1fb53cd33d285e2807dca6ee3005689f1425b363c46b377958a7431a46488207

Analysis

max time kernel
295s
max time network
259s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-07-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avast_free_antivirus_setup_online.exe
Size

257KB
MD5

5dd99460687fa202f26bef9565b2eb71
SHA1

d90930758b01570db7403b1e1130c99d5dfbac91
SHA256

1fb53cd33d285e2807dca6ee3005689f1425b363c46b377958a7431a46488207
SHA512

ef59d47099f738eedd457a7bbe4779af5e956f7afe073bc98f9d3b10ae57891a225402ad7494c055d656d111e59991fd54ccb00174d3b860e685cb6c49317f82
SSDEEP

3072:482RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhSn+K:480KgGwHqwOOELha+sm2D2+Uhngu7p

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeavast_free_antivirus_setup_online.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe

Executes dropped EXE 8 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
4984	avast_free_antivirus_setup_online_x64.exe
3344	instup.exe
5124	instup.exe
5556	aswOfferTool.exe
5584	aswOfferTool.exe
5632	aswOfferTool.exe
5680	aswOfferTool.exe
5828	aswOfferTool.exe

Loads dropped DLL 8 IoCs

Processes:

avast_free_antivirus_setup_online.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exe

pid	process
2360	avast_free_antivirus_setup_online.exe
3344	instup.exe
3344	instup.exe
3344	instup.exe
3344	instup.exe
5124	instup.exe
5632	aswOfferTool.exe
5828	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

instup.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Modifies registry class 64 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-a42.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a42.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a42.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exe

pid	process
4984	avast_free_antivirus_setup_online_x64.exe
4984	avast_free_antivirus_setup_online_x64.exe
4984	avast_free_antivirus_setup_online_x64.exe
4984	avast_free_antivirus_setup_online_x64.exe
5124	instup.exe
5124	instup.exe
5124	instup.exe
5124	instup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

avast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exe

description	pid	process
Token: 32	4984	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	4984	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	3344	instup.exe
Token: 32	3344	instup.exe
Token: SeDebugPrivilege	5124	instup.exe
Token: 32	5124	instup.exe
Token: SeDebugPrivilege	5680	aswOfferTool.exe
Token: SeImpersonatePrivilege	5680	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

instup.exeinstup.exe

pid process

3344 instup.exe
5124 instup.exe

pid	process
3344	instup.exe
5124	instup.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

avast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exe

description	pid	process	target process
PID 2360 wrote to memory of 4984	2360	avast_free_antivirus_setup_online.exe	avast_free_antivirus_setup_online_x64.exe
PID 2360 wrote to memory of 4984	2360	avast_free_antivirus_setup_online.exe	avast_free_antivirus_setup_online_x64.exe
PID 4984 wrote to memory of 3344	4984	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 4984 wrote to memory of 3344	4984	avast_free_antivirus_setup_online_x64.exe	instup.exe
PID 3344 wrote to memory of 5124	3344	instup.exe	instup.exe
PID 3344 wrote to memory of 5124	3344	instup.exe	instup.exe
PID 5124 wrote to memory of 5556	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5556	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5556	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5584	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5584	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5584	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5632	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5632	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5632	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5680	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5680	5124	instup.exe	aswOfferTool.exe
PID 5124 wrote to memory of 5680	5124	instup.exe	aswOfferTool.exe

C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe
"C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\Temp\asw.57bba672884d277b\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.57bba672884d277b\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /edat_dir:C:\Windows\Temp\asw.57bba672884d277b
2⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Temp\asw.31d43fabf4c75595\instup.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.31d43fabf4c75595 /edition:1 /prod:ais /stub_context:a71d0be2-a0f4-4838-bdbb-770237630168:9925720 /guid:e7679111-c503-470c-b1df-3d7914a323b2 /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /edat_dir:C:\Windows\Temp\asw.57bba672884d277b
3⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\instup.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.31d43fabf4c75595 /edition:1 /prod:ais /stub_context:a71d0be2-a0f4-4838-bdbb-770237630168:9925720 /guid:e7679111-c503-470c-b1df-3d7914a323b2 /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /edat_dir:C:\Windows\Temp\asw.57bba672884d277b /online_installer
4⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5124

C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkGToolbar -elevated
5⤵
- Executes dropped EXE
PID:5556

C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" /check_secure_browser
5⤵
- Executes dropped EXE
PID:5584

