56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
Size

253KB
MD5

5ae58f7f53174ab6d40e73dc6fec8f60
SHA1

3ba8d0ae3466890d2f13740b33a15b77d268e8d9
SHA256

56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c
SHA512

676c12f0963100220b88eda58c87a544ad78616be47f03bbc912c1429ec750c82c97f6c7ec2724bf33d1a6ac82de6103e8325a99d8d015c79cc48ccfd35a1362
SSDEEP

3072:YKs2murv7P87bIW89bUnOF+Pzb2bXk1/EBW3i59+Y9f2BSvupDhpbNDvPTzBDhsd:YTurvj0MUnP2bXe/EA3hYQou/pxkpRZ7

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
2064	avast_free_antivirus_setup_online_x64.exe
1196	Process not Found
2072	instup.exe
872	instup.exe
2260	aswOfferTool.exe
612	aswOfferTool.exe
1592	aswOfferTool.exe
1660	aswOfferTool.exe
2104	aswOfferTool.exe
1884	aswOfferTool.exe
1528	aswOfferTool.exe
2948	aswOfferTool.exe

Loads dropped DLL 32 IoCs

pid	Process
2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
2072	instup.exe
872	instup.exe
1592	aswOfferTool.exe
2104	aswOfferTool.exe
1528	aswOfferTool.exe
2948	aswOfferTool.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "74"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "79"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "20"	instup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2064	avast_free_antivirus_setup_online_x64.exe
2064	avast_free_antivirus_setup_online_x64.exe
872	instup.exe
872	instup.exe
872	instup.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 32	2064	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	2064	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	2072	instup.exe
Token: 32	2072	instup.exe
Token: SeDebugPrivilege	872	instup.exe
Token: 32	872	instup.exe
Token: SeDebugPrivilege	1660	aswOfferTool.exe
Token: SeImpersonatePrivilege	1660	aswOfferTool.exe
Token: SeDebugPrivilege	1884	aswOfferTool.exe
Token: SeImpersonatePrivilege	1884	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2072	instup.exe
872	instup.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2064	2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	31
PID 2368 wrote to memory of 2064	2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	31
PID 2368 wrote to memory of 2064	2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	31
PID 2368 wrote to memory of 2064	2368	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	31
PID 2064 wrote to memory of 2072	2064	avast_free_antivirus_setup_online_x64.exe	32
PID 2064 wrote to memory of 2072	2064	avast_free_antivirus_setup_online_x64.exe	32
PID 2064 wrote to memory of 2072	2064	avast_free_antivirus_setup_online_x64.exe	32
PID 2072 wrote to memory of 872	2072	instup.exe	33
PID 2072 wrote to memory of 872	2072	instup.exe	33
PID 2072 wrote to memory of 872	2072	instup.exe	33
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 2260	872	instup.exe	34
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 612	872	instup.exe	35
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1592	872	instup.exe	36
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1660	872	instup.exe	37
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 1884	872	instup.exe	40
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42
PID 872 wrote to memory of 2948	872	instup.exe	42

C:\Users\Admin\AppData\Local\Temp\56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
"C:\Users\Admin\AppData\Local\Temp\56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\Temp\asw.28c454be71e05bf9\avast_free_antivirus_setup_online_x64.exe
  "C:\Windows\Temp\asw.28c454be71e05bf9\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_sft_dlp_006_114_v /ga_clientid:7fcd9bf2-07df-46dc-aadd-19b39af2b6b4 /edat_dir:C:\Windows\Temp\asw.28c454be71e05bf9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\Temp\asw.dc1d70224cc7513c\instup.exe
    "C:\Windows\Temp\asw.dc1d70224cc7513c\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.dc1d70224cc7513c /edition:1 /prod:ais /stub_context:35143081-8cb3-45ac-997a-fc50809b9b69:9941352 /guid:811342a5-e908-4fbc-bbdc-c5c6d6968bab /ga_clientid:7fcd9bf2-07df-46dc-aadd-19b39af2b6b4 /no_delayed_installation /cookie:mmm_sft_dlp_006_114_v /ga_clientid:7fcd9bf2-07df-46dc-aadd-19b39af2b6b4 /edat_dir:C:\Windows\Temp\asw.28c454be71e05bf9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\instup.exe
      "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.dc1d70224cc7513c /edition:1 /prod:ais /stub_context:35143081-8cb3-45ac-997a-fc50809b9b69:9941352 /guid:811342a5-e908-4fbc-bbdc-c5c6d6968bab /ga_clientid:7fcd9bf2-07df-46dc-aadd-19b39af2b6b4 /no_delayed_installation /cookie:mmm_sft_dlp_006_114_v /edat_dir:C:\Windows\Temp\asw.28c454be71e05bf9 /online_installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:612
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1592
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1528
    - - C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
27KB

