fd56fd95fbe90583ebd8013480ffee6cf983807da2f74e855980c0ee5c2f94d8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avast_free_antivirus_setup_online.exe
Size

257KB
MD5

cbe3a73d6fb2aeedb7465f80d00bb35f
SHA1

00cd64e442d0cd90e0834c18ccfcb529b8044b89
SHA256

fd56fd95fbe90583ebd8013480ffee6cf983807da2f74e855980c0ee5c2f94d8
SHA512

ea9c8cab2e092c064e770715b463a14e725ec2f5db6814ffbee883278f03e719d13653cd01183b794863d935661d4ac7e39557ead3ee377ac8c6b97108ef9abc
SSDEEP

3072:Z2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhBn+Tn:Z0KgGwHqwOOELha+sm2D2+Uhnguy8

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

avast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Executes dropped EXE 11 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
3992	avast_free_antivirus_setup_online_x64.exe
5076	instup.exe
5044	instup.exe
4584	aswOfferTool.exe
3512	aswOfferTool.exe
3280	aswOfferTool.exe
1308	aswOfferTool.exe
3440	aswOfferTool.exe
4652	aswOfferTool.exe
444	aswOfferTool.exe
3020	aswOfferTool.exe

Loads dropped DLL 13 IoCs

Processes:

avast_free_antivirus_setup_online.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
1552	avast_free_antivirus_setup_online.exe
5076	instup.exe
5076	instup.exe
5076	instup.exe
5076	instup.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe
3280	aswOfferTool.exe
3440	aswOfferTool.exe
444	aswOfferTool.exe
3020	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe

Modifies registry class 64 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a39.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a39.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a39.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exe

pid	process
3992	avast_free_antivirus_setup_online_x64.exe
3992	avast_free_antivirus_setup_online_x64.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe
5044	instup.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exe

description	pid	process
Token: 32	3992	avast_free_antivirus_setup_online_x64.exe
Token: 32	5076	instup.exe
Token: SeDebugPrivilege	5076	instup.exe
Token: SeDebugPrivilege	5044	instup.exe
Token: 32	5044	instup.exe
Token: SeDebugPrivilege	1308	aswOfferTool.exe
Token: SeImpersonatePrivilege	1308	aswOfferTool.exe
Token: SeDebugPrivilege	4652	aswOfferTool.exe
Token: SeImpersonatePrivilege	4652	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

instup.exeinstup.exe

pid process

5076 instup.exe
5044 instup.exe

pid	process
5076	instup.exe
5044	instup.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

avast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	pid	process	target process
PID 1552 wrote to memory of 3992	1552	avast_free_antivirus_setup_online.exe	avast_free_antivirus_setup_online_x64.exe
PID 1552 wrote to memory of 3992	1552	avast_free_antivirus_setup_online.exe	avast_free_antivirus_setup_online_x64.exe
PID 3992 wrote to memory of 5076	3992	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 3992 wrote to memory of 5076	3992	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 5076 wrote to memory of 5044	5076	instup.exe	instup.exe
PID 5076 wrote to memory of 5044	5076	instup.exe	instup.exe
PID 5044 wrote to memory of 4584	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 4584	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 4584	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3512	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3512	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3512	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3280	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3280	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3280	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 1308	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 1308	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 1308	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 4652	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 4652	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 4652	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3020	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3020	5044	instup.exe	aswOfferTool.exe
PID 5044 wrote to memory of 3020	5044	instup.exe	aswOfferTool.exe

