Malware Analysis Report

2024-11-13 18:06

Sample ID 241109-zr17rsvmer
Target avast_premier_antivirus_setup_offline.exe
SHA256 c2647f7dbad73035b124cf61a997c1788511982891e0a431c47e4ebf9e5d5cef
Tags
bootkit discovery persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

c2647f7dbad73035b124cf61a997c1788511982891e0a431c47e4ebf9e5d5cef

Threat Level: Shows suspicious behavior

The file avast_premier_antivirus_setup_offline.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:57

Reported

2024-11-09 21:03

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Documents\aswOfferTool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "54" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "60" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "81" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "6" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "20" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "27" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "95" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "13" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "63" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "89" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "90" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "10" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "61" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "86" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "87" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "18" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "23" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "40" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "66" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "74" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "75" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "76" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "77" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "2" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "11" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "15" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "52" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "51" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "55" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "96" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "97" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "22" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "29" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "48" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "83" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "98" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "38" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "59" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "62" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "94" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "68" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "80" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "39" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "56" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "91" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "4" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "5" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "8" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "30" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "37" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "47" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Token: 32 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe
PID 1988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe
PID 1988 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe
PID 4844 wrote to memory of 4216 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 4216 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 4216 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 1452 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 1452 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 1452 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 4396 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 4396 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
PID 4844 wrote to memory of 4396 N/A C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

Processes

C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe

"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"

C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe

"C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.8496c63a5483c22e /edition:12 /prod:ais /stub_context:41b42433-8016-40de-ab37-86ed93347eec:658550208 /guid:a648f11e-ad98-460d-b91f-bb8dcf68b351 /ga_clientid:f2071e81-4ad1-47f7-bc24-4b5ec7286943

C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChrome -elevated

C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC

C:\Users\Public\Documents\aswOfferTool.exe

"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
GB 142.250.187.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 40.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Windows\Temp\asw.8496c63a5483c22e\servers.def

MD5 8625cc598545b4313acb4c34cec05821
SHA1 5ff65be78f84c547f43e7109604fb579c98c0f2a
SHA256 4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d
SHA512 04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

C:\Windows\Temp\asw.8496c63a5483c22e\Instup.exe

MD5 bcba54c439a6cd7067c7f4be8222af42
SHA1 ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5
SHA256 25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90
SHA512 617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906

C:\Windows\Temp\asw.8496c63a5483c22e\Instup.dll

MD5 6b86a7da767c529dddde5cf7955f2ea2
SHA1 ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d
SHA256 b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a
SHA512 b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 fd16e8864b71685719d3b0be875a8d6c
SHA1 a9cd7719c7d121aa6a208affde927e40a7ac0c03
SHA256 b2ddb7e775790c492ec17087a3d3a0961227f534918b81d3ed63ba0650cce4e0
SHA512 25aea20e1c68da9683e42bae4ce906c2de3fb527f9c81085c85e9d3f59d85e531c5279e60593f01d2c14b8ee1215b07930a1b0acc7620080ad556d79899aef24

C:\Windows\Temp\asw.8496c63a5483c22e\config.def

MD5 5a7719d8f91210806e0de046a2897b56
SHA1 7bd04389df2595ac430a2441418f60ce7c2d7846
SHA256 730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea
SHA512 17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

C:\Windows\Temp\asw.8496c63a5483c22e\uat.vpx

MD5 16d1b7886ec2231630f1cc9e823843a2
SHA1 25708f9ba0f774b252a019fed30b395ce994f47a
SHA256 3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f
SHA512 bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6

C:\Windows\Temp\asw.8496c63a5483c22e\prod-pgm.vpx

MD5 f767ec2c67fcb174088857a0e5a7dfe9
SHA1 1f82e0ebabc7a81b8440f2cc658bc36ef80aa058
SHA256 026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c
SHA512 ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

C:\Windows\Temp\asw.8496c63a5483c22e\uat.dll

MD5 18b6face0e9bde889dc1268e9912d5e8
SHA1 a4d6ed39c41feb742d7ca839461afb05b4ebbba7
SHA256 c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709
SHA512 716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687

C:\Windows\Temp\asw.8496c63a5483c22e\part-prg_ais-180417e0.vpx

MD5 010b32b4b577447101045f32f076e441
SHA1 9ddf3608765048d234cfc01fcce04f65ada018a0
SHA256 d3b2ea21a681047518df0ec68da6f2121ff26d4e10412665197361986ec9c2c3
SHA512 19ad1b0650321df771f61cad16838a607108f53707da471fd10de00a63756ac6ca4722ddc0e7e08a1cc26e2b4b4fdb32c45420f78f22d798adf868fe928cfba1

