95c16c2f74bfe9878117d341d4b259c5327f87fc10e8407b27e9a905aff0ac11

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56354f6191810e362bf2ae7b3f6e82b4.exe
Size

256KB
MD5

56354f6191810e362bf2ae7b3f6e82b4
SHA1

98260eb9dbec4ef777939937b4ca797ac336e3ff
SHA256

95c16c2f74bfe9878117d341d4b259c5327f87fc10e8407b27e9a905aff0ac11
SHA512

fb40abe4838e4026a4b1c826566454ff181e68bf7f7929777f2ea63e55a8242c65f12dffb274e8c46f5f1bcb7f42661c41e7b2a62ed39050814a45de54ab8b30
SSDEEP

6144:bCfHrZae3GFqRQcMeh4WpywpjchNCPnAeb:bCfLZadcM24fRNXe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3732	avast_free_antivirus_setup_online_x64.exe
4304	instup.exe
4624	instup.exe
2352	aswOfferTool.exe
980	aswOfferTool.exe
752	aswOfferTool.exe
4256	aswOfferTool.exe
3820	aswOfferTool.exe

Loads dropped DLL 13 IoCs

pid	Process
5084	56354f6191810e362bf2ae7b3f6e82b4.exe
4304	instup.exe
4304	instup.exe
4304	instup.exe
4304	instup.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe
752	aswOfferTool.exe
3820	aswOfferTool.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	56354f6191810e362bf2ae7b3f6e82b4.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-a03.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a03.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3732	avast_free_antivirus_setup_online_x64.exe
3732	avast_free_antivirus_setup_online_x64.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe
4624	instup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 32	3732	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	4304	instup.exe
Token: 32	4304	instup.exe
Token: SeDebugPrivilege	4624	instup.exe
Token: 32	4624	instup.exe
Token: SeDebugPrivilege	4256	aswOfferTool.exe
Token: SeImpersonatePrivilege	4256	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4304	instup.exe
4624	instup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3732	5084	56354f6191810e362bf2ae7b3f6e82b4.exe	86
PID 5084 wrote to memory of 3732	5084	56354f6191810e362bf2ae7b3f6e82b4.exe	86
PID 3732 wrote to memory of 4304	3732	avast_free_antivirus_setup_online_x64.exe	88
PID 3732 wrote to memory of 4304	3732	avast_free_antivirus_setup_online_x64.exe	88
PID 4304 wrote to memory of 4624	4304	instup.exe	91
PID 4304 wrote to memory of 4624	4304	instup.exe	91
PID 4624 wrote to memory of 2352	4624	instup.exe	93
PID 4624 wrote to memory of 2352	4624	instup.exe	93
PID 4624 wrote to memory of 2352	4624	instup.exe	93
PID 4624 wrote to memory of 980	4624	instup.exe	94
PID 4624 wrote to memory of 980	4624	instup.exe	94
PID 4624 wrote to memory of 980	4624	instup.exe	94
PID 4624 wrote to memory of 752	4624	instup.exe	95
PID 4624 wrote to memory of 752	4624	instup.exe	95
PID 4624 wrote to memory of 752	4624	instup.exe	95
PID 4624 wrote to memory of 4256	4624	instup.exe	96
PID 4624 wrote to memory of 4256	4624	instup.exe	96
PID 4624 wrote to memory of 4256	4624	instup.exe	96