C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkChrome -elevated
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5632

C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe
"C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
25KB

MD5
8bfc982a9f4f09241f517915470ff7bc

SHA1
e63654a239a25a590c1ed2f8aeedc3e7e5f52fdf

SHA256
ae9a0ab8549e3098b4f6fb9da715e98b7a4bfcf0ecc4d4cee18e5f434fc41e59

SHA512
ec90432569007bfee56272fa0f645aa26b2a1330a8b35f5cace8636df3a405995505dc515be05f99a88d19fba23f572cbfcfecf3aa070ac8ea70444d2e802bb0

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
0f4f0b6ea49233d9ceac8c4ac75d8361

SHA1
064e6c9d1177030562a124d16cc4630d75f27965

SHA256
9349ce9147d7f836d971886f7268fbd0998abd3a68b5efa84341d66049c3cf42

SHA512
47f19bc3568c3cb82b6adb732272bf8d6fc984a76280e82b5fc08f9bf0f42e5d93c88e6b4ad790895c5a25e36aa7a1edc1a39ca360c2056cc1a4f57522dd7fb1

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
142B

MD5
ad692c8468fe3ea4836e90a402d76aa0

SHA1
a7517558fc4db96f44bef3969a0000130d238f30

SHA256
009ca5b54102509d098a8a2bdd027cd1d3926eb8732905a02e5744fe3b226d74

SHA512
9f05d97bd4976c1ba14219df9213e2df271f6d11784ad709201ead0699ad5e015c3ab92b8d266f9e645d7cee60deac706a803c0a681df4f17a4bbd0ceaafa8e4

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\HTMLayout.dll

Filesize
4.0MB

MD5
dfae82a37c609bb6f00ed781a58355f7

SHA1
92a9a702c64fd32668f3c334a770b4d3bdd49330

SHA256
9e8669adde471d36dff8cc760b1387d68f9370a668ac1669d1427fede56540b0

SHA512
d223c89cd8fe08b768c71297d46811538a21876dcfc1ad351d490392a7dc3811e4e26dbc52a89511b98d2955b28c91783c331cf9288a2f568d3cc753f6bc655a

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\Instup.dll

Filesize
18.1MB

MD5
cc9c6602502984f24aa849a4601166ab

SHA1
f35f44fbeebb1d6616a27641311470406b0619f3

SHA256
8add358f520ba6dde2aa14abf0f04a0a0739929465780e910af4bcfe47287932

SHA512
f724530c3da9e707ae70420948f23c1c1b309b31a6d37c98cb7af3aa5012419bf46fd75475baf336f451286eb103d07314a41d159b2f3b447af80734e2ae66c4

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\Instup.exe

Filesize
3.6MB

MD5
94422d2f5e7b7c2c394592ff42ffad97

SHA1
b0688c9013391abe0946d61a296e810aae4ec061

SHA256
778ef3bac5b93ab1848321b34922411403ee45972db240e2b5ec77688fd78985

SHA512
2ff75aabe2fafddb6d468f0e70bcf2988f01bc575e42333c0c1cfb1f0ba2df8f06bbe7fe0ac8fe228a869c778f17f1306277086957a045a1bfd0f96d2262d1d7

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\aswb391ae3e23cb5543.ini

Filesize
1KB

MD5
396f4fc164e192bff8a571f27a94e5ae

SHA1
4882ac97ef1a7470e5031d0e9b2bc2aaa16c6fd3

SHA256
2450334ce9131df9f659c2d22c09a22c964d53e8a181a88daf7aff2481bda74e

SHA512
ddd8871b4fca51c59f4bc41d0b76889b7857a8fe70218ff3961de463344009b5e5d75276eac024055fd473c53a1fe92cd35dd69f9cf4ee96993d245297b27d84

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\aswb391ae3e23cb5543.ini

Filesize
1KB

MD5
1f4c7e779c43761037d6f1f6952f0e39

SHA1
2b50df92d08cef1dc43d7659a913f510457fcec8

SHA256
306b0c7b03f14bdc77e6e1b7943a685566737a0909344aa05cb54e34bf20aff5

SHA512
f792a3bae7eea928b9baf638e63d02225dd3b287c7dd71997ef35f3f7172084fd0bb744f7c49f3dfd69701e8260d432dad15afe464391d6671c4fbeff4ff325a

