df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
Size

978KB
MD5

4e7d0d586916391e3fc0db565ea914fb
SHA1

a318f2992a662c6798d65264e4dab218ba050051
SHA256

df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02
SHA512

b48841516cfbeddde6cf3a58bc2784f704a39d34882dcec7a07ca0ed293856055405ec7aa088049747fe959899d91836e46d94029bd933fa09776a8e9aae7eff

Score

10^/10

bootkit macro persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4536 created 4496 4536 svchost.exe aswOfferTool.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4536 created 4496	4536	svchost.exe	aswOfferTool.exe

Executes dropped EXE 11 IoCs

Processes:

._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exeSynaptics.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
2276	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
4004	Synaptics.exe
744	avast_free_antivirus_setup_online_x64.exe
3296	instup.exe
1524	instup.exe
4336	aswOfferTool.exe
4376	aswOfferTool.exe
4412	aswOfferTool.exe
4448	aswOfferTool.exe
4496	aswOfferTool.exe
4696	aswOfferTool.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\xJ2eq29W.xlsm	office_macros

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe

Loads dropped DLL 9 IoCs

Processes:

._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
2276	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
3296	instup.exe
3296	instup.exe
3296	instup.exe
3296	instup.exe
1524	instup.exe
4376	aswOfferTool.exe
4448	aswOfferTool.exe
4696	aswOfferTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe

Checks for any installed AV software in registry 1 TTPs 32 IoCs

Security Software Discovery

T1063

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

instup.exeinstup.exedf2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-99b.vpx"	instup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2184 EXCEL.EXE

pid	process
2184	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exe

pid	process
744	avast_free_antivirus_setup_online_x64.exe
744	avast_free_antivirus_setup_online_x64.exe
1524	instup.exe
1524	instup.exe
1524	instup.exe
1524	instup.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exesvchost.exe

description	pid	process
Token: 32	744	avast_free_antivirus_setup_online_x64.exe
Token: 32	3296	instup.exe
Token: SeDebugPrivilege	3296	instup.exe
Token: 32	1524	instup.exe
Token: SeDebugPrivilege	1524	instup.exe
Token: SeDebugPrivilege	4496	aswOfferTool.exe
Token: SeImpersonatePrivilege	4496	aswOfferTool.exe
Token: SeTcbPrivilege	4536	svchost.exe
Token: SeTcbPrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeRestorePrivilege	4536	svchost.exe
Token: SeBackupPrivilege	4536	svchost.exe
Token: SeRestorePrivilege	4536	svchost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

instup.exeEXCEL.EXEinstup.exe

pid process

3296 instup.exe
2184 EXCEL.EXE
2184 EXCEL.EXE
2184 EXCEL.EXE
1524 instup.exe
2184 EXCEL.EXE
2184 EXCEL.EXE

pid	process
3296	instup.exe
2184	EXCEL.EXE
2184	EXCEL.EXE
2184	EXCEL.EXE
1524	instup.exe
2184	EXCEL.EXE
2184	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exesvchost.exe

description	pid	process	target process
PID 2016 wrote to memory of 2276	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
PID 2016 wrote to memory of 2276	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
PID 2016 wrote to memory of 2276	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
PID 2016 wrote to memory of 4004	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	Synaptics.exe
PID 2016 wrote to memory of 4004	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	Synaptics.exe
PID 2016 wrote to memory of 4004	2016	df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	Synaptics.exe
PID 2276 wrote to memory of 744	2276	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	avast_free_antivirus_setup_online_x64.exe
PID 2276 wrote to memory of 744	2276	._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe	avast_free_antivirus_setup_online_x64.exe
PID 744 wrote to memory of 3296	744	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 744 wrote to memory of 3296	744	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 3296 wrote to memory of 1524	3296	instup.exe	instup.exe
PID 3296 wrote to memory of 1524	3296	instup.exe	instup.exe
PID 1524 wrote to memory of 4336	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4336	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4336	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4376	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4376	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4376	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4412	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4412	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4412	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4448	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4448	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4448	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4496	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4496	1524	instup.exe	aswOfferTool.exe
PID 1524 wrote to memory of 4496	1524	instup.exe	aswOfferTool.exe
PID 4536 wrote to memory of 4696	4536	svchost.exe	aswOfferTool.exe
PID 4536 wrote to memory of 4696	4536	svchost.exe	aswOfferTool.exe
PID 4536 wrote to memory of 4696	4536	svchost.exe	aswOfferTool.exe