C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe
"C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\Temp\asw.54b908f74e3af79e\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.54b908f74e3af79e\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:316923f4-22b7-4ccf-bdaf-8b5f690a2fcc /edat_dir:C:\Windows\Temp\asw.54b908f74e3af79e
2⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\Temp\asw.5d6fab038227d60e\instup.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.5d6fab038227d60e /edition:1 /prod:ais /stub_context:ba8a5f4a-6966-4f0f-a366-c17f48236010:9946736 /guid:597b6022-fb1e-4a0e-9234-3a3d4e9402ed /ga_clientid:316923f4-22b7-4ccf-bdaf-8b5f690a2fcc /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /ga_clientid:316923f4-22b7-4ccf-bdaf-8b5f690a2fcc /edat_dir:C:\Windows\Temp\asw.54b908f74e3af79e
3⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\instup.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.5d6fab038227d60e /edition:1 /prod:ais /stub_context:ba8a5f4a-6966-4f0f-a366-c17f48236010:9946736 /guid:597b6022-fb1e-4a0e-9234-3a3d4e9402ed /ga_clientid:316923f4-22b7-4ccf-bdaf-8b5f690a2fcc /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.54b908f74e3af79e /online_installer
4⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" -checkGToolbar -elevated
5⤵
- Executes dropped EXE
PID:4584

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" /check_secure_browser
5⤵
- Executes dropped EXE
PID:3512

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" -checkChrome -elevated
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3280

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3440

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444

C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe
"C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\aswOfferTool.exe" -checkChrome -elevated
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
Filesize
26KB

MD5
562e449aeb25a115feb92a9583103d3d

SHA1
928f39f0c5189c798f544515c06155c25564eeec

SHA256
6e4276cf5238a3e50816d3f1fb3ad38fc96f62cfed414051e95c2d369163193e

SHA512
826a218f5511ddd4a092a728b9b5b3ec019b5725e77b591282526239b72f87a79645ea24500a2615203910c1545713892b8fc485ce270e8e38c1e783372c477f

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
Filesize
1KB

MD5
f11fd03d89c5861fbebceb947d3c7d89

SHA1
2f07d04d8a943baf9bd8ee4a2d7397051559b2d2

SHA256
c5e96ffb544d94dcb222d619f8c2b29eff2ce22f07a44a5940a7487d873382c5

SHA512
74f0ba4b86da86bdd3b71b191f5a37e48fb25c9e732a4fb319eac51f8cb45232872d00b9f84a6b8d275e6eb4f03ec438481c75d9df7f39978e2d5a4f52ae0385

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log
Filesize
281B

MD5
40893e4221bb951602165be97d6367b1

SHA1
bbe5161f30de369b461197b60ad1b4d9fb44ecf3

SHA256
5ad14002d1e362a6d3c3bdf3632aefa3c42bb413fea4c308fd9ba35a62122064

SHA512
a111d48f018925700163c129ac04310904471a5806ccfc844f733409dc5c48b5e3f4c11932b665fc880ba5ce970bfbe79bea616f4f248be402c21dfff5ccbabd

Download Submit
C:\Windows\Temp\asw.54b908f74e3af79e\avast_free_antivirus_setup_online_x64.exe
Filesize
9.5MB

MD5
7b37b5ca203b183e28476b049e31767e

SHA1
bc41127c693101c81268a0af7badab332b86be11

SHA256
f8da8197da1d8377ed67e37b2603fd32f82974c1eb28b817829bbee1ac775ad4

SHA512
a0d52ffbf224271ee3b38ae8463a966e8397d5f8f4cfa97ef90c14794ce6b37cfe18226dc2d03e8f48968b217af08c8ec257fc1a39e2033335cf941faf9be0aa

Download Submit
C:\Windows\Temp\asw.54b908f74e3af79e\ecoo.edat
Filesize
40B

MD5
0c3fb92e76191db5caf5b0b3faa37ce5

SHA1
c3def7847d3ee4a5f6f6977d0b1b95aa2ef3ded9

SHA256
c0b918fff0c176e58cb694ad6b830eddb0f987f3558583fc339b49681d5d3b46

SHA512
0d5935e4883ed4ad612c130e5542ff45e81431c2a52dbdb2319469b84927963f1cb138c612ed73e584f2222c4e53a5fc0ec29da8d5cbcd261bbf789356ab0e66

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\HTMLayout.dll
Filesize
4.0MB

MD5
5ac44187fb8ed4771a028a4f206708e5

SHA1
c9aaf33b0a1b0bef82e17197973ed3839472e0ca

SHA256
6100f12a2fd4267326da4ea65ff29935f8d1f8be3cdde9e2a895560e40192df8

SHA512
6537d0145037f4addbb480d6b8b44e8213b81093d3e751646103897c8b581559db5704b31948861893b73a9df1053bf12fd9522af7a888790162899e5b7e3eb4

