Analysis Overview
SHA256
c2647f7dbad73035b124cf61a997c1788511982891e0a431c47e4ebf9e5d5cef
Threat Level: Shows suspicious behavior
The file avast_premier_antivirus_setup_offline.exe was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Checks for any installed AV software in registry
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:59
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 21:03
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
164s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\aswOfferTool.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "54" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "60" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "81" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "6" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "20" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "27" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "95" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "13" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "90" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "61" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "86" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "87" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "18" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "23" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "40" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "66" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "74" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "75" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "76" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "77" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "2" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "11" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "51" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "55" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "96" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "97" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "22" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "29" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "48" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "83" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "98" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "38" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "59" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "62" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "80" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "39" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "56" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "91" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "4" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "5" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "8" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "30" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "37" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "47" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe
"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"
C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe
"C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.8496c63a5483c22e /edition:12 /prod:ais /stub_context:41b42433-8016-40de-ab37-86ed93347eec:658550208 /guid:a648f11e-ad98-460d-b91f-bb8dcf68b351 /ga_clientid:f2071e81-4ad1-47f7-bc24-4b5ec7286943
C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkGToolbar -elevated
C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChrome -elevated
C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
"C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| GB | 142.250.187.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.223.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
| US | 8.8.8.8:53 | 28.176.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 40.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\Temp\asw.8496c63a5483c22e\servers.def
| MD5 | 8625cc598545b4313acb4c34cec05821 |
| SHA1 | 5ff65be78f84c547f43e7109604fb579c98c0f2a |
| SHA256 | 4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d |
| SHA512 | 04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5 |
C:\Windows\Temp\asw.8496c63a5483c22e\Instup.exe
| MD5 | bcba54c439a6cd7067c7f4be8222af42 |
| SHA1 | ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5 |
| SHA256 | 25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90 |
| SHA512 | 617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906 |
C:\Windows\Temp\asw.8496c63a5483c22e\Instup.dll
| MD5 | 6b86a7da767c529dddde5cf7955f2ea2 |
| SHA1 | ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d |
| SHA256 | b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a |
| SHA512 | b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5 |
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
| MD5 | fd16e8864b71685719d3b0be875a8d6c |
| SHA1 | a9cd7719c7d121aa6a208affde927e40a7ac0c03 |
| SHA256 | b2ddb7e775790c492ec17087a3d3a0961227f534918b81d3ed63ba0650cce4e0 |
| SHA512 | 25aea20e1c68da9683e42bae4ce906c2de3fb527f9c81085c85e9d3f59d85e531c5279e60593f01d2c14b8ee1215b07930a1b0acc7620080ad556d79899aef24 |
C:\Windows\Temp\asw.8496c63a5483c22e\config.def
| MD5 | 5a7719d8f91210806e0de046a2897b56 |
| SHA1 | 7bd04389df2595ac430a2441418f60ce7c2d7846 |
| SHA256 | 730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea |
| SHA512 | 17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6 |
C:\Windows\Temp\asw.8496c63a5483c22e\uat.vpx
| MD5 | 16d1b7886ec2231630f1cc9e823843a2 |
| SHA1 | 25708f9ba0f774b252a019fed30b395ce994f47a |
| SHA256 | 3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f |
