5505d7c13045d50f276c4327b5a4ad9f2fc2da549e7a29ef8647fd1914862099

Analysis

max time kernel
188s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avastfreeantivirussetuponline.exe
Size

257KB
MD5

03576fa5627a3a26e9fcecb9ec5e72fa
SHA1

0c3db7f3fb398eb874c7684ea40cd340222706b4
SHA256

5505d7c13045d50f276c4327b5a4ad9f2fc2da549e7a29ef8647fd1914862099
SHA512

e4bab4f9e983251419b379e74d599bdfa0cefb5f6daf94f4a4a423f66265aa41e375d227e48dee9d1a3ff67e6b601848b3468e62f6f66301bfff4670745029d1
SSDEEP

3072:P2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhBn+Ts:P0KgGwHqwOOELha+sm2D2+Uhnguy8d4

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks for any installed AV software in registry 1 TTPs 50 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avastfreeantivirussetuponline.exe

Executes dropped EXE 8 IoCs

pid	Process
1580	avast_free_antivirus_setup_online_x64.exe
4980	instup.exe
444	instup.exe
4568	aswOfferTool.exe
4584	aswOfferTool.exe
1460	aswOfferTool.exe
2684	aswOfferTool.exe
4196	aswOfferTool.exe

Loads dropped DLL 11 IoCs

pid	Process
2996	avastfreeantivirussetuponline.exe
4980	instup.exe
4980	instup.exe
4980	instup.exe
4980	instup.exe
444	instup.exe
444	instup.exe
444	instup.exe
444	instup.exe
1460	aswOfferTool.exe
4196	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a07.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a07.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a07.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-a07.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1580	avast_free_antivirus_setup_online_x64.exe
1580	avast_free_antivirus_setup_online_x64.exe
444	instup.exe
444	instup.exe
444	instup.exe
444	instup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 32	1580	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	4980	instup.exe
Token: 32	4980	instup.exe
Token: SeDebugPrivilege	444	instup.exe
Token: 32	444	instup.exe
Token: SeDebugPrivilege	2684	aswOfferTool.exe
Token: SeImpersonatePrivilege	2684	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4980	instup.exe
444	instup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1580	2996	avastfreeantivirussetuponline.exe	85
PID 2996 wrote to memory of 1580	2996	avastfreeantivirussetuponline.exe	85
PID 1580 wrote to memory of 4980	1580	avast_free_antivirus_setup_online_x64.exe	88
PID 1580 wrote to memory of 4980	1580	avast_free_antivirus_setup_online_x64.exe	88
PID 4980 wrote to memory of 444	4980	instup.exe	90
PID 4980 wrote to memory of 444	4980	instup.exe	90
PID 444 wrote to memory of 4568	444	instup.exe	91
PID 444 wrote to memory of 4568	444	instup.exe	91
PID 444 wrote to memory of 4568	444	instup.exe	91
PID 444 wrote to memory of 4584	444	instup.exe	92
PID 444 wrote to memory of 4584	444	instup.exe	92
PID 444 wrote to memory of 4584	444	instup.exe	92
PID 444 wrote to memory of 1460	444	instup.exe	93
PID 444 wrote to memory of 1460	444	instup.exe	93
PID 444 wrote to memory of 1460	444	instup.exe	93
PID 444 wrote to memory of 2684	444	instup.exe	94
PID 444 wrote to memory of 2684	444	instup.exe	94
PID 444 wrote to memory of 2684	444	instup.exe	94