MD5
510372c3d1ca87c2ffaa4f7f436c8e59

SHA1
81e67c70b0697b376d0db9ac669c711b080d4770

SHA256
72aee65da630ef374e16e14cdb1bff46b9af12a2065eb875575913022d664f90

SHA512
6e035a8967260c0d39f017f14cfc9183d7f03a8e17fad489eed5e5df52822c2a428eb88318c729b8461bd01b7318c44c2662641653d1663c1fb324490319d691

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
2KB

MD5
e20111e0d4103c31279e26001e883d54

SHA1
6db06e0f4135d7b32a9a9abe7920155f009eeaf8

SHA256
4971b2e81f4e2a02e16b8aa749274130b92e5cdb9afc96f7a7fd6124e6ba8f5b

SHA512
22fe85fc3b98f1f147e9c30dd1c0c5ef073d8463525faaafa666e9628b6d677bfb55c8f349325de1639f845c67aac09a588634fc4254cb37ed1b3bb29bbb19fc

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
142B

MD5
87b7e31b248622967866399ac2b91683

SHA1
5418c015aaea8e82acdb710058c96a5b5d72371e

SHA256
e3604175f038f21d1117207f24bf5509087c983656778110ae69f438b4ea90b1

SHA512
79e4d4ecd9661372bd4f4b6bb9a993508c360951b1362080b2d416e5a5ce6c9f948e21d4f5f243767fca15f326b7bd560340b8c7420e75dcd7c1be682c8dafe6

Download Submit
C:\Windows\Temp\asw.28c454be71e05bf9\ecoo.edat

Filesize
21B

MD5
1ea978aaf85c67ca89b29149631d5f67

SHA1
05e90d2a5c90f6fa75592155b56d8992878ade9c

SHA256
28965a972fd323e95ab943543d5bf17ed14b9af03c5d0e842b282a01092faf0d

SHA512
04aba5f98d9ce773f881a1125bcd8da651f4375895af404b48df81ac856d49f829b15f80a33eac16d3ab50e286d06f33f46f58ca19650cfbf489c70692a6e0c6

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\HTMLayout.dll

Filesize
4.0MB

MD5
fca65f25b34e4152300b34bc0535ef2c

SHA1
bdc1b00ade7fcb4baeb804ed49a27ff05b384d96

SHA256
ef97667682dc5b718235de3a8e5cd66d568a95c9a2d14897385077176c7bd7a9

SHA512
41119ff13c0d5d097141fcb6e14b8965c50756e0ed2f6ad5e718b1d1d45b4a6acff57ff11b32607f285395d1e295b3a96792e11634be43ef00e97dcad074829c

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\Instup.dll

Filesize
18.1MB

MD5
013420fdda6ec8a1de8997dfc51c463c

SHA1
f13f902db8ffb2bd91984b090530313f01391297

SHA256
b272662591c334f08b274c88102001fda20824f8b81cdffbf4f9079085fbee96

SHA512
ab0ed3001071edab997671b2929b067bcbab67fa58aca9b56284fd9ae16cd881a2a8e517d20c8a5f592bbec6c0d64d0a7074a59ff829672da13cc34fa17d4791

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\asw2034fd3033c259bd.tmp

Filesize
831KB

MD5
c5665f1f93d9aabbcb1dde533e2c46e6

SHA1
732389de20c600d0222d61b4ee74b0be6412a45b

SHA256
adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a

SHA512
51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\asw21b0f64d6a4f49e3.tmp

Filesize
19.1MB

MD5
9ee6528abdad768fbfa28bd1bb80ebe9

SHA1
f5582697e068ba1d56825fc32bd5ab1a71bd4d38

SHA256
61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

SHA512
de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\asw76f912a5d605ca1a.tmp

Filesize
907KB

MD5
700b6740e6bfa7729f146572d8455348

SHA1
19d80fb0251f417283ed36fc20c43079b3f6fbb8

SHA256
d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e

SHA512
7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\asw82872226b8a5ae34.tmp

Filesize
3.1MB

MD5
b216fc28400c184a5108c0228fba86bc

SHA1
5d82203153963ebede19585b0054de8221c60509

SHA256
7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd

SHA512
6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswa220f6757ecad8b5.tmp

Filesize
4.5MB

MD5
ef035189604e7f5d68a62827b985ccbb

SHA1
c094c6eef2640a71aee9f4b27123c2080d38136f

SHA256
64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740

SHA512
32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswa811c25d108c637c.tmp

Filesize
3.8MB

MD5
d9be57d4e1a25264b8317278f8b93396

SHA1
d3c98696582fed570f38ae45bf22b8197253b325

SHA256
a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3

SHA512
2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\aswc8a6da5326ee5c91.tmp