C:\Users\Admin\AppData\Local\Temp\56354f6191810e362bf2ae7b3f6e82b4.exe
"C:\Users\Admin\AppData\Local\Temp\56354f6191810e362bf2ae7b3f6e82b4.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\Temp\asw.ee0642573309b554\avast_free_antivirus_setup_online_x64.exe
  "C:\Windows\Temp\asw.ee0642573309b554\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_tst_007_402_a /ga_clientid:68aed8cf-38b6-4ba8-b8c1-076170ec5e11 /edat_dir:C:\Windows\Temp\asw.ee0642573309b554
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\Temp\asw.aa40d4087078208f\instup.exe
    "C:\Windows\Temp\asw.aa40d4087078208f\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.aa40d4087078208f /edition:1 /prod:ais /guid:d5993096-bc16-499f-8829-4eea23c1f237 /ga_clientid:68aed8cf-38b6-4ba8-b8c1-076170ec5e11 /cookie:mmm_ava_tst_007_402_a /ga_clientid:68aed8cf-38b6-4ba8-b8c1-076170ec5e11 /edat_dir:C:\Windows\Temp\asw.ee0642573309b554
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\instup.exe
      "C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.aa40d4087078208f /edition:1 /prod:ais /guid:d5993096-bc16-499f-8829-4eea23c1f237 /ga_clientid:68aed8cf-38b6-4ba8-b8c1-076170ec5e11 /cookie:mmm_ava_tst_007_402_a /edat_dir:C:\Windows\Temp\asw.ee0642573309b554 /online_installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        
        PID:2352
    - - C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        
        PID:980
    - - C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:752
    - - C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
2KB

MD5
5b8516aa20b9b6827f875c7e7c5b2bf3

SHA1
a089ab558fd973c4fd260b1c4d14dd2e728941c8

SHA256
d29d89bfa4fecfda1cfd335e406a251167ba7d3d5345b0f5afa8a7ab2509e717

SHA512
6abaebdfc515d917c242c22894e14b749ee4e30f42abb05dec53ad7fc96b291414581b7924ff97f4d5dfc9e9ac05f15f1f31aa9c71bbaba096e50103202799de

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
24KB

MD5
e7a04590506047d72d68482cd347c850

SHA1
84ec572f6375e1cf84635e27be03059ade9e33b8

SHA256
c8e33b23e5525e3ce61388496bf81198bb858a5b8b43b2a1faf9bfdb9b37f51a

SHA512
8e9cad6507f75dab47af57b681f1b0168eb730c976013902cdab1fdb06fbd7e471670e4f5ba6b2b1f0927bee2918d8a5713e9576cafec7635ed818fef0fcdc3c

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
f374518f598f5708fba86eca54097b88

SHA1
0768e58787a1177905649617b549a0400d62929d

SHA256
32d34065974176c6b1c0e8055b9ca6a9053804db934b37003ee7561d9e3dcd6d

SHA512
c5d6466b2f61c4741c41f9af3e8bcddc149d4aa6b562370fefc057785a6d155904b77eaf680a8fc7e46f545a78df402707df321f9154a4fc9fc764cf1e4be662

Download Submit
C:\Users\Public\Documents\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Users\Public\Documents\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Users\Public\Documents\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\Instup.dll

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\Instup.dll

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\Instup.exe

Filesize
4.4MB

MD5
2867ea130a8933ce025c293d20481e91

SHA1
c47a8c65855835419fd82995a8aacaa06b11a7ac

SHA256
2b7ab04d1d325b83d225c2a5d2570020141640478b30b7367d9dbc3ddd9d5175

SHA512
1ef65447120ebf2703243842ed452900e4f3519116ea15435f579abc58dc8fe3e425d25a0d6b74ae3818cad271533cd5370ddc2ea25a74dc654d27e9a4bfe8cb

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\HTMLayout.dll

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\Instup.dll

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\asw65771bdaa19d8564.tmp

Filesize
19KB

MD5
73afb835ea55062e29a3c6bddd03cd4b

SHA1
67c0e0aeeb7e50b0f6a6798d4bc6bee83399f37c

SHA256
35138dceb7dedfa49a6b5e35cd6a2ba0d11679eb0e90aad64cf91fc5280d6299

SHA512
60e091b0ef23d9c64131c8ecd878c11af79d7cf5e373e39a3fa67c4ae23d3fe122961a9afc3036964b5c9105ac367715cdf2769b561b3e1ced3669d97cd0d467