C:\Users\Admin\AppData\Local\Temp\avastfreeantivirussetuponline.exe
"C:\Users\Admin\AppData\Local\Temp\avastfreeantivirussetuponline.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Temp\asw.d27c8a15df07931d\avast_free_antivirus_setup_online_x64.exe
  "C:\Windows\Temp\asw.d27c8a15df07931d\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:57bfa3ec-cc4e-49d3-a673-575bfb20244d /edat_dir:C:\Windows\Temp\asw.d27c8a15df07931d
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\Temp\asw.9c5de385fa548ec7\instup.exe
    "C:\Windows\Temp\asw.9c5de385fa548ec7\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.9c5de385fa548ec7 /edition:1 /prod:ais /guid:37e79291-ba33-4774-b130-68074f37fc16 /ga_clientid:57bfa3ec-cc4e-49d3-a673-575bfb20244d /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:57bfa3ec-cc4e-49d3-a673-575bfb20244d /edat_dir:C:\Windows\Temp\asw.d27c8a15df07931d
    3⤵
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\instup.exe
      "C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.9c5de385fa548ec7 /edition:1 /prod:ais /guid:37e79291-ba33-4774-b130-68074f37fc16 /ga_clientid:57bfa3ec-cc4e-49d3-a673-575bfb20244d /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.d27c8a15df07931d /online_installer
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        
        PID:4568
    - - C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        
        PID:4584
    - - C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1460
    - - C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
3KB

MD5
e671b8c17f28b8dd90e9411597554968

SHA1
e2369655648539d9322fd778f6389b3c38f9b305

SHA256
00c4d3b4a7000a2a6fab6bbe93b762a4e85fa221f0a1730747e2b99ce0c41dd7

SHA512
50fba2bc18d26bdbfdc15ad1ac8e38517c99a910753a1a9f87a3b070a52b3a717abaf0e7db909c03362c4cf67631403b110e51817670bbc47d324bce4cf60a91

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
24KB

MD5
50461ebb2cfe766c0a84291bdf7f9a4f

SHA1
d27380598e86579322723b2779c5b37c43d6b1ff

SHA256
57461aa6025c13e47658b7090b1751ffee4456d74b7fe0a0b3e69ce8161ed11a

SHA512
475122bac17f781ff01a6366bc2bad94a983cc214c041574557a2876798bdc11c05db4c90a6ab66914cde63cfbf0757c0de7a230034484de543a700debb32e33

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
11f96767f3fca5747016848b1b1c373e

SHA1
70d8da27ad0c94c087f3f03dd912cf78b92671cd

SHA256
51746016091b6d0f9188ae4a5b1ff01f8a5b2975ef6882bd9830ae83fdd30693

SHA512
78cd925a5ba33608d5d51717b3c28bb5fb3c0bad68e452227e935e780d5549728f9f33cdfb84a768f3fd971501ba05de6f6270c11901ecdb9368117c4aec1479

Download Submit
C:\Users\Public\Documents\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Users\Public\Documents\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Users\Public\Documents\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\Instup.dll

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\Instup.dll

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\Instup.exe

Filesize
4.4MB

MD5
d1e2a16d1161176ee2b67ef67462b558

SHA1
cdeeab4c6b7a1a2af075c0e1ce68c695a68e3366

SHA256
2fc1e5dd27bf42851fdc85010af05f437a0b92b1c8807aa1f528e90d641b7892

SHA512
7b566b0cadbdc41ec359b35dcbc79e0a5094140aca7e135826a69612225d4250cf5c3d0a227db646c9588ab33fbdcb8670daaa03b1bc999381d0724f6b16e1f1

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\HTMLayout.dll

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\Instup.dll

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\asw5a7ab3d67ec85395.tmp

Filesize
19KB

MD5
66942b6f64f0400e100a254a523c2805

SHA1
bd116c8055b4b872323ff53b9e88407fcdbca38e

SHA256
29dcbe6989b8c5fe0c70488206eb3ca6aea0d9853135bb893790c18681e34f40

SHA512
9bb1e3003e7d804a87b8ec6d5773fc1e4724e924259baba8d7e7623ee8ba60b0e291d469258f085a5e87b07deec46cc5ff6511f777fbb3a4c5e585214134743e