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\avbugreport_x64_ais-a42.vpx

Filesize
4.7MB

MD5
0e640c5ca12e01a50089c1497ab4f737

SHA1
5d0c22581c29f56bcf597e9be347f87bfb7efb20

SHA256
ffef8170d192509f527d6a23584528a0b9676f0c11b88ff5c079fb8b5e79c2f7

SHA512
7100dc0c067286fe5ba8b363d024f560fc57b8606b2e7d2e3a344bb3380b9b67f8c8e4b8b75e70d26e9caa947a42b3e78651f357775b6817230931f851403945

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\avdump_x64_ais-a42.vpx

Filesize
3.3MB

MD5
f0ddd08f9b933c3d49c5d738e52f6be0

SHA1
7a161fd561c7b014b3255256033c0d4a5ccaa682

SHA256
435b0c4824c9aa637ca7c3335d4123d7a67a6c6818348f88eb7c00d70ded8221

SHA512
e95a1337f6b00c69c33d7383f9a8076d5432dbe9c92c4e55dfe4fca5a56f51b5c73f0ba70b1e66ef913609012ef025b151931b4184c8ad6d8e55e391c3e224ad

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\config.def

Filesize
29KB

MD5
f603b1460d9c67a945d10fdca920232c

SHA1
ce0836271354e633a29137f86fc91a85f61f0aa1

SHA256
1f1e4dfd55a6c8e581f475790dce8d8fc1ac2676b2fcc16fd732916c307a75e9

SHA512
fac8ff10d6955490a5e1e56aa7ec08d10c7a12f5ee1ee546ac8a2ea9f6be163c947b737751b36b62de88ff53dd281e17c0742c1b9fe10c6d99655b19ec60ff8f

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\config.def

Filesize
29KB

MD5
74626fbf004a062b5449d1f73e320194

SHA1
167586af6b98c776635af5d7171a05fcb6415fd4

SHA256
3d3821629f9ef6b48081fee430668075e2bac601ff9215f574bf38ae8529a6ae

SHA512
0a353acc59af7ac371418db9dd5213e2becae44457c5c7bb681fd9f3b107b34b753c416140d7f3b6e2629aeffcd3b3a30c8c16c91ceb8dfcccab16054a7fb4c5

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\config.def

Filesize
36KB

MD5
c93aab0bbd869cd340112435e5fa184d

SHA1
f146fcf444697408796a7e1d0850d5ef9ebbaa20

SHA256
32e686bed39bdcdb0c7e2aaf4c71bab744ea18a7e66af0131c430865bc69c98f

SHA512
f8521b926734a3e590b0cc48af1612eb456a24e3b17540905a91a4c86365087dcef0dd141270af4ce6d949cb406fef5bf4450ec3429e4ea41acbbc440b38e77d

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\config.ini

Filesize
883B

MD5
6448210462f49aa74b31c47673c2eba9

SHA1
c56bf4480ee4ae8b0940d1a171dfc4def2a30013

SHA256
71f31a12075d375c7e382aa6d5be2659ed7f2b7926c44a0e6a845b015daa9ea0

SHA512
eab495d0f2ba13f8cabe484b4870ef397ba570c9971d39333da7881387692a9ed2a57145e17843be161d0aa1ab31734673f8fcf9ee76929b6c03da0f0fab4e44

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\offertool_x64_ais-a42.vpx

Filesize
2.3MB

MD5
4083a128d717e41f6eb3ad762fa9fad7

SHA1
c8e41bea43a06a7f8127f490d209ffbc99b936ec

SHA256
ef9ba8d3348eae59ffb7835eed786efb2f3f87babe784a2b7e3fb247bbf53cfd

SHA512
719a8a2c638ba8ed281933afa65f32f2d2d633fb2f1a515506f06efd6e7a39b942aaf9f82a457f47a11d68028c197ea011d060e26cc3f7730fc61d84a4b7f2cb

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\part-jrog2-1513.vpx

Filesize
695B

MD5
e4804fcb47654d7e8e4531ade30fdc39

SHA1
6dd1327984f63e725b60b776932920e63c5a9311

SHA256
5a85c46d8656abdca1e9971ed783f930d0fc612a728e73c4e6d8d6b525155a61

SHA512
c50bacad91d1f9eeb458dfad51aded1c4b8da258b0c238be375a65bb119d27d6320971129d9499c58110307de855c5240a82eba860bf0604f172829ada0db425