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\aswOfferTool.exe

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\instup.dll

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\New_170317aa\instup.exe

Filesize
4.4MB

MD5
2867ea130a8933ce025c293d20481e91

SHA1
c47a8c65855835419fd82995a8aacaa06b11a7ac

SHA256
2b7ab04d1d325b83d225c2a5d2570020141640478b30b7367d9dbc3ddd9d5175

SHA512
1ef65447120ebf2703243842ed452900e4f3519116ea15435f579abc58dc8fe3e425d25a0d6b74ae3818cad271533cd5370ddc2ea25a74dc654d27e9a4bfe8cb

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\asw796d8a3b6bb5d734.ini

Filesize
744B

MD5
f591082d5a6f192c975bc1b6e58e7524

SHA1
8ed1a44074b7f03f77251f882d6ef99eb238314f

SHA256
89092a4a7c5c35fa871c8be34ae0d65710ed651e96f573b508a1a395cc3bbb45

SHA512
e6292a10c48ebc69f87a133c590c1a90221c36f7a350b1816da7c53f5d6d76be9d52d0e95a855b59cadd9e100c901a9c8c88d6c1b741b4a9d733cce8769de15f

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\asw796d8a3b6bb5d734.tmp

Filesize
27KB

MD5
769d5b33022d1c18169cd559b141405c

SHA1
e8ce47f5e969dbde4205665dc134f8028f293816

SHA256
0482bab99470adf319b18a925eb824220820eaad515662cc9fb20a31cb3e14bb

SHA512
861e88ddfefdae6717be022652dbdc85f35a7239eb2a314f10bbf530c0341b68ae682500af68b9a56a99da9e721175992ab62a6c6a767e4964fc863b49006fc1

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\asw798e7b69a8afd460.ini

Filesize
1KB

MD5
67043485523e507249aae9a18a846508

SHA1
f000c6c79bbf976fd488a5f47210e1dd0cf3ee7d

SHA256
58ddeec9f7107d6d3df33085e509a7994b7ae281add3b0a20c781b6b83fd0da1

SHA512
cc0c33a3f379b1c88ed3d26f52194bf1fdc36b5fd3aedabac2e1b2dd68e9c629e8dbf7f403e9456949c099e789a740cc37dc4638dca24dfac2bec767e3415fc4

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\asw798e7b69a8afd460.tmp

Filesize
30KB

MD5
ceeef8fa0626080dc429f8ba0e4a77cc

SHA1
e71f157488bed181bf3810faa9a3accaa8767a94

SHA256
c2c39f0dbafc68ba376a236c5fc37976e9a676fdfabcaec4a924fc2ba5dbbfe9

SHA512
94cd98da19d06c7c88cc8f661660418d16efcdb3da50f46c344639c1ac1553e2f301ad181b103bf1aae96862fc40f1276f2e772599f3b38e767d042247a7a6a1

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\avbugreport_x64_ais-a03.vpx

Filesize
4.8MB

MD5
3682ad9cae7b8baef837c05660beffd7

SHA1
07b0b1a97582094e497f35cc90b1146bde3ab69f

SHA256
ff930f3dc1f1e896bfe4780ba750c9b66cb8480d9a7b61760a8970877f87e31f

SHA512
f81355a6ef5053649468ba30564b9a3990e92fb8dce3b3fdb5cddcc5fd81e630fca3878f555793350c196d6419039203e3b1abbb5f29754d32e0c1411bdeefb8

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\avdump_x64_ais-a03.vpx

Filesize
1.0MB

MD5
b446d61c5aef2372c1519c62a9576b68

SHA1
0720f4c7401d7e84bf0f0d086466829158bc49df

SHA256
f12c90698d263eadf2708a6bfbef03c4b6f008aad674b0cd871b20de3421c2a8

SHA512
f356d106c3fe5e3eff216dc54294de035cdb6ca6ce45ef05ca72cc6cfcac1c9907ff84a75ba7b86008c3fecc878603aef62c6b644ac28589d3d73ea4bb094469

