c53e62dc84a43e44428caff1e18b06470c17d25e65825c07f5f85535d97ace23f05ba2

C:\Windows\Temp\asw.b1428497ccbf48a4\part-setup_ais-180a17f5.vpx

MD5 9e51873b5404f36f66233ab303691c3c
SHA1 829708f060b08fac4fc0474d2eddc76ba8a0d560
SHA256 bece96f0fdacad51d9b490a4ecf7e129ef8feace87795d9ba9cb7901536d3f58
SHA512 0d9b13ae03de4c94f0863a576a986810ba0d0d0cab1a8676f160628a66e26d76f673ca51f7e7ac48dd507b358a41220a94bb5dbbc96ed9dd95c29dc4c1288e6c

C:\Windows\Temp\asw.b1428497ccbf48a4\prod-vps.vpx

MD5 8499e8596ec1c873e132662092da0a85
SHA1 dd27c53c9fb86cbcc367182fccf8bd0af6ebb763
SHA256 26d22504cae4bb0e7de6e10317a97aa4be15a0a3fa9bf2d735d89213696e0712
SHA512 f06bcf0f8239a15c78b8113d27c60b32bcdc1be25d913ef3356ca5a58349e12b14b6673838e83972d81e90e338d948781626d5ff6db3a6fea303b8aead98824d

C:\Windows\Temp\asw.b1428497ccbf48a4\avbugreport_x64_ais-a4e.vpx

MD5 842ce0dd7cb9f7da03deeaca914d2601
SHA1 4fb1155f24c0a21ce05422acef92315b28cd00b0
SHA256 8611887d7a6d0e09154624ae8842101b75cebb9fbfed3ea5b75757dbf27f9c2b
SHA512 afc099e544c225ee59ea322b9e8214eaa52e38f87c3ef1e9c1342381ed6297edf0f2305e110e0161a8bc285282277e8f71d97c6975be2692694b252b7fc14227

C:\Windows\Temp\asw.b1428497ccbf48a4\avdump_x64_ais-a4e.vpx

MD5 1015a45d5a55cc49d7c9c7b738059b42
SHA1 378b0613fdb97f20c4fa7ada4d6ff477235ed714
SHA256 540d3f4ac06e02499b99a63e385fad6b9da3a0ddddd0f53c471fa337b29f6c9c
SHA512 0ea22eee2e4888a14ec99f288e115e94787dc98e4e23431fcecc19a7b54f5f7511b01317709a1fc5df667f97b7eda25d0cdb54b15b1e26c8d14921462a43089e

C:\Windows\Temp\asw.b1428497ccbf48a4\offertool_x64_ais-a4e.vpx

MD5 6f6329510f25a07190dcb390f64aafb0
SHA1 bb01be426c6b48ffd4de21bbc8b57d5ac98dcd3b
SHA256 d494b12aeb973291ed85ff0ff94f734a827f14f52f9b2888824caad56a8192f1
SHA512 5a140f6748348159ea00a686e555aa514d356a4855f75560110ac7745b172cf7e69861599d74596300252a0249f7671637d49b1cd2a63f2f43aaf818dca198f6

C:\Windows\Temp\asw.b1428497ccbf48a4\New_180a17f5\asw12e658d29b45eebd.tmp

MD5 aa4483fee9197dcc99ad3e6fd1ed976a
SHA1 a7a70cc9d0cab661aa276a718eea9f5b4b417674
SHA256 c782bd3a455f7236c1f99d3f85805ebb8b79ff622d1a989d148b1c7db5ee2b31
SHA512 69b127b1516b447786d7cf0604fb75db1fff95f6d755c9f698a3164c8685a87dd3b288bcc70566b1e6c3aed444ee5db0321c19830e95750b79233952ba8188e8

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 7f5a33c735b0f1a4cb0983dc30769ff6
SHA1 32e9b7ac8f8c48bfcd2246484ad48fb02730ac8b
SHA256 9e3e4036ee212784e97bbb4c3284cf2f38c074c209ca166ec714109c24e1a27b
SHA512 d70340256cbca41b2a0919711cc761f9f6ea9acbadd630d2e7e3e75e118523ab1238052cc99021ad9740963b188234652ee44cfb007f74a2efcccf36680b512f