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\Instup.dll
Filesize
18.2MB

MD5
615c4826108fad74f098d8afdd2a10b6

SHA1
7ea9f49b3da4961a91ca7027b5361888c6edfdc4

SHA256
46296f4c587013ef7ea0a7a263becb8b50fa824fbba938ab106cd48ab329de7a

SHA512
9bf90d6dbdee30629605a8c9f32b0201e37e86c44a5a6b48c4f422bfac7224d47a5e303625fd110f212972f231240564ebcd9fb81ab51c6a4d9cc214bd8e25cb

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\Instup.exe
Filesize
3.7MB

MD5
aeeb5645d1a42d73c10d466e071904a2

SHA1
8011cb95b74f202f3f931f42607b7c78231da219

SHA256
feac318f5a0b1e9a78f7e83a708edc3e66bf43c84803426dff4c8567e3895502

SHA512
d9803a1f3466b528a067e39fc514bdd8615f842da5f114436a058ea5efba5775f292598f626e7ae372e8d1d0dc2af50f26424034c32ca6519ae56017d859883b

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\asw526b695d36d8d69c.tmp
Filesize
19KB

MD5
e20c13667bf44e64a92f7b5c4a9be981

SHA1
4afc6572ec14b44cf541478bca2b2ebfe5c6b4e1

SHA256
05c29bcc4f1cc3fe8e77b9ba4e57ed93d66de1ceacc2519150e994b9b9fc236e

SHA512
11bcbd1292a1136ed6bb6a47ccc6c30b8b0b2ddfb80222a2e2d9522fc24e35eb91105dbac9747a4758881c3a523f8d1ca7ea71b441c54625444058b7be1f277f

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\New_180417e0\gcapi.dll
Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\asw3262036b78afb677.ini
Filesize
774B

MD5
4181a7f10f6ea214ea54336dd2c8ad58

SHA1
5c8dcd901d39da848b08f56a5c2c3ae9ba750ad7

SHA256
bf847d94f93a313043abba63ccd5a199d30add5b7282b9bfc2987c736bd5a8a1

SHA512
dd3a63735fd87bce80b769f33f4490b58822b53f9b9619180c1385dff097fe30d7e0fa4ab061e3a6b090287e2a865260eceea35aee7ce62c45ba690ab88e0492

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\asw7e99140d4b77f08a.ini
Filesize
1KB

MD5
5c713b8e7ef407bc3a05a44a3646e180

SHA1
5cc6abb7bc6c120d1dc14da37b279474cdff0be4

SHA256
514a526802e94ac0153ead29274ae532dd6fd34574839cc1030e92dea93ed94e

SHA512
c2dd561dc928194abb090f295c4fe2ae14dcbb503db2141dc72f4ac86069964aa6403d68f14d74e2c2ad314a6fb5960c5d6cafdcda2658f084f7063fd3298b5c

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\avbugreport_x64_ais-a39.vpx
Filesize
4.8MB

MD5
306bfbbe50ee620436b4e522eda1d3e3

SHA1
3f15e345ac87613c2bd911f000aad53cf8cdc6c0

SHA256
1fad5705c6ba3778495c3cccddd1040e5f5cc2e94c5da28011379464046bf486

SHA512
cde802e5585929183a0c57c381b9847f1329fb10957d32ce04c82d28d1af352610d7b7ea52e4899dfbfff1ec4ffff7ff8273ce2af97abf0999c00cc58cc99b75

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\avdump_x64_ais-a39.vpx
Filesize
3.4MB

MD5
cd3748f9c9f8f4a3a032ac901c4f0586

SHA1
9fd01b70bac4234c7126507e9965b9297460662b

SHA256
fb61b0d20f2905f10058ee64a761c21b53211ff996ec75665b74cd2055cd6b41

SHA512
e2b9305108f1548c0f6653ce567253f05eda371be41de5f6c6f321e28f58d2fe8d982c0bef8d22d6ff95d5724152454732902d60a65eae9ef20243e26cc06f55