| SHA512 | bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6 |
C:\Windows\Temp\asw.8496c63a5483c22e\prod-pgm.vpx
| MD5 | f767ec2c67fcb174088857a0e5a7dfe9 |
| SHA1 | 1f82e0ebabc7a81b8440f2cc658bc36ef80aa058 |
| SHA256 | 026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c |
| SHA512 | ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12 |
C:\Windows\Temp\asw.8496c63a5483c22e\uat.dll
| MD5 | 18b6face0e9bde889dc1268e9912d5e8 |
| SHA1 | a4d6ed39c41feb742d7ca839461afb05b4ebbba7 |
| SHA256 | c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709 |
| SHA512 | 716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687 |
C:\Windows\Temp\asw.8496c63a5483c22e\part-prg_ais-180417e0.vpx
| MD5 | 010b32b4b577447101045f32f076e441 |
| SHA1 | 9ddf3608765048d234cfc01fcce04f65ada018a0 |
| SHA256 | d3b2ea21a681047518df0ec68da6f2121ff26d4e10412665197361986ec9c2c3 |
| SHA512 | 19ad1b0650321df771f61cad16838a607108f53707da471fd10de00a63756ac6ca4722ddc0e7e08a1cc26e2b4b4fdb32c45420f78f22d798adf868fe928cfba1 |
C:\Windows\Temp\asw.8496c63a5483c22e\part-setup_ais-180417e0.vpx
| MD5 | 7d99b56ebdc9d7b916fc2f42f54c1171 |
| SHA1 | 47c4ec171248c1e31de40062aec51ffd63d40cad |
| SHA256 | 2a47e8af3f7be4f14fbc1fb141ee1d2db8d53aae946d632dac45446f968e4619 |
| SHA512 | e4b45dcd90e14fb61ea861b3b56ea718bd51c97a436532855ff29dd856ccb1a8f9b9f6d58ae32887a956b29ae9d209fb387c9b90809bfc884541d2f53bed4dfa |
C:\Windows\Temp\asw.8496c63a5483c22e\prod-vps.vpx
| MD5 | 3d6229735be0de243d57ed765e21f391 |
| SHA1 | 967b83c77716e2e500f10f44008b2c196064652e |
| SHA256 | 182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b |
| SHA512 | 8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d |
C:\Windows\Temp\asw.8496c63a5483c22e\part-jrog2-141e.vpx
| MD5 | 95e405699f512968a80e0c01bf99205a |
| SHA1 | ab36f0c1f6d261262ca1d5267836e97cc42526ee |
| SHA256 | bbff6e8371bed4c238b53c1c9dfd8ed36994f6fd68db224250fd3c0556b06898 |
| SHA512 | 97eba5d7210819f8be1268aeb5f254a6d1bebf881dab24f990a4e2fb81eaeaf128bb125189fc92700625521d604dc957a886e6cf760154f2cb9a8c4efa747836 |
C:\Windows\Temp\asw.8496c63a5483c22e\part-vps_windows-24042902.vpx
| MD5 | 0ca004aaef835d6b30cc4d5754ed6639 |
| SHA1 | e771217a831a8c2afbbeab39f8fffd46d3b92ee5 |
| SHA256 | 02e00417efd1cf171bcddb5f9453f5d6b278d72219a27fb0b5b6a602308aa342 |
| SHA512 | d24ad9439ba26a5fe840bcb835de2d1a2b47821e0ec20315871c75a971184fe8d94e66404a65c7094629c1f38c98eb0283726a70fe395132c9998d3ddb468077 |
C:\Windows\Temp\asw.8496c63a5483c22e\config.def
| MD5 | 09a26afb5b25f95b15e214f83f342100 |
| SHA1 | 8af7434cbee2933be035be3e65398f94f86aaa3c |
| SHA256 | c134e766093b1beb0e7a5ec7856e28937df3596314e4b553c78359cc72c19ec3 |
| SHA512 | 8a13336514644e401091bee35203fd9b837f55d49c07741d24e3b7dce77997f85739eb17246660716e98fdd646539c9de053c2202cdf6403ab19b3f2ef6de699 |
C:\Windows\Temp\asw.8496c63a5483c22e\HTMLayout.dll
| MD5 | 515486f8eb028440f5c6679af15febfa |
| SHA1 | 42b9d9032c351e54eed42f5a60e06a676db0bee8 |
| SHA256 | 7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41 |
| SHA512 | 12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456 |
C:\Windows\Temp\asw.8496c63a5483c22e\config.ini
| MD5 | 562e382e0d54322c62df5f6a1c79a90c |
| SHA1 | a3373dfdce86ee877af1b6c00c93b845b44f69e9 |
| SHA256 | c755cf65a286ea14f702f7d87a60ab006513cc9863cc319aa142e2e74625edb6 |
| SHA512 | 16051272cb04c8f3be5858851476533456ddeb5c377b9fdbdf3be47aafae59f5e202d972808fa1ae02c53d7331e912308c51e0241b71cf3d4cb1972b34ae70ce |
C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
| MD5 | 44645c9f6d213d0f87608f4461046731 |
| SHA1 | c5b6af10b2abb6e1422f27102f1ea1fac59099b6 |
| SHA256 | 42ec9cd1f6ea316265a93119c865692108ecfd2ab6f007e6d4a2725214e56079 |
| SHA512 | 27d7d698099ff3fe1c0200093174765f1f8e56c5b011cf2bb5ebdb60b3b2fcb3fe32bdac5cf79f349eb698cad269a3d75f6410c82b1e05e3a9ace1b9a5e1f4cd |
C:\Windows\Temp\asw.8496c63a5483c22e\gcapi.dll
| MD5 | 3ead47f44293e18d66fb32259904197a |
| SHA1 | e61e88bd81c05d4678aeb2d62c75dee35a25d16b |
| SHA256 | e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905 |
| SHA512 | 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 21:18
Platform
win7-20240729-en
Max time kernel
717s
Max time network
736s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "70" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "2" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "16" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "12" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "87" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "11" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "33" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "97" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "72" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "99" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "27" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "96" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "60" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "8" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "9" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "44" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "3" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "67" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "79" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "38" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "80" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "41" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "45" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "46" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "61" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "77" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "48" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "65" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "19" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "43" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "17" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "39" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "75" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "93" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\GUID = "de2fdf7b-5584-440d-98fa-0471b872b2c5" | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "51" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "74" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "20" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "24" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "54" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "25" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "95" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "59" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "81" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "29" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "56" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "88" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.745370d7c5671c69\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe
"C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"
C:\Windows\Temp\asw.745370d7c5671c69\instup.exe
"C:\Windows\Temp\asw.745370d7c5671c69\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.745370d7c5671c69 /edition:12 /prod:ais /stub_context:0704781a-dbfc-4ad2-b206-9fa972f1c170:658550208 /guid:79faf98f-cc6e-4fc7-8e51-95d04cba3acb /ga_clientid:b7960701-b34b-4a69-9c89-10d2e5632420
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avast.com | udp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| US | 34.117.223.223:443 | v7event.stats.avast.com | tcp |
| GB | 142.250.187.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
Files
C:\Windows\Temp\asw.745370d7c5671c69\servers.def
| MD5 | 8625cc598545b4313acb4c34cec05821 |
| SHA1 | 5ff65be78f84c547f43e7109604fb579c98c0f2a |
| SHA256 | 4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d |
| SHA512 | 04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5 |
\Windows\Temp\asw.745370d7c5671c69\Instup.exe
| MD5 | bcba54c439a6cd7067c7f4be8222af42 |
| SHA1 | ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5 |
| SHA256 | 25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90 |
| SHA512 | 617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906 |
C:\Windows\Temp\asw.745370d7c5671c69\Instup.dll
| MD5 | 6b86a7da767c529dddde5cf7955f2ea2 |
| SHA1 | ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d |
| SHA256 | b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a |
| SHA512 | b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5 |
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
| MD5 | 377c70caf74c0ac60128386d6fd34e49 |
| SHA1 | 9470517f764866555abb5ba807fff81b982131af |
| SHA256 | 0dc2ec331b09f6933837043a836aae10946265704d11071b4d0d45759ac96b81 |
| SHA512 | 321a0e79bf1539d0bf9726a2ee3999f1b67f87b5d2cf4b64522807f76ff4504417c379ff8b796aba627638fa99ea80b73017ac0e0ccd47f084cf896ec7b4c50e |
C:\Windows\Temp\asw.745370d7c5671c69\config.def
| MD5 | 5a7719d8f91210806e0de046a2897b56 |
| SHA1 | 7bd04389df2595ac430a2441418f60ce7c2d7846 |
| SHA256 | 730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea |
| SHA512 | 17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6 |
C:\Windows\Temp\asw.745370d7c5671c69\prod-pgm.vpx
| MD5 | f767ec2c67fcb174088857a0e5a7dfe9 |
| SHA1 | 1f82e0ebabc7a81b8440f2cc658bc36ef80aa058 |
| SHA256 | 026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c |
| SHA512 | ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12 |
C:\Windows\Temp\asw.745370d7c5671c69\uat.vpx
| MD5 | 16d1b7886ec2231630f1cc9e823843a2 |
| SHA1 | 25708f9ba0f774b252a019fed30b395ce994f47a |
| SHA256 | 3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f |
| SHA512 | bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6 |
\Windows\Temp\asw.745370d7c5671c69\uat.dll
| MD5 | 18b6face0e9bde889dc1268e9912d5e8 |
| SHA1 | a4d6ed39c41feb742d7ca839461afb05b4ebbba7 |
| SHA256 | c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709 |
| SHA512 | 716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687 |
C:\Windows\Temp\asw.745370d7c5671c69\aswd0165568058cae00.ini
| MD5 | 7744b4d8ea976bfed7a6cdc2912c4844 |
| SHA1 | 05a5dc75bef9fb5a1b812da7f4bb2ca7f5024be5 |
| SHA256 | 114b07124cdda264e0a8e9de0c62f08392bad4dd2b25e0ec35e378bf2c30bb26 |
| SHA512 | d3e6ba2e6a6aed520f04d1ef6439a198c1a80f54b6399fa16272b5cf771983eb111ffaaae8a81be2d59db3316847de521ee40f8ce0c1ad290fbbe355f4b47901 |
C:\Windows\Temp\asw.745370d7c5671c69\config.def
| MD5 | 4c551f6ac99d64428734af64520e4802 |
| SHA1 | ac1533ffd21bd560eb0aafc544f852d68ca90bcb |
| SHA256 | 953e7033e903a8ee87d4c88661b3e221ecdbce00a0ed2d7ab01671dd1b6833ec |
| SHA512 | d1b5fc7c0d84482514cd2b27c5382b3bbba7213b8ffe053e3e670d252574803cf0369af1185cfcf362fe57168ed9cb40c93e7a0ae87e3be70fdabd0b734b868e |
C:\Windows\Temp\asw.745370d7c5671c69\HTMLayout.dll
| MD5 | 515486f8eb028440f5c6679af15febfa |
| SHA1 | 42b9d9032c351e54eed42f5a60e06a676db0bee8 |
| SHA256 | 7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41 |
| SHA512 | 12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456 |
C:\Windows\Temp\asw.745370d7c5671c69\config.ini
| MD5 | 908974ca283158d892def1ee5ffad882 |
| SHA1 | c5785d2c326df9f03bc473e2ad3ea60457397e9a |
| SHA256 | 0a026b8109fb265ce84033aaa2b4cee91adb397aff4ab6cdd6f5e55c8db1aebc |
| SHA512 | 0ad70353915c2de92ac7b6a75b7e2d030caef8539bc0fdc0565726b10aebd3be7ee3fb2a70b6f297fef99d31f4be58b0f942a61eeb9c0e5624c2f07c3ce66a6a |