0dc7d3ecd014cb892c10b13fff6df11ed87f12c0b61e8ab9be78a16bed660c89

Analysis

max time kernel
1190s
max time network
1156s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

avast_grátis_antivírus_configuração_online.exe
Size

241KB
MD5

0948a846befb4dc3df4542cbc0706daf
SHA1

3ce3284574b00431508ccdb5d68b7cdd8efe8607
SHA256

0dc7d3ecd014cb892c10b13fff6df11ed87f12c0b61e8ab9be78a16bed660c89
SHA512

faf679948d5bec43bb72615f05ae19318107e4df4098c906e40808c7f305092da919dce0e3353a2336a6015d41a827ddabc05646e826f1ef59e1fa3cd478da39
SSDEEP

3072:U1JbT4aQQlT4aI4AgymsMU5a44Av2E8heNdqMREhJLsyV9GGWPGWgnVFWQMeJque:UPTh45gy/R4Av2TS9EhN1WQMeQqtD27

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avast_grátis_antivírus_configuração_online.exe

Executes dropped EXE 11 IoCs

pid	Process
1492	avast_free_antivirus_setup_online_x64.exe
3632	instup.exe
3756	instup.exe
1788	aswOfferTool.exe
812	aswOfferTool.exe
692	aswOfferTool.exe
1424	aswOfferTool.exe
1000	aswOfferTool.exe
2504	aswOfferTool.exe
1404	aswOfferTool.exe
1256	aswOfferTool.exe

Loads dropped DLL 13 IoCs

pid	Process
2076	avast_grátis_antivírus_configuração_online.exe
3632	instup.exe
3632	instup.exe
3632	instup.exe
3632	instup.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe
692	aswOfferTool.exe
1000	aswOfferTool.exe
1404	aswOfferTool.exe
1256	aswOfferTool.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avast_grátis_antivírus_configuração_online.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-a45.vpx"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a45.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71"	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-a45.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a45.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a45.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1492	avast_free_antivirus_setup_online_x64.exe
1492	avast_free_antivirus_setup_online_x64.exe
1492	avast_free_antivirus_setup_online_x64.exe
1492	avast_free_antivirus_setup_online_x64.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe
3756	instup.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 32	1492	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	1492	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	3632	instup.exe
Token: 32	3632	instup.exe
Token: SeDebugPrivilege	3756	instup.exe
Token: 32	3756	instup.exe
Token: SeDebugPrivilege	1424	aswOfferTool.exe
Token: SeImpersonatePrivilege	1424	aswOfferTool.exe
Token: SeDebugPrivilege	2504	aswOfferTool.exe
Token: SeImpersonatePrivilege	2504	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3632	instup.exe
3756	instup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1492	2076	avast_grátis_antivírus_configuração_online.exe	82
PID 2076 wrote to memory of 1492	2076	avast_grátis_antivírus_configuração_online.exe	82
PID 1492 wrote to memory of 3632	1492	avast_free_antivirus_setup_online_x64.exe	83
PID 1492 wrote to memory of 3632	1492	avast_free_antivirus_setup_online_x64.exe	83
PID 3632 wrote to memory of 3756	3632	instup.exe	84
PID 3632 wrote to memory of 3756	3632	instup.exe	84
PID 3756 wrote to memory of 1788	3756	instup.exe	85
PID 3756 wrote to memory of 1788	3756	instup.exe	85
PID 3756 wrote to memory of 1788	3756	instup.exe	85
PID 3756 wrote to memory of 812	3756	instup.exe	86
PID 3756 wrote to memory of 812	3756	instup.exe	86
PID 3756 wrote to memory of 812	3756	instup.exe	86
PID 3756 wrote to memory of 692	3756	instup.exe	87
PID 3756 wrote to memory of 692	3756	instup.exe	87
PID 3756 wrote to memory of 692	3756	instup.exe	87
PID 3756 wrote to memory of 1424	3756	instup.exe	88
PID 3756 wrote to memory of 1424	3756	instup.exe	88
PID 3756 wrote to memory of 1424	3756	instup.exe	88
PID 3756 wrote to memory of 2504	3756	instup.exe	91
PID 3756 wrote to memory of 2504	3756	instup.exe	91
PID 3756 wrote to memory of 2504	3756	instup.exe	91
PID 3756 wrote to memory of 1256	3756	instup.exe	93
PID 3756 wrote to memory of 1256	3756	instup.exe	93
PID 3756 wrote to memory of 1256	3756	instup.exe	93

