Malware Analysis Report

2025-06-15 23:35

Sample ID: 241031-tqyscs1glr
Target: c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227
SHA256: c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227
Tags: bootkit discovery persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Unsigned PE

System Location Discovery: System Language Discovery

Embeds OpenSSL

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-10-31 16:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 16:16

Reported

2024-10-31 16:18

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A
N/A N/A C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "64" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "66" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "99" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "85" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-997.vpx" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "16" C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100" C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62" C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe
PID 2020 wrote to memory of 2368 N/A C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe
PID 2368 wrote to memory of 908 N/A C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe

"C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe"

C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_tst_007_402_a /ga_clientid:450107dd-6fca-4975-ae8c-4137cbffc9de /edat_dir:C:\Windows\Temp\asw.f501326744aed155

C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe

"C:\Windows\Temp\asw.ba155d7c160d796e\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ba155d7c160d796e /edition:1 /prod:ais /stub_context:5643e993-50f2-40bc-a2eb-218410564ab2:11072232 /guid:53b2e407-35fd-49ff-bad2-56144a04bd93 /ga_clientid:450107dd-6fca-4975-ae8c-4137cbffc9de /no_delayed_installation /cookie:mmm_ava_tst_007_402_a /ga_clientid:450107dd-6fca-4975-ae8c-4137cbffc9de /edat_dir:C:\Windows\Temp\asw.f501326744aed155

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe

"C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.ba155d7c160d796e /edition:1 /prod:ais /stub_context:5643e993-50f2-40bc-a2eb-218410564ab2:11072232 /guid:53b2e407-35fd-49ff-bad2-56144a04bd93 /ga_clientid:450107dd-6fca-4975-ae8c-4137cbffc9de /no_delayed_installation /cookie:mmm_ava_tst_007_402_a /edat_dir:C:\Windows\Temp\asw.f501326744aed155 /online_installer

Network

Country Destination Domain Proto
US 8.8.8.8:53 iavs9x.u.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avast.com udp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
US 34.117.223.223:80 v7event.stats.avast.com tcp
GB 142.250.187.238:80 www.google-analytics.com tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:443 iavs9x.u.avcdn.net tcp
GB 2.20.12.98:80 iavs9x.u.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
US 8.8.8.8:53 j0294597.iavs9x.u.avast.com udp
GB 2.20.12.102:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 p9854759.iavs9x.u.avast.com tcp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
US 8.8.8.8:53 d3176133.iavs9x.u.avast.com udp
GB 2.20.12.98:80 r6726306.iavs9x.u.avast.com tcp
GB 2.20.12.98:80 r6726306.iavs9x.u.avast.com tcp
US 8.8.8.8:53 b8003600.vps18.u.avcdn.net udp
US 8.8.8.8:53 b8003600.vps18.u.avcdn.net udp
GB 2.20.12.90:80 s1843811.vps18.u.avcdn.net tcp
GB 2.20.12.90:80 s1843811.vps18.u.avcdn.net tcp
GB 2.20.12.90:80 s1843811.vps18.u.avcdn.net tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp

Files

\Windows\Temp\asw.f501326744aed155\avast_free_antivirus_setup_online_x64.exe

MD5 285b70b3ac1698009e386ece00acee56
SHA1 dda4d5748970490ca1100d7e076045b3648008a3
SHA256 df8b438844b84bae4a78bd4a593fd28be2fd58a0fd431e4b942661eea9476dc0
SHA512 5c4a1819cd444d576e81fa10a686dabce9e66fae197aa1668cc2d394289a2722eeed7f88f5d3b80b2c9526ede50cb03deba999ecbaeb30e212c91e84b540580f

C:\Windows\Temp\asw.f501326744aed155\ecoo.edat

MD5 58d47cfa451dfb6748be33a8f4069f49
SHA1 7ca703bc598c8ed5d98407833ecebe7d5efec80b
SHA256 8ebbec1ccab81b5ab09770e38ed72b0f830c5bbdabd1e68979c9dd79bb278883
SHA512 4f636e1664c3884f6406aede91d8c6e2a0cff876d1be45014307c8a247f267f8b8db8a67edf43ee989fd59e1a74ab047d96cbac308d57cb00576cf4af14d4afb

C:\Windows\Temp\asw.ba155d7c160d796e\servers.def

MD5 b1960612149e68ce8d6f4827c5b39073
SHA1 6259a3ebd659bb63ec59fab4c8e1aa79092692a4
SHA256 847bd020bc930856d25c54d5fa03278b0e6b2434f2560f3c6b7c000332012173
SHA512 81d2737ca459d8fb3aab6dede1c666efdb6c3a851f1018a8b2d5166060de05fff7abb8eaa9e24ee441137033bd0574ce107ef9d3abd93ddde4b86cda76625423