Filesize
15KB

MD5
13e9fbb02cb7497562b59a9ef8f1ee92

SHA1
047936e9296e77939b5b23c1a2af3056eaa2ae99

SHA256
40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a

SHA512
0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\aswfe3ed8780f48f963.ini

Filesize
825B

MD5
a7f158e014ce4dc1310b056ff8bff56a

SHA1
02edc20a457c13120a5fbbde130dadbd00939b94

SHA256
1433ea6392f3285c8642c069128a915d76569eb5bf980e5833d72e8750467f36

SHA512
11b09ef6538ee235c4d630c9f3a53d9a004c104900ea4176a66a79b8bf72019daf11e51b2fc65ff607e3ebe2378310b24fcfe8056e51d8ef61a468718d7f5499

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\aswfe3ed8780f48f963.ini

Filesize
922B

MD5
d0e1899a82054b8c364c9a259da6ac21

SHA1
d74e9c2d36d4d806bd74a8e3909abd564b0182ee

SHA256
4a43863c30bf3da3f1e4919e3cd33522e3b5a6ebfcc914e583b740cc2c864a31

SHA512
8aa365aa37ac1d280012331ad638bc1e4be78eae6b63dd0bf7d5c63c07911db87f9f9ab52da9ba4a38ef3ab8f3f08cca1f32659ca6e6c25c916aeb78019f558e

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\config.def

Filesize
29KB

MD5
753c88ab9f26c3ebb5f9825f1e836208

SHA1
4e4d7bcf9f5c74c4a28e0a21c8876e723f4b974e

SHA256
6e1d3f733686afed10ed11a416826921e6b9acafe0ed53eab37bf94f48df85a9

SHA512
697d47b31882b3d832001fdb9001006132145204eadd4f1993e2a4d8f0e03ff503e436acf6ccdcf71914d15b25ea0d73cfc90bd2704120f3093a88f11f62584a

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\config.def

Filesize
29KB

MD5
cde9498ec9580df8d197ff50efcd29c8

SHA1
50501459e58d2bd5073e8b266047bdcce9a45832

SHA256
3cdb4ca4adc3f557d104f2a2c2da935355da74a17d4585bf5f18fb421efdad81

SHA512
be0a40e6ce6dd7b3afe5575f1eb6919243acc5064f43d85c39fe08317fe4dd354013896ed381053d26e62742b37b385c96c414df6720a68e4148e4ef98d78f2c

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\config.def

Filesize
35KB

MD5
52e620fe1660097baee2005d8c0ffc42

SHA1
197dd3fdefede50d354eeec85b913d642b3c560d

SHA256
ad3407080e267826440d609762b2a13c23b875a9739cb83f3c7a21af0115120f

SHA512
5d6be2e5926f5c820fcacc1c2f95dc744a732f655fb3b2ba7dab72e2a4f69c16f243fbc82c32dc2b1090705560fc1c9dfa231230a1449a4d499fdfa7baffc335

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\part-jrog2-1574.vpx

Filesize
699B

MD5
8a758d8ca05991bea545317c24813812

SHA1
9ac4fb2b311e9a9dc3d3148472dc95285d99eff6

SHA256
6e37c70ea507775fc2f225f9dc411c768d7e7838cebe3084a47ba64c3e1edc48

SHA512
86c13a248fbdad1a2c212b3faaa59fef750ae5b6f3980e59485cf71fd8f4d94710d07ae6b40b13ef1d1c20ef70a60c96b28c320c75145aa5dc41418816b417d7

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\part-prg_ais-15020997.vpx

Filesize
188KB

MD5
b898fa20bf9b0321b50a8d4946aae799

SHA1
4e173a99dc9a9ef507112857525ad53991f4d2a0

SHA256
6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c

SHA512
c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\part-setup_ais-15020997.vpx

Filesize
5KB

MD5
365b6ee6fbde00af486fc012251db2da

SHA1
8050ba5a9b6321f067fc694527011ba00767d4a2

SHA256
01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830

SHA512
949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\part-vps_windows-24082110.vpx

Filesize
11KB

MD5
28aafc2820c7432628a97d03955d8228

SHA1
d5dd1e3fd02bad90f79bb3d4d41b4d5d92373d57

SHA256
c20429bfa37b95ba2ce7a35f5646b4a0fe4ad407d421564f5fbf8e97e76dc395

SHA512
c1cd4f1532496a45d93e0502c3b071c2144d0907674e4be2a4bf6ff406e0c5de049e186950dcc7f8c5e0421a58cb19128e743aaee69df3a3acfa6c538982083a