C:\Users\Admin\AppData\Local\Temp\avast_grátis_antivírus_configuração_online.exe
"C:\Users\Admin\AppData\Local\Temp\avast_grátis_antivírus_configuração_online.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Temp\asw.be518aa7b46b35b8\avast_free_antivirus_setup_online_x64.exe
  "C:\Windows\Temp\asw.be518aa7b46b35b8\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_e8h_m:dlid_FAV-PPC /ga_clientid:41f246b5-c464-4cdb-b85e-8077cf0dfab4 /edat_dir:C:\Windows\Temp\asw.be518aa7b46b35b8 /geo:GB
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\Temp\asw.461e67b848856ffb\instup.exe
    "C:\Windows\Temp\asw.461e67b848856ffb\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.461e67b848856ffb /edition:1 /prod:ais /stub_context:c7c0f3bf-cbda-4544-82f7-ddf08a73b4ed:9931880 /guid:13a9656d-225d-4f85-a58b-73741f892bf1 /ga_clientid:41f246b5-c464-4cdb-b85e-8077cf0dfab4 /no_delayed_installation /cookie:mmm_ava_012_999_e8h_m:dlid_FAV-PPC /ga_clientid:41f246b5-c464-4cdb-b85e-8077cf0dfab4 /edat_dir:C:\Windows\Temp\asw.be518aa7b46b35b8 /geo:GB
    3⤵
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\instup.exe
      "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.461e67b848856ffb /edition:1 /prod:ais /stub_context:c7c0f3bf-cbda-4544-82f7-ddf08a73b4ed:9931880 /guid:13a9656d-225d-4f85-a58b-73741f892bf1 /ga_clientid:41f246b5-c464-4cdb-b85e-8077cf0dfab4 /no_delayed_installation /cookie:mmm_ava_012_999_e8h_m:dlid_FAV-PPC /edat_dir:C:\Windows\Temp\asw.be518aa7b46b35b8 /geo:GB /online_installer
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:812
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:692
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1000
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1404
    - - C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
27KB

MD5
603df91fe01e78f85d1aa5e30c20041f

SHA1
1e4f3b6a613e0324340476401af60245a0325273

SHA256
ae22424962e1cc98da5ef5fa9dcd676cd55992f1ad02374f64a48431a681a59d

SHA512
6fe873a3bfe9511b554b721772b966a7af41e00d4f4cd7d5a19b7b72eb4ab44e2d19fcdfb0f979bec74df215666b4097a25c58fdc6f4c9ca03546b0cbbe0b004

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
2ccb3a277265bbad7e2b72c6da9f6d9e

SHA1
552389dd1bf27dbe980cb7aa918c9dbbab480a9e

SHA256
85e51bfeda8620990d1829198dbccc5eeff37b217e2d3b6a4e14a047d8a4fb70

SHA512
861d5a11d55fb4e37c62fda66bee41178b20c003bd33208f4797baaef421c7972953ba444e389dfb0133d4dce3174d1a4ef73ad5aef6a9dde7da6ee691ea28a1

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
e0adb2cda68d288fe8675042a68f1868

SHA1
7067234abc91c16c145f492c3ada859f932bfd5f

SHA256
0e8b3bd2fd0d2ab2de2b402d3d1e7dddb8b877587a1c1960e24cc8f0634db07d

SHA512
13741f3e7f2639ab0eefb17abe9922f3a434f7a90b0aaa4fe15624516112fa5acd9ae65f8825d226ef0bcf0beda1e51c5fa84678b02bb576267d8df5bc252c01

