Trojan-Dropper.VBS.Agent.hi (Kaspersky), Gen:Heur.SMHeist.3 (B) (Emsisoft), Gen:Heur.SMHeist.3 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f07b0838fee1eb3e3d81758bdbd67ef8
SHA1: b83a1f5e1c4da4096f76b96e4140e873f5bff1c2
SHA256: 346ffd2de34fc4bf8d0377b3c26f7208faa6a80751cbff3a4efef8bc7e58b020
SSDeep: 98304:FAI d2mZYhDMIXFZ8EMhvKbZpVqJGfYahzZgvxp7kLk1fKjyt/GMLBYIw2MJTOu:Wt d2mZYlnFZ8EMhYAGAMZg5p7jfTdN8
Size: 5947780 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (the fixed link timestamp that Borland Delphi writes into every binary it produces, not the real build date)
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system. In this run the sample unpacked a genuine-looking Avast Antivirus 12.3.3154.0 online installer, which then carried out a normal product update and accounts for most of the file, registry and network activity listed below. Alongside it, a WScript.exe process (consistent with the dropped M.vbs) wrote rytr5674657gfhgjgj.eXe to %Temp%; that file dropped FB_587C.tmp.exe (also written as google.fr.exe) and FB_53E9.tmp.exe, the latter creating the HKCU\Software\XtremeRAT key that matches the Backdoor.Win32.Xtrat detection. Code was injected into svchost.exe and iexplore.exe, and the only host contacted outside Avast, Akamai and Google infrastructure was mansoor-mans.ddns.net (188.55.244.72).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
aswOfferTool.exe:3048
aswOfferTool.exe:1656
aswOfferTool.exe:2856
FB_587C.tmp.exe:656
%original file name%.exe:2196
WScript.exe:3900
instup.exe:2036
instup.exe:3336
FB_53E9.tmp.exe:2360
avast_premier_antivirus_setup_online.exe:3504
rytr5674657gfhgjgj.eXe:992
The Trojan injects its code into the following process(es):
google.fr.exe:3908
svchost.exe:1700
iexplore.exe:1052
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process aswOfferTool.exe:3048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (368 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (0 bytes)
The process aswOfferTool.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (146 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (0 bytes)
The process aswOfferTool.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (368 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (0 bytes)
The process FB_587C.tmp.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe (678 bytes)
The process %original file name%.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (8250 bytes)
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe (101262 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe (3878 bytes)
%Program Files%\AVAST Software\Avast Antivirus\M.vbs (6697 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.ini (2 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)
The process WScript.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe (32685 bytes)
The process instup.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx (591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.lkg (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe (15799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122403.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (78553 bytes)
C:\$Directory (1152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-8.vpx (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (24822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx (725 bytes)
C:\ProgramData\AVAST Software\Avast\avast5.ini (838 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (27530 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4875 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (794 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (2668 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1319.vpx (841 bytes)
C:\Windows\System32\config\SYSTEM (4538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe (7733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (15278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx (513 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def (24 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log.tmp.cc4b2451-75b9-4c75-9742-0fb1c6e807d7 (3 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (0 bytes)
The process instup.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (421 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-0.vpx (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1.vpx (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (146 bytes)
C:\ProgramData\AVAST Software\Avast\avast5.ini (588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (15534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122402.vpx (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (2668 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (671 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (291 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (0 bytes)
The process FB_53E9.tmp.exe:2360 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)
The process avast_premier_antivirus_setup_online.exe:3504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe (1783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-setup_ais-c0308e8.vpx (97 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (780 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def (6 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (2384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-prg_ais-c0308e8.vpx (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16081802.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-11af.vpx (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-7.vpx (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx (780 bytes)
The process rytr5674657gfhgjgj.eXe:992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe (69 bytes)
Registry activity
The process aswOfferTool.exe:3048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\GCAPITemp]
"test" = "te^"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\GCAPITemp]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\GCAPITemp]
"test"
The process aswOfferTool.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"AVAST Software" = "20170624"
[HKLM\SOFTWARE\Google\Google Toolbar]
"test" = "test"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Google Toolbar]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\No Toolbar Offer Until]
"AVAST Software"
[HKLM\SOFTWARE\Google\Google Toolbar]
"test"
The process FB_587C.tmp.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
[HKCU\Software\kSILlzCwXBSrQ1Vb72t6bIXtKRzHJ]
"US" = "@"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"VersionMinor" = "3"
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "47"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"InstallDate" = "20161224"
"VersionMajor" = "12"
"DisplayName" = "Avast Antivirus 12.3.3154.0"
"UninstallString" = "%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"DisplayVersion" = "12.3.3154.0"
"Publisher" = "AVAST Software"
"InstallSource" = "c:\"
"EstimatedSize" = "6513"
"URLInfoAbout" = "https://www.avast.com/en-us/index"
"HelpLink" = "Copyright (c) 2014 AVAST Software"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast Antivirus 12.3.3154.0]
"DisplayIcon" = "%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe"
"Language" = "1033"
"InstallLocation" = "%Program Files%\AVAST Software\Avast Antivirus\"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process instup.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"EnableFileTracing" = "0"
[HKCR\AvastPersistentStorage]
"InstupProgress_UpdateSetup_Main" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\AVAST Software\Avast]
"SetupLog" = "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log"
[HKCR\AvastPersistentStorage]
"InstupProgress_Description" = "Downloading file: servers.def.vpx"
"InstupProgress_UpdateSetup_Syncer" = "0"
"InstupProgress_Title" = "Updating the product"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\instup_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process instup.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\AvastPersistentStorage]
"InstupProgress_Installation_Syncer" = "100"
"InstupProgress_Installation_Main" = "0"
"InstupProgress_Description" = "Checking install conditions"
[HKLM\SOFTWARE\AVAST Software\Avast]
"SetupLog" = "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\aswProbeKey]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process FB_53E9.tmp.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\XtremeRAT]
"Mutex" = "PHypr4"
The process avast_premier_antivirus_setup_online.exe:3504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\AvastPersistentStorage]
"SfxInstProgress" = "0"
The process rytr5674657gfhgjgj.eXe:992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
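Most of the registry activity above is the bundled Avast installer doing its job (Tracing, AvastPersistentStorage, Uninstall keys, proxy settings). The entries that belong to the payload are few: SEE_MASK_NOZONECHECKS=1 in HKCU\Environment (suppresses the "downloaded from the Internet" prompt for files launched through ShellExecute), the HKCU\Software\XtremeRAT key with its Mutex value, a random-looking HKCU\Software subkey, and a PendingFileRenameOperations entry with an empty destination, which asks the session manager to delete a %Temp% artefact at the next boot. The following is an added example, not part of the Lavasoft report, that pulls exactly those artefacts out of a registry export; SAMPLE_REG is a constructed, simplified "reg export" excerpt mirroring the report, and the random-subkey heuristic is an assumption.

```python
"""Check a registry export for the artefacts this report attributes to the
payload rather than to the bundled Avast installer. Added example, not from
the report; SAMPLE_REG is a constructed, simplified "reg export" excerpt."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt. Real exports escape backslashes ("\\") and store
# REG_MULTI_SZ as hex(7); both are simplified here to keep the parser short.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"

[HKEY_CURRENT_USER\Software\kSILlzCwXBSrQ1Vb72t6bIXtKRzHJ]
"US"="@"

[HKEY_CURRENT_USER\Software\XtremeRAT]
"Mutex"="PHypr4"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"="\??\C:\Users\victim\AppData\Local\Temp\,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect"="1"
"UNCAsIntranet"="0"
'''

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.+))$')

MOTW_BYPASS = "mark-of-the-web prompt suppressed"
XTREMERAT_KEY = "XtremeRAT configuration key"
DEFERRED_DELETE = "deferred delete of a %Temp% artefact at next boot"
RANDOM_SUBKEY = "random-looking HKCU\\Software subkey (heuristic)"


def canon(path: str) -> str:
    """Expand HKCU/HKLM abbreviations and upper-case for case-insensitive matching."""
    hive, _, rest = path.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).upper()


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map canonical key path -> {value name: value string}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = canon(m.group(1))
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return keys


def check_reg(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    env = keys.get(canon(r"HKCU\Environment"), {})
    if env.get("SEE_MASK_NOZONECHECKS") == "1":
        # ShellExecute skips the Internet-zone check, so dropped files that carry
        # a Zone.Identifier stream run without the "publisher unknown" prompt.
        findings.append((MOTW_BYPASS, r"HKCU\Environment\SEE_MASK_NOZONECHECKS=1"))
    rat = keys.get(canon(r"HKCU\Software\XtremeRAT"))
    if rat is not None:
        findings.append((XTREMERAT_KEY, "Mutex=" + rat.get("Mutex", "<unset>")))
    sm = keys.get(canon(r"HKLM\System\CurrentControlSet\Control\Session Manager"), {})
    pfro = sm.get("PendingFileRenameOperations", "")
    # A source path followed by an empty destination is a delete request that
    # the session manager honours at boot; here it points into %Temp%.
    if "\\TEMP\\" in pfro.upper():
        findings.append((DEFERRED_DELETE, pfro))
    for path in keys:
        parts = path.split("\\")
        if len(parts) == 3 and parts[:2] == ["HKEY_CURRENT_USER", "SOFTWARE"]:
            leaf = parts[2]
            # Assumption: a 20+ character alphanumeric vendor name with digits
            # directly under HKCU\Software is rare enough to be worth a look.
            if len(leaf) >= 20 and leaf.isalnum() and any(c.isdigit() for c in leaf):
                findings.append((RANDOM_SUBKEY, leaf))
    return findings


if __name__ == "__main__":
    for category, detail in check_reg(parse_reg(SAMPLE_REG)):
        print(f"{category}: {detail}")
```

Run against a real export (`reg export HKCU out.reg`) the parser needs the backslash and hex(7) handling noted in the comment; the matching logic itself is unchanged.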
Dropped PE files
MD5 | File path |
---|---|
66ea31bba02926125f360f7e02bc8344 | c:\Program Files\AVAST Software\Avast Antivirus\Uninstall.exe |
b6e6fad911f99b82bf177954930deabb | c:\Program Files\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe |
60025dd6a05f3380ba1b0bafd338c320 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe |
4ef923e6c6243ce0188de66de429e605 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe |
edd855b165b286f79508a333b778f402 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll |
12b1037493b0b39d76a750029b14e662 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll |
49b4a212a375cc583bfdfbaa5e389266 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe |
00719052b2e70042e19e7162aecf8568 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe |
7e55d04d833375d6c0b968360d49e979 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe |
edd855b165b286f79508a333b778f402 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll |
12b1037493b0b39d76a750029b14e662 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll |
31cd6d713c3209701ad908027231641c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe |
907dd55be33c3c8bd9673ef209bfd014 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe |
49b4a212a375cc583bfdfbaa5e389266 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe |
907dd55be33c3c8bd9673ef209bfd014 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx |
7e55d04d833375d6c0b968360d49e979 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx |
00719052b2e70042e19e7162aecf8568 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx |
49b4a212a375cc583bfdfbaa5e389266 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx |
12b1037493b0b39d76a750029b14e662 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx |
31cd6d713c3209701ad908027231641c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx |
89d228621266365f1d82d73ba48a9d0e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx |
9fd8268dcf87fafa76757f604296cb0d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx |
edd855b165b286f79508a333b778f402 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx |
4ef923e6c6243ce0188de66de429e605 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe |
7b49fea8cb10f38387e3f89a95096beb | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe |
60025dd6a05f3380ba1b0bafd338c320 | c:\Windows\InstallDir\google.fr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. Note that Windows 7 and later ignore autorun.inf on USB and other non-optical removable media by default, so on the analysed Windows 7 SP1 host the script would not run automatically; the dropped autorun.inf and the copied executable remain useful indicators, and older hosts or hosts where AutoRun has been re-enabled through policy remain exposed.
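The WormAutorun behaviour in the Payload table and the Propagation note above describe the same mechanism: an autorun.inf whose open=, shellexecute= or shell\<verb>\command= entry points at the copied executable, usually dressed up with an action= line that mimics Explorer's "Open folder to view files". The scanner below is an added example, not part of the report, that walks drive roots, parses any autorun.inf and reports what it would launch; the drive layouts are constructed in temporary directories and placeholder.exe stands in for the copied worm file, whose name the report does not give.

```python
"""Find autorun.inf files on drive roots and work out what each would launch.
Added example, not part of the report; the drive layouts are constructed in
temporary directories and the executable name is a placeholder."""
import configparser
import os
import tempfile
from typing import Dict, List, Optional

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text: str) -> Dict[str, Optional[str]]:
    """Return the [autorun] section (any letter case) with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def first_token(value: Optional[str]) -> Optional[str]:
    """Program name without arguments or surrounding quotes."""
    if not value:
        return None
    parts = value.strip().split()
    return parts[0].strip('"') if parts else None


def launched_target(entries: Dict[str, Optional[str]]) -> Optional[str]:
    """open= and shellexecute= run on AutoPlay; a shell\\<verb>\\command= entry
    replaces the Explorer context-menu verb, so opening the drive runs it."""
    for key in ("open", "shellexecute"):
        if entries.get(key):
            return first_token(entries[key])
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            return first_token(value)
    return None


def scan_roots(roots: List[str]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        with open(inf, "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        target = launched_target(entries)
        target_path = os.path.join(root, target) if target else None
        findings.append({
            "root": root,
            "target": target,
            "target_present": bool(target_path) and os.path.isfile(target_path),
            # A fake "Open folder to view files" AutoPlay entry makes the victim
            # pick the malware believing it is Explorer.
            "folder_lure": (entries.get("action") or "").lower().startswith("open folder"),
            "suspicious": bool(target) and target.lower().endswith(EXEC_EXT),
        })
    return findings


def build_infected_drive() -> str:
    """Constructed drive: a stand-in executable plus an autorun.inf in the
    shape this behaviour class writes (placeholder.exe is not the real sample)."""
    root = tempfile.mkdtemp(prefix="usb_bad_")
    with open(os.path.join(root, "placeholder.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\n"
                 "open=placeholder.exe\n"
                 "shell\\open\\command=placeholder.exe\n"
                 "action=Open folder to view files\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    return root


def build_benign_drive() -> str:
    """Constructed drive whose autorun.inf only sets a label and icon."""
    root = tempfile.mkdtemp(prefix="usb_ok_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nlabel=Camera\nicon=camera.ico\n")
    return root


if __name__ == "__main__":
    for finding in scan_roots([build_infected_drive(), build_benign_drive()]):
        print(finding)
```

On a live Windows host pass the drive roots directly (for example `scan_roots(["E:\\", "F:\\"])`); a result with `suspicious` set and `target_present` true is the pair of files the manual-removal step tells you to delete.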
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
aswOfferTool.exe:3048
aswOfferTool.exe:1656
aswOfferTool.exe:2856
FB_587C.tmp.exe:656
%original file name%.exe:2196
WScript.exe:3900
instup.exe:2036
instup.exe:3336
FB_53E9.tmp.exe:2360
avast_premier_antivirus_setup_online.exe:3504
rytr5674657gfhgjgj.eXe:992
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084123048.dll (368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gtapi_14826084121656.dll (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\gcapi_14826084122856.dll (368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google.fr.exe (678 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (8250 bytes)
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe (101262 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.exe (3878 bytes)
%Program Files%\AVAST Software\Avast Antivirus\M.vbs (6697 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
%Program Files%\AVAST Software\Avast Antivirus\Uninstall.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rytr5674657gfhgjgj.eXe (32685 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x86_ais-8e8.vpx (591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump32.exe (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\uat.vpx.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.lkg (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-pgm.vpx (446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\avBugReport.exe (15799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avbugreport_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\prod-vps.vpx (451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122403.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.new (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\Instup.dll (78553 bytes)
C:\$Directory (1152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-8.vpx (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\HTMLayout.dll (24822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x86_ais-8e8.vpx (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\AvDump64.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\avdump_x64_ais-8e8.vpx (725 bytes)
C:\ProgramData\AVAST Software\Avast\avast5.ini (838 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log (27530 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4875 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\offertool_ais-8e8.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\servers.def.vpx (2 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log (794 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.dll (2668 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1319.vpx (841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe (7733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\aswOfferTool.exe (15278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\selfdefense_x64_ais-8e8.vpx (513 bytes)
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\event_manager.log.tmp.cc4b2451-75b9-4c75-9742-0fb1c6e807d7 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-0.vpx (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-1.vpx (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16122402.vpx (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\setgui_ais-8e8.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\config.def.vpx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\Instup.exe (1783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\HTMLayout.dll (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-setup_ais-c0308e8.vpx (97 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-prg_ais-c0308e8.vpx (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instcont_ais-8e8.vpx (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-vps_win32-16081802.vpx (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-jrog2-11af.vpx (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\part-iex-7.vpx (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\instup_ais-8e8.vpx (780 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_587C.tmp.exe (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FB_53E9.tmp.exe (69 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: AVAST Software
Product Name:
Product Version:
Legal Copyright: AVAST Software
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.3.3154.0
File Description: Avast Antivirus 12.3.3154.0 Installation
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 148684 | 148992 | 4.57091 | 5e14e4ede2e2215bc7d72837b9871f8f |
DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 176128 | 6040 | 6144 | 3.3864 | a4e0ac39d5ed487ceea059fa23dfce5e |
.tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
.reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
.rsrc | 200704 | 4200 | 4608 | 3.30561 | dc97f4c1541feda16ef84cf7044f3d17 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /vpsnitrotiny/part-jrog2-1.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-d5"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 213
Accept-Ranges: bytes
Cache-Control: max-age=33
Expires: Sat, 24 Dec 2016 19:40:42 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive
GET /iavs9x/avdump_x86_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 225164
Last-Modified: Fri, 19 Aug 2016 08:49:03 GMT
ETag: "57b6c7ff-36f8c"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:03 GMT
Connection: keep-alive
GET /iavs9x/selfdefense_x86_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 196135
Last-Modified: Fri, 19 Aug 2016 08:49:25 GMT
ETag: "57b6c815-2fe27"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:06 GMT
Connection: keep-alive
GET /vpsnitro/part-jrog2-1319.vpx HTTP/1.1
Host: k8056924.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 841
Last-Modified: Sat, 24 Dec 2016 16:28:14 GMT
ETag: "585ea21e-349"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive
POST /? HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Avast SimpleHttp/3.0
Content-Length: 87
Host: 77.234.43.107
data=CAMQ/////w8Y/////w8g/////w8qAIgBANoTBmlhdnM5eA==
HTTP/1.1 200 OK
Config-Name: avast_paid-products_low-value-countries_premier_szb-new-version_production-2ae52425519c67c5eb684b44a6b4c5f6a5caa285d2358eb0ace07d13944877c2
Config-Version: 1324
Content-Type: text/plain
TTL: 86400
TTL-Spread: 43200
Content-Length: 6656
Connection: close
[GrimeFighter]
LicensedClean=1
UseGF1License=1
info2_licensed_period=3600
info2_unlicensed_period=3600
[Instup.GA]
FractionDivisor=-1
FractionRemainder=1
[GA]
gaFractionDivisor=-1
[Analytics.Burger]
SendingPeriodSeconds=3600
BlackList=20.*;1.1.1;1.1.2;1.1.3;1.1.5;1.1.6;1.1.9;1.1.10;1.2;1.6;1.8.1;1.9
[StreamFilter]
TcpSpdy=0
[Bodyguard]
LeakedServer=digibody.ff.avast.com
LeakCheckInterval=0
[Instup.Submits]
SendBurger=1
HttpOnlyAsFallback=1
[Ffl2]
authServer=auth.ff.avast.com
[Pam]
SyncServer=pam-syncs.ff.avast.com
FFLAuthServer=auth.ff.avast.com
OnlineKeyServer=pam-airbond.ff.avast.com
AirBondServer=pam-airbond.ff.avast.com
[WebmailSignature]
GmailEnabled=0
OutlookEnabled=1
YahooEnabled=1
MaxRequestSize=16384
[Extensions]
FFSP=sp@avast.com
FFPAM=jid1-r1tDuNiNb4SEww@jetpack
GCSP=eofcbnmajmjmplflapaojjnihcjkigck
GCPAM=emhginjpijfggbofeediiojmdlmlkoik
GCAOS=gomekmidlodglbbmalcneegieacbdmki
FFAOS=wrc@avast.com
IEPAM=0A4E4748-5FEC-4098-88FA-080F11FF7B92
IEAOS=8E5E2654-AD2D-48bf-AC2D-D17F00898D06
GCASP=mbckjcfnjmoiinpgddefodcighgikkgn
GCWTU=chfdnecihphmhljaaejmgoiahnihplgn
GCWTU3=lkmdocpbnblchppecickbipihlkehdfg
GCAST=ndibdjnfmopecpmkdieinmbadjfpblof
GCASG=ndibdjnfmopecpmkdieinmbadjfpblof
FFASP=886A6486-37B3-4BCD-891B-FD0E325E7b1A
IEWTU=95B7759C-8C7F-4BF1-B163-73684A933233
FFWTU3=avg@wtu3
FFAST=avg@security
FFASG=avg@safeguard
[Components]
[SecureLine]
[Alpha]
AldServer=alpha-license-dealer.ff.avast.com
IqsServer=alpha-iqs.ff.avast.com
[common]
ConfigName=paid
<<< skipped >>>
GET /iavs9x/avbugreport_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 811029
Last-Modified: Fri, 19 Aug 2016 08:49:01 GMT
ETag: "57b6c7fd-c6015"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive
GET /vpsnitro/prod-vps.vpx HTTP/1.1
Host: h0356377.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Last-Modified: Sat, 24 Dec 2016 16:28:17 GMT
ETag: "585ea221-1c3"
Content-Type: application/octet-stream
Content-Length: 451
Accept-Ranges: bytes
Cache-Control: max-age=46
Expires: Sat, 24 Dec 2016 19:40:46 GMT
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive
GET /iavs9x/prod-pgm.vpx HTTP/1.1
Host: h1708605.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Last-Modified: Fri, 19 Aug 2016 08:49:43 GMT
ETag: "57b6c827-1be"
Content-Type: application/octet-stream
Content-Length: 446
Accept-Ranges: bytes
Cache-Control: max-age=59
Expires: Sat, 24 Dec 2016 19:40:59 GMT
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive
POST /? HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Avast SimpleHttp/3.0
Content-Length: 39
Host: 77.234.43.107
data=CAMQDBgDIOgRKgCIAQDaEwZpYXZzOXg=
HTTP/1.1 200 OK
Config-Name: avast_paid-products_low-value-countries_premier_szb-new-version_production-2ae52425519c67c5eb684b44a6b4c5f6a5caa285d2358eb0ace07d13944877c2
Config-Version: 1324
Content-Type: text/plain
TTL: 86400
TTL-Spread: 43200
Content-Length: 6656
Connection: close
[GrimeFighter]
LicensedClean=1
UseGF1License=1
info2_licensed_period=3600
info2_unlicensed_period=3600
[Instup.GA]
FractionDivisor=-1
FractionRemainder=1
[GA]
gaFractionDivisor=-1
[Analytics.Burger]
SendingPeriodSeconds=3600
BlackList=20.*;1.1.1;1.1.2;1.1.3;1.1.5;1.1.6;1.1.9;1.1.10;1.2;1.6;1.8.1;1.9
[StreamFilter]
TcpSpdy=0
[Bodyguard]
LeakedServer=digibody.ff.avast.com
LeakCheckInterval=0
[Instup.Submits]
SendBurger=1
HttpOnlyAsFallback=1
[Ffl2]
authServer=auth.ff.avast.com
[Pam]
SyncServer=pam-syncs.ff.avast.com
FFLAuthServer=auth.ff.avast.com
OnlineKeyServer=pam-airbond.ff.avast.com
AirBondServer=pam-airbond.ff.avast.com
[WebmailSignature]
GmailEnabled=0
OutlookEnabled=1
YahooEnabled=1
MaxRequestSize=16384
[Extensions]
FFSP=sp@avast.com
FFPAM=jid1-r1tDuNiNb4SEww@jetpack
GCSP=eofcbnmajmjmplflapaojjnihcjkigck
GCPAM=emhginjpijfggbofeediiojmdlmlkoik
GCAOS=gomekmidlodglbbmalcneegieacbdmki
FFAOS=wrc@avast.com
IEPAM=0A4E4748-5FEC-4098-88FA-080F11FF7B92
IEAOS=8E5E2654-AD2D-48bf-AC2D-D17F00898D06
GCASP=mbckjcfnjmoiinpgddefodcighgikkgn
GCWTU=chfdnecihphmhljaaejmgoiahnihplgn
GCWTU3=lkmdocpbnblchppecickbipihlkehdfg
GCAST=ndibdjnfmopecpmkdieinmbadjfpblof
GCASG=ndibdjnfmopecpmkdieinmbadjfpblof
FFASP=886A6486-37B3-4BCD-891B-FD0E325E7b1A
IEWTU=95B7759C-8C7F-4BF1-B163-73684A933233
FFWTU3=avg@wtu3
FFAST=avg@security
FFASG=avg@safeguard
[Components]
[SecureLine]
[Alpha]
AldServer=alpha-license-dealer.ff.avast.com
IqsServer=alpha-iqs.ff.avast.com
[common]
ConfigName=paid
<<< skipped >>>
GET /vpsnitro/part-iex-8.vpx HTTP/1.1
Host: w2920311.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 225
Last-Modified: Sat, 24 Dec 2016 16:28:14 GMT
ETag: "585ea21e-e1"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:00 GMT
Connection: keep-alive
GET /iavs9x/prod-pgm.vpx HTTP/1.1
Host: v4202226.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Last-Modified: Fri, 19 Aug 2016 08:49:43 GMT
ETag: "57b6c827-1be"
Content-Type: application/octet-stream
Content-Length: 446
Accept-Ranges: bytes
Cache-Control: max-age=11
Expires: Sat, 24 Dec 2016 19:40:20 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive
GET /iavs9x/avdump_x64_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 253194
Last-Modified: Fri, 19 Aug 2016 08:49:02 GMT
ETag: "57b6c7fe-3dd0a"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:03 GMT
Connection: keep-alive
GET /vpsnitrotiny/part-vps_win32-16122402.vpx HTTP/1.1
Host: r4205011.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-12a"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 298
Accept-Ranges: bytes
Cache-Control: max-age=40
Expires: Sat, 24 Dec 2016 19:40:49 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive
GET /vpsnitrotiny/prod-vps.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-1a5"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 421
Accept-Ranges: bytes
Cache-Control: max-age=33
Expires: Sat, 24 Dec 2016 19:40:42 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive
POST /cgi-bin/iavsevents.cgi HTTP/1.1
Host: v7event.stats.avast.com
User-Agent: avast! Antivirus
Accept: */*
Content-MD5: qncYSVIJaU gO3AFDztlgg==
Content-Type: iavs4/stats
Content-Length: 293
InstupVersion=12.3.3154.
edition=1
event=install_intr
guid=88954422-abef-43c9-a4a1-44e879ebb6a
midex=000000000000000000000000000000002d13e766ec0058428680dd00adcbeb6
operation=
os=win,6,1,2,7601,1,3
stat_session=d7563c3c-0a22-4cae-81e3-2aa806c61c1
statver=2.3
statsSendTime=148260841
HTTP/1.1 204
Server: nginx
Date: Sat, 24 Dec 2016 19:40:11 GMT
Content-Type: text/html
Connection: keep-alive
GET /iavs9x/offertool_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 1163694
Last-Modified: Fri, 19 Aug 2016 08:49:23 GMT
ETag: "57b6c813-11c1ae"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:04 GMT
Connection: keep-alive
GET /vpsnitrotiny/part-iex-0.vpx HTTP/1.1
Host: p9849275.vpsnitrotiny.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Last-Modified: Sat, 24 Dec 2016 16:40:07 GMT
ETag: "585ea4e7-d4"
Server: nginx
Content-Type: application/octet-stream
Content-Length: 212
Accept-Ranges: bytes
Cache-Control: max-age=17
Expires: Sat, 24 Dec 2016 19:40:26 GMT
Date: Sat, 24 Dec 2016 19:40:09 GMT
Connection: keep-alive
GET /collect?an=Premier&av=12.3.3154&cd=stub-extended&cd3=Online&cid=88954422-abef-43c9-a4a1-44e879ebb6a2&dt=Installation&t=screenview&tid=UA-58120669-3&v=1 HTTP/1.1
Connection: Keep-Alive
User-Agent: Avast SFX/1.0
Host: VVV.google-analytics.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 20 Dec 2016 16:03:33 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Cache-Control: no-cache, no-store, must-revalidate
Age: 358579
GET /vpsnitro/part-vps_win32-16122403.vpx HTTP/1.1
Host: h1708605.vpsnitro.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 3868
Last-Modified: Sat, 24 Dec 2016 16:28:17 GMT
ETag: "585ea221-f1c"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:01 GMT
Connection: keep-alive
GET /iavs9x/selfdefense_x64_ais-8e8.vpx HTTP/1.1
Host: g9421556.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 220901
Last-Modified: Wed, 23 Nov 2016 10:00:38 GMT
ETag: "583568c6-35ee5"
Accept-Ranges: bytes
Date: Sat, 24 Dec 2016 19:40:05 GMT
Connection: keep-alive
GET /iavs9x/servers.def.vpx HTTP/1.1
Host: k7677977.iavs9x.u.avast.com
User-Agent: avast! Antivirus
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 2869
Last-Modified: Tue, 21 Jun 2016 10:45:50 GMT
ETag: "57691ade-b35"
Accept-Ranges: bytes
Cache-Control: max-age=32
Expires: Sat, 24 Dec 2016 19:40:31 GMT
Date: Sat, 24 Dec 2016 19:39:59 GMT
Connection: keep-alive
POST /cgi-bin/iavsevents.cgi? HTTP/1.1
Connection: Keep-Alive
Content-Type: iavs4/stats
Content-MD5: jD3D40DKHlsozBl3CT2Htw==
User-Agent: Avast SimpleHttp/3.0
Content-Length: 356
Host: v7event.stats.avast.com
SfxCreated=148171082
SfxName=avast_premier_antivirus_setup_online.ex
SfxSize=630627
SfxVersion=12.3.3154.
edition=1
event=stu
guid=88954422-abef-43c9-a4a1-44e879ebb6a
midex=000000000000000000000000000000002d13e766ec0058428680dd00adcbeb6
os=win,6,1,2,7601,1,3
stat_session=d7563c3c-0a22-4cae-81e3-2aa806c61c1
statver=2.3
statsSendTime=148260839
HTTP/1.1 204
Server: nginx
Date: Sat, 24 Dec 2016 19:39:53 GMT
Content-Type: text/html
Connection: keep-alive
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
avast_premier_antivirus_setup_online.exe_3504:
.text
`.rdata
@.data
.didat
.rsrc
@.reloc
CMDL
CMDP
w%s(
j.Yf;
_tcPVj@
.PjRW
WINHTTP.dll
VERSION.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
gdiplus.dll
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
GetModuleHandleW (%s)
GetProcAddress (%s)
16:03:05
%s %d %d
%d:%d:%d
cmnbsInit %d
kernel32.dll
GetNamedPipeClientProcessId
GetNamedPipeServerProcessId
https
Unable to retrieve a path of the known folder (%d)!
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
d:\DEV\AvastNitro\BUILDS\Release\x86\SfxInstPaid.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.rsrc$01
.rsrc$02
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpCloseHandle
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
GdiplusShutdown
WinHttpCrackUrl
WinHttpSetOption
WinHttpSetTimeouts
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpSetCredentials
WinHttpQueryHeaders
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetCPInfo
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AU_Crt_new_delete@std@@
.?AU_Crt_new_delete@std@@
CKv.AKv^AKv
CKv.AKv^AKv
2DX9%c`
2DX9%c`
{BT"p.PD
{BT"p.PD
0.XAh
0.XAh
B%S'
B%S'
"w%u8D)
"w%u8D)
Cðr
Cðr
4ppaaaae%CG
4ppaaaae%CG
RRRa`pppt4%c
RRRa`pppt4%c
5`ptaat4t4pt%c
5`ptaat4t4pt%c
CG%'CG%CG%gCg
CG%'CG%CG%gCg
aeÊg
aeÊg
RRCcW5Ì
RRCcW5Ì
`aee%cGêaacG
`aee%cGêaacG
|''',',',
|''',',',
"''''""'"
"''''""'"
.et
.et
3#4 434;4
3#4 434;4
: :$:(:,:0:4:8:\:
: :$:(:,:0:4:8:\:
4&6 6:6:7
4&6 6:6:7
?'?.?9?@?
?'?.?9?@?
3%3s3
3%3s3
12u2
12u2
7 71797?7
7 71797?7
5 575@5[8
5 575@5[8
: :$:(:,:0:4:8:
: :$:(:,:0:4:8:
7r7s7
7r7s7
9,:5:@:{:
9,:5:@:{:
6i6D6
6i6D6
? ?$?(?,?0?4?8?
? ?$?(?,?0?4?8?
? ?$?(?,?
? ?$?(?,?
5$5(585
5$5(585
5$5,545
5$5,545
1,181@1`1|1
1,181@1`1|1
combase.dll
combase.dll
advapi32.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
__crt_strtox::floating_point_value::as_float
mscoree.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
portuguese-brazilian
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
OpOnReboot: MoveFileEx('%s') successfully performed.
OpOnReboot: MoveFileEx('%s') successfully performed.
OpOnReboot: MoveFileEx('%s') failed, code %s
OpOnReboot: MoveFileEx('%s') failed, code %s
OpOnReboot: Direct delete of file '%s' successfully performed.
OpOnReboot: Direct delete of file '%s' successfully performed.
OpOnReboot: Cannot directly delete file '%s', code %s
OpOnReboot: Cannot directly delete file '%s', code %s
0000-00-00 00:00:00
0000-00-00 00:00:00
[%s] [%-7s] [%-15s] [%5lu:%5lu] %s
[%s] [%-7s] [%-15s] [%5lu:%5lu] %s
Failed to open the log file "%s" with error 0xlx!
Failed to open the log file "%s" with error 0xlx!
GetValueImpl: cannot get value '%s\%s', code %s
GetValueImpl: cannot get value '%s\%s', code %s
SetValueImpl: cannot set value '%s' = '%d', code %s
SetValueImpl: cannot set value '%s' = '%d', code %s
servers.def
servers.def
config.def
config.def
CustomInstallation.ini
CustomInstallation.ini
Cannot get signature of archive '%s' (code 0x%x)
Cannot get signature of archive '%s' (code 0x%x)
Error in signature of archive '%s' (code 0x%x)
Error in signature of archive '%s' (code 0x%x)
Unknown signature type of archive '%s'
Unknown signature type of archive '%s'
Error opening archive '%s'
Error opening archive '%s'
Incorrect content length of archive '%s'
Incorrect content length of archive '%s'
Archive '%s' is too small
Archive '%s' is too small
Incorrect magic of archive '%s'
Incorrect magic of archive '%s'
Cannot load map block of archive '%s'
Cannot load map block of archive '%s'
Error loading map of archive '%s' (code 0x%x)
Error loading map of archive '%s' (code 0x%x)
Error in unpacked map data of archive '%s'
Error in unpacked map data of archive '%s'
SFX archive '%s' sucessfully loaded.
SFX archive '%s' sucessfully loaded.
Unpacking %s
Unpacking %s
Error saving %s to a file '%s', code %d (0x%X)
Error saving %s to a file '%s', code %d (0x%X)
license.avastlic
license.avastlic
bcc.cfg.tmp
bcc.cfg.tmp
Avast for business public key
Avast for business public key
bcpub.key.tmp
bcpub.key.tmp
rid.bin
rid.bin
Error saving embedded recommendation ID to a file '%s', code %d (0x%X)
Error saving embedded recommendation ID to a file '%s', code %d (0x%X)
pairing.bin
pairing.bin
Error saving embedded ticket ID to a file '%s', code %d (0x%X)
Error saving embedded ticket ID to a file '%s', code %d (0x%X)
prod-pgm.vpx
prod-pgm.vpx
prod-vps.vpx
prod-vps.vpx
uat.vpx
uat.vpx
Error extracting file '%s' (code 0x%x)
Error extracting file '%s' (code 0x%x)
C:\TEMP
C:\TEMP
"%s" %s
"%s" %s
Cannot get exit code of process '%s' (code 0x%x)
Cannot get exit code of process '%s' (code 0x%x)
Error creating process '%s' (code 0x%x)
Error creating process '%s' (code 0x%x)
Reboot: Restarting windows...
Reboot: Restarting windows...
Reboot: InitiateSystemShutdownEx returned 0xX
Reboot: InitiateSystemShutdownEx returned 0xX
VVV.google-analytics.com
VVV.google-analytics.com
ntdll.dll
ntdll.dll
instup.exe
instup.exe
Instup.dll
Instup.dll
Reboot.txt
Reboot.txt
bpubkey
bpubkey
\\.\ASWSP_Open
\\.\ASWSP_Open
Logs\Setup.log
Logs\Setup.log
Running SFX '%s'
Running SFX '%s'
The installer has detected corrupted Avast Antivirus installation on this computer (service '%s' is running), thus this installer cannot continue. Use the 'avastclear.exe' utility to fix the problem or contact the avast! support team.
The installer has detected corrupted Avast Antivirus installation on this computer (service '%s' is running), thus this installer cannot continue. Use the 'avastclear.exe' utility to fix the problem or contact the avast! support team.
Avast was not detected but service '%s' is running. There is a corrupted avast installation, thus this installer cannot continue.
Avast was not detected but service '%s' is running. There is a corrupted avast installation, thus this installer cannot continue.
The installer cannot open the SFX archive '%s'. (code 0x%x)
The installer cannot open the SFX archive '%s'. (code 0x%x)
Cannot open the SFX archive '%s' (code 0x%x)
Cannot open the SFX archive '%s' (code 0x%x)
_av_iup.tm~
_av_iup.tm~
~aswOfferTool.exe
~aswOfferTool.exe
GuiCust.dll
GuiCust.dll
The installer cannot extract servers.def with error %s!
The installer cannot extract servers.def with error %s!
\servers.def
\servers.def
The installer cannot extract VPX files to '%s' (code 0x%x)
The installer cannot extract VPX files to '%s' (code 0x%x)
Cannot extract VPX files to '%s' (code 0x%x)
Cannot extract VPX files to '%s' (code 0x%x)
setup.ovr
setup.ovr
avast.setup
avast.setup
Starting installer/updater executable '%s'
Starting installer/updater executable '%s'
The stub cannot run installer/updater executable '%s' (code 0x%x)
The stub cannot run installer/updater executable '%s' (code 0x%x)
Installer/updater executable '%s' finished (process return code 0x%x)
Installer/updater executable '%s' finished (process return code 0x%x)
Leaving Avast SFX stub guarded code section (return code 0x%x)
Leaving Avast SFX stub guarded code section (return code 0x%x)
hu/hu/hu hu:hu:hu START: Avast SFX stub executable
hu/hu/hu hu:hu:hu START: Avast SFX stub executable
hu/hu/hu hu:hu:hu END: Avast SFX stub executable, return code %d (0xlx)
hu/hu/hu hu:hu:hu END: Avast SFX stub executable, return code %d (0xlx)
win,%d,%d,%d,%d,%d,%s%s
win,%d,%d,%d,%d,%d,%s%s
Unable to retrieve stats URL from file '%s' with error 0x08lx!
Unable to retrieve stats URL from file '%s' with error 0x08lx!
The operation completed successfully
The operation completed successfully
Operation was cancelled
Operation was cancelled
Proxy login needed
Proxy login needed
HTTP error
HTTP error
Retrying operation
Retrying operation
%d (0xX)
%d (0xX)
SnxReboot.txt
SnxReboot.txt
FwReboot.txt
FwReboot.txt
Stats.ini
Stats.ini
Urls
Urls
LastVpsUrl
LastVpsUrl
LastPgmUrl
LastPgmUrl
defs\aswdefs.ini
defs\aswdefs.ini
ais_shl_web
ais_shl_web
alc_shl_web
alc_shl_web
ais_cmp_webrep
ais_cmp_webrep
alc_cmp_webrep
alc_cmp_webrep
setup.ini
setup.ini
product.groups
product.groups
product.parts.current
product.parts.current
product.parts.latest
product.parts.latest
Components.ini
Components.ini
ais_web_sh
ais_web_sh
ais_webrep
ais_webrep
ais_cmp_webrep_x64
ais_cmp_webrep_x64
ais_webrep_x64
ais_webrep_x64
ais_cmp_webrep_chrome
ais_cmp_webrep_chrome
ais_cmp_webrep_ff
ais_cmp_webrep_ff
ais_cmp_webrep_ie
ais_cmp_webrep_ie
.current
.current
.latest
.latest
.groups
.groups
KERNEL32.DLL
KERNEL32.DLL
%SystemRoot%
%SystemRoot%
avast5.ini
avast5.ini
aswCmnOS.dll
aswCmnOS.dll
%s\Oem\%s
%s\Oem\%s
KeyFolder
KeyFolder
ReportFolder
ReportFolder
report
report
CertificateFile
CertificateFile
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
\UXTHEME.DLL
\UXTHEME.DLL
\MSCTF.DLL
\MSCTF.DLL
JHOOK.DLL
JHOOK.DLL
X86\JHOOK.DLL
X86\JHOOK.DLL
\LIB\NVDAHELPERREMOTE.DLL
\LIB\NVDAHELPERREMOTE.DLL
user32.dll
user32.dll
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
\\.\Scsi%u:
\\.\Scsi%u:
\\.\AswHWID
\\.\AswHWID
f\\.\aswSP_Handler
f\\.\aswSP_Handler
\\.\ASWSP
\\.\ASWSP
daavmGlob.cnt
daavmGlob.cnt
aavmGlob.mtx
aavmGlob.mtx
aavmRefr.now
aavmRefr.now
aavmSema.apc
aavmSema.apc
asw.script_blocking.conf_data
asw.script_blocking.conf_data
asw.script_blocking.conf_data_protect
asw.script_blocking.conf_data_protect
aswAavmUp.evt
aswAavmUp.evt
aswArPotTest.evt
aswArPotTest.evt
aswLogDebug.mtx
aswLogDebug.mtx
AswMailSvc.Evt
AswMailSvc.Evt
aswUpdateNow.evt
aswUpdateNow.evt
Avast5.ChestMutex
Avast5.ChestMutex
AvWsCfgChg.evt
AvWsCfgChg.evt
AvWsTrm.evt
AvWsTrm.evt
vpsNew.sig
vpsNew.sig
vpsUpdat.sig
vpsUpdat.sig
Avast5.XLayer.AavmMutex
Avast5.XLayer.AavmMutex
AswProxyCfgChg.evt
AswProxyCfgChg.evt
AswProxy.evt
AswProxy.evt
avResWss64.mtx
avResWss64.mtx
avResE2K64.mtx
avResE2K64.mtx
avResSPM64.mtx
avResSPM64.mtx
avResMai64.mtx
avResMai64.mtx
NTDLL.DLL
NTDLL.DLL
\\?\UNC
\\?\UNC
\\.\%s
\\.\%s
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_USERS
Unable to crack the URL '%s' into components!
Unable to crack the URL '%s' into components!
Unable to crack the URL '%s' into components! Scheme is missing.
Unable to crack the URL '%s' into components! Scheme is missing.
Unable to crack the URL '%s' into components! Hostname is missing.
Unable to crack the URL '%s' into components! Hostname is missing.
Unable to initialize a WinHTTP connection!
Unable to initialize a WinHTTP connection!
Avast SimpleHttp/3.0
Avast SimpleHttp/3.0
Unable to initialize a WinHTTP session!
Unable to initialize a WinHTTP session!
Unable to set WinHTTP protocols (lx)!
Unable to set WinHTTP protocols (lx)!
Unable to set WinHTTP timeouts!
Unable to set WinHTTP timeouts!
Unable to open file '%s'!
Unable to open file '%s'!
Unable to initialize WinHTTP request!
Unable to initialize WinHTTP request!
Unable to set WinHTTP context!
Unable to set WinHTTP context!
Unable to set WinHTTP status callback!
Unable to set WinHTTP status callback!
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
?:\Program Files\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
?:\Program Files\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
%Program Files%\AVAST Software\Avast Antivirus\avast_premier_antivirus_setup_online.exe
12.3.3154.0
12.3.3154.0
SfxInst.exe
SfxInst.exe
instup.exe_2036:
svchost.exe_1700:
svchost.exe_1700_rwx_10000000_0004D000:
iexplore.exe_1052:
iexplore.exe_1052_rwx_10000000_0004D000:
google.fr.exe_3908_rwx_00312000_00002000:
google.fr.exe_3908_rwx_692D2000_00002000:
instup.exe_3336:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
AKv.AKv
AKv.AKv
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%H : %M : %S
%d / %m / %y
0123456789-
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
avBugReport.exe
GetModuleHandleW (%s)
GetProcAddress (%s)
0xx (%d)
Unable to retrieve a path of the known folder (%d)!
GetNamedPipeClientProcessId
GetNamedPipeServerProcessId
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
d:\DEV\AvastNitro\BUILDS\Release\x86\InstCont.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
VERSION.dll
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
Instup.dll
RPCRT4.dll
SHLWAPI.dll
GetCPInfo
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVwindows_file_codecvt@@
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AV?$Exportable@VIEventConnection@mi@asw@@@mi@asw@@
.?AVExportedFromModule@mi@asw@@
.?AVIExportable@mi@asw@@
.?AU_Crt_new_delete@std@@
.?AV?$Exportable@VILogger@log@asw@@@mi@asw@@
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
\\.\ASWSP_Open
avast! Self-Defense trust was not acquired. Code %s
Cannot initialize Instup, return code %s
Error returned by Instup, return code %s
Error in Instup cleanup, return code %s
--send dumps|report
hu/hu/hu hu:hu:hu END: Avast installer/updater, return code %s
The operation completed successfully
Operation was cancelled
Proxy login needed
HTTP error
Retrying operation
%d (0xX)
dbghelp.dll
Install failed: cannot get filename of current process due to error: %d
Minidump generation failed with error: %d
Minidump created successfully. Exception code is: %x
Attempted to WriteDump while another operation is already in progress
unp%u%u.mdmp
"%s" --pid %d --exception_ptr %p --thread_id %d --dump_level %d --dump_file "%s" --comment "%s"
Failed to start process dumper at '%s' due to error: %d
Failed to get exit code from dumper process, error: %d
avDump32.exe
User-initiated crash in %d ms
ekernel32.dll
rKernel32.dll
KERNEL32.DLL
.tmp.
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\\.\GLOBALROOT
\\.\aswSP_Handler
\\.\ASWSP
daavmGlob.cnt
aavmGlob.mtx
aavmRefr.now
aavmSema.apc
asw.script_blocking.conf_data
asw.script_blocking.conf_data_protect
aswAavmUp.evt
aswArPotTest.evt
aswLogDebug.mtx
AswMailSvc.Evt
aswUpdateNow.evt
Avast5.ChestMutex
AvWsCfgChg.evt
AvWsTrm.evt
vpsNew.sig
vpsUpdat.sig
Avast5.XLayer.AavmMutex
AswProxyCfgChg.evt
AswProxy.evt
avResWss64.mtx
avResE2K64.mtx
avResSPM64.mtx
avResMai64.mtx
%SystemRoot%
avast5.ini
aswCmnOS.dll
%s\Oem\%s
KeyFolder
ReportFolder
report
CertificateFile
HKEY_LOCAL_MACHINE
\\.\%s
NTDLL.DLL
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_av_iup.tm~a02100\New_c0308e8\instup.exe
12.3.3154.0
InstCont.exe