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\aswOfferTool.exe

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\instup.dll

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\New_170417ae\instup.exe

Filesize
4.4MB

MD5
d1e2a16d1161176ee2b67ef67462b558

SHA1
cdeeab4c6b7a1a2af075c0e1ce68c695a68e3366

SHA256
2fc1e5dd27bf42851fdc85010af05f437a0b92b1c8807aa1f528e90d641b7892

SHA512
7b566b0cadbdc41ec359b35dcbc79e0a5094140aca7e135826a69612225d4250cf5c3d0a227db646c9588ab33fbdcb8670daaa03b1bc999381d0724f6b16e1f1

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\asw8a1019002ccd2353.ini

Filesize
769B

MD5
f7943858dd3a39185d7e85853b19e301

SHA1
0140b25b5afaac582020b9a2adf85d42c3d1b34e

SHA256
507494028b9cdbc37add9dc21f81fe09ffd13ad4f3d46019034a0feb22675bfd

SHA512
2d618d98129be645322c311a3c2f271af6b8efa48f2fe3ea40c2b69203a0dbb875f1400ac83f4c0d598c1a90901c7b71423abc9f185c159af927e960d9937c41

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\asw8a1019002ccd2353.tmp

Filesize
27KB

MD5
8e887a123e50c54e33b4cdd9d7fee4e8

SHA1
648efc61c4b85dfd63596f58e18a2a9d460a4d3d

SHA256
d7e5c2d0307ed4c569c8e9b196c8aa4f7fb0c7f597372a354d87049af01b5e4e

SHA512
255dce4c9fcab8ed8741aa522d59bca14cfcfc1b2235e9a6a77b7efd77ef8bb3dd3b11dcfb5d499c353f4cc28fa696efe727454a2cb499fa03779eaba21dadea

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\aswd77ce75b0e5a906e.ini

Filesize
1KB

MD5
a961d0d08b32302c21f7179142893a3b

SHA1
f6ec7aaecb9cb9d554a8c9bf5e9763f4b5c20d4f

SHA256
1045e72b4ddfabfd728350c0d44964277c00f75b802a0676f0c1dc399a29506d

SHA512
9a7ef4822f2a02dc27057c63bca841c78dc3ce22098f6c621e32c3e0cde130ee92eb7b92183b4c243ee99b14186a260d44f21ea93529da64d2d197059e8a39d3

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\aswd77ce75b0e5a906e.tmp

Filesize
30KB

MD5
48c69c170a35e59edefe2730d0db73b7

SHA1
43db9ef32e54fe533c75629dbfb2497a5092a43b

SHA256
9a855ddf2ee988b603e02fe5b064ef1790725e79c5f34623f9ca185edc98e59b

SHA512
a20bc46d1075eec8bdc7fd6b3c1572559814fd94f06e3e40076e493b36a5221abd34040b3e719bc3ce271d95e6b710d0ab2c82326a1af38b755e418c14924596

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\avbugreport_x64_ais-a07.vpx

Filesize
5.3MB

MD5
348dab6c7e3f81c0fd1ee3121343fd46

SHA1
1d47202c4a316c302229e47acc5664c769626857

SHA256
a4b727710e17bfa40d40e82a27d10f0ebd197ed9301719e43aa9103f4d388590

SHA512
bb28714c6f8bf51eefa747786e9c39bb467330acd2ca3a6d5855b786453af5f7f039eee3957eb79b0ea179791f3e78218ff7b2da392fb91e5c64534879766029

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\avdump_x64_ais-a07.vpx

Filesize
1.0MB

MD5
030b6b9f65117fd0621d9e99aa57b426

SHA1
12e7b7d18a527af048b039582aaa3469c9efbfde

SHA256
90920c1dd5d625d07c8ccafa51889e45216b6763f934c65105ff46932cfd841d

SHA512
8e0e35dd4bf6236d26afb2daaa7752b2b13b8bfa37a24a79bb490a5be7f71e0f894f583c16af145120d1a34e44543cfb64fd80f06efcc983fcb27c15491c8394