C:\Windows\Temp\asw.8496c63a5483c22e\part-setup_ais-180417e0.vpx

MD5 7d99b56ebdc9d7b916fc2f42f54c1171
SHA1 47c4ec171248c1e31de40062aec51ffd63d40cad
SHA256 2a47e8af3f7be4f14fbc1fb141ee1d2db8d53aae946d632dac45446f968e4619
SHA512 e4b45dcd90e14fb61ea861b3b56ea718bd51c97a436532855ff29dd856ccb1a8f9b9f6d58ae32887a956b29ae9d209fb387c9b90809bfc884541d2f53bed4dfa

C:\Windows\Temp\asw.8496c63a5483c22e\prod-vps.vpx

MD5 3d6229735be0de243d57ed765e21f391
SHA1 967b83c77716e2e500f10f44008b2c196064652e
SHA256 182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b
SHA512 8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d

C:\Windows\Temp\asw.8496c63a5483c22e\part-jrog2-141e.vpx

MD5 95e405699f512968a80e0c01bf99205a
SHA1 ab36f0c1f6d261262ca1d5267836e97cc42526ee
SHA256 bbff6e8371bed4c238b53c1c9dfd8ed36994f6fd68db224250fd3c0556b06898
SHA512 97eba5d7210819f8be1268aeb5f254a6d1bebf881dab24f990a4e2fb81eaeaf128bb125189fc92700625521d604dc957a886e6cf760154f2cb9a8c4efa747836

C:\Windows\Temp\asw.8496c63a5483c22e\part-vps_windows-24042902.vpx

MD5 0ca004aaef835d6b30cc4d5754ed6639
SHA1 e771217a831a8c2afbbeab39f8fffd46d3b92ee5
SHA256 02e00417efd1cf171bcddb5f9453f5d6b278d72219a27fb0b5b6a602308aa342
SHA512 d24ad9439ba26a5fe840bcb835de2d1a2b47821e0ec20315871c75a971184fe8d94e66404a65c7094629c1f38c98eb0283726a70fe395132c9998d3ddb468077

C:\Windows\Temp\asw.8496c63a5483c22e\config.def

MD5 09a26afb5b25f95b15e214f83f342100
SHA1 8af7434cbee2933be035be3e65398f94f86aaa3c
SHA256 c134e766093b1beb0e7a5ec7856e28937df3596314e4b553c78359cc72c19ec3
SHA512 8a13336514644e401091bee35203fd9b837f55d49c07741d24e3b7dce77997f85739eb17246660716e98fdd646539c9de053c2202cdf6403ab19b3f2ef6de699

C:\Windows\Temp\asw.8496c63a5483c22e\HTMLayout.dll

MD5 515486f8eb028440f5c6679af15febfa
SHA1 42b9d9032c351e54eed42f5a60e06a676db0bee8
SHA256 7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41
SHA512 12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456

C:\Windows\Temp\asw.8496c63a5483c22e\config.ini

MD5 562e382e0d54322c62df5f6a1c79a90c
SHA1 a3373dfdce86ee877af1b6c00c93b845b44f69e9
SHA256 c755cf65a286ea14f702f7d87a60ab006513cc9863cc319aa142e2e74625edb6
SHA512 16051272cb04c8f3be5858851476533456ddeb5c377b9fdbdf3be47aafae59f5e202d972808fa1ae02c53d7331e912308c51e0241b71cf3d4cb1972b34ae70ce

C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

MD5 44645c9f6d213d0f87608f4461046731
SHA1 c5b6af10b2abb6e1422f27102f1ea1fac59099b6
SHA256 42ec9cd1f6ea316265a93119c865692108ecfd2ab6f007e6d4a2725214e56079
SHA512 27d7d698099ff3fe1c0200093174765f1f8e56c5b011cf2bb5ebdb60b3b2fcb3fe32bdac5cf79f349eb698cad269a3d75f6410c82b1e05e3a9ace1b9a5e1f4cd

C:\Windows\Temp\asw.8496c63a5483c22e\gcapi.dll

MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:57

Reported

2024-11-09 21:18

Platform

win7-20240729-en

Max time kernel

717s

Max time network

736s

Command Line

"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "70" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "2" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "16" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "12" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "87" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "11" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "33" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "97" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "72" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "99" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "27" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "96" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "60" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "8" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "9" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "44" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "3" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "67" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "79" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "38" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "80" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "41" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "45" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "46" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "61" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "77" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "48" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "65" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "19" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "43" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "17" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "39" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "75" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "93" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\GUID = "de2fdf7b-5584-440d-98fa-0471b872b2c5" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "51" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "74" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "20" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "24" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "54" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "25" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "95" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "59" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "81" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "29" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "56" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "88" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
Token: 32 | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe

"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"

C:\Windows\Temp\asw.745370d7c5671c69\instup.exe

"C:\Windows\Temp\asw.745370d7c5671c69\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.745370d7c5671c69 /edition:12 /prod:ais /stub_context:0704781a-dbfc-4ad2-b206-9fa972f1c170:658550208 /guid:79faf98f-cc6e-4fc7-8e51-95d04cba3acb /ga_clientid:b7960701-b34b-4a69-9c89-10d2e5632420