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\config.def

Filesize
26KB

MD5
3b865e130895b68f29e06d8c873ebcbf

SHA1
36b60f66e726433a7c3baacba7a7833b7ac44278

SHA256
ec2220bb2b23dd2e98afff05db85637827fb07e85c0617beac88ee26d024c363

SHA512
9d10b5f3c0c1ed21087a53230ce279fb3b115193b9674a46c5694dc44cd2ad5ca4c6ff4bf0b9fe0d11ce48a48b5c9d8b0f4059c8789103cc8943c28c374b4645

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\config.ini

Filesize
744B

MD5
f591082d5a6f192c975bc1b6e58e7524

SHA1
8ed1a44074b7f03f77251f882d6ef99eb238314f

SHA256
89092a4a7c5c35fa871c8be34ae0d65710ed651e96f573b508a1a395cc3bbb45

SHA512
e6292a10c48ebc69f87a133c590c1a90221c36f7a350b1816da7c53f5d6d76be9d52d0e95a855b59cadd9e100c901a9c8c88d6c1b741b4a9d733cce8769de15f

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\instcont_x64_ais-a03.vpx

Filesize
4.4MB

MD5
2867ea130a8933ce025c293d20481e91

SHA1
c47a8c65855835419fd82995a8aacaa06b11a7ac

SHA256
2b7ab04d1d325b83d225c2a5d2570020141640478b30b7367d9dbc3ddd9d5175

SHA512
1ef65447120ebf2703243842ed452900e4f3519116ea15435f579abc58dc8fe3e425d25a0d6b74ae3818cad271533cd5370ddc2ea25a74dc654d27e9a4bfe8cb

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\instcont_x64_ais-a03.vpx

Filesize
4.4MB

MD5
2867ea130a8933ce025c293d20481e91

SHA1
c47a8c65855835419fd82995a8aacaa06b11a7ac

SHA256
2b7ab04d1d325b83d225c2a5d2570020141640478b30b7367d9dbc3ddd9d5175

SHA512
1ef65447120ebf2703243842ed452900e4f3519116ea15435f579abc58dc8fe3e425d25a0d6b74ae3818cad271533cd5370ddc2ea25a74dc654d27e9a4bfe8cb

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\instup_x64_ais-a03.vpx

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\instup_x64_ais-a03.vpx

Filesize
21.3MB

MD5
0c850f388279bc3da2032ed646cf605d

SHA1
f5a8e0c6ad149b1628840ea31ede32479f419cad

SHA256
9020c157c8e1dceb33de63536236831c4e4b7ac208104b349ad1589d5e35b194

SHA512
99fb95014bb393eb0624d1b632199b2aedb10a3c89a243dd02934133b02d6a03d0e697e20b28cbc393161bc1df9ae5337bdb6a55a2d12660bba46bc0bc7cb3d0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\offertool_x64_ais-a03.vpx

Filesize
1.5MB

MD5
d95cee795cb83c1ab7e89a1f75461a47

SHA1
c0ae1a348469e81aea634b42f962202e46a580a6

SHA256
1d1aea8fc8364e78de9cc33b5d4fbc0dffcaae816fb52a0a6022341ecedf1ebd

SHA512
82658cc5304769279373f1acd863d87bf0796c9f34120d358658a60042780f4d58d8b02a63d9243f0a48a69bbe30cfbd5e46bcd9ff66856d6efa1a0a30918108

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\part-jrog2-ae.vpx

Filesize
211B

MD5
7a4052f3778efb3ee04a3e0543be2f41

SHA1
c1b65eb9a4e5a043dc867d0df5bab9512aac29ce

SHA256
07bc8a5181a40239cca18ebe970b3122789da48eb7638fdd8e8204d1de02a714

SHA512
8c5b2b37cb218048537e8c5cd83f253738409d735ea118b2596d0515443549823ad1bb0d631c72e4a31f901e4f3ba16a435b9360b32973afd03c62d07255536d