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\config.def
Filesize
29KB

MD5
e439a6b6d998914385f7bae203a01543

SHA1
495d6dc45e3c2bdaafda6b7f6676d5a803cb19ba

SHA256
7d414bc4d3785a32b8e13a81cf2b52b5346cc442f4ea502080f306ee43eeb310

SHA512
06b4bc92ed285d556fe038d1c9c255232a37d2879160f9161bb6fed07c3b23937f3006bfd8bae90a34cf3444a0094f2acc14dc3f30a3881df7d6334b09d4e1fe

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\config.def
Filesize
35KB

MD5
d07d9ce519d6cd690e0b61cf9b466605

SHA1
29b1e5853d3f1ba5e822dc5005d0f34ee15ce076

SHA256
b023673e0181d990bb23312b363890643ef7682af2ab181f43defc5349703e8d

SHA512
cf14c6556bbfdbc4e439b36571d5fc3f59b105d265f5f10a7859e53e141dbff776540cf91aad6a5e661770b8e37642d7e6631cfcc3404ffa18ce09da52e606c9

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\config.def
Filesize
28KB

MD5
5a7719d8f91210806e0de046a2897b56

SHA1
7bd04389df2595ac430a2441418f60ce7c2d7846

SHA256
730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea

SHA512
17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\config.ini
Filesize
871B

MD5
2ef13872945ef0004f13464e0546c7a6

SHA1
426e5cb04f3e9ed418c4ec87929b14e145bb2a23

SHA256
1001bba1636cbc8680bb0eae8e5c0c27604cd5ed82e08ea8e2fc3924b3152c39

SHA512
9fd9a6eee59aa0e87e05abd4861b79e6e5d9e060d0ef74500e7d2e7752f17dac06d3b73b4f8efbe76762113e8026f920b9d435caa4d08896fca6a95408af5569

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\offertool_x64_ais-a39.vpx
Filesize
2.3MB

MD5
44645c9f6d213d0f87608f4461046731

SHA1
c5b6af10b2abb6e1422f27102f1ea1fac59099b6

SHA256
42ec9cd1f6ea316265a93119c865692108ecfd2ab6f007e6d4a2725214e56079

SHA512
27d7d698099ff3fe1c0200093174765f1f8e56c5b011cf2bb5ebdb60b3b2fcb3fe32bdac5cf79f349eb698cad269a3d75f6410c82b1e05e3a9ace1b9a5e1f4cd

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\part-jrog2-7d.vpx
Filesize
211B

MD5
102ebf923565e970b63ff115c8dc7711

SHA1
6066f42f3edffb9de1959c55cd5e409f2401aba2

SHA256
dcf00526dede9d6ce30c21ed6e5973e139cfcb83cf2ca8f70a4616200fe06b1e

SHA512
50a3e76e49a2983351f30e38829e147b1a673fc8313e91a36f4bca2181de6aa93f25c01fe9ecd8dde45ff80fbf4f07986e634edae2e16b05562633b65490ae85

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\part-prg_ais-180417e0.vpx
Filesize
74KB

MD5
010b32b4b577447101045f32f076e441

SHA1
9ddf3608765048d234cfc01fcce04f65ada018a0

SHA256
d3b2ea21a681047518df0ec68da6f2121ff26d4e10412665197361986ec9c2c3

SHA512
19ad1b0650321df771f61cad16838a607108f53707da471fd10de00a63756ac6ca4722ddc0e7e08a1cc26e2b4b4fdb32c45420f78f22d798adf868fe928cfba1

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\part-setup_ais-180417e0.vpx
Filesize
4KB

MD5
7d99b56ebdc9d7b916fc2f42f54c1171

SHA1
47c4ec171248c1e31de40062aec51ffd63d40cad

SHA256
2a47e8af3f7be4f14fbc1fb141ee1d2db8d53aae946d632dac45446f968e4619

SHA512
e4b45dcd90e14fb61ea861b3b56ea718bd51c97a436532855ff29dd856ccb1a8f9b9f6d58ae32887a956b29ae9d209fb387c9b90809bfc884541d2f53bed4dfa