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\HTMLayout.dll

Filesize
4.0MB

MD5
110089114750b59cdb11577a55847b4a

SHA1
16fb4e9ccc686cc172b33fef2ff80761f752b0cc

SHA256
e3f9eb4243a735283fb32fd6fc0e3a37b0b761c56e913198ed4b5ed81f9cc122

SHA512
856bab9247f39b6a11a632b2982fc9ae50bbb2722173dce02d47eba15902afd10d874f63322bef83ee110258c436d74c3808b8a310bf6c13456cced111dd0483

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\Instup.dll

Filesize
18.1MB

MD5
4a69de3d8443601e0c071e7411927341

SHA1
cfda80f102bcfaec76ecaf323bbe0e66774195ab

SHA256
2911c58615f9bddc1447fb33f8567087abd02a3ab0e96091e61a20934c9f508e

SHA512
76cb66eb5a1f33901bd28414522e3763bf86795d23edd33fd5665057054b710022bf5332b9e3f770d8724f63447c6556ddebfd771ae60f978722b40e35c1a207

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\Instup.exe

Filesize
3.6MB

MD5
7342a3f59c64b20e80de29eb49d99389

SHA1
325fdfa1c71a1f0e78b5dde05359fdba4be6c0e9

SHA256
91bc0af21e485bf52feed853af7a761f2f17fa0d64fbd0d7869a394b49dba784

SHA512
490979636b7475f20106b5eb3a32b12d1ef78a95e652695fff933a4aa2f49f8a57cec6c5161e6a4a1101c148f813a7bd8d4bcc2b0bdbac0196154adffc611e21

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\New_180717ec\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\asw08de2a99fad1d844.ini

Filesize
1KB

MD5
80b6643b6e0e0726f5ac2dfc18922e00

SHA1
d29faa868bd3a95603c90d8c32372ce969a0fcff

SHA256
e6e00e138cb73acb89634b75d7f6873aba181750261a72d14bf2293a7e35a89f

SHA512
63a91e588baf595a1d92449a6149ae425a373539f15e83dab8b137d0d2daa36786c79f74dc6d6019173b8dfae260c79783bf4578cd6da2bc7c3421fcb1c8f483

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\asw08de2a99fad1d844.ini

Filesize
1KB

MD5
d3eeea3cca0648e249149f4ef765bdcf

SHA1
ab2f4ba5a41f994d157bd52e9b76bcbd08614548

SHA256
4df0749e68068b8f8ea17e8e85f91f2e5ef9a0e40a5b96c1ac6ca774ffab9ca6

SHA512
c3512499ad62124cf736a1c42b1667e20bbe1872baf35e589ecba320f54bf1af9347dae6bbf1d5a2c1d05ee58d0e8e5ca72daf05eeb11d2b7a1068b7a5d186f3

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\asw633e8410d831b97e.ini

Filesize
786B

MD5
c65900f679a40271d5bf25e10fd98973

SHA1
d6fe5c82092554327d3dbb41a5c8f87bc7ac8dbe

SHA256
52d02c43cc02bd61182d2b4beeaad8f9e77f28375d51c4e85a72c9e659aed083

SHA512
0ee7a8aacb0ac3e395de97d706470381b9553f2f645e6e8082c7e45464c4b0a48e071f39ea1147493f8528a028e077e1f7f77e204815d28cb2227fccaa4a05d5

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\avbugreport_x64_ais-a45.vpx

Filesize
4.7MB

MD5
5964e72271ad63668ea7652710e54400

SHA1
8b075adf2ce5d9165c3e7b808507e35cc1238390

SHA256
025b20f7e0313a8ea3f4123099a4d921e7532ecfa493f14a9240437a02a7a24a

SHA512
74ef5cc269e044d39f3706a3b0fe19397190036382e77f5220f1e613e266583c1e4fc701e2463375ca773d99c273b870f923f210b46ceb4ff6051315f7b5e5b0