C:\Users\Admin\AppData\Local\Temp\df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
"C:\Users\Admin\AppData\Local\Temp\df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\Temp\asw.cb8a6502d6243082\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.cb8a6502d6243082\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_001_999_a4d_m /ga_clientid:2426c158-a1fb-4e91-9a96-894d508d43c9 /edat_dir:C:\Windows\Temp\asw.cb8a6502d6243082
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Temp\asw.15a17046cb8e82c4\instup.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.15a17046cb8e82c4 /edition:1 /prod:ais /guid:e1019fd6-b4cb-4e6e-8a1b-144b8a4abdb0 /ga_clientid:2426c158-a1fb-4e91-9a96-894d508d43c9 /cookie:mmm_ava_001_999_a4d_m /ga_clientid:2426c158-a1fb-4e91-9a96-894d508d43c9 /edat_dir:C:\Windows\Temp\asw.cb8a6502d6243082
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\instup.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.15a17046cb8e82c4 /edition:1 /prod:ais /guid:e1019fd6-b4cb-4e6e-8a1b-144b8a4abdb0 /ga_clientid:2426c158-a1fb-4e91-9a96-894d508d43c9 /cookie:mmm_ava_001_999_a4d_m /edat_dir:C:\Windows\Temp\asw.cb8a6502d6243082 /online_installer
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe" -checkGToolbar -elevated
6⤵
- Executes dropped EXE
PID:4336

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4376

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe" /check_secure_browser
6⤵
- Executes dropped EXE
PID:4412

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4448

C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
"C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4696

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2184

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
MD5
55bde3aeb5a52f8343c0d24588a2a4a0

SHA1
3d264e614d35bccd221b76cc1f9d80b4fcbcbaf1

SHA256
644e6dda986e5aba5865977fe7986e69226a61e1289ecfac5c69ea68b087b375

SHA512
8b2ff88a1cd96ab82fbec21c18a8267a9becfeb0e81cbf7c9ca3dcfbc49a8a7c9a8b909e24a8934dc4319d8f41e607c497d561232fc7dcd8fdef4e2b085cf751

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
MD5
170e95cb1ea20ef6c267c06b051d5b0c

SHA1
e10e23fa371b21a8ad96bea94627d9f03aa974ca

SHA256
cf1234c252f70922d3682a8c19f58999bd9eed96e494dc5865bd26eaf6c5ffb8

SHA512
83a1b4c32ed01729ea9f4c8836abe6d4df1cc590bd4a09e6a5508a1afdca5afc78b700c11f650dd8ce4119cc6b1d233a69afefbeefbf9791ef688111abaf328b

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log
MD5
66277de6f237c9dfa369f0e794e7293d

SHA1
95c96d0f00833da64ba5fe323682387430b74ca2

SHA256
53830d1c40ddd13cfd254b6f64e87ca2a78001964615ac24fb8c31d428e9a94a

SHA512
1ee5fb10f5bb973ca3a5d40804a48164d18faf010424a3b6643890ba310d7eccb5709c44a14ba1d89c34a5424ddf617489f19ae39d92d71500c2684dc032d58e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
f47ba21a0625905bd2ce98bfd92825ce

SHA1
b744ef5b7edbde6536f3d5928f9efe57581fcbb2

SHA256
21e714286bc85aab5db3cf9e77c589bbed5f05dbc36a2281a90b4a550fae2c09

SHA512
b6608758c9c6b969b47edbe9338170b5011956d69d5475ebe93c62e0c3615bb580a9f979003741f3caa4642cf69a2d3fab511656a27b49c73c565c84a6b817d9