C:\Windows\Temp\asw.ba155d7c160d796e\Instup.dll

MD5 0d09efc988c41b14c4fd0bd9c1457b87
SHA1 7c8bb0b4760edfc009e8b122124aa2b70e1da93a
SHA256 49ae4e9a468593038c1ab7fd6f988ddc0eace7e8c3c407c53b130e2eba1506fb
SHA512 b54c3ab104ce574690155d672146be30a1ae45abec71ddaad81ba16f9435f76deb4daccab628b006cbde0e9c9a85b99a3b8a33ad4dd3ebdc05a2dbb963062993

C:\Windows\Temp\asw.ba155d7c160d796e\Instup.exe

MD5 6179a6bcb9d35753d2deb3c1594a9bad
SHA1 d114563b01f474084efd2c4f7edef133cdc1018f
SHA256 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2
SHA512 2cd159f3de29a011d4b6c807e87c3b404e311f39d015b5760febab1f480cca9bb8472ec53e912d526eaba65f58659acea1530923caa6c2baa60cfd9f98786f69

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 ee6b91a4d81979a782a8502ccc8ad832
SHA1 83cb54fa712de6f446472ff50e0cbdf8d997b699
SHA256 473b9f0d04d3c4c28d4003373635e51c7c9d41e0dd2acb19e51af7b5d9476a35
SHA512 526c5d10379d484c8063bba0d1fa34f7146d5410504151e0ee3c82df61d2d58f831996ccbc1f222bb3ea5e2ee3eb67e9fbd4f6d67949e15357133d69f990b858

C:\Windows\Temp\asw.ba155d7c160d796e\config.def

MD5 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA1 ab4d2eac9985dba69422cf8cd6bc36846eda1855
SHA256 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2
SHA512 13b24f45680e1607dc6fd2560b697918d11c4d8fec1ef561961e5846887f37623470782e36daa16005bf52142de3bd2ff15860c015a798e4729d6625c335c0ad

C:\Windows\Temp\asw.ba155d7c160d796e\HTMLayout.dll

MD5 b0e91293160024bfc0302bbdadd0bb9c
SHA1 005fbe3c47213d4b791c05f2a8a6932dc70357e9
SHA256 3db7c1fc402a689bb160ed2d0bc12edb6765307c725ad02e7b27510008b4f8ca
SHA512 f7239b26fedc2a90c2b267467781ff26512890b879772bcc0809409a368fefd74a8930d8d4958559381dd57f7bdc769668c5ec638b5ad82e4a20a1e0217e9304

C:\Windows\Temp\asw.ba155d7c160d796e\config.def

MD5 0d07a8262487b7a5be2c70f2b8bc1ab8
SHA1 c9282f515f56f1cf961a4e7432ba4a57e4406486
SHA256 7b2709e2c3ebd3b900ef4bcbcca7c8ec0062261381774acc8ef54867b0a28e0a
SHA512 2cc90735291f9faf5c6d497b4b87d6aa08b5221d0cc525f8632b8820a5c5d4f22304ebbced290285bd577c12e113f573a2cd10cba3c8ec3def26cadbd0ecf484

C:\Windows\Temp\asw.ba155d7c160d796e\servers.def.vpx

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\asw.ba155d7c160d796e\servers.def.vpx

MD5 eab5eaa228b24e2a0c3313fc200caa97
SHA1 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

\Windows\Temp\asw.ba155d7c160d796e\uat64.dll

MD5 b49ac1e7007e1e445c45fc906e96687e
SHA1 b33adeb3d8ad516a3fe826cc3f48f9c6e67030cb
SHA256 da17cf39c773ab3048e767aff993458e284837287e8c4af0d139ad71f3459ff8
SHA512 e3ef8ef9423552281dc12e25eeef69b954e50bc844442d7e0de9c7e066c53e62dc84a43e44428caff1e18b06470c17d25e65825c07f5f85535d97ace23f05ba2

C:\Windows\Temp\asw.ba155d7c160d796e\uat64.vpx

MD5 63e7a59b7d1f9405ba1a0e685ca98af7
SHA1 c90d503b31b8027a0fbbe1f0008021e27ce42609
SHA256 03cee410775634e7570b80077ca95e47cbafbdf982c19ac2e222726d28b9a584
SHA512 9b70322f966accc16435bd3869106be18ac7e21962846938e64c7001c663cbd1ea7a7662e0d85af97af05820192ceb0bb01d65cff3d7bbe8467b873a872d644f