C:\Windows\Temp\asw.b1428497ccbf48a4\part-prg_ais-180a17f5.vpx

MD5 7e65c81832ebfd31aaa0971528adfe72
SHA1 59394751b3e14f516152747902e6d8f1c0799b54
SHA256 bf4f0f44ab05c6585ab85b1d2b3ad7b36ca229dc39205069bda05674d6a6e034
SHA512 9c6a2885b8a8dab5181052205ae9b4a53731242d5ab0e3e23e3d0be53c28c1e6800b6d9c5451a5f28a50b617f71dd457db109de32e852ac9b268962b8d997916

C:\Windows\Temp\asw.b1428497ccbf48a4\setup.def

MD5 2968b90417f9078ef3ec90887589bcbc
SHA1 36ce6e67601513bd6efa46085a5570dfe0946f03
SHA256 f2de3592da42e4d30ffbfe8215539e08b0d9d7a4812b48a7a0ffe2da4f10db5b
SHA512 f84b09bfd16d8564b265e9616501a09fd60b702a3871efa083ed2bbe950c52de3123829b295c360f36a6f8e0a6feb29430d7d22059e64931459cc056eec2e779

C:\Windows\Temp\asw.b1428497ccbf48a4\prod-vps.vpx

MD5 fa7efdecc2537c953bb8a49f6ac54224
SHA1 68821ae21e5c476b5f451bd5a0a6fb6650a421f1
SHA256 16ee2337d70bd3241362fd815d6ccf948836e3c5bfa1eb7921592ac909c0cba9
SHA512 3f4e9d2e016b3d47fa2492dd0c7788bd2d320fcc39dca850ffa94d1ceaf212573f76c3e8305817ee282811f7533284a1619987ceaaee6858c8702d5cf412f538

C:\Windows\Temp\asw.b1428497ccbf48a4\part-jrog2-1643.vpx

MD5 0487afba722c75421dab5ad76c907b64
SHA1 2af01aae124736188c6879265bc8e5b8aaf5f633
SHA256 756380ea118c2bc721918c7fe94300032667b3f5a143b6374246e80339833019
SHA512 23047f15ca793efd76614034455653960540b7831b726234501f8bb3d057ac48ce7fef0370cb4adbffe1f1c37d4199176a701479c8824afbe3ae55ca5714ac1d

C:\Windows\Temp\asw.b1428497ccbf48a4\part-vps_windows-24103102.vpx

MD5 fbaf91e11247fcacda8bbba7e78e5aae
SHA1 88d882c06b0f3c30d69fe1aa018d921f1264a8bc
SHA256 d5b2609e3056fb970c1ff0dd020add9fb95208c520058308595ea9a550f40317
SHA512 b5e647dfe1bfa9a81235ab91719548ac473b32f31a0c0515bf79191c23e35bc48d1654c31258df35150e27357f5e9f615b4c63450e77d081396a6c7425aaa99b

C:\Windows\Temp\asw.b1428497ccbf48a4\config.def

MD5 732d079159f66306531fc0f05df7ece6
SHA1 da3114747531fe838458f7f9e44101d1c1ab9453
SHA256 5f817eb4dc9aeaaf0ecf739026a95c50ab1f45c56a83042a0791fb0c87efc105
SHA512 644ecce145ff60c9e77b0340d0ebd076ab1671cd3a59a36495d0cc6309b3e50caf7884539c9dd48d14838f7fd2dd2beacda2d613756873d411b352ab167183dc

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 a1c558319f2a2ee45bd8f1410be5e7eb
SHA1 7757189ef470dfcbf1694d28e1a64eeac9668e11
SHA256 440d18de1597690530ef8ed4323b615dc30dba6df69d4348d9b4918a40cd4872
SHA512 fa4a8fc5cd313faeeadc672607713fb795fb200ad008ba0fb9a918626f30deea3e6aaab7692d7d2532803bdaea0b463ed85fc564d851e7fae582dd0983f7f781

C:\Users\Public\Documents\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0