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
f47ba21a0625905bd2ce98bfd92825ce

SHA1
b744ef5b7edbde6536f3d5928f9efe57581fcbb2

SHA256
21e714286bc85aab5db3cf9e77c589bbed5f05dbc36a2281a90b4a550fae2c09

SHA512
b6608758c9c6b969b47edbe9338170b5011956d69d5475ebe93c62e0c3615bb580a9f979003741f3caa4642cf69a2d3fab511656a27b49c73c565c84a6b817d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_df2c30b656736db75a14747f344d78b6b176434ef09dc55ec0a074089bbdad02.exe
MD5
1e6ac168aebfc10c511f9c34d11317b5

SHA1
7a9015ce9de60f277747628f62034655d0fdec1e

SHA256
3868797ffd83e52ce30c0c97f820f0fa38a0b000c9ce51682cda6ccd476b525a

SHA512
d5cdf1e3d8e18319baf22ddc9f4af566cdfabdeade60685af7c3fc476b89bb5fc77bb620b8cc994ac686c83aaf3a02039752102c69f3b8b79b0486c92eccdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xJ2eq29W.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Public\Documents\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\HTMLayout.dll
MD5
68b1aec679de6b450a0f6f4ba1300e46

SHA1
d73f9270ad9256e277e1ff94131614e03e69e84b

SHA256
84f2f2a224123903935742c70a0534b372d0508a636b57cb3ad59bf9581ed6d1

SHA512
8420c4e53b4ca7640ca7b6fb7ffb817286b46e56d1391e1ad7a1fdc76317c6378de68ed693e998daf60463d57c1b00a2d0c74981425945a613030d1cd9b1c6eb

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\Instup.dll
MD5
ee119838160ff79e2889aa7e5e68b7c4

SHA1
8ba9dd96eca83ef12db1040b3a57ce0698738017

SHA256
fb370ed08f9c6b28b2c1fcaee4fb0568a8a24eccc5f882994451dd1de83ee93a

SHA512
edd0ec5b8f355f9350d963d36dc6e8d68b80811a2442296955c2ce6a53fb22338952b0cea354d338b962d31907c254090e9584cdbda4c8149907b99058880a55

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\Instup.exe
MD5
9761cff1f4b644ea65871953560a9d88

SHA1
34b8d77886194221fbc611670f6858e0dd71c23e

SHA256
d0a1f56ac2e5984d5704c48220397bfa0d753a6f6bd901124456ca0ccdd9542d

SHA512
03960eed2b5c43f4a92510ec3ffd8a45250a8ddb6c88e0fa401370dc40ca8d9a473547ea958da2fac3e2dd0198a51c95cb8be4cce6d1b0b5fa46fc5a812dab28

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\HTMLayout.dll
MD5
68b1aec679de6b450a0f6f4ba1300e46

SHA1
d73f9270ad9256e277e1ff94131614e03e69e84b

SHA256
84f2f2a224123903935742c70a0534b372d0508a636b57cb3ad59bf9581ed6d1

SHA512
8420c4e53b4ca7640ca7b6fb7ffb817286b46e56d1391e1ad7a1fdc76317c6378de68ed693e998daf60463d57c1b00a2d0c74981425945a613030d1cd9b1c6eb

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\Instup.dll
MD5
ee119838160ff79e2889aa7e5e68b7c4

SHA1
8ba9dd96eca83ef12db1040b3a57ce0698738017

SHA256
fb370ed08f9c6b28b2c1fcaee4fb0568a8a24eccc5f882994451dd1de83ee93a

SHA512
edd0ec5b8f355f9350d963d36dc6e8d68b80811a2442296955c2ce6a53fb22338952b0cea354d338b962d31907c254090e9584cdbda4c8149907b99058880a55

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\aswOfferTool.exe
MD5
8634a86c4f0870d442a80e75b3a0990d

