4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe
Size

231KB
MD5

d7f7dfa376ae79bae6a0d295380998de
SHA1

fba36039752c612c0ddb8ad6d1977f956bfe0276
SHA256

4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1
SHA512

bdaa5a2b8d650ad5a091e6eca0deb62de63d080f9df2fe127a58d3432681d33f399d0575f97278e0af3566bda008295783981345b906d37a44c5a6a3d746f576
SSDEEP

3072:N1JbT4aQQlT4aI4AgymsMU5a44Av2E8heNdqMREhJLsyV9GGWPGWgnVFqQMeJq7n:NPTh45gy/R4Av2TS9EhN1qQMeQLtDB

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2872	avast_one_essential_setup_online_x64.exe
2836	instup.exe
4360	instup.exe
1952	aswOfferTool.exe
4996	aswOfferTool.exe
116	aswOfferTool.exe
4128	aswOfferTool.exe
4016	aswOfferTool.exe
3144	aswOfferTool.exe

Loads dropped DLL 12 IoCs

pid	Process
4952	4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe
2836	instup.exe
2836	instup.exe
2836	instup.exe
2836	instup.exe
4360	instup.exe
4360	instup.exe
4360	instup.exe
4360	instup.exe
4996	aswOfferTool.exe
4128	aswOfferTool.exe
3144	aswOfferTool.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_one_essential_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_one_essential_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe
File opened for modification	\??\PhysicalDrive0	avast_one_essential_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_one_essential_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_one_essential_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_one_essential_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78"	avast_one_essential_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a45.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_one_essential_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_one_essential_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_one_essential_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_one_essential_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2872	avast_one_essential_setup_online_x64.exe
2872	avast_one_essential_setup_online_x64.exe
2872	avast_one_essential_setup_online_x64.exe
2872	avast_one_essential_setup_online_x64.exe
4360	instup.exe
4360	instup.exe
4360	instup.exe
4360	instup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 32	2872	avast_one_essential_setup_online_x64.exe
Token: SeDebugPrivilege	2872	avast_one_essential_setup_online_x64.exe
Token: SeDebugPrivilege	2836	instup.exe
Token: 32	2836	instup.exe
Token: SeDebugPrivilege	4360	instup.exe
Token: 32	4360	instup.exe
Token: SeDebugPrivilege	4016	aswOfferTool.exe
Token: SeImpersonatePrivilege	4016	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	instup.exe
4360	instup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2872	4952	4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe	89
PID 4952 wrote to memory of 2872	4952	4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe	89
PID 2872 wrote to memory of 2836	2872	avast_one_essential_setup_online_x64.exe	92
PID 2872 wrote to memory of 2836	2872	avast_one_essential_setup_online_x64.exe	92
PID 2836 wrote to memory of 4360	2836	instup.exe	96
PID 2836 wrote to memory of 4360	2836	instup.exe	96
PID 4360 wrote to memory of 1952	4360	instup.exe	97
PID 4360 wrote to memory of 1952	4360	instup.exe	97
PID 4360 wrote to memory of 1952	4360	instup.exe	97
PID 4360 wrote to memory of 4996	4360	instup.exe	98
PID 4360 wrote to memory of 4996	4360	instup.exe	98
PID 4360 wrote to memory of 4996	4360	instup.exe	98
PID 4360 wrote to memory of 116	4360	instup.exe	99
PID 4360 wrote to memory of 116	4360	instup.exe	99
PID 4360 wrote to memory of 116	4360	instup.exe	99
PID 4360 wrote to memory of 4128	4360	instup.exe	100
PID 4360 wrote to memory of 4128	4360	instup.exe	100
PID 4360 wrote to memory of 4128	4360	instup.exe	100
PID 4360 wrote to memory of 4016	4360	instup.exe	101
PID 4360 wrote to memory of 4016	4360	instup.exe	101
PID 4360 wrote to memory of 4016	4360	instup.exe	101