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\config.def

Filesize
27KB

MD5
8cb90ffe8b9453bc1538e56936b2116a

SHA1
0111c9f3a0746d964b6ccf17a74ec42ceafe0150

SHA256
12a4d2e500accc29e4d6a0ef9de696c9c744e05304e709eb64b0962dc2269cc9

SHA512
ae5b470dfe4f1e95e023a16764bf743c440096f882191a9b3bb713df362a8077dbb0a150c3627a7be28162c0e579e05b99fa1b65a3fb0e5b52f3af9a5ebe6005

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\config.ini

Filesize
769B

MD5
f7943858dd3a39185d7e85853b19e301

SHA1
0140b25b5afaac582020b9a2adf85d42c3d1b34e

SHA256
507494028b9cdbc37add9dc21f81fe09ffd13ad4f3d46019034a0feb22675bfd

SHA512
2d618d98129be645322c311a3c2f271af6b8efa48f2fe3ea40c2b69203a0dbb875f1400ac83f4c0d598c1a90901c7b71423abc9f185c159af927e960d9937c41

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\instcont_x64_ais-a07.vpx

Filesize
4.4MB

MD5
d1e2a16d1161176ee2b67ef67462b558

SHA1
cdeeab4c6b7a1a2af075c0e1ce68c695a68e3366

SHA256
2fc1e5dd27bf42851fdc85010af05f437a0b92b1c8807aa1f528e90d641b7892

SHA512
7b566b0cadbdc41ec359b35dcbc79e0a5094140aca7e135826a69612225d4250cf5c3d0a227db646c9588ab33fbdcb8670daaa03b1bc999381d0724f6b16e1f1

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\instcont_x64_ais-a07.vpx

Filesize
4.4MB

MD5
d1e2a16d1161176ee2b67ef67462b558

SHA1
cdeeab4c6b7a1a2af075c0e1ce68c695a68e3366

SHA256
2fc1e5dd27bf42851fdc85010af05f437a0b92b1c8807aa1f528e90d641b7892

SHA512
7b566b0cadbdc41ec359b35dcbc79e0a5094140aca7e135826a69612225d4250cf5c3d0a227db646c9588ab33fbdcb8670daaa03b1bc999381d0724f6b16e1f1

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\instup_x64_ais-a07.vpx

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\instup_x64_ais-a07.vpx

Filesize
21.6MB

MD5
c32911b6c295295297c1d49bc9548ee7

SHA1
dcdc19f76e1e2b5d8fb486cee426fcee091d984e

SHA256
b7ad515105afe45d2a03445dc0be761ae9e70153b6fb758f547c7356bdf6a43b

SHA512
1a5bd873252bac22670252eb54327ea1f8edfab90d5aa03b082af07e33722928b38f190a9ad9bb97ba08f0363af7682f781161a3aaeb85714a07b7490efc14e9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\offertool_x64_ais-a07.vpx

Filesize
1.5MB

MD5
d62cc5ae0a8b63554c19237b8663e124

SHA1
1b4959fc39a8994d514c467e2cfee958da90945f

SHA256
8b06aa98d9176fcec8ea2d3276b9ed6dc81d06ed76aacff25bb4999808447b4e

SHA512
a81a5d6d1a05bb1fcdcda9767a39465347c1f686e6da8b519af68432684e254f91f8069940084e730d29de0cb4c021fc31619c0640aa32dbce9d57464a45ff46

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\part-jrog2-cc.vpx

Filesize
211B

MD5
355a6ab4f57d0e8ddef0c1139665b222

SHA1
2b6ab717d7bb0e170fc39a224cf17f3889964a0c

SHA256
0d8df16e280d32f2c921c980cbe310b71904b88646dd0a7847f0c1741f00fd66

SHA512
6e66af28b6db555720ac50ec8d5a45abc6abebf59d863add6e2a08f541f7817ec3c0442b73bfa50cf08b3a4f0366f83898f867a49d1b8a01a4c5a7e38aa4e8a6