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\part-prg_ais-180617e9.vpx

Filesize
74KB

MD5
bb77ea8a833437ce4f5214d8315ab7a7

SHA1
b76edcaa6275852232d613753d9dd9511af18694

SHA256
eb01d6e0b5d1519c05720040a8887782c3e73adf9e406fc739e2afb2cdc4e0e1

SHA512
a2acd616484843fdb4fe8c6121719f2a3b20cf06627a127d7b3cfec65ad0532c7397362464c582cee09e8d011ef0b97e69eb3bd73bd4578a121c935656f162f4

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\part-setup_ais-180617e9.vpx

Filesize
4KB

MD5
e63ce56d9b211d7432d327bfa3cf27f7

SHA1
53297bde156f132f1caf07d6bf63ea6dbb54efe4

SHA256
d3b0db1d7070d8917811b2e0b2b662ab0c7b01b74567b2e655b7f03a35237c5b

SHA512
bab3d082ba77a9dd6fb1c5f5cca13356541256d36db63255bf2a6614f4ff8289921746602f419c7ec9d080b3c2e822c89a34d5c16fdafd0395b28240ae3b6098

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\part-vps_windows-24071806.vpx

Filesize
11KB

MD5
220968cc7ae466348d1026dadd65735e

SHA1
a393f164470aa795d650734016b1d3fba5250b1b

SHA256
42e41b74eeecc3b52db3c3e40868663dd9b9f2c0f089e4d99c66c7769b9f78ef

SHA512
a481f591b67b021bcaecf177bfa661a63eeaa156deddc48a142cfc84dc86cce83dafdab5bdcc0f1371e25649fd9d0f85594a7b188c8fc3fb132d5fbfd4cbe1c2

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\prod-pgm.vpx

Filesize
573B

MD5
730e37ee15e02dcf1febfe34d83fc308

SHA1
72488fb7c771a8b09e9a488514cf18b2535cee7c

SHA256
94d3fafb73f128ec140815eef45bc9dcf8166d54fb575527108effc0e7bb1e39

SHA512
d43aa2dac183f1bcf22a84e17535deed9eba7e7225412736bb91206fea9a6c071226ff3e02f1496a51bc1f8d986f87523844461deea6d5e36eabcf88473acbe8

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\prod-vps.vpx

Filesize
342B

MD5
e688ee6baf97d6bdc8cbf19b95a8c3d3

SHA1
3729393c3a1ddb5caaffa71f83ee1c890f292893

SHA256
dce2bf3c5b81259cd50c8e61dcd2da461ecadba256a5aa82fc1e1de2f66f9666

SHA512
72100577944efca60e16515967f3def58bfff676ac9694e65da56b11e34ad3b62054a409f918b4bd5416174546ccf114f34fc0503065584afb0e9d5a6ca68077

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\prod-vps.vpx

Filesize
343B

MD5
072703fc85994aa98010f7aa9a6b3934

SHA1
aa0467cd97c47afad02f96974d19ba132f920846

SHA256
c9a8b3971644ae9dbb026053768ce326e61656a13e5f3e1071a2d485bd903fcc

SHA512
234a8db4cf96fc4552c65b160d9407e8654b6c67c5c5bae65622f46a2707df779b582ea5f3731511088209306cbb32ea590f75e8cfb40cf52f1190e17361b070

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\sbr_x64_ais-a42.vpx

Filesize
19KB

MD5
01f81005dda7a7da7c970292c188e9c1

SHA1
9a72b263853f33ba1d28cf98e990ad58b5592945

SHA256
6c6ba59c14e1518f8f3c5d5426a402391088f096dbc1328c7557dfc65c38feb6

SHA512
de3ad9ebea124cbedb170b7a897463fba47d3725883edd55a82a3615fa8a008d7bd766f909e22ebd6c5b3797fcefe245b42b2974b0e5b856d5fa9d6546da7085

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\servers.def

Filesize
29KB

MD5
64cbbd842c50e8489587b82a7b14ab4c

SHA1
d63da443a36de0976f78ca816cefb6e66f97b9d0

SHA256
fc454821159496cc8c3e5fdb41e3f3c855746ea94b27b6247677c2e8e4c30624

SHA512
22d7a03ac884419aada04483ecfd454fe7d6fdea25cf508783226b9532cfa373c84d50394a75effd2f219d25d6a216056a28847268e30c1758e19683b284f4e2