C:\Windows\Temp\asw.ba155d7c160d796e\prod-pgm.vpx

MD5 db09685c045dc0df0552427c752a1aa7
SHA1 eb0e8e1e9839e7517efb7fedfa7edabc5d57587a
SHA256 9219680462bef7060264ac63d21f3332daf0fca5090cae295427710895be0002
SHA512 d0b4b1c23557aa18a5ca9299c7269cd2221ec8b155b9ec9c045f6ddb612f1979a9d3e78ae395dc6e515338ee8bdf13225a1cafc903bc800a22b9b9e3489a462b

C:\Windows\Temp\asw.ba155d7c160d796e\prod-vps.vpx

MD5 8499e8596ec1c873e132662092da0a85
SHA1 dd27c53c9fb86cbcc367182fccf8bd0af6ebb763
SHA256 26d22504cae4bb0e7de6e10317a97aa4be15a0a3fa9bf2d735d89213696e0712
SHA512 f06bcf0f8239a15c78b8113d27c60b32bcdc1be25d913ef3356ca5a58349e12b14b6673838e83972d81e90e338d948781626d5ff6db3a6fea303b8aead98824d

C:\Windows\Temp\asw.ba155d7c160d796e\part-setup_ais-15020997.vpx

MD5 365b6ee6fbde00af486fc012251db2da
SHA1 8050ba5a9b6321f067fc694527011ba00767d4a2
SHA256 01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830
SHA512 949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\asw659bb851a3b8441f.tmp

MD5 ef035189604e7f5d68a62827b985ccbb
SHA1 c094c6eef2640a71aee9f4b27123c2080d38136f
SHA256 64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740
SHA512 32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\asw7a7da283b379274a.tmp

MD5 700b6740e6bfa7729f146572d8455348
SHA1 19d80fb0251f417283ed36fc20c43079b3f6fbb8
SHA256 d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e
SHA512 7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\aswd963631f809021b1.tmp

MD5 b216fc28400c184a5108c0228fba86bc
SHA1 5d82203153963ebede19585b0054de8221c60509
SHA256 7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd
SHA512 6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\aswa2f11cc58a54d82f.tmp

MD5 9ee6528abdad768fbfa28bd1bb80ebe9
SHA1 f5582697e068ba1d56825fc32bd5ab1a71bd4d38
SHA256 61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4
SHA512 de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

C:\Windows\Temp\asw.ba155d7c160d796e\New_15020997\asw2cb9971110456f3a.tmp

MD5 c5665f1f93d9aabbcb1dde533e2c46e6
SHA1 732389de20c600d0222d61b4ee74b0be6412a45b
SHA256 adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a
SHA512 51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

\Windows\Temp\asw.ba155d7c160d796e\New_15020997\asw24363698aaba3c53.tmp

MD5 13e9fbb02cb7497562b59a9ef8f1ee92
SHA1 047936e9296e77939b5b23c1a2af3056eaa2ae99
SHA256 40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a
SHA512 0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

\Windows\Temp\asw.ba155d7c160d796e\New_15020997\aswf843e6aef1281f80.tmp

MD5 d9be57d4e1a25264b8317278f8b93396
SHA1 d3c98696582fed570f38ae45bf22b8197253b325
SHA256 a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3
SHA512 2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 ecab00fe7795c441b4a7d5e8cf13e045
SHA1 1e164ea170ea535268c66f621f2d9f105a677660
SHA256 277a4834d898968721dd6ce27b5dc37bb3dbd74c59381266660576101c635077
SHA512 caf18cbe93fb574624591eb340fcfa4cdc55166d912b3fe78b3b62f02809d4b478704f79ecd60dd3f1ae99f5e79fbf65adc1d117fa10739e9f2419523f2c9e5f

C:\Windows\Temp\asw.ba155d7c160d796e\part-prg_ais-15020997.vpx

MD5 b898fa20bf9b0321b50a8d4946aae799
SHA1 4e173a99dc9a9ef507112857525ad53991f4d2a0
SHA256 6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c
SHA512 c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

C:\Windows\Temp\asw.ba155d7c160d796e\setup.def

MD5 be793535c4acf02d4ad13b20d0c84deb
SHA1 65dd6b4891a75848042c10057808535298cee3e1
SHA256 31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd
SHA512 7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

C:\Windows\Temp\asw.ba155d7c160d796e\prod-vps.vpx

MD5 fa7efdecc2537c953bb8a49f6ac54224
SHA1 68821ae21e5c476b5f451bd5a0a6fb6650a421f1
SHA256 16ee2337d70bd3241362fd815d6ccf948836e3c5bfa1eb7921592ac909c0cba9
SHA512 3f4e9d2e016b3d47fa2492dd0c7788bd2d320fcc39dca850ffa94d1ceaf212573f76c3e8305817ee282811f7533284a1619987ceaaee6858c8702d5cf412f538