C:\Users\Admin\AppData\Local\Temp\4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe
"C:\Users\Admin\AppData\Local\Temp\4006c709faeedf03e8b58886eeff6b40353caec761847756e2df446f7c20bfa1.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\Temp\asw.c74098655873df49\avast_one_essential_setup_online_x64.exe
  "C:\Windows\Temp\asw.c74098655873df49\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_003_999_d8h_m:dlid_AVAST-ONE-FREE-WIN-PP /ga_clientid:a4e74983-7e0c-4560-bc2c-4127d86c9747 /edat_dir:C:\Windows\Temp\asw.c74098655873df49 /geo:GB
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\Temp\asw.c59dcc1361c77559\instup.exe
    "C:\Windows\Temp\asw.c59dcc1361c77559\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.c59dcc1361c77559 /edition:21 /prod:ais /stub_context:57e37b08-8a45-47a5-adc2-fb7cc4fb10e9:9930856 /guid:d474d78c-3c28-457a-b0de-63801c0d40fd /ga_clientid:a4e74983-7e0c-4560-bc2c-4127d86c9747 /no_delayed_installation /cookie:mmm_aon_003_999_d8h_m:dlid_AVAST-ONE-FREE-WIN-PP /ga_clientid:a4e74983-7e0c-4560-bc2c-4127d86c9747 /edat_dir:C:\Windows\Temp\asw.c74098655873df49 /geo:GB
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\instup.exe
      "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.c59dcc1361c77559 /edition:21 /prod:ais /stub_context:57e37b08-8a45-47a5-adc2-fb7cc4fb10e9:9930856 /guid:d474d78c-3c28-457a-b0de-63801c0d40fd /ga_clientid:a4e74983-7e0c-4560-bc2c-4127d86c9747 /no_delayed_installation /cookie:mmm_aon_003_999_d8h_m:dlid_AVAST-ONE-FREE-WIN-PP /edat_dir:C:\Windows\Temp\asw.c74098655873df49 /geo:GB /online_installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4996
    - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
    - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4128
    - - C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
27KB

MD5
63bf666bf31e2b8ec6b996161c5dbc11

SHA1
a59cd942d62ff9779f00871547b32e6e644cc523

SHA256
8cf9ffd110694d59804403d4f1647bbde314aaed5a329c5c0a4df4467a3876e8

SHA512
b780a3095374baf0a41e957054a9dda4c103469a839f02ca9d57022f2ced2eb3c989cc2be68e4e7c92e1f0e45e92ef065c53bc0d80f4ab41b10b8518698acb0a

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
dc4e482a4ae7094a54e3fd4fba548175

SHA1
f45d5281506440320a7f5f6379331b322a33d6d6

SHA256
c4ee7433a27bd480b5a7c4933e35ad26026e094e859d0626e1543e821d07d8ec

SHA512
20161a97e291764da8eb13b31ae95bbfbf114868d8da9678f0a3e282320c64dcb0f91c1f9edca6d8ff2351159457f4a464988235742a6d35af1d6fdbf6702345

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
f91869bcb4267feae32336e96cfb7a51

SHA1
34fcb19112dc90721be1f917ac523d47b988f332

SHA256
6956019f8e3d3d6c9354780f24cce566276bb6d13ed371a6e0cc85bbbb15c5e7

SHA512
dffeaecfb8fd8860016198b545fd2d45cac36116f78e925c93db110474f8c721a2123f332ffe6c2ab8bffe703c2f6e8af9872034c5cedff064c9ccff116073e4

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\HTMLayout.dll

Filesize
4.0MB

MD5
110089114750b59cdb11577a55847b4a

SHA1
16fb4e9ccc686cc172b33fef2ff80761f752b0cc

SHA256
e3f9eb4243a735283fb32fd6fc0e3a37b0b761c56e913198ed4b5ed81f9cc122

SHA512
856bab9247f39b6a11a632b2982fc9ae50bbb2722173dce02d47eba15902afd10d874f63322bef83ee110258c436d74c3808b8a310bf6c13456cced111dd0483

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\Instup.dll

Filesize
18.1MB

MD5
4a69de3d8443601e0c071e7411927341

SHA1
cfda80f102bcfaec76ecaf323bbe0e66774195ab

SHA256
2911c58615f9bddc1447fb33f8567087abd02a3ab0e96091e61a20934c9f508e

SHA512
76cb66eb5a1f33901bd28414522e3763bf86795d23edd33fd5665057054b710022bf5332b9e3f770d8724f63447c6556ddebfd771ae60f978722b40e35c1a207

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\Instup.exe

Filesize
3.6MB

MD5
7342a3f59c64b20e80de29eb49d99389

SHA1
325fdfa1c71a1f0e78b5dde05359fdba4be6c0e9

SHA256
91bc0af21e485bf52feed853af7a761f2f17fa0d64fbd0d7869a394b49dba784

SHA512
490979636b7475f20106b5eb3a32b12d1ef78a95e652695fff933a4aa2f49f8a57cec6c5161e6a4a1101c148f813a7bd8d4bcc2b0bdbac0196154adffc611e21