SHA1
3d0e6ac491683263b3723b2090ba9955acaa955a

SHA256
c0b51323a4bcc3e966216ec0f016721b34be5e7e4c1976f0ddbf26374d03222e

SHA512
34d833a383e02b0e7942ce447d35e62e5c494994796302bae1e31a65e69d20b69a4c8d4d400fc0f2f7948b182ea532fb61b5388db0ec02227fdb80277fd0ec77

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\instup.exe
MD5
9761cff1f4b644ea65871953560a9d88

SHA1
34b8d77886194221fbc611670f6858e0dd71c23e

SHA256
d0a1f56ac2e5984d5704c48220397bfa0d753a6f6bd901124456ca0ccdd9542d

SHA512
03960eed2b5c43f4a92510ec3ffd8a45250a8ddb6c88e0fa401370dc40ca8d9a473547ea958da2fac3e2dd0198a51c95cb8be4cce6d1b0b5fa46fc5a812dab28

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\config.def
MD5
c25b2d9a8f9234ae9504947fcc0d6f9f

SHA1
41156bc0f57be0e7ad4921948a1b4e3991c893fb

SHA256
82a87ed7c947e18baaad16a50ae89e6a395fb97f98703efc6d72db1cf98747d3

SHA512
14a0e55033c5dbc52e77fc5ffd61d2a0e74c1d292ba8e9d31b2e3f8de523093f30bd546e7a696e31e6557890fcbd301a19bde99deb48ee5d1078323ea120b532

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\config.def
MD5
1a2cd2a0059d7d2000120f6cfbd0ccc3

SHA1
cd56f0165915950eae4f7e2522d629db17e501e3

SHA256
3411c6812c7e29dc76f3616f4bf7649c63a974674867e65e1c0db66490068ed1

SHA512
2235cbb41221f201f180753aea13afd27712cdd3ba1d4120143554b0968146dd07473f0b7d31c2a10e99398b9509adc6cf1a5035172910cde36a03377d3c8a19

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\config.ini
MD5
3d77e16cd8ef69c5421b305a3cbe6635

SHA1
ed05896946434de9842754e828beb0ce2fbf0f40

SHA256
f7dda752ded6de8ecddcb709d866fca35e3de782387a872e8f69a116864a19fb

SHA512
4fe2a665678dfaa1bc9863bcf3769fcba86e21c0de9f268a4663c1e41738fb28be2533dacfac067a8f5f379092ba70e8fabaea1bf572270fdf43c30354df6e7e

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\instcont_x64_ais-99b.vpx
MD5
9761cff1f4b644ea65871953560a9d88

SHA1
34b8d77886194221fbc611670f6858e0dd71c23e

SHA256
d0a1f56ac2e5984d5704c48220397bfa0d753a6f6bd901124456ca0ccdd9542d

SHA512
03960eed2b5c43f4a92510ec3ffd8a45250a8ddb6c88e0fa401370dc40ca8d9a473547ea958da2fac3e2dd0198a51c95cb8be4cce6d1b0b5fa46fc5a812dab28

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\instup_x64_ais-99b.vpx
MD5
f02755dfbd03b6814c608f8878b16b88

SHA1
a78a8d51448a3c1efcf9ec3ca204b63807d0db17

SHA256
ea97c2e7cab3075c08c933fd1f7180ef457ce6a5693c9ef92db1eae87c226533

SHA512
c0a1ed3213086594d1efbd0385a62fd2f67d770468eb928c076937739683f9904c025f0f5f1bca4c9402f4324c99310c2ec67cb5c5d026ff081c23ba12f13666

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\part-prg_ais-1503099b.vpx
MD5
656752398a9e41bede48e1c5b415438e

SHA1
b16b6e7720875bab55f0fa6e5382254a42fb082d

SHA256
cd9c4aed3232a16c1aad7523c5c41b103ac06c7f477b397f4d069d3bdbf18751

SHA512
1b4cc45577e0d811e221e838432964f1ddb29fec8c135737302da3fcb9bc99cb89e37049a577ae9f023fccdff815e00becb7199255d88dd161c8d4dda5e52066