C:\Windows\Temp\asw.ba155d7c160d796e\part-jrog2-1643.vpx

MD5 0487afba722c75421dab5ad76c907b64
SHA1 2af01aae124736188c6879265bc8e5b8aaf5f633
SHA256 756380ea118c2bc721918c7fe94300032667b3f5a143b6374246e80339833019
SHA512 23047f15ca793efd76614034455653960540b7831b726234501f8bb3d057ac48ce7fef0370cb4adbffe1f1c37d4199176a701479c8824afbe3ae55ca5714ac1d

C:\Windows\Temp\asw.ba155d7c160d796e\part-vps_windows-24103102.vpx

MD5 fbaf91e11247fcacda8bbba7e78e5aae
SHA1 88d882c06b0f3c30d69fe1aa018d921f1264a8bc
SHA256 d5b2609e3056fb970c1ff0dd020add9fb95208c520058308595ea9a550f40317
SHA512 b5e647dfe1bfa9a81235ab91719548ac473b32f31a0c0515bf79191c23e35bc48d1654c31258df35150e27357f5e9f615b4c63450e77d081396a6c7425aaa99b

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

MD5 8cdff2d1b9cbfac2d3e58ef38253dc52
SHA1 6954177fe3eb650630a6220ee6ed27bb6232ab22
SHA256 5d9b6225e666e449f43c0dac21953dfe7ab25900d1614427f916785110c1db08
SHA512 1c3aa1313da4e47b48dbe764eab2234c523173959e0b0abf495791816daddfa021eaa1c3c99317ef781bc3641c7bad1595a292cef13a371972d7858307c7895b

C:\Windows\Temp\asw.ba155d7c160d796e\config.ini

MD5 6a766ca07084f64a9b7dfba52d5c2809
SHA1 fc8ef405df18dc5a4fb32f181113a301fe3cf9a9
SHA256 67b76e2b3a6edd045316b3db52cfec763f56e18234b84a488e5fcc4f3b49559d
SHA512 cb0183ef328ced1633faa441c265794c1ee2cb05939cfeda1356c56db00bea749d54c78e3e90cd2438f41ba77ab7fc53acdb063a93d55632ed2e3cf4ca445a55

C:\Windows\Temp\asw.ba155d7c160d796e\config.def

MD5 451e39c6cd7a95d14888bbf2cf5732a8
SHA1 de44e3554d8f0528f0e1b7e677038a8f4db7b741
SHA256 a47b4fc552eb4b9fec22fbf0540b9ce0fc2b8d1b30865c7c816a460a60eab74a
SHA512 1f0fb925af814e4b0c4804d64d9e79e4aabef5bdc94a22a8005772d57d58c0085ba700108f1ca8ce66a6fcc715f89fe32c675b24e1ae78a81b3864358666bfe9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 16:16

Reported

2024-10-31 16:18

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe"

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a4e.vpx" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84" C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe
PID 2416 wrote to memory of 4596 N/A C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe
PID 4596 wrote to memory of 3472 N/A C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe
PID 3472 wrote to memory of 3068 N/A C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe
PID 3472 wrote to memory of 868 N/A C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe
PID 3472 wrote to memory of 2900 N/A C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe
PID 3472 wrote to memory of 2784 N/A C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe

"C:\Users\Admin\AppData\Local\Temp\c485536f8d1a635cbce0960872c7c5c952bf6af170c0c0a239067e139b967227.exe"

C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe

"C:\Windows\Temp\asw.5b4d3c1ea636b15e\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_tst_007_402_a /ga_clientid:97855599-3801-48f8-8614-7756b6577e27 /edat_dir:C:\Windows\Temp\asw.5b4d3c1ea636b15e

C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.a23c07ac08cdd441 /edition:1 /prod:ais /stub_context:869f13e2-9cdf-4ff4-979f-443b3a7c19b8:11072232 /guid:7121f573-29a3-472a-bda1-158acf21ef78 /ga_clientid:97855599-3801-48f8-8614-7756b6577e27 /no_delayed_installation /cookie:mmm_ava_tst_007_402_a /ga_clientid:97855599-3801-48f8-8614-7756b6577e27 /edat_dir:C:\Windows\Temp\asw.5b4d3c1ea636b15e

C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.a23c07ac08cdd441 /edition:1 /prod:ais /stub_context:869f13e2-9cdf-4ff4-979f-443b3a7c19b8:11072232 /guid:7121f573-29a3-472a-bda1-158acf21ef78 /ga_clientid:97855599-3801-48f8-8614-7756b6577e27 /no_delayed_installation /cookie:mmm_ava_tst_007_402_a /edat_dir:C:\Windows\Temp\asw.5b4d3c1ea636b15e /online_installer

C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe" /check_secure_browser

C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe

"C:\Windows\Temp\asw.a23c07ac08cdd441\New_180a17f5\aswOfferTool.exe" -checkChrome -elevated

Network


Files