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\servers.def.vpx

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\servers.def.vpx

Filesize
2KB

MD5
a304f0c6ef97e5a3111a3f0a37f675d7

SHA1
d8798250d97781d598cdb8ba26c4fa8f78d0d0a0

SHA256
3c362bbb1014fa517abc47ecc325989ddd6b8fdd22302506591ea9ea4f7a2aeb

SHA512
039e3d51bba4c2f70c1eb720b57a533769cb9f9b3f812e1cf62ebb259d50bcbc42742c58a7911a3b974ae1ff4286a9b9f843ddc01fade99bc6f1e209511eb4b9

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\setup.def

Filesize
38KB

MD5
a0f2f8de6dccac4049ba23049750cdfe

SHA1
e46b4ebc196ff434a1077fa86304cc3d0216ccd4

SHA256
dbccb1e807254fc3abd86c1a094289eb68d7129631069c3ece96ad032f84da7c

SHA512
f827ec92781a3768eb56778d1db7a50694591f9dd4a963fc3da955013f6f4e2731cf8f6952ca8f7cc92adb2a30b95a8d370452b46024cd039d20d08aa66dbb74

Download Submit
C:\Windows\Temp\asw.31d43fabf4c75595\uat64.vpx

Filesize
16KB

MD5
86097d9281937c5a0add13b7ea2c39d0

SHA1
40b12c59e085561953828537c2a55346a370105e

SHA256
884d7de18df38995ab864b9daec048a1ba8c8d3bcf54642d4c366b5c9a29a1ed

SHA512
0a47292a1da0532867862b9b2464927ae5894d92522923c3cedcf9cdd0af95b9002746084954e92aea785f813b658e877912d5c182264c15903a55059cd0cdff

Download Submit
C:\Windows\Temp\asw.57bba672884d277b\ecoo.edat

Filesize
41B

MD5
becf40c99cebb8c75f02968502839ad3

SHA1
6719271fe168541b01bf923b41011ed258a2d8d4

SHA256
1dd1226be9bebecf9b526e5ad68b5d1c26c2d9d5dc375ce715c3fb010ea4e519

SHA512
ae5e04a42116cf806e9eb42b976c40ba6ab0d16a22c8e2e74e25793f3e4b7b09adf86b5cb02fd3b82c682d73f216ad3db43f2ee440c4b0a61fd8b4e530b92d6d

Download Submit
\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
\Windows\Temp\asw.31d43fabf4c75595\uat64.dll

Filesize
29KB

MD5
645b5c948e61171982650feb0762fee2

SHA1
2424182a5e1957d963e10340236cf12ab28570a5

SHA256
c240e8b6271c51c11dccf41a5ac3b6f312208e3205336087af4785d433841a0f

SHA512
5cf9155b9504343d6ab6cf540feb3c47628b3add3a6089b9d787349efa3280964577c9fc101f9ba4f0f44c5d22bc31f2d12bea1a6a44ea4e72645972a49dddcd

Download Submit
\Windows\Temp\asw.57bba672884d277b\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
dfe0cd9972fb69dbc922ae92f830351e

SHA1
65238b6df365683283e0278b65de8f5e41a7e3ae

SHA256
f552e5fc3f987f3d6140b315e8166febefcbdc1b1a7a104368c6c20df2f5825d

SHA512
4211836c80a9df377d0eceb55eee9d9bcca679f1380f07b158aba985daf0799228aaa8679c2a33667c90a8912e710e1b9121a495c24cb3e5d9263b4b371015c4

Download Submit
memory/5124-3050-0x00007FFAD7040000-0x00007FFAD7439000-memory.dmp

Filesize
4.0MB

Download
memory/5124-3049-0x00007FFAD7440000-0x00007FFAD8671000-memory.dmp

Filesize
18.2MB

Download
memory/5124-3051-0x00007FFAD7440000-0x00007FFAD8671000-memory.dmp

Filesize
18.2MB

Download
memory/5124-3105-0x00007FFAD7440000-0x00007FFAD8671000-memory.dmp

Filesize
18.2MB

Download
memory/5124-3116-0x00007FFAD7040000-0x00007FFAD7439000-memory.dmp

Filesize
4.0MB

Download
memory/5124-3115-0x00007FFAD7440000-0x00007FFAD8671000-memory.dmp

Filesize
18.2MB

Download