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\part-setup_ais-1503099b.vpx
MD5
59ccdecb7107f1b5873baf415735f283

SHA1
39d216977997b75e7bba2f6bcebe38547fe06fcf

SHA256
b5e5f04d84420b79cb76e04f8f2a207960f8a2e4f623a8c12f7be1c6d5b18fbd

SHA512
21023084696edd874e1c0d16d351d4f814a10d90ee1ca50a7ecd394247042d97a7513372b08c6b2c9bf3370f9890c73424722b546cd8d8485c0f9f4ae2b5c135

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\prod-pgm.vpx
MD5
8de4fbba4e8a3bf54adcd170332e50c0

SHA1
00e268dd13d0485f6b39c430f24e31b06b79e297

SHA256
3943261e773d357b82a3297bfede157fdb9e2111aefcd75d87ba2a4298530a18

SHA512
369296ae3f332d8dcbb6b317b91dc98b3cee3aa5dfe76b5e464533e5e85dae6f118c01e7be37d66f7854cb13de57387bb654099bfa3ca4fcca065180501d7af2

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\prod-pgm.vpx
MD5
8de4fbba4e8a3bf54adcd170332e50c0

SHA1
00e268dd13d0485f6b39c430f24e31b06b79e297

SHA256
3943261e773d357b82a3297bfede157fdb9e2111aefcd75d87ba2a4298530a18

SHA512
369296ae3f332d8dcbb6b317b91dc98b3cee3aa5dfe76b5e464533e5e85dae6f118c01e7be37d66f7854cb13de57387bb654099bfa3ca4fcca065180501d7af2

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\prod-vps.vpx
MD5
f4abebab786e30b1dcf94b7501f87deb

SHA1
86560917d30cdcac3ffbe3e9d8550e6feb72cc50

SHA256
53a8c7527fc0d5ab77f7b850ebe2944e45598db565abd1c2cfc1924c2bf3762b

SHA512
cb8fee15329401b2dd0ba7a82f4dca68016afc7220e39f102c77f07a55d29bd8e986a8f8f7df6d5e1e351b283d89e427fd1c1afd6c896f44ef5c40a67462f8f6

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\servers.def
MD5
f94de26c9bb7b9697b237f42da3ada80

SHA1
2e16c372c87a469b1e2556951ee148d94807094e

SHA256
c04d9b4aab66d4bf1c404af5870200195b79f5b6e64f8e81bd1d7413fdd348b9

SHA512
ce3629c948fb11fbcaa19df8a7f1f658b91d0f482acfadba4bfe9f25313084624a4347690a78a6533fa38e31f7bc68875d05a92561999dcf8828607fdd26573e

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\servers.def
MD5
f94de26c9bb7b9697b237f42da3ada80

SHA1
2e16c372c87a469b1e2556951ee148d94807094e

SHA256
c04d9b4aab66d4bf1c404af5870200195b79f5b6e64f8e81bd1d7413fdd348b9

SHA512
ce3629c948fb11fbcaa19df8a7f1f658b91d0f482acfadba4bfe9f25313084624a4347690a78a6533fa38e31f7bc68875d05a92561999dcf8828607fdd26573e

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\servers.def.vpx
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\setgui_x64_ais-99b.vpx
MD5
68b1aec679de6b450a0f6f4ba1300e46

SHA1
d73f9270ad9256e277e1ff94131614e03e69e84b

SHA256
84f2f2a224123903935742c70a0534b372d0508a636b57cb3ad59bf9581ed6d1

SHA512
8420c4e53b4ca7640ca7b6fb7ffb817286b46e56d1391e1ad7a1fdc76317c6378de68ed693e998daf60463d57c1b00a2d0c74981425945a613030d1cd9b1c6eb

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\setup.def
MD5
1679de65d5a28b984dc40324e2e49ff7