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\part-prg_ais-170417ae.vpx

Filesize
73KB

MD5
ef8596b726a89950a0bceeda4ef22770

SHA1
201caa3287087389f41b5bbbddaf76d957f71016

SHA256
3a9e0b81bf558938ad9e1bda905a38da85e3f831cf29a8b8205552cf9650f20c

SHA512
34f76dc886639f91a05724ba14fb17cfd0f2f51b7015746849d6ebb453475cb41e88f64426d21685e29c4a2f6543f4b5f25c8c381246ad7fdd9dfdab3bfe52d9

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\part-setup_ais-170417ae.vpx

Filesize
4KB

MD5
9b535eecfb9194a6c921b9923bb82bec

SHA1
a15f18401b8ca047bb2f1cc12944b55dc5430dbc

SHA256
40051f8828525659249af06d8b7a5cc248226b97b2d93f259227f59eefb2f6a7

SHA512
f1178de572d07bf2e6735407393e32b82a8ddc10cb8bf971f89a8a0d219551f11fc80ea770b49f6ca847a3707bd3bdf001d07fb4daf6827dd70ad627775cdca5

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\part-vps_windows-23051099.vpx

Filesize
7KB

MD5
b801cef80e42d7674514c94f98b76be8

SHA1
d27d768ef9a6a9993595f1b8c5fc6bf8709032a4

SHA256
ca07d6dcfd0429319bc1307b4f9ff7091e247f12632f60b00388cae6728d64da

SHA512
1b90fb5c29e825694fb3e7c8c964efb4b13eb875c6a0a3322b6333bcd0dda144533eeae023b36ac99a40f9b20ea2d4f31c368f4f2b1d1d7653258bd34e150d54

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\prod-pgm.vpx

Filesize
573B

MD5
a4d5b608fcef702d8f65fb951cfc8a38

SHA1
52d2dca6e46402f768f83c2f1c14b8a14723ef44

SHA256
62310b594e9413606ad0ddf9ca84bc07e4b6f941b3f0922b80bfbccad39a4405

SHA512
00a65aec9fd18e974776476b8d810c0432674fd0b9ad1286dc3fc770158de0003b74e839f649766012b5881ca9dc75dce3db7f554ce544b6c092af155a0f6432

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\prod-vps.vpx

Filesize
342B

MD5
5bc2c0309aa0b452308a617857a22805

SHA1
d9eb4bff5b16f7d894b0324cdce8eef4b8bc8004

SHA256
e663c82b441f0498dc9438ff891ed26765ffd6c46e526f00ead8d925b89f71c0

SHA512
74aed952e68d3a15e9985f87e7385b43d028acfb58415babe24add0f6f2e9b4655c9ba39c3ddd5bb1ca56dbd0fb30145d0cbbeb84645c177f3d4e5b209610b6c

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\prod-vps.vpx

Filesize
339B

MD5
02207523135de18302395766f010b9fd

SHA1
a606c15ab84b58b95c5df59f3fff35db3ece9397

SHA256
6f139932639d0c67e0e2c4b7a1c6d92bab651e9fdb88cc0179f2fa4063e2a108

SHA512
9f0a4f83bd8e6ecc404f9a61f073f0372de02fbd771dd5e57ff27524dfc75f8772e33e66b5c3ef3fc29e962d3454d57b5aef8b7783fdb996e3f2b5c761a64e2c

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\servers.def

Filesize
29KB

MD5
a59d5fa2d4e416651a3da8f0434c8eb3

SHA1
d731446639ce3d73638580ecd34583ad07faf192

SHA256
a16c7c0c3fbb0926288b717f5dd80c8b6d4d8635440ea1c966159cd20c34daaf

SHA512
9a935c1bb13285ac2fbdda088cb20caccdecc2877829b56aaa3d2b18e3bd428278d4e5e8da1d4a83edfb1f6f7d521917408dca48821aa6b51a53ee73aa53b97d