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\avdump_x64_ais-a45.vpx

Filesize
3.3MB

MD5
a91d4ad0f091e237f39faa88049716f9

SHA1
874d461a8217acb500adbecd97400f01c30f9c62

SHA256
365f89460c8956420bca74c3b42e637f24dccd5a4b667c9185d7484e4403bc3d

SHA512
1c50106bc4cdc0a2663893a0646f5cc899f3bb9142468974c6a7663cafa5df0789994afa5e7c8af74875fac04fadaac45f8fe5556dd874bc51f0dc53aec28c83

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\config.def

Filesize
29KB

MD5
f44710a48709d75afa288d507915e009

SHA1
ebf9701d1b81c2964037f5d07d921180187bb7fb

SHA256
f83d6136632192b58c39dedc5a078970c87d3c9a5bb73da34b5ceaade5b3d1d1

SHA512
7b77388bbd19db431c24313da47658635dca2184943b318e78ce81a371a983590972f77beeadb205511b2261b7b3320e28a8e8305f8f932051b1c2d3c320834c

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\config.def

Filesize
36KB

MD5
4741a287c839d94209fe50d691c9fb0b

SHA1
dbb954a627293b0affdc793f500290772c2c927f

SHA256
669453392e0e19d88cd3a5f4f5e8232697b7eae129d659a08b291dfc517a8013

SHA512
1552603d655c60cc33737c25ae96661167d7fea9e79eb260fff77ddbedfd8df23e9bb4c7dfc9817bafc28bcfebca4aaeb6c99b11b71e103d7d5cc26f620d789a

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\config.def

Filesize
29KB

MD5
fcf68190fc0ba5391e263b655517aaa8

SHA1
c608bd9acbde6ec96919a29d46bc1c14a27b731e

SHA256
16c38a08f2ca7deae058ee282251e0d9e35cd6796b7329eba3e17c7131663f62

SHA512
ad991386bc68dda87f3401a7b7321323d81d04a6d1dea0b1ba221aa4a4acd2bc088185b4ee07db1bd572713c516d93f4f931effe91e78ef2ac3047a4985c2886

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\config.ini

Filesize
883B

MD5
8d842a95ecc9c052ef0597e1f5314c63

SHA1
b082a3e0c6dbbf3a80d5c98e5a39af83eb3f955b

SHA256
5d2256fd128a979a8a8be8674c23124ac1429b949eb47b66e62d5486754681b9

SHA512
2645814c05bf18877310ec1b8df26858a6d3662908ec3eeec7e954eb88aaaf2b5f1f4f23dcbd755d6eb351fefb62e193f4be9e22780906c74499d55952aa618f

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\offertool_x64_ais-a45.vpx

Filesize
2.3MB

MD5
2d7ec737f3477c5f633a5dcf87e5f7df

SHA1
c9166b3fe38e298ddb29be936c5be99715b64d96

SHA256
a328dd17444283eff1cbd57bc22cc7afe21029c6516de9cc37857f80330bd38a

SHA512
b77587c70cd38350ef0455074b50b75eb3d8f2e29635d14ca014c7e63c28c20ab4ac2e9ca272eee8d6b752cdb61e223ce1972a08b3b89480207acf10268fdd52

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\part-jrog2-153e.vpx

Filesize
702B

MD5
dda0e40ff3698d5e2b529eb74b31c6c8

SHA1
5e82ee7e7089cb7bd5fb76dfeeec9d535589bc31

SHA256
7426620a1c92a58ef7f38f368cda97636f63349c1eeeb18f6e857d99c99e5a0a

SHA512
3477d07f74aee2a7ba10222aa10acb67a8c233a43db4486b4d8d1515a7bbc19bc2fc4445719392f10831a037723bfccc418466d284f00322a59391d14c29abca

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\part-prg_ais-180717ec.vpx

Filesize
74KB

MD5
863fc6ced83c3c1d2c0f86bb13c2ece5

SHA1
997799534bb6bad2a3f435f6f36ef80e4ccfb67c

SHA256
c2a34da73d79e47045f9393b8647c19f76e5a65275b183688e8c86365d92ebee

SHA512
8d9ab4380832e86f5d148add8d3157fbb06a1d2e639590dc0f04f5c08890a2f8f8ed72797d607e6391538cbaa8d77d50b2a2e4794a13db5f4d0da2909173b00b