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | analytics.avcdn.net | udp
US | 8.8.8.8:53 | v7event.stats.avast.com | udp
US | 34.117.223.223:443 | v7event.stats.avast.com | tcp
US | 34.117.223.223:443 | v7event.stats.avast.com | tcp
GB | 142.250.187.238:80 | www.google-analytics.com | tcp
US | 8.8.8.8:53 | shepherd.ff.avast.com | udp
US | 8.8.8.8:53 | shepherd.ff.avast.com | udp
US | 8.8.8.8:53 | shepherd.ff.avast.com | udp
US | 8.8.8.8:53 | shepherd.ff.avast.com | udp
US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp

Files

C:\Windows\Temp\asw.745370d7c5671c69\servers.def

MD5 8625cc598545b4313acb4c34cec05821
SHA1 5ff65be78f84c547f43e7109604fb579c98c0f2a
SHA256 4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d
SHA512 04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

\Windows\Temp\asw.745370d7c5671c69\Instup.exe

MD5 bcba54c439a6cd7067c7f4be8222af42
SHA1 ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5
SHA256 25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90
SHA512 617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906

C:\Windows\Temp\asw.745370d7c5671c69\Instup.dll

MD5 6b86a7da767c529dddde5cf7955f2ea2
SHA1 ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d
SHA256 b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a
SHA512 b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

MD5 377c70caf74c0ac60128386d6fd34e49
SHA1 9470517f764866555abb5ba807fff81b982131af
SHA256 0dc2ec331b09f6933837043a836aae10946265704d11071b4d0d45759ac96b81
SHA512 321a0e79bf1539d0bf9726a2ee3999f1b67f87b5d2cf4b64522807f76ff4504417c379ff8b796aba627638fa99ea80b73017ac0e0ccd47f084cf896ec7b4c50e

C:\Windows\Temp\asw.745370d7c5671c69\config.def

MD5 5a7719d8f91210806e0de046a2897b56
SHA1 7bd04389df2595ac430a2441418f60ce7c2d7846
SHA256 730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea
SHA512 17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

C:\Windows\Temp\asw.745370d7c5671c69\prod-pgm.vpx

MD5 f767ec2c67fcb174088857a0e5a7dfe9
SHA1 1f82e0ebabc7a81b8440f2cc658bc36ef80aa058
SHA256 026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c
SHA512 ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

C:\Windows\Temp\asw.745370d7c5671c69\uat.vpx

MD5 16d1b7886ec2231630f1cc9e823843a2
SHA1 25708f9ba0f774b252a019fed30b395ce994f47a
SHA256 3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f
SHA512 bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6

\Windows\Temp\asw.745370d7c5671c69\uat.dll

MD5 18b6face0e9bde889dc1268e9912d5e8
SHA1 a4d6ed39c41feb742d7ca839461afb05b4ebbba7
SHA256 c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709
SHA512 716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687

C:\Windows\Temp\asw.745370d7c5671c69\aswd0165568058cae00.ini

MD5 7744b4d8ea976bfed7a6cdc2912c4844
SHA1 05a5dc75bef9fb5a1b812da7f4bb2ca7f5024be5
SHA256 114b07124cdda264e0a8e9de0c62f08392bad4dd2b25e0ec35e378bf2c30bb26
SHA512 d3e6ba2e6a6aed520f04d1ef6439a198c1a80f54b6399fa16272b5cf771983eb111ffaaae8a81be2d59db3316847de521ee40f8ce0c1ad290fbbe355f4b47901

C:\Windows\Temp\asw.745370d7c5671c69\config.def

MD5 4c551f6ac99d64428734af64520e4802
SHA1 ac1533ffd21bd560eb0aafc544f852d68ca90bcb
SHA256 953e7033e903a8ee87d4c88661b3e221ecdbce00a0ed2d7ab01671dd1b6833ec
SHA512 d1b5fc7c0d84482514cd2b27c5382b3bbba7213b8ffe053e3e670d252574803cf0369af1185cfcf362fe57168ed9cb40c93e7a0ae87e3be70fdabd0b734b868e

C:\Windows\Temp\asw.745370d7c5671c69\HTMLayout.dll

MD5 515486f8eb028440f5c6679af15febfa
SHA1 42b9d9032c351e54eed42f5a60e06a676db0bee8
SHA256 7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41
SHA512 12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456

C:\Windows\Temp\asw.745370d7c5671c69\config.ini

MD5 908974ca283158d892def1ee5ffad882
SHA1 c5785d2c326df9f03bc473e2ad3ea60457397e9a
SHA256 0a026b8109fb265ce84033aaa2b4cee91adb397aff4ab6cdd6f5e55c8db1aebc
SHA512 0ad70353915c2de92ac7b6a75b7e2d030caef8539bc0fdc0565726b10aebd3be7ee3fb2a70b6f297fef99d31f4be58b0f942a61eeb9c0e5624c2f07c3ce66a6a