Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 12:50

General

  • Target

    71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe

  • Size

    212KB

  • MD5

    d577512bcc91096f2185b4f2d44461db

  • SHA1

    a8acdfc8e92b90e7bd4fd347bad465be32b02455

  • SHA256

    71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39

  • SHA512

    1058f7f42981de880a8b0cf7580561f8af3e068735a4336b69d4f1d525fd79bdbb9f9420212d2257f31f1f959fe7e218520643df9b321317411c6665eab48761

  • SSDEEP

    3072:csmIwp0Lr0cZMHeBw4kQkFAe5sWkn0VEqj+KHy+pDyXtLAcjaK7PuENhVPW0cokO:cGwqAHAw49UsWknOEqiJ+AXD7PPW0fdv

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 30 IoCs
  • Checks for any installed AV software in registry 1 TTPs 52 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe
    "C:\Users\Admin\AppData\Local\Temp\71299a484d71752fd0e1dfaad70a18237f31e516d29d1d3466fae93437f12f39.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe
      "C:\Windows\Temp\asw.ca0b53132b010add\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a5i_m /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe
        "C:\Windows\Temp\asw.e5c5dec041efd4a1\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.e5c5dec041efd4a1 /edition:1 /prod:ais /stub_context:75f70dbc-75fb-4054-ac07-252f37159f94:9897680 /guid:448ea62b-14df-4160-a38d-de8808b620a8 /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /cookie:mmm_ava_012_999_a5i_m /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe
          "C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.e5c5dec041efd4a1 /edition:1 /prod:ais /stub_context:75f70dbc-75fb-4054-ac07-252f37159f94:9897680 /guid:448ea62b-14df-4160-a38d-de8808b620a8 /ga_clientid:c9576bd3-8e85-4c1b-bd6d-46103852da90 /cookie:mmm_ava_012_999_a5i_m /edat_dir:C:\Windows\Temp\asw.ca0b53132b010add /online_installer
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks for any installed AV software in registry
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:596
          • C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
            "C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated
            5⤵
            • Executes dropped EXE
            PID:2500
          • C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
            "C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" /check_secure_browser
            5⤵
            • Executes dropped EXE
            PID:2816
          • C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
            "C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkChrome -elevated
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2520
          • C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe
            "C:\Windows\Temp\asw.e5c5dec041efd4a1\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
            • C:\Users\Public\Documents\aswOfferTool.exe
              "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:628

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Pre-OS Boot, T1542 (count: 1)
      • Bootkit, T1542.003 (count: 1)

  • Defense Evasion
    • Pre-OS Boot, T1542 (count: 1)
      • Bootkit, T1542.003 (count: 1)
    • Subvert Trust Controls, T1553 (count: 1)
      • Install Root Certificate, T1553.004 (count: 1)
    • Modify Registry, T1112 (count: 1)

  • Discovery
    • Software Discovery, T1518 (count: 1)
      • Security Software Discovery, T1518.001 (count: 1)
    • Query Registry, T1012 (count: 1)
    • System Information Discovery, T1082 (count: 1)

Downloads