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\part-setup_ais-180717ec.vpx

Filesize
4KB

MD5
800eb47562108eace0cc37408ea5d784

SHA1
b198d6f98eea23345bd515934ba65bf75ac58fe5

SHA256
9da22bd173fcb3eba2df079878c41e28616748be45297298eb294e193f1a4833

SHA512
7dc7e9e11860a94a7415068eb68371da484c53c2a257972e19ca747f4760c214fc39e4e4000aebea491c91e28a29ee968cc679590bcdf38cb9468e96fa0a49ad

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\part-vps_windows-24080204.vpx

Filesize
11KB

MD5
fa4d4121de069cef3967fcab303efa38

SHA1
5fac0f5c83446e353c2b4e08eec91c672aa71328

SHA256
386bb94e3966e244970b24608d931573a5142aaf45882739bf43fcbfc7903cc0

SHA512
ff4a8f3590ff83eaf518c7a675216b35965e85fcce7d832130a0c74bd0b089dd1418efa72fb6155cfd6747fd57f638fe145580803cda7281468b8ade3a6bd222

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\prod-pgm.vpx

Filesize
571B

MD5
1edd4c0a0428f8f05df0ad463224c839

SHA1
e3345b667431361eb70ee0832ab868a11b296e94

SHA256
fa8eb5231cc8efefe0b9e5f3fd50b90234e46a2dd3ec8469c3e783d0f5398cf6

SHA512
329e1239b09bd0501d9fc31d93fd1b1363d3c8af8e8eab8fe049cf63125a8bef6f4a169f4c9827e94a5291fd30207c298a4633d30be5deb8c8f9d4e4c782aae3

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\prod-vps.vpx

Filesize
341B

MD5
cb735f402a40af7524e40c985f2d6a73

SHA1
448bdad7f28fcccb8d6cfb32902505bca72e551d

SHA256
3da748535868af14439a64817a334daf08c6c7d6f865af5d5130e22d49a270b0

SHA512
e8f476794d40f47ca0ea2bd9162439f96377c41bfa84810f3f06e54c72ee8f8cfd268be7725bf9ecf1ff39850e0585b8f65b08774ddbc6760ae7d2360a7bf070

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\prod-vps.vpx

Filesize
343B

MD5
982564cd0cafc0e3f79fcb27294457e5

SHA1
da277def65af997333d3590eb4e44693c3f915e1

SHA256
d14cfcc9987bddfd63a684267fa56a00e69ebc710fd5af375685ffafd7469f1c

SHA512
f92e822a08c1216b9f1e6b7af4f9d4f43a41894519f7aea4520481427682fa89f5c3f5a15333b039c85d8ded21b430f65c48c1ccbe37a440909643f8ad351676

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\sbr_x64_ais-a45.vpx

Filesize
19KB

MD5
6be2f1a6317d2fe0ebbfd712beaa2f63

SHA1
988aae7b274206f6c90b67ccca93a75a839ff0ce

SHA256
246ffe781ab0fdee8f1d580bdb89176dd38b8560c451e5f1b5b809d48813e223

SHA512
9435dcadad328b2e44db9c78b3c530f21382e128a3457f3f110b44226414d8a33780e717727581947a55f3338f29aa34d07669ef623b88903a85d86d36cac4a6

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\servers.def

Filesize
29KB

MD5
39d82cf162f1202304841ea2fa5caee9

SHA1
da05b98f0acd2c960346db0441a58200bbff3a83

SHA256
3121e33cff95aaa9e5e9ca4eb4f2ffbc79954eef840031656d8d390a64cada53

SHA512
3575623caeb39d78ae00f1c1246fb52c78ba265791de58f15f53d09de5c03b6860eeea9f4965d08c5cca7abd8ba380bc5cfe59ef5f8257f91d058cdaa0f05140