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\asw2ed6ac19a8ce18bc.tmp

Filesize
19KB

MD5
6be2f1a6317d2fe0ebbfd712beaa2f63

SHA1
988aae7b274206f6c90b67ccca93a75a839ff0ce

SHA256
246ffe781ab0fdee8f1d580bdb89176dd38b8560c451e5f1b5b809d48813e223

SHA512
9435dcadad328b2e44db9c78b3c530f21382e128a3457f3f110b44226414d8a33780e717727581947a55f3338f29aa34d07669ef623b88903a85d86d36cac4a6

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\New_180717ec\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\aswa2e9bf19d4a1ff23.ini

Filesize
1KB

MD5
1a04e2e34e0a7f71bf9db305e3bf4d3a

SHA1
4662c246b2e79da30f03d75ab7603929cdb60ff5

SHA256
4bed1131c7773457ef3c2f9ea7a10954b6b84955c6aa3efb9b6bb60e8d5ba17a

SHA512
3276ec5c6cd28f6d86bb6e4ef322c53e320f94944dafbd786f77524d0a3bf07a25892bb21a1443880516be5ce34686b2dab210aa8eb55fe884314687cd1724ed

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\avbugreport_x64_ais-a45.vpx

Filesize
4.7MB

MD5
5964e72271ad63668ea7652710e54400

SHA1
8b075adf2ce5d9165c3e7b808507e35cc1238390

SHA256
025b20f7e0313a8ea3f4123099a4d921e7532ecfa493f14a9240437a02a7a24a

SHA512
74ef5cc269e044d39f3706a3b0fe19397190036382e77f5220f1e613e266583c1e4fc701e2463375ca773d99c273b870f923f210b46ceb4ff6051315f7b5e5b0

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\avdump_x64_ais-a45.vpx

Filesize
3.3MB

MD5
a91d4ad0f091e237f39faa88049716f9

SHA1
874d461a8217acb500adbecd97400f01c30f9c62

SHA256
365f89460c8956420bca74c3b42e637f24dccd5a4b667c9185d7484e4403bc3d

SHA512
1c50106bc4cdc0a2663893a0646f5cc899f3bb9142468974c6a7663cafa5df0789994afa5e7c8af74875fac04fadaac45f8fe5556dd874bc51f0dc53aec28c83

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\config.def

Filesize
29KB

MD5
fcf68190fc0ba5391e263b655517aaa8

SHA1
c608bd9acbde6ec96919a29d46bc1c14a27b731e

SHA256
16c38a08f2ca7deae058ee282251e0d9e35cd6796b7329eba3e17c7131663f62

SHA512
ad991386bc68dda87f3401a7b7321323d81d04a6d1dea0b1ba221aa4a4acd2bc088185b4ee07db1bd572713c516d93f4f931effe91e78ef2ac3047a4985c2886

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\config.def

Filesize
31KB

MD5
8cb0b8fe478d9326adf94a4ecb8d116b

SHA1
bb22eab58bf24f8bd83c0f76b4b7cfd4de1f10cd

SHA256
4fd8e6e9d2bdee1a2c0bb901732c93947b122d5971be266cccf7ad6c929b05ad

SHA512
bf8f688fb312e1288bb78477cdbfbfbf131b3658655ad583bbcc47c6ff6f15351a9a30c3183499b9cce45fcb39ffa06f6439d6b2d8b85f8b993e440817b73d01

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\config.def

Filesize
37KB

MD5
4a8e3a49eb544af644f2d3a9f49f55f6

SHA1
28a6452915972c33e54969c02b127a0dfdd6c99c

SHA256
1d9d8b8f5c06975d23554cbab8476ed9b166f19f39d0bd305693275434cfc98f

SHA512
3ad0e6be3f83338fabe279807ad72796fff0ad6965735d25cf8b01e3279a8a92069d05491375b71e04dfb0fba0c9e7748a75ee418aca385ff072c7295cb0dd88

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\config.ini

Filesize
894B

MD5
8000b25c1829f052cf9147f447ed5a24

SHA1
63aeed4bc045d490c6d7392b447484c3c33ba88c

SHA256
fbd89c6b9b028060eb7c3d89b244afa5aaa83f062b161f30644223b2928fd672

SHA512
67155d2870b93d8ca0b9d1eb3ca305a96be41c4a22991518df9255c9619be2e3eea8c4d3b8a6b2a5f2ebf08ef92aaea351ddc1c7662074f7b98e758b96d10e62