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\servers.def

Filesize
29KB

MD5
a59d5fa2d4e416651a3da8f0434c8eb3

SHA1
d731446639ce3d73638580ecd34583ad07faf192

SHA256
a16c7c0c3fbb0926288b717f5dd80c8b6d4d8635440ea1c966159cd20c34daaf

SHA512
9a935c1bb13285ac2fbdda088cb20caccdecc2877829b56aaa3d2b18e3bd428278d4e5e8da1d4a83edfb1f6f7d521917408dca48821aa6b51a53ee73aa53b97d

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\servers.def.lkg

Filesize
29KB

MD5
a59d5fa2d4e416651a3da8f0434c8eb3

SHA1
d731446639ce3d73638580ecd34583ad07faf192

SHA256
a16c7c0c3fbb0926288b717f5dd80c8b6d4d8635440ea1c966159cd20c34daaf

SHA512
9a935c1bb13285ac2fbdda088cb20caccdecc2877829b56aaa3d2b18e3bd428278d4e5e8da1d4a83edfb1f6f7d521917408dca48821aa6b51a53ee73aa53b97d

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\servers.def.vpx

Filesize
2KB

MD5
2e586d09c2a4aa8391f437b1b4f30adf

SHA1
f134c24750708eb0edf83ae3d08803b97434a853

SHA256
f17775f5e4a64d7e078f2a036783090b606b119a095b92bc398f4ba86dd862d9

SHA512
95ad5d26b862f7ebc8a52e0ed35aa6e8585414573ff63c45857bd7599053b3f26a8d380d7fa0da8aab0e399bb997de35570a77a83d42a0eadc18ca6d84c32707

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\setgui_x64_ais-a07.vpx

Filesize
4.0MB

MD5
1aeddb8555da1d6fe9edce95646214d8

SHA1
f229f179b62eb8ed8c5b59cd64d04dd388da0b37

SHA256
57790abe3575428c1ad8cfedbabaee633d25a7efda77d686f4217b427da114a8

SHA512
15b39eb9c35e5f1fe059744c5b4e7c3b90a68328a5b791bc70f5bcf5d4343e1cbf60ba90616d3d0f15ffc4ce464ebb06a1634f5851f927cbc4272b2894d67b74

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\setup.def

Filesize
38KB

MD5
7b461d2a1ebcc5903d404933fe484cbc

SHA1
6521b6360d1922a0c352aa837fe1d995e6832837

SHA256
358d1188098b117695eccbce3e342233c17f672694fa0b83c04b97bf2719ae9e

SHA512
2d659d725e7b694730779362d81e9e6daf4677d8a7665c5e999140c554929be4bbc2923294c558ef3996b690a278e70bca56d697ec0edb871cd0e9aec63d6bf2

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\uat64.dll

Filesize
29KB

MD5
238e6c8a03aea9c3034b912a394997d1

SHA1
0f54a35d58dbd513e64e22584d0aa26e1d0c66a2

SHA256
e5ff5180496093cc89eb95127e6568a4cb38692feff36b2291d3fb5bfa557372

SHA512
9ab9129b8a213c443b117e186dd6f476d5dec1d1417df1e9f403d09be7e9079115f1ec6fb348044d65a963ba28ef30f33e5d28c77ac2de6bbc8bfe0fcf8b9ebf

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\uat64.dll

Filesize
29KB

MD5
238e6c8a03aea9c3034b912a394997d1

SHA1
0f54a35d58dbd513e64e22584d0aa26e1d0c66a2

SHA256
e5ff5180496093cc89eb95127e6568a4cb38692feff36b2291d3fb5bfa557372

SHA512
9ab9129b8a213c443b117e186dd6f476d5dec1d1417df1e9f403d09be7e9079115f1ec6fb348044d65a963ba28ef30f33e5d28c77ac2de6bbc8bfe0fcf8b9ebf

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\uat64.dll

Filesize
29KB

MD5
238e6c8a03aea9c3034b912a394997d1

SHA1
0f54a35d58dbd513e64e22584d0aa26e1d0c66a2

SHA256
e5ff5180496093cc89eb95127e6568a4cb38692feff36b2291d3fb5bfa557372

SHA512
9ab9129b8a213c443b117e186dd6f476d5dec1d1417df1e9f403d09be7e9079115f1ec6fb348044d65a963ba28ef30f33e5d28c77ac2de6bbc8bfe0fcf8b9ebf