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\part-prg_ais-170317aa.vpx

Filesize
73KB

MD5
332dfee9bb11bfc81862d6e4c3d4b3c4

SHA1
52b81242a52503b49240c21ecddfa302d8c23c4c

SHA256
34402b3de572c43aeee22948b565e519435ceeb134aeb2503055662be68f294c

SHA512
4e827970f8b32204aada61862fa62782eff62b46eb442edbabfc5bb0e5df183ae7be1b01baf7e6f4e86fef33c7d5ec96069046f60c0a3e9822310e672ce586a2

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\part-setup_ais-170317aa.vpx

Filesize
4KB

MD5
c5e5d2ffc13939196ccb76699fdd8437

SHA1
cbbe6f509574cc41395ce91d6e3bc494a4a08e59

SHA256
778206d3ec04e09a013987ac4f78535cf916863a80021b03cc06c8bb215ffd89

SHA512
20b104e5b292ee4c06616e02acec3ef8f2c877536b6e26a44a04c2b28a24eec07cc7539f6707639765ac0ce9e82df077a3e9d92383540a93bcc7175735a6d021

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\part-vps_windows-23041999.vpx

Filesize
7KB

MD5
08824572c43bd0959bc556f15bf45091

SHA1
ad6687302db7508148074bb6f2aa0bd816a86670

SHA256
0b790aa1f700e344bd4bd4a298da368124bf453db202599f572d04a0b87032ff

SHA512
9b2c99c6ca421fd7d44454be9fb96a2b9ac1dd7cc2bfd41fd869a4adf3e60122592a1b89aeb70f8855a29efa63b1dd06200114e6bb0a3884413ae3de6ce83ac0

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\prod-pgm.vpx

Filesize
573B

MD5
ed1797a76007b34e279d19348d39be79

SHA1
2acd7eb0ce19badd414e11dbc66b796ac4967916

SHA256
a21a9b4f058237a9ecda21007fd353dfe0bf2551e378f48c066038d642dd0aaa

SHA512
5725346eb9b455789463a3b58d81d9f6555d7f813d6e3492ec79a0dd564cb5a1459843f86048f9096c97c7c143687640d692da1cb8bdc339e3f0d6a9d47a3d3d

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\prod-vps.vpx

Filesize
342B

MD5
6faf4094f768d1a56228db0339ab1507

SHA1
b7ba7d8f8bfd4236ebd20fb7ff5b8f8c9db26e9a

SHA256
7bd97ae3a3e1c93b3a456b3963a6e07020c60a189dae878a16551917d4850c23

SHA512
caf0c8c4d373cfa60fabc1a40164c10911eb38cad6f830b0ee8da8f8a013662e07c8f2c699ad1f5593576ac78e8f5f716969278dd0f773f5b570f88c7f412635

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\prod-vps.vpx

Filesize
341B

MD5
c627f19e10d1b080d5884c3eac42d8a7

SHA1
6b12baf2650af45a5262d35b625e97f73a5f36be

SHA256
905b72d1d81091350b54f808d228e1387c19bdde47322ead7e28c232bf81f897

SHA512
bdd50fe8368bc3002d3c35f7d17741c37f5752d2167cc717be542b601a66e40b04ee6e0deb8e8cf2cbc156fe190e21122e4131bda19370d0dd79f199a96ab7de

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\servers.def

Filesize
29KB

MD5
f322c05d176f1f422687c46b3a155217

SHA1
3c94ba83f57bfd44133e057c808fb759927e9228

SHA256
0c4cec7d059871bee779af5dd1b80dff8370c6732228e7caf9215e2f593d5748

SHA512
d3a5930ae072403128dbd0dabe0d41fa6f9e6ea3d7ca70fcc988e3aa165fba428f747607baa30c19f122775e2cb39c5b50ebdefa91145091252ccd11ac365a42

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\servers.def

Filesize
29KB

MD5
f322c05d176f1f422687c46b3a155217

SHA1
3c94ba83f57bfd44133e057c808fb759927e9228

SHA256
0c4cec7d059871bee779af5dd1b80dff8370c6732228e7caf9215e2f593d5748

SHA512
d3a5930ae072403128dbd0dabe0d41fa6f9e6ea3d7ca70fcc988e3aa165fba428f747607baa30c19f122775e2cb39c5b50ebdefa91145091252ccd11ac365a42

