Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-se7epaynaz
Target 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3
SHA256 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3
Tags
bootkit discovery persistence
score
8/10

Analysis Overview

score
8/10

SHA256

3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3

Threat Level: Likely malicious

The file 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Embeds OpenSSL

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 15:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 15:03

Reported

2024-10-31 15:06

Platform

win7-20241023-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
N/A N/A N/A N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 32 N/A C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe

"C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"

C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe

"C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /ga_clientid:8592bc03-3772-46fa-aa2c-3aab605f4c6d /edat_dir:C:\Windows\Temp\asw.207f1679667a49a7

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 s-iavast.avcdn.net udp
US 8.8.8.8:53 s-iavast.avcdn.net udp
GB 184.26.189.84:443 s-iavast.avcdn.net tcp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 142.250.187.238:80 www.google-analytics.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabEE66.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe

MD5 4c13bc2b1caecbf324785475de2ef0ae
SHA1 98199b8679aca9c3adad8fe10b5c4a7a8f4c66db
SHA256 b817b1a59d48f02d34f28727db9956b932aa89660194289ba14f0a1911a63638
SHA512 fcb80682fd302a3f3df8ce1886eaf779e8504ef17dc73e1558bcf2758ae1436be6b29545b2fbe765b8a0d1a82ab459187253be05590a7bf7c22b08a252716c88

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 15:03

Reported

2024-10-31 15:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-a4e.vpx" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100" C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18" C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-a4e.vpx" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71" C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe
PID 3120 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe
PID 5020 wrote to memory of 732 N/A C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe
PID 5020 wrote to memory of 732 N/A C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe
PID 732 wrote to memory of 1908 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe
PID 732 wrote to memory of 1908 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe
PID 1908 wrote to memory of 3836 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 3836 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 3836 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 3716 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 3716 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 3716 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 384 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 384 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe
PID 1908 wrote to memory of 384 N/A C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe

"C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"

C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe

"C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /ga_clientid:6f7a4bfa-f790-431e-837d-a17e5c707dcf /edat_dir:C:\Windows\Temp\asw.17e8761e8c0a62ab /geo:GB

C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe

"C:\Windows\Temp\asw.0d943d2b3bb86b1d\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.0d943d2b3bb86b1d /edition:21 /prod:ais /stub_context:74bbb698-061b-4528-9936-23cfdd25688b:11071208 /guid:d91d8f9c-27a3-4412-97c5-828a5eb73f24 /ga_clientid:6f7a4bfa-f790-431e-837d-a17e5c707dcf /no_delayed_installation /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /ga_clientid:6f7a4bfa-f790-431e-837d-a17e5c707dcf /edat_dir:C:\Windows\Temp\asw.17e8761e8c0a62ab /geo:GB

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe

"C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.0d943d2b3bb86b1d /edition:21 /prod:ais /stub_context:74bbb698-061b-4528-9936-23cfdd25688b:11071208 /guid:d91d8f9c-27a3-4412-97c5-828a5eb73f24 /ga_clientid:6f7a4bfa-f790-431e-837d-a17e5c707dcf /no_delayed_installation /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /edat_dir:C:\Windows\Temp\asw.17e8761e8c0a62ab /geo:GB /online_installer

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\aswOfferTool.exe" /check_secure_browser

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-info.ff.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 34.117.223.223:80 v7event.stats.avast.com tcp
US 34.111.175.102:443 ip-info.ff.avast.com tcp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 102.175.111.34.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 s-iavast.avcdn.net udp
GB 184.26.189.84:443 s-iavast.avcdn.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 84.189.26.184.in-addr.arpa udp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 n8283613.iavs9x.u.avast.com udp
US 8.8.8.8:53 p1043812.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.4.4:53 m0658849.iavs9x.u.avast.com udp
US 8.8.4.4:53 n8283613.iavs9x.u.avast.com udp
US 8.8.4.4:53 c3978047.iavs9x.u.avast.com udp
US 8.8.4.4:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 c3978047.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 n8283613.iavs9x.u.avast.com udp
US 8.8.8.8:53 p1043812.iavs9x.u.avast.com udp
US 8.8.8.8:53 r9319236.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.4.4:53 s-iavs9x.avcdn.net udp
US 8.8.4.4:53 r9319236.iavs9x.u.avast.com udp
US 8.8.4.4:53 p1043812.iavs9x.u.avast.com udp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
US 8.8.8.8:53 102.12.20.2.in-addr.arpa udp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
US 8.8.8.8:53 f3461309.iavs9x.u.avast.com udp
US 8.8.8.8:53 f3461309.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 n4291289.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 w5805295.iavs9x.u.avast.com udp
US 8.8.8.8:53 z4055813.iavs9x.u.avast.com udp
US 8.8.8.8:53 f3461309.iavs9x.u.avast.com udp
US 8.8.8.8:53 f3461309.iavs9x.u.avast.com udp
US 8.8.8.8:53 m0658849.iavs9x.u.avast.com udp
US 8.8.8.8:53 n4291289.iavs9x.u.avast.com udp
US 8.8.8.8:53 s-iavs9x.avcdn.net udp
US 8.8.8.8:53 w5805295.iavs9x.u.avast.com udp
US 8.8.8.8:53 z4055813.iavs9x.u.avast.com udp
GB 2.20.12.98:80 z4055813.iavs9x.u.avast.com tcp
US 8.8.8.8:53 d3176133.vps18.u.avcdn.net udp
US 8.8.8.8:53 d3176133.vps18.u.avcdn.net udp
US 8.8.8.8:53 h4305360.vps18.u.avcdn.net udp
US 8.8.8.8:53 l7814800.vps18.u.avcdn.net udp
US 8.8.8.8:53 n8283613.vps18.u.avcdn.net udp
US 8.8.8.8:53 p9854759.vps18.u.avcdn.net udp
US 8.8.8.8:53 s-vps18.avcdn.net udp
US 8.8.8.8:53 d3176133.vps18.u.avcdn.net udp
US 8.8.8.8:53 d3176133.vps18.u.avcdn.net udp
US 8.8.8.8:53 h4305360.vps18.u.avcdn.net udp
US 8.8.8.8:53 l7814800.vps18.u.avcdn.net udp
US 8.8.8.8:53 n8283613.vps18.u.avcdn.net udp
US 8.8.8.8:53 p9854759.vps18.u.avcdn.net udp
US 8.8.8.8:53 s-vps18.avcdn.net udp
GB 2.20.12.97:80 p9854759.vps18.u.avcdn.net tcp
US 8.8.8.8:53 98.12.20.2.in-addr.arpa udp
GB 2.20.12.97:80 p9854759.vps18.u.avcdn.net tcp
GB 2.20.12.97:80 p9854759.vps18.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 97.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 72.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
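The Network table above mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8 / 8.8.4.4), the reverse-DNS (PTR) lookups the sandbox issues for every address it has just talked to, and the actual TCP connections the installer makes. Only the last group matters for triage, and within it the vendor-owned endpoints (avast.com, avcdn.net) should be separated from third-party telemetry (google-analytics.com, bing) and from payload downloads fetched over cleartext HTTP on port 80 (the iavs9x.u.avast.com and vps18.u.avcdn.net rows). The following script is an added example, not part of the sandbox report; it parses rows in the report's own "Country Destination Domain Proto" layout and produces that breakdown. The sample rows are a subset copied from the table, and the vendor suffix list is an assumption made for the example rather than a published allowlist.

```python
"""Triage helper for a sandbox Network table.

Added example, not part of the sandbox report.  Parses rows written in the
report's "Country Destination Domain Proto" layout, discards the PTR lookups
the sandbox generates for its own traffic, and groups the remaining TCP
connections by domain so they can be compared against a vendor allowlist.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's Network table.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 ip-info.ff.avast.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
US 34.111.175.102:443 ip-info.ff.avast.com tcp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 102.175.111.34.in-addr.arpa udp
GB 184.26.189.84:443 s-iavast.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
GB 2.20.12.102:80 c3978047.iavs9x.u.avast.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 udp
"""

# The domain column is optional: the report has rows with no resolved name.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Assumption for this example: suffixes owned by the installer's vendor.  A real
# allowlist should come from the vendor's published endpoint documentation.
VENDOR_SUFFIXES = (".avast.com", ".avcdn.net")


def parse_rows(text):
    """Return one dict per data row; the header and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def is_ptr_noise(row):
    """Reverse lookups of addresses already contacted carry no analytic value."""
    return row["domain"] is not None and row["domain"].endswith(".in-addr.arpa")


def tcp_contacts(rows):
    """Unique ip:port endpoints per domain for TCP flows, PTR rows excluded."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and not is_ptr_noise(r):
            out[r["domain"] or "<unresolved>"].add(f"{r['ip']}:{r['port']}")
    return dict(out)


def classify(domain):
    """'vendor' for allowlisted suffixes, 'third-party' for everything else."""
    return "vendor" if domain.endswith(VENDOR_SUFFIXES) else "third-party"


def cleartext_downloads(rows):
    """Domains contacted on TCP/80: content fetched without TLS, so anything it
    drops on disk must be verified by hash rather than trusted by origin."""
    return sorted({r["domain"] for r in rows
                   if r["proto"] == "tcp" and r["port"] == 80 and r["domain"]})


def summarize(text):
    rows = parse_rows(text)
    contacts = tcp_contacts(rows)
    return {
        "rows": len(rows),
        "ptr_noise": sum(is_ptr_noise(r) for r in rows),
        "vendor": sorted(d for d in contacts if classify(d) == "vendor"),
        "third_party": sorted(d for d in contacts if classify(d) == "third-party"),
        "cleartext": cleartext_downloads(rows),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full table, the same parser also surfaces the one row with no domain (the last line of the table), which stays in the count but never reaches the contact list.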

Files

C:\Windows\Temp\asw.17e8761e8c0a62ab\avast_one_essential_setup_online_x64.exe

MD5 4c13bc2b1caecbf324785475de2ef0ae
SHA1 98199b8679aca9c3adad8fe10b5c4a7a8f4c66db
SHA256 b817b1a59d48f02d34f28727db9956b932aa89660194289ba14f0a1911a63638
SHA512 fcb80682fd302a3f3df8ce1886eaf779e8504ef17dc73e1558bcf2758ae1436be6b29545b2fbe765b8a0d1a82ab459187253be05590a7bf7c22b08a252716c88

C:\Windows\Temp\asw.17e8761e8c0a62ab\ecoo.edat

MD5 a0505d991e7435d22a259ca50fd88502
SHA1 1548a59416847ef561117598aa6fcb18197e64fa
SHA256 e2338acacbb507fdcece45f997d24326a5b9030ae4af0d3d80be6a2139501947
SHA512 3b875e6ef1130ecd72a7054459ecb854c37afa75461c7bfe91c4d4b0b11a3d9a7cd359c8f0353fdbc26c7c174e8bd3fc4ec86c3a97c829390d2d549dc6a60b09

C:\Windows\Temp\asw.0d943d2b3bb86b1d\servers.def

MD5 b1960612149e68ce8d6f4827c5b39073
SHA1 6259a3ebd659bb63ec59fab4c8e1aa79092692a4
SHA256 847bd020bc930856d25c54d5fa03278b0e6b2434f2560f3c6b7c000332012173
SHA512 81d2737ca459d8fb3aab6dede1c666efdb6c3a851f1018a8b2d5166060de05fff7abb8eaa9e24ee441137033bd0574ce107ef9d3abd93ddde4b86cda76625423

C:\Windows\Temp\asw.0d943d2b3bb86b1d\Instup.exe

MD5 6179a6bcb9d35753d2deb3c1594a9bad
SHA1 d114563b01f474084efd2c4f7edef133cdc1018f
SHA256 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2
SHA512 2cd159f3de29a011d4b6c807e87c3b404e311f39d015b5760febab1f480cca9bb8472ec53e912d526eaba65f58659acea1530923caa6c2baa60cfd9f98786f69

C:\Windows\Temp\asw.0d943d2b3bb86b1d\Instup.dll

MD5 0d09efc988c41b14c4fd0bd9c1457b87
SHA1 7c8bb0b4760edfc009e8b122124aa2b70e1da93a
SHA256 49ae4e9a468593038c1ab7fd6f988ddc0eace7e8c3c407c53b130e2eba1506fb
SHA512 b54c3ab104ce574690155d672146be30a1ae45abec71ddaad81ba16f9435f76deb4daccab628b006cbde0e9c9a85b99a3b8a33ad4dd3ebdc05a2dbb963062993

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 33e66df4306aff6f5e7ec5b71991537d
SHA1 a119b3aae4e93938a1074e97e9d3189871e17876
SHA256 2628fdebf3c0b2d10e22e6182e8f04ac2d7299f49d1b0d19ae1acd37a18f32b5
SHA512 77502be176698288fb5cfd309a9ea5e98b2e61ca3e4af188591b28152bd99676882f718f1274fbaf89c177c1c81af5d2375a95c0fc60b2e79a18942b9ee03825

C:\Windows\Temp\asw.0d943d2b3bb86b1d\config.def

MD5 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA1 ab4d2eac9985dba69422cf8cd6bc36846eda1855
SHA256 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2
SHA512 13b24f45680e1607dc6fd2560b697918d11c4d8fec1ef561961e5846887f37623470782e36daa16005bf52142de3bd2ff15860c015a798e4729d6625c335c0ad

C:\Windows\Temp\asw.0d943d2b3bb86b1d\config.def

MD5 2f1a22ae7b1118c24fcb6b9c2df3038d
SHA1 f04670fd403cc4ddad6e4031091b5c6de8e682cd
SHA256 4ca18132f29681af38f30c560cf72afc3c21e0972f7576bdbd27a766dacfaada
SHA512 8ed9664106c619ef30f095fc5ae45558593b5d55a546b2a25e72435babb2f3a6a44a84c5cd9d54fca2d882f412a467ce016f1effd6d4c4d6401b65085bb84175

C:\Windows\Temp\asw.0d943d2b3bb86b1d\config.ini

MD5 c89b5f6de41adcfa8a89b774569fcbc1
SHA1 37af5462ecf08e7ce1354041d57a87183080d64f
SHA256 3a5dfb9dae6e0e7c534dc9d856d8c881490cef64486d32ba2b79b420b7004275
SHA512 15a690187f86b3c4495184e69693bb944e90472d4855e139dc2fd8bf55b436c1567def1997e6f06507e565502101c458d87143695b54121f77e770c4e8578cb4

C:\Windows\Temp\asw.0d943d2b3bb86b1d\HTMLayout.dll

MD5 b0e91293160024bfc0302bbdadd0bb9c
SHA1 005fbe3c47213d4b791c05f2a8a6932dc70357e9
SHA256 3db7c1fc402a689bb160ed2d0bc12edb6765307c725ad02e7b27510008b4f8ca
SHA512 f7239b26fedc2a90c2b267467781ff26512890b879772bcc0809409a368fefd74a8930d8d4958559381dd57f7bdc769668c5ec638b5ad82e4a20a1e0217e9304

C:\Windows\Temp\asw.0d943d2b3bb86b1d\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.0d943d2b3bb86b1d\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA1 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

C:\Windows\Temp\asw.0d943d2b3bb86b1d\uat64.vpx

MD5 63e7a59b7d1f9405ba1a0e685ca98af7
SHA1 c90d503b31b8027a0fbbe1f0008021e27ce42609
SHA256 03cee410775634e7570b80077ca95e47cbafbdf982c19ac2e222726d28b9a584
SHA512 9b70322f966accc16435bd3869106be18ac7e21962846938e64c7001c663cbd1ea7a7662e0d85af97af05820192ceb0bb01d65cff3d7bbe8467b873a872d644f

C:\Windows\Temp\asw.0d943d2b3bb86b1d\prod-pgm.vpx

MD5 db09685c045dc0df0552427c752a1aa7
SHA1 eb0e8e1e9839e7517efb7fedfa7edabc5d57587a
SHA256 9219680462bef7060264ac63d21f3332daf0fca5090cae295427710895be0002
SHA512 d0b4b1c23557aa18a5ca9299c7269cd2221ec8b155b9ec9c045f6ddb612f1979a9d3e78ae395dc6e515338ee8bdf13225a1cafc903bc800a22b9b9e3489a462b

C:\Windows\Temp\asw.0d943d2b3bb86b1d\prod-vps.vpx

MD5 8499e8596ec1c873e132662092da0a85
SHA1 dd27c53c9fb86cbcc367182fccf8bd0af6ebb763
SHA256 26d22504cae4bb0e7de6e10317a97aa4be15a0a3fa9bf2d735d89213696e0712
SHA512 f06bcf0f8239a15c78b8113d27c60b32bcdc1be25d913ef3356ca5a58349e12b14b6673838e83972d81e90e338d948781626d5ff6db3a6fea303b8aead98824d

C:\Windows\Temp\asw.0d943d2b3bb86b1d\uat64.dll

MD5 b49ac1e7007e1e445c45fc906e96687e
SHA1 b33adeb3d8ad516a3fe826cc3f48f9c6e67030cb
SHA256 da17cf39c773ab3048e767aff993458e284837287e8c4af0d139ad71f3459ff8
SHA512 e3ef8ef9423552281dc12e25eeef69b954e50bc844442d7e0de9c7e066c53e62dc84a43e44428caff1e18b06470c17d25e65825c07f5f85535d97ace23f05ba2

C:\Windows\Temp\asw.0d943d2b3bb86b1d\part-setup_ais-180a17f5.vpx

MD5 9e51873b5404f36f66233ab303691c3c
SHA1 829708f060b08fac4fc0474d2eddc76ba8a0d560
SHA256 bece96f0fdacad51d9b490a4ecf7e129ef8feace87795d9ba9cb7901536d3f58
SHA512 0d9b13ae03de4c94f0863a576a986810ba0d0d0cab1a8676f160628a66e26d76f673ca51f7e7ac48dd507b358a41220a94bb5dbbc96ed9dd95c29dc4c1288e6c

C:\Windows\Temp\asw.0d943d2b3bb86b1d\avbugreport_x64_ais-a4e.vpx

MD5 842ce0dd7cb9f7da03deeaca914d2601
SHA1 4fb1155f24c0a21ce05422acef92315b28cd00b0
SHA256 8611887d7a6d0e09154624ae8842101b75cebb9fbfed3ea5b75757dbf27f9c2b
SHA512 afc099e544c225ee59ea322b9e8214eaa52e38f87c3ef1e9c1342381ed6297edf0f2305e110e0161a8bc285282277e8f71d97c6975be2692694b252b7fc14227

C:\Windows\Temp\asw.0d943d2b3bb86b1d\avdump_x64_ais-a4e.vpx

MD5 1015a45d5a55cc49d7c9c7b738059b42
SHA1 378b0613fdb97f20c4fa7ada4d6ff477235ed714
SHA256 540d3f4ac06e02499b99a63e385fad6b9da3a0ddddd0f53c471fa337b29f6c9c
SHA512 0ea22eee2e4888a14ec99f288e115e94787dc98e4e23431fcecc19a7b54f5f7511b01317709a1fc5df667f97b7eda25d0cdb54b15b1e26c8d14921462a43089e

C:\Windows\Temp\asw.0d943d2b3bb86b1d\offertool_x64_ais-a4e.vpx

MD5 6f6329510f25a07190dcb390f64aafb0
SHA1 bb01be426c6b48ffd4de21bbc8b57d5ac98dcd3b
SHA256 d494b12aeb973291ed85ff0ff94f734a827f14f52f9b2888824caad56a8192f1
SHA512 5a140f6748348159ea00a686e555aa514d356a4855f75560110ac7745b172cf7e69861599d74596300252a0249f7671637d49b1cd2a63f2f43aaf818dca198f6

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\asw47d3faba363b93ff.tmp

MD5 aa4483fee9197dcc99ad3e6fd1ed976a
SHA1 a7a70cc9d0cab661aa276a718eea9f5b4b417674
SHA256 c782bd3a455f7236c1f99d3f85805ebb8b79ff622d1a989d148b1c7db5ee2b31
SHA512 69b127b1516b447786d7cf0604fb75db1fff95f6d755c9f698a3164c8685a87dd3b288bcc70566b1e6c3aed444ee5db0321c19830e95750b79233952ba8188e8

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 8ba9002e5a8e404ca047f3228b9bb59d
SHA1 432833fe0ba1358aef5839944127e6b504b94e3f
SHA256 4ca4474ff9c728dd8eb993d14ed9dd784c2ddf2d4f951b68ce716caa66236169
SHA512 2dddbfb502158e0fd64bcccf97d17f1f26c2f509304cd1bcb5173915576bb27fd7b506f0a85f1ffa700622f552ab448c8bff0fdf06e631c5423ba718f1af263b

C:\Windows\Temp\asw.0d943d2b3bb86b1d\part-prg_ais-180a17f5.vpx

MD5 7e65c81832ebfd31aaa0971528adfe72
SHA1 59394751b3e14f516152747902e6d8f1c0799b54
SHA256 bf4f0f44ab05c6585ab85b1d2b3ad7b36ca229dc39205069bda05674d6a6e034
SHA512 9c6a2885b8a8dab5181052205ae9b4a53731242d5ab0e3e23e3d0be53c28c1e6800b6d9c5451a5f28a50b617f71dd457db109de32e852ac9b268962b8d997916

C:\Windows\Temp\asw.0d943d2b3bb86b1d\setup.def

MD5 2968b90417f9078ef3ec90887589bcbc
SHA1 36ce6e67601513bd6efa46085a5570dfe0946f03
SHA256 f2de3592da42e4d30ffbfe8215539e08b0d9d7a4812b48a7a0ffe2da4f10db5b
SHA512 f84b09bfd16d8564b265e9616501a09fd60b702a3871efa083ed2bbe950c52de3123829b295c360f36a6f8e0a6feb29430d7d22059e64931459cc056eec2e779

C:\Windows\Temp\asw.0d943d2b3bb86b1d\prod-vps.vpx

MD5 fa7efdecc2537c953bb8a49f6ac54224
SHA1 68821ae21e5c476b5f451bd5a0a6fb6650a421f1
SHA256 16ee2337d70bd3241362fd815d6ccf948836e3c5bfa1eb7921592ac909c0cba9
SHA512 3f4e9d2e016b3d47fa2492dd0c7788bd2d320fcc39dca850ffa94d1ceaf212573f76c3e8305817ee282811f7533284a1619987ceaaee6858c8702d5cf412f538

C:\Windows\Temp\asw.0d943d2b3bb86b1d\part-jrog2-1643.vpx

MD5 0487afba722c75421dab5ad76c907b64
SHA1 2af01aae124736188c6879265bc8e5b8aaf5f633
SHA256 756380ea118c2bc721918c7fe94300032667b3f5a143b6374246e80339833019
SHA512 23047f15ca793efd76614034455653960540b7831b726234501f8bb3d057ac48ce7fef0370cb4adbffe1f1c37d4199176a701479c8824afbe3ae55ca5714ac1d

C:\Windows\Temp\asw.0d943d2b3bb86b1d\part-vps_windows-24103102.vpx

MD5 fbaf91e11247fcacda8bbba7e78e5aae
SHA1 88d882c06b0f3c30d69fe1aa018d921f1264a8bc
SHA256 d5b2609e3056fb970c1ff0dd020add9fb95208c520058308595ea9a550f40317
SHA512 b5e647dfe1bfa9a81235ab91719548ac473b32f31a0c0515bf79191c23e35bc48d1654c31258df35150e27357f5e9f615b4c63450e77d081396a6c7425aaa99b

C:\Windows\Temp\asw.0d943d2b3bb86b1d\aswd00f058f84545716.ini

MD5 ff4d4c937909ce3c2563b84c3cee1ec4
SHA1 c83606f52a0a35f65bc03a33b759c5f0856c16c5
SHA256 4efb0356affd1bfe50697929b1ad1155575413f1d22286373c746c66b8e5bd41
SHA512 9cd902b38a5d40e2a97eb88edf5d19adba8e23b58af868a8dd009f25dc6dbc1574b1eedde8f721dd33d50dee36d15cbdad5cea6cef7a27000e3a51a566cdf687

C:\Windows\Temp\asw.0d943d2b3bb86b1d\config.def

MD5 8092e79170a8b3f69e53092838f08f8d
SHA1 8449b5163e2905d17ba7455c814d19d0a4f538bf
SHA256 cd01bd40b9c13168baa8307a95442c70694d252ebd6379225eaf9c1e661c1dc0
SHA512 e34a78798c54703e50f59428ebd412c468f7de88acae7d9f5152631956381daf0fea214016579f6f084bc1009787625af1a3abcd997d435fff1ead71b4ab6294

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 e2c2f5a388af467a68a8e9f0d133e4a1
SHA1 7f76e28a5e743d91c232cbad310d08fe6fedaa3a
SHA256 fcd51deffc7f451ce6d33022ec91c2ac7d5fd3949818384b11675ea67e02fe45
SHA512 9c3acd9d7f35c02c1def8003cb865398c95263165b92c58069c86554c1c620921f00e74eb04be9b6705f23b877d2dbf63fa0d647245c17f901d2ff39cc4e053d

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0
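Two things in the Files table above are easy to miss when reading hashes by eye. First, the digests recorded for the initial servers.def.vpx entry (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) are the digests of a zero-byte file: the sandbox captured the file before the installer populated it, so that entry is a placeholder, not an indicator. Second, several paths (servers.def.vpx, config.def, prod-vps.vpx, Setup.log) appear more than once with different digests because the installer rewrote them during the run, so each version needs to be tracked separately. The script below is an added example, not part of the sandbox report; it parses entries in the report's own layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines) and flags both conditions, plus digest lengths that do not match their algorithm, which catches truncated copy-paste. The sample entries are a subset copied from the table.

```python
"""Sanity checks over a sandbox Files table.

Added example, not part of the sandbox report.  Parses entries in the
report's layout (path line, then MD5/SHA1/SHA256/SHA512 lines), flags
entries whose digests are those of a zero-byte file, lists paths recorded
with more than one SHA256 (rewritten mid-run), and reports digests whose
length does not match the algorithm.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of entries copied from the report's Files table.
SAMPLE = r"""
C:\Windows\Temp\asw.0d943d2b3bb86b1d\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.0d943d2b3bb86b1d\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA1 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

C:\Windows\Temp\asw.0d943d2b3bb86b1d\New_180a17f5\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Digests of the empty input, computed rather than hard-coded so the check
# cannot drift from the real values.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Hex length each algorithm's digest must have.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_entries(text):
    """Return a list of (path, {algorithm: hexdigest}) in table order.

    Any non-blank line that is not a hash line starts a new entry, so the
    same path appearing twice yields two separate entries."""
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        else:
            current = (line, {})
            entries.append(current)
    return entries


def empty_file_entries(entries):
    """Paths whose every recorded digest is the digest of a zero-byte file."""
    flagged = []
    for path, digests in entries:
        if digests and all(EMPTY_DIGESTS[a] == d for a, d in digests.items()):
            flagged.append(path)
    return flagged


def rewritten_paths(entries):
    """Paths recorded with more than one distinct SHA256: the file changed
    during the run, and each version is a separate artifact."""
    versions = defaultdict(list)
    for path, digests in entries:
        versions[path].append(digests.get("SHA256"))
    return {p: v for p, v in versions.items() if len(set(v)) > 1}


def length_errors(entries):
    """(path, algorithm) pairs whose digest length is wrong: a transcription
    or truncation error, so the value cannot be used as an indicator."""
    return [(p, a) for p, h in entries for a, d in h.items()
            if len(d) != DIGEST_LEN[a]]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print("entries:", len(entries))
    print("empty-file placeholders:", empty_file_entries(entries))
    print("rewritten:", rewritten_paths(entries))
    print("length errors:", length_errors(entries))
```

When comparing a live system against this report, match on the last recorded version of each rewritten path and ignore the empty-file placeholder entirely; matching the placeholder digest would flag every zero-byte file on the host.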