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\servers.def.vpx

Filesize
2KB

MD5
61935e97073241b3694a5933da1a010e

SHA1
5412b0d796a5459f146623e67e0212f84572f17f

SHA256
631204381d7a3fbffb56766010704b9128ea8fe7ec4854220effc2c5ab9a68ef

SHA512
201770b01657cb1fb5db53a7e5b806211947ff3ffdade5e8f0e0b9aca53ee48ca2194169ad4e5903edbb7360df49811adc0763a722f1bb28ad6249747f3c299d

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\setup.def

Filesize
38KB

MD5
24b473cf564fabc3a55cebcb8aa7a7c9

SHA1
795e24a972b2ff67545e4d61b42d29059a0fa1c8

SHA256
5b561e4a1587711fa7a9d710400ba537c4d73a01af95074b048d56f6b4131e7d

SHA512
262d84fb320899ec0c12fe217da608cc1ed7fd662c3f75ce4913a5d6ca91b1ed264f023f186655f280131b6fae1cbe24481a0ab6055677632a9e04a1a1dbe21b

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\uat64.dll

Filesize
29KB

MD5
9e2f415514d2e408661d3e71bf4a80c4

SHA1
d92f4d356272b424eac0beece46686093aa7dcdc

SHA256
4d4281642981c71556111db06cabcb494669261340ccb70089b5f12a952984d7

SHA512
c8ffbfa956e0de5262e4d5f0626b671bd1657af2b93d389054227cde01f71b7cd7b28f1b6ed2415b91d5a09a52d00f75bdace7961f101337f7cc621d0a93bc5a

Download Submit
C:\Windows\Temp\asw.461e67b848856ffb\uat64.vpx

Filesize
16KB

MD5
e7908971c7f59401ceb35db59cbadded

SHA1
ebc24da66bc206a8ff7be80c7c48ad942fbb4963

SHA256
0bf0605894b5660daf656c950606f1fcfebc480921f1bc09c5726af08c1d16f4

SHA512
8dcd7f7a39578aeae46b8c014c618d4fd97f560ec3037a839c13bd60717dcfebf7ba456c287c5a6e041c1ee717079647b63579ef4b1170f0916c67a9fb1e3d8a

Download Submit
C:\Windows\Temp\asw.be518aa7b46b35b8\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
c2626794e09a2197c5ac2fecc2f611a2

SHA1
e1ec4ae41bbba62de63cebebd4b37dced421e789

SHA256
64b255d3c9c3e0c244ff26a70351d873231495eb102dc6154c8bc9ea205b292a

SHA512
70609e6d758eae7fe552ae609aa3894465d11eb7b0bd171bc74cc41fd41cf8c31b2b80a8d5a1b91942142b9c8b16f05796c68d0ee8e907bac1bf2179950ed6df

Download Submit
C:\Windows\Temp\asw.be518aa7b46b35b8\ecoo.edat

Filesize
34B

MD5
f79b5469edec7ee78dc71b941b4ec49b

SHA1
aaa605edb9ec9d65d1f9a1b9a975dd5c89c195f1

SHA256
1faa9bd0c9c6506afac80d1f88f4e67f7709e2cfd8794462f60211d8879551b0

SHA512
f40c49204d5eb204993d555eb55b61452c1af811173b77bccb4066f3f062affd76247d2448ef46192e8d7a134c9bbde16f76de140e737e1e7af26757aa2cd95f

Download Submit
C:\Windows\Temp\asw.be518aa7b46b35b8\eref.edat

Filesize
51B

MD5
800b9fcb11840370aa72c0f2db8ebe29

SHA1
1a3ca4ca6674babead35cd1d0d7919cf8487895d

SHA256
fffb7cff7b5fb48e348e122b2de2efa0dffe35ed1b1916aae03a78bab1ba5898

SHA512
ff77342f50a12e141f73defa2794c4159f7103be157943f3a472a46b2413b703280517df4fbbf089a2d798ab72d052cafadd6a7eac82469e79902f61209790ef

Download Submit