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\servers.def.lkg

Filesize
29KB

MD5
f322c05d176f1f422687c46b3a155217

SHA1
3c94ba83f57bfd44133e057c808fb759927e9228

SHA256
0c4cec7d059871bee779af5dd1b80dff8370c6732228e7caf9215e2f593d5748

SHA512
d3a5930ae072403128dbd0dabe0d41fa6f9e6ea3d7ca70fcc988e3aa165fba428f747607baa30c19f122775e2cb39c5b50ebdefa91145091252ccd11ac365a42

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\servers.def.vpx

Filesize
2KB

MD5
eace36f864ae1892942fedc1a6c63c97

SHA1
c8cf45ee1d89c55c7aea490b83106d7fea54731b

SHA256
d10b59b09cdc3941055ba705ef540f4a767367edda21f267fd3cc5049925f17f

SHA512
fa1c66e87f2d1b040016787bf1acf8d7b11c60943c5e4ea18df99ca7fa494b6a69430e11d7c9f6c4e0a2aa3ed34c6c304e49b85e70ef0d38258edb6c518ad1cf

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\setgui_x64_ais-a03.vpx

Filesize
4.0MB

MD5
e441fc6eaa2dfdd45e1aefbe7a704ebb

SHA1
79940b74a36090d29145a50ef55424210b83dffd

SHA256
0fcc95a4d46e375dbf2ec30130e054c2b601be16d5c87f3ea59fafd21d8d9ed5

SHA512
3ff5312204e1c36b2fb5739f4527dbdc4faa88bf127ca5ae64b8a45d7c4ed751e91b8b39207d7955153a0c0f299e4fb36ce080d097e0f6664374201f6e3fdb97

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\setup.def

Filesize
38KB

MD5
237b3a98decb46e71b6e5853d7f870d1

SHA1
2dcc67e442122e7d6833c686a9a30546f94ff050

SHA256
16e3d8e79367396f34a53d34cebf491c46dcc63a6426ebe101c6dce168ae144a

SHA512
89fd8028608ddc50f59790247cd82957109e38350dc5bd32c6b451e0ebf59e6870e5ee8ed766d2a7eb763bfba6d17988b6518e14e347c18be713fd0a581cb962

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\uat64.dll

Filesize
29KB

MD5
34c30295f51e0474f13018e1a1896ee4

SHA1
2d58fa2033351fafc85b11772fb5220979bd8b8b

SHA256
f6a1c83b11580dcf5117ac82b5a4f896728848d48ce384d2e157cfd0c6e2536b

SHA512
c315dd83712534ce84fa66512fe23ea8828429c5d544f827281b9ac65f6bc56185df8b6c6520be0ce05affbeeff1f0bb64ce318c7f84d5f302560319482e4429

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\uat64.dll

Filesize
29KB

MD5
34c30295f51e0474f13018e1a1896ee4

SHA1
2d58fa2033351fafc85b11772fb5220979bd8b8b

SHA256
f6a1c83b11580dcf5117ac82b5a4f896728848d48ce384d2e157cfd0c6e2536b

SHA512
c315dd83712534ce84fa66512fe23ea8828429c5d544f827281b9ac65f6bc56185df8b6c6520be0ce05affbeeff1f0bb64ce318c7f84d5f302560319482e4429

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\uat64.dll

Filesize
29KB

MD5
34c30295f51e0474f13018e1a1896ee4

SHA1
2d58fa2033351fafc85b11772fb5220979bd8b8b

SHA256
f6a1c83b11580dcf5117ac82b5a4f896728848d48ce384d2e157cfd0c6e2536b

SHA512
c315dd83712534ce84fa66512fe23ea8828429c5d544f827281b9ac65f6bc56185df8b6c6520be0ce05affbeeff1f0bb64ce318c7f84d5f302560319482e4429