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\offertool_x64_ais-a45.vpx

Filesize
2.3MB

MD5
2d7ec737f3477c5f633a5dcf87e5f7df

SHA1
c9166b3fe38e298ddb29be936c5be99715b64d96

SHA256
a328dd17444283eff1cbd57bc22cc7afe21029c6516de9cc37857f80330bd38a

SHA512
b77587c70cd38350ef0455074b50b75eb3d8f2e29635d14ca014c7e63c28c20ab4ac2e9ca272eee8d6b752cdb61e223ce1972a08b3b89480207acf10268fdd52

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\part-jrog2-155a.vpx

Filesize
695B

MD5
276c3f00c2aee07687c54c8532e8f7b6

SHA1
0108032bdfb0a38f861ed82f80580d2f0442155c

SHA256
7ecbb65aee2acb18a3febb7cac08e26db934660a2cebfb3604ad954c2b218cdf

SHA512
3ab2bb4143f59d6129fa1353ff2197168ff6a0709c8a906b56ece77891c1f78749390c2cfd3bb4c8a6bb350e4338b62b56b45b2e54bdd1468686d4f7cec0b675

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\part-prg_ais-180717ec.vpx

Filesize
74KB

MD5
863fc6ced83c3c1d2c0f86bb13c2ece5

SHA1
997799534bb6bad2a3f435f6f36ef80e4ccfb67c

SHA256
c2a34da73d79e47045f9393b8647c19f76e5a65275b183688e8c86365d92ebee

SHA512
8d9ab4380832e86f5d148add8d3157fbb06a1d2e639590dc0f04f5c08890a2f8f8ed72797d607e6391538cbaa8d77d50b2a2e4794a13db5f4d0da2909173b00b

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\part-setup_ais-180717ec.vpx

Filesize
4KB

MD5
800eb47562108eace0cc37408ea5d784

SHA1
b198d6f98eea23345bd515934ba65bf75ac58fe5

SHA256
9da22bd173fcb3eba2df079878c41e28616748be45297298eb294e193f1a4833

SHA512
7dc7e9e11860a94a7415068eb68371da484c53c2a257972e19ca747f4760c214fc39e4e4000aebea491c91e28a29ee968cc679590bcdf38cb9468e96fa0a49ad

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\part-vps_windows-24081306.vpx

Filesize
11KB

MD5
8a5d63b591c9bcd0ff45f0ebce5fb080

SHA1
3bc02aa1ec4cd10e107a076b48ddb478bc488a74

SHA256
b55fc94a76735b4591e557cd9627ac70ebb06bc5bccbc734cf510b925f0c3d60

SHA512
767d37ed85658d4b44a28234c59458727d691f84e29dd3800ca20da3cb0f9e6ef22bd2424a6251126bfa927d699975d006c5d4dcf63e2020d4ad93cffcee53fe

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\prod-pgm.vpx

Filesize
571B

MD5
1edd4c0a0428f8f05df0ad463224c839

SHA1
e3345b667431361eb70ee0832ab868a11b296e94

SHA256
fa8eb5231cc8efefe0b9e5f3fd50b90234e46a2dd3ec8469c3e783d0f5398cf6

SHA512
329e1239b09bd0501d9fc31d93fd1b1363d3c8af8e8eab8fe049cf63125a8bef6f4a169f4c9827e94a5291fd30207c298a4633d30be5deb8c8f9d4e4c782aae3

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\prod-vps.vpx

Filesize
341B

MD5
cb735f402a40af7524e40c985f2d6a73

SHA1
448bdad7f28fcccb8d6cfb32902505bca72e551d

SHA256
3da748535868af14439a64817a334daf08c6c7d6f865af5d5130e22d49a270b0

SHA512
e8f476794d40f47ca0ea2bd9162439f96377c41bfa84810f3f06e54c72ee8f8cfd268be7725bf9ecf1ff39850e0585b8f65b08774ddbc6760ae7d2360a7bf070

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\prod-vps.vpx

Filesize
343B

MD5
e4b8bb327726824d94fe86f6d9a535b8

SHA1
84d5bb8cef9e21f2a7fa72666360c3aee2b70fb4

SHA256
1c89fb9c22e40feea36c077b2d7fd55085a7333b96d8a9fd44faff1296d87863

SHA512
05df177c1cb7c1812c10e913043a2a92201058cd862ec0dae6c546b2f159000e8169cf45d9d10a99392925f1a412fb4e79a6f7960dc1371d0ef95c0eee974d3f