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\part-vps_windows-24052399.vpx
Filesize
7KB

MD5
e4325c38fa3265c7d343e288bc8266ca

SHA1
e8db336734a31c0548d7f4224c7e0be2524a75a1

SHA256
e0e13d626515f30d5e82cf8b541c1121b9ab84f4403be98365f7f1e8868a2879

SHA512
77ea95df39bde40dd30a2b788c95ab3ecfffbeb837eaae054a92d450f16a4b53d33625b0be0b99323da35e9fff8d222bd3df3e20b33be085249534cd63f6af7b

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\prod-pgm.vpx
Filesize
572B

MD5
f767ec2c67fcb174088857a0e5a7dfe9

SHA1
1f82e0ebabc7a81b8440f2cc658bc36ef80aa058

SHA256
026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c

SHA512
ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\prod-vps.vpx
Filesize
344B

MD5
3d6229735be0de243d57ed765e21f391

SHA1
967b83c77716e2e500f10f44008b2c196064652e

SHA256
182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b

SHA512
8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\prod-vps.vpx
Filesize
340B

MD5
493c264c3a5abe23f86f5663c2af0325

SHA1
db2664601bf688cc7a0019d5db6a61cfddbabb83

SHA256
9691b7d04168ba623ea1f9ffcd114f90eb6a9e2f77dedfd584ad95f067e30e31

SHA512
b757b135e537af85a908510b376e4c529dbeef72d9afe507b26288d7b71f9170fbcb18627200b20e2887cad89c78f4f33d6d3cd70578e795ebd6d4a459e2479d

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\servers.def
Filesize
29KB

MD5
8625cc598545b4313acb4c34cec05821

SHA1
5ff65be78f84c547f43e7109604fb579c98c0f2a

SHA256
4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d

SHA512
04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\servers.def.vpx
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\servers.def.vpx
Filesize
2KB

MD5
ada78e665ef2fcf8709bdd7386974119

SHA1
594d311379ce3373b4470a022eb0bc723b0caf53

SHA256
9a0e8da65a6824441e1deb5533ee21c1084398a2c8023d3b730d63e49d3861bd

SHA512
23aa516fb8edc6e090a2776a75da9c92a3cf97b4c002df305f07364da17ec53607016e9ed90ef814968a5b651a9b05f9caefd588c58f06495975ef8f27915de9

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\setup.def
Filesize
38KB

MD5
6b562cc4d2da62c444f04eada6c802eb

SHA1
7aa6e391d326b79bb2b2c9754b573a072fada07b

SHA256
71529a98a66e4f9a31de5db119697f6fcf327572f77f29a550b26337240d9909

SHA512
57ceed0b1bbe9a65423b7af2b12f3456393cb2a7d40574b189f8db8a37e78b9d8fe7ddc560fdb203a4484f42f86fca551143edb0c3892e831f80ad20fcad8b96

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\uat64.dll
Filesize
29KB

MD5
852a3b7a54e53295b24413aad55e1459

SHA1
1b2cf1d539e249c6014841dbea451e21f13a8515

SHA256
067b4f049fe07ea3af37c5dfdb7b237e49db432035361a3d0afdc527fa5d6a2c

SHA512
5df4a7f42814f069205d3f5e6337b250b287089e9d48a3711b8d5092b9ee04526a5d1b08c8b6a58d58b44296879001569747d9470542d8db17e3df14b3b3e843

Download Submit
C:\Windows\Temp\asw.5d6fab038227d60e\uat64.vpx
Filesize
16KB

MD5
a316b5ffdc1c260e65dd95a6f5f33732

SHA1
7c363d9ab0e87711f5c5cfe3a7553ba754a923fb

SHA256
649d7c2a0f3837145cfb32b40526aeae55ef392525933e9d78a555e6e4a74ea2

SHA512
45987010693402f3a6d6bc0efa532f968fc39ef280e0b19819b0e1feab62cc6e4ba0e374286ec2a852a806b411075a02f603ed1416c21354119ad40c4cbeb07b

Download Submit