SHA1
35207e464572844399c450852e8032a1525093bd

SHA256
47384aa741fc61e0b61b30ff221d809e2002fa962d59ea6ee0e6526dfbfed49b

SHA512
5ec148d7d0c5a955521fce671420905162d5e6d133301fb0e2f49216494a0f118d3f87e7b389269847487b3a001549d2dc566e1dd7ee749c7f7b2823c5e2aaea

Download Submit
C:\Windows\Temp\asw.15a17046cb8e82c4\uat64.vpx
MD5
93415d146a88024e9e78be98f1c2cf37

SHA1
715491fce018a4797e6a51d85062a96ace7ba924

SHA256
ede59a8df2362dc623214a489acfe7bd0433ed19a448cbd3fcddc0d1828cee40

SHA512
b6ee1a0497bbefd74c5a9469715bb80af0f6d4360c2dfdba991a8b474490f7e8ca3ef70fcd4ee33e39024268acb24d0dda4492632bad80a053fdf261eccd702f

Download Submit
C:\Windows\Temp\asw.cb8a6502d6243082\avast_free_antivirus_setup_online_x64.exe
MD5
2ad53bb24623ae87972dcc2fee251504

SHA1
8fc9c7d143962051f025d7feb4d8d79737e450e6

SHA256
d1bcb36f797b9660a94964e1a16f54f4a77d9522acc2375297f4b6406966c290

SHA512
12146a05bd2a85cb04dca79fd843754a23b197d5462526c42a459e766161c8144e9d33867da061184e1d15443322205b40a037f99ba4fc83dae24f36bddd8612

Download Submit
C:\Windows\Temp\asw.cb8a6502d6243082\avast_free_antivirus_setup_online_x64.exe
MD5
2ad53bb24623ae87972dcc2fee251504

SHA1
8fc9c7d143962051f025d7feb4d8d79737e450e6

SHA256
d1bcb36f797b9660a94964e1a16f54f4a77d9522acc2375297f4b6406966c290

SHA512
12146a05bd2a85cb04dca79fd843754a23b197d5462526c42a459e766161c8144e9d33867da061184e1d15443322205b40a037f99ba4fc83dae24f36bddd8612

Download Submit
C:\Windows\Temp\asw.cb8a6502d6243082\ecoo.edat
MD5
4887735424cf86eccfd399be9235e528

SHA1
599dad623cddcbeda0ed743fce27826d5f85236b

SHA256
c9d72900e45494231cbe75ddb8426632cb6b20582cbec1d9cce8c68519e50489

SHA512
1c7117a44377946bdef7bc2d7e93befd018056fd5a640c4c47a3b5cd37e650698ded15d038d6b4a2625e229266befee9a5fd3541035c471b0bf8426a065dfcd9

Download Submit
\Users\Public\Documents\gcapi_16207248294696.dll
MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\HTMLayout.dll
MD5
68b1aec679de6b450a0f6f4ba1300e46

SHA1
d73f9270ad9256e277e1ff94131614e03e69e84b

SHA256
84f2f2a224123903935742c70a0534b372d0508a636b57cb3ad59bf9581ed6d1

SHA512
8420c4e53b4ca7640ca7b6fb7ffb817286b46e56d1391e1ad7a1fdc76317c6378de68ed693e998daf60463d57c1b00a2d0c74981425945a613030d1cd9b1c6eb

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\HTMLayout.dll
MD5
68b1aec679de6b450a0f6f4ba1300e46

SHA1
d73f9270ad9256e277e1ff94131614e03e69e84b

SHA256
84f2f2a224123903935742c70a0534b372d0508a636b57cb3ad59bf9581ed6d1

SHA512
8420c4e53b4ca7640ca7b6fb7ffb817286b46e56d1391e1ad7a1fdc76317c6378de68ed693e998daf60463d57c1b00a2d0c74981425945a613030d1cd9b1c6eb

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\Instup.dll
MD5
ee119838160ff79e2889aa7e5e68b7c4