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\servers.def

Filesize
29KB

MD5
39d82cf162f1202304841ea2fa5caee9

SHA1
da05b98f0acd2c960346db0441a58200bbff3a83

SHA256
3121e33cff95aaa9e5e9ca4eb4f2ffbc79954eef840031656d8d390a64cada53

SHA512
3575623caeb39d78ae00f1c1246fb52c78ba265791de58f15f53d09de5c03b6860eeea9f4965d08c5cca7abd8ba380bc5cfe59ef5f8257f91d058cdaa0f05140

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\servers.def.vpx

Filesize
2KB

MD5
61935e97073241b3694a5933da1a010e

SHA1
5412b0d796a5459f146623e67e0212f84572f17f

SHA256
631204381d7a3fbffb56766010704b9128ea8fe7ec4854220effc2c5ab9a68ef

SHA512
201770b01657cb1fb5db53a7e5b806211947ff3ffdade5e8f0e0b9aca53ee48ca2194169ad4e5903edbb7360df49811adc0763a722f1bb28ad6249747f3c299d

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\setup.def

Filesize
38KB

MD5
24b473cf564fabc3a55cebcb8aa7a7c9

SHA1
795e24a972b2ff67545e4d61b42d29059a0fa1c8

SHA256
5b561e4a1587711fa7a9d710400ba537c4d73a01af95074b048d56f6b4131e7d

SHA512
262d84fb320899ec0c12fe217da608cc1ed7fd662c3f75ce4913a5d6ca91b1ed264f023f186655f280131b6fae1cbe24481a0ab6055677632a9e04a1a1dbe21b

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\uat64.dll

Filesize
29KB

MD5
9e2f415514d2e408661d3e71bf4a80c4

SHA1
d92f4d356272b424eac0beece46686093aa7dcdc

SHA256
4d4281642981c71556111db06cabcb494669261340ccb70089b5f12a952984d7

SHA512
c8ffbfa956e0de5262e4d5f0626b671bd1657af2b93d389054227cde01f71b7cd7b28f1b6ed2415b91d5a09a52d00f75bdace7961f101337f7cc621d0a93bc5a

Download Submit
C:\Windows\Temp\asw.c59dcc1361c77559\uat64.vpx

Filesize
16KB

MD5
e7908971c7f59401ceb35db59cbadded

SHA1
ebc24da66bc206a8ff7be80c7c48ad942fbb4963

SHA256
0bf0605894b5660daf656c950606f1fcfebc480921f1bc09c5726af08c1d16f4

SHA512
8dcd7f7a39578aeae46b8c014c618d4fd97f560ec3037a839c13bd60717dcfebf7ba456c287c5a6e041c1ee717079647b63579ef4b1170f0916c67a9fb1e3d8a

Download Submit
C:\Windows\Temp\asw.c74098655873df49\avast_one_essential_setup_online_x64.exe

Filesize
9.5MB

MD5
3cb9ff19d049fffc674a3d8b01e98376

SHA1
eef0fc5734f9d7d386b926e53f96efefbb94673b

SHA256
4f5e15321ab95d6a07c4d2e2317eaedcf3d377200cc3b4ca63247477660b3a98

SHA512
03af8a34b03010a4846bd6d99c2421b4cccbe176307c279f8ff8544b1a776511ec625c1e56381fd94b863b00d2f9faf9d1e0dde6c1fa4cee8c5065d83a25918b

Download Submit
C:\Windows\Temp\asw.c74098655873df49\ecoo.edat

Filesize
48B

MD5
d3f03cf318f375c37f6f18a86658075f

SHA1
764de8920442848bd5cf39f46374e5114a1dcd95

SHA256
e240645f55293d5c7c0fb4262b187d198e2d99f0a2b26aad471a0e0a62e33f82

SHA512
49cc310aedb40035d534af439a930e5170750362bd5a449ec5434d32b25324a7b6884cec83103a720db6175e0eaee0f7b11b390154307a91572a87a52e322b33

Download Submit
C:\Windows\Temp\asw.c74098655873df49\eref.edat

Filesize
51B

MD5
4997817e815ed0be335fe3b814babc0d

SHA1
36b38aff94d70493accb962f6a358b23d6da17c0

SHA256
022b7e09e3e6edf04d64f91f5b38fd68e4b7f3d3583b3dbede352c9831bbee8d

SHA512
71f2c13eadec93a09b79a74e13e616960e74aac12663eb5caa14a02d98a25f356cdb6a2e2dca040a8e8f4e38233073f5e3d4d8944ee3d7ccb4ed2b967532d639

Download Submit