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\uat64.dll

Filesize
29KB

MD5
34c30295f51e0474f13018e1a1896ee4

SHA1
2d58fa2033351fafc85b11772fb5220979bd8b8b

SHA256
f6a1c83b11580dcf5117ac82b5a4f896728848d48ce384d2e157cfd0c6e2536b

SHA512
c315dd83712534ce84fa66512fe23ea8828429c5d544f827281b9ac65f6bc56185df8b6c6520be0ce05affbeeff1f0bb64ce318c7f84d5f302560319482e4429

Download Submit
C:\Windows\Temp\asw.aa40d4087078208f\uat64.vpx

Filesize
16KB

MD5
f0f4216820077f141b93e00ae89cf250

SHA1
b87d7866013ba646b520d52d3fbf58dd6a0c0dc2

SHA256
40d9dedffc307b2e6c3012a41767efbfa490cfc61a4e805a6e176fc23d52ec6c

SHA512
3a65fdccc9e903bf959138fbb9c77316dfdcd5d67e4af3db1b1efb7970ac2721f87d844c006bb2a2c1e897beb81deef345436f6609493ee2eac82fabab68a71e

Download Submit
C:\Windows\Temp\asw.ee0642573309b554\avast_free_antivirus_setup_online_x64.exe

Filesize
10.0MB

MD5
8cb214bdae852c44ec3ce2a61814d0f6

SHA1
24c4744fd23a3d63deb2e2940aad1d1f54c4cccb

SHA256
ed40295ca6a410cb9b3740271629ecaaa91b121db0f8eeeb76c1b32c30e774ae

SHA512
968ef5fb0a4230a21e1ff303bebb0edf9560ed145c278d4959c584ee685bc8f1396b2edcf46e81f66808c64b1c4e38d80f359afe486fc4c8415926b4a5a7b5a9

Download Submit
C:\Windows\Temp\asw.ee0642573309b554\avast_free_antivirus_setup_online_x64.exe

Filesize
10.0MB

MD5
8cb214bdae852c44ec3ce2a61814d0f6

SHA1
24c4744fd23a3d63deb2e2940aad1d1f54c4cccb

SHA256
ed40295ca6a410cb9b3740271629ecaaa91b121db0f8eeeb76c1b32c30e774ae

SHA512
968ef5fb0a4230a21e1ff303bebb0edf9560ed145c278d4959c584ee685bc8f1396b2edcf46e81f66808c64b1c4e38d80f359afe486fc4c8415926b4a5a7b5a9

Download Submit
C:\Windows\Temp\asw.ee0642573309b554\avast_free_antivirus_setup_online_x64.exe

Filesize
10.0MB

MD5
8cb214bdae852c44ec3ce2a61814d0f6

SHA1
24c4744fd23a3d63deb2e2940aad1d1f54c4cccb

SHA256
ed40295ca6a410cb9b3740271629ecaaa91b121db0f8eeeb76c1b32c30e774ae

SHA512
968ef5fb0a4230a21e1ff303bebb0edf9560ed145c278d4959c584ee685bc8f1396b2edcf46e81f66808c64b1c4e38d80f359afe486fc4c8415926b4a5a7b5a9

Download Submit
C:\Windows\Temp\asw.ee0642573309b554\ecoo.edat

Filesize
21B

MD5
58d47cfa451dfb6748be33a8f4069f49

SHA1
7ca703bc598c8ed5d98407833ecebe7d5efec80b

SHA256
8ebbec1ccab81b5ab09770e38ed72b0f830c5bbdabd1e68979c9dd79bb278883

SHA512
4f636e1664c3884f6406aede91d8c6e2a0cff876d1be45014307c8a247f267f8b8db8a67edf43ee989fd59e1a74ab047d96cbac308d57cb00576cf4af14d4afb

Download Submit
memory/4624-441-0x0000023E1CFA0000-0x0000023E1D39C000-memory.dmp

Filesize
4.0MB

Download
memory/4624-445-0x0000023E1CFA0000-0x0000023E1D39C000-memory.dmp

Filesize
4.0MB

Download