SHA1
8ba9dd96eca83ef12db1040b3a57ce0698738017

SHA256
fb370ed08f9c6b28b2c1fcaee4fb0568a8a24eccc5f882994451dd1de83ee93a

SHA512
edd0ec5b8f355f9350d963d36dc6e8d68b80811a2442296955c2ce6a53fb22338952b0cea354d338b962d31907c254090e9584cdbda4c8149907b99058880a55

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\gcapi_16207248284376.dll
MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\New_1503099b\gcapi_16207248294448.dll
MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\uat_1524.dll
MD5
1e92808253c5f34fa8ba620f22120819

SHA1
baba99426834b37b862a73cd7b4874efaa4b75b0

SHA256
ef726a0ed4fb3463e6e9fa9e9285f9e77a5bb58f2e7e63e653b04fc65f950908

SHA512
fe34cef26666e46d0eeea810df80e539fe2c4fd06079583c74f958105f4c4d74c824ee256ebe7229395c1b4bc9b1a9d9788de56339b4cc020839945999931778

Download Submit
\Windows\Temp\asw.15a17046cb8e82c4\uat_3296.dll
MD5
1e92808253c5f34fa8ba620f22120819

SHA1
baba99426834b37b862a73cd7b4874efaa4b75b0

SHA256
ef726a0ed4fb3463e6e9fa9e9285f9e77a5bb58f2e7e63e653b04fc65f950908

SHA512
fe34cef26666e46d0eeea810df80e539fe2c4fd06079583c74f958105f4c4d74c824ee256ebe7229395c1b4bc9b1a9d9788de56339b4cc020839945999931778

Download Submit
\Windows\Temp\asw.cb8a6502d6243082\avast_free_antivirus_setup_online_x64.exe
MD5
2ad53bb24623ae87972dcc2fee251504

SHA1
8fc9c7d143962051f025d7feb4d8d79737e450e6

SHA256
d1bcb36f797b9660a94964e1a16f54f4a77d9522acc2375297f4b6406966c290

SHA512
12146a05bd2a85cb04dca79fd843754a23b197d5462526c42a459e766161c8144e9d33867da061184e1d15443322205b40a037f99ba4fc83dae24f36bddd8612

Download Submit
memory/744-125-0x0000000000000000-mapping.dmp

Download
memory/1524-157-0x0000000000000000-mapping.dmp

Download
memory/2016-114-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2184-149-0x00007FFDCA390000-0x00007FFDCA3A0000-memory.dmp

Filesize
64KB

Download
memory/2184-142-0x00007FFDCA390000-0x00007FFDCA3A0000-memory.dmp

Filesize
64KB

Download
memory/2184-139-0x00007FFDCA390000-0x00007FFDCA3A0000-memory.dmp

Filesize
64KB

Download
memory/2184-156-0x00007FFDE3700000-0x00007FFDE55F5000-memory.dmp

Filesize
31.0MB

Download
memory/2184-123-0x00007FF6F6110000-0x00007FF6F96C6000-memory.dmp

Filesize
53.7MB

Download
memory/2184-153-0x000002DE962A0000-0x000002DE9738E000-memory.dmp

Filesize
16.9MB

Download
memory/2184-144-0x00007FFDCA390000-0x00007FFDCA3A0000-memory.dmp

Filesize
64KB

Download
memory/2184-141-0x00007FFDCA390000-0x00007FFDCA3A0000-memory.dmp

Filesize
64KB

Download
memory/2276-115-0x0000000000000000-mapping.dmp

Download
memory/3296-129-0x0000000000000000-mapping.dmp

Download
memory/4004-119-0x0000000000000000-mapping.dmp

Download
memory/4004-122-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4336-202-0x0000000000000000-mapping.dmp

Download
memory/4376-207-0x0000000000000000-mapping.dmp

Download
memory/4412-212-0x0000000000000000-mapping.dmp

Download
memory/4448-218-0x0000000000000000-mapping.dmp

Download
memory/4496-226-0x0000000000000000-mapping.dmp

Download
memory/4696-237-0x0000000000000000-mapping.dmp

Download