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\uat64.dll

Filesize
29KB

MD5
238e6c8a03aea9c3034b912a394997d1

SHA1
0f54a35d58dbd513e64e22584d0aa26e1d0c66a2

SHA256
e5ff5180496093cc89eb95127e6568a4cb38692feff36b2291d3fb5bfa557372

SHA512
9ab9129b8a213c443b117e186dd6f476d5dec1d1417df1e9f403d09be7e9079115f1ec6fb348044d65a963ba28ef30f33e5d28c77ac2de6bbc8bfe0fcf8b9ebf

Download Submit
C:\Windows\Temp\asw.9c5de385fa548ec7\uat64.vpx

Filesize
16KB

MD5
464d3da19ec42eec0fbee1f03d61cd8a

SHA1
2eade4513b578c69065500e81023e8cc0224cb57

SHA256
1171eddcdb192bdb5b75aba9020d087e0f598b990808c3b9805f0e5ecb3d3c75

SHA512
62573a840b728e3d634d958d4085d85f597342067921005c3a478023707765bc7b280870778c7577e3d47ebd935020cfc1086420213dc89f8970518539eed322

Download Submit
C:\Windows\Temp\asw.d27c8a15df07931d\avast_free_antivirus_setup_online_x64.exe

Filesize
10.1MB

MD5
64063ee51c2f28dc60346d91e232569c

SHA1
2d4aae36a064a04775208798d94394577f712cc7

SHA256
1df04efbc5afe8ad8795c52e8b275e5cf2d698efcee653a4f8dadb3e63391d4b

SHA512
8b568d181f74c1f98ba4a7951b2a8b56064ef54a9af1590f9282b3e4a0d3d5fb94af5f07a782c6df38290941661fa6b77efc637923d597eae854b976a915eba6

Download Submit
C:\Windows\Temp\asw.d27c8a15df07931d\avast_free_antivirus_setup_online_x64.exe

Filesize
10.1MB

MD5
64063ee51c2f28dc60346d91e232569c

SHA1
2d4aae36a064a04775208798d94394577f712cc7

SHA256
1df04efbc5afe8ad8795c52e8b275e5cf2d698efcee653a4f8dadb3e63391d4b

SHA512
8b568d181f74c1f98ba4a7951b2a8b56064ef54a9af1590f9282b3e4a0d3d5fb94af5f07a782c6df38290941661fa6b77efc637923d597eae854b976a915eba6

Download Submit
C:\Windows\Temp\asw.d27c8a15df07931d\avast_free_antivirus_setup_online_x64.exe

Filesize
10.1MB

MD5
64063ee51c2f28dc60346d91e232569c

SHA1
2d4aae36a064a04775208798d94394577f712cc7

SHA256
1df04efbc5afe8ad8795c52e8b275e5cf2d698efcee653a4f8dadb3e63391d4b

SHA512
8b568d181f74c1f98ba4a7951b2a8b56064ef54a9af1590f9282b3e4a0d3d5fb94af5f07a782c6df38290941661fa6b77efc637923d597eae854b976a915eba6

Download Submit
C:\Windows\Temp\asw.d27c8a15df07931d\ecoo.edat

Filesize
40B

MD5
0c3fb92e76191db5caf5b0b3faa37ce5

SHA1
c3def7847d3ee4a5f6f6977d0b1b95aa2ef3ded9

SHA256
c0b918fff0c176e58cb694ad6b830eddb0f987f3558583fc339b49681d5d3b46

SHA512
0d5935e4883ed4ad612c130e5542ff45e81431c2a52dbdb2319469b84927963f1cb138c612ed73e584f2222c4e53a5fc0ec29da8d5cbcd261bbf789356ab0e66

Download Submit