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\prod-pgm.vpx

Filesize
572B

MD5
28261c70b4ba0225da4726ad7ec13266

SHA1
23b0c2cce16066b7820cf769bcff052bb03604ab

SHA256
384d3f757cfd167db8815880bddb79d6fed849cd0412c38c9ca998b742f3300b

SHA512
b066fe542795ef6dd6cf9d59fb2e776ad2daaf99c7da23646898688e5c5207be8502f17463b90912c6aefff3ab91b4e1df515d7b97325b59bd797764a5a5d735

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\prod-vps.vpx

Filesize
343B

MD5
e35f8deddc765868c66b9cc697336f90

SHA1
53f0d82825d69e8950fe1a07e76e9263109f6f17

SHA256
de5297f0def76e48e644c6a91ad4a9a6c934c62c2a0b845ff7407e294f7a1f11

SHA512
b5287c8f030e856656984bcfa7f76ca2a9813df146cbed15444ac503671733e341c4d72c356c6117affef819841d5f2c77946ff5857c5e3e47f9863cb9fc3606

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\prod-vps.vpx

Filesize
341B

MD5
9b8fb34eab96b651e73b0c6f28fd9c18

SHA1
d91af7565931144a958753f89cba2d43d5c2e1de

SHA256
0c9b0be5a7c304541b504df63b6f571c7f521bf0e0f8301ba65c5066292de304

SHA512
8bdc6da401fcd18f7b04414766ed9ca10fffda230624865eedecf960511b28c44bbbe6156b79ba8345d3ddef82fb034ec69264939f1c6e4281feaea8eb84c75a

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\servers.def

Filesize
29KB

MD5
a2c488fb7d3c5db6f578fb1736d49741

SHA1
622d7554f8380fe469e59e31f165697e578031f2

SHA256
9e4ceb50486625cc529947ee4868e79f289ef06937ad343ad49ed8e086292ccc

SHA512
2e23f30e95e29e79c639c2b587ec7cc189a0ff2ac9d138f6552b87f4a5f3e872baec9b0716a38c95ea39aefd19643aa9da4b87b96a4d389b5205cff702cc34b5

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\servers.def.vpx

Filesize
2KB

MD5
471cee2ad3a83091a8d7a1e9d731c038

SHA1
d69ca6d220d0de5650cd0d2f85c721946e1b44c0

SHA256
b5316c662a915427271db3e5f274a08e7486fcbd14d288d61a75153c04e48648

SHA512
2921c6119bec13bf5de8f684503119258799fe24576d438524ebd2603e87818437c7211ff9bd356c9995deba03025ff02b656bed1dda91e55b1d06188a86e23a

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\setup.def

Filesize
37KB

MD5
be793535c4acf02d4ad13b20d0c84deb

SHA1
65dd6b4891a75848042c10057808535298cee3e1

SHA256
31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd

SHA512
7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

Download Submit
C:\Windows\Temp\asw.dc1d70224cc7513c\uat64.vpx

Filesize
16KB

MD5
a6854bde365fff8396637a000127bf15

SHA1
13f40de9b8afeba832b15e5dc08dfd4b9166451e

SHA256
0b510e0aa383267eadfc96867fb9f2254ffa07ab177b0648ffd08947c867220d

SHA512
d084ea77b328d38e4044625a734f56db70b07753a158eef0844c4c48dbb02163bcd1eb5cbc4f844a9c021aed63d763c6c4e0b78c64484cd60644d9d2ff4cfd64

Download Submit
\Windows\Temp\asw.28c454be71e05bf9\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
b33b79f946ce60fe1c12ff71dd15093c

SHA1
74bc14477b10545d7dfa3e5f29d56193051bc045

SHA256
25cf377a539dc81025e8370ed3b6d4a89c083d0ec2b806f89b8abf55e1d7bd4b

SHA512
fdf5679cb8a7a3f737f32dc1d7464aa4ab795abff2c628f6dffd9118eb13497269e9150c708e31a535b230fe2faff031d8944cb51de7884574a75e446f12fef4

Download Submit
\Windows\Temp\asw.dc1d70224cc7513c\Instup.exe

Filesize
3.6MB

MD5
feafc9c134138295adc37b97608e7da8

SHA1
d8ef74f9ee5196f3526b03551939ef0d4739713f

SHA256
84ad7d9cb28a7d35642169f8d748e5da8e4a0b98dd432c6308bb7366363baabf

SHA512
02f4c36ddb0c4e2445dfc51b49f75b0213c45262f5995d76d97d6bbbaf535398d802afe197ae2fa227de7195d361d1fa8a5b07ab83251a95fe712a3781005f4f

Download Submit
\Windows\Temp\asw.dc1d70224cc7513c\New_15020997\gcapi_17242895621592.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Windows\Temp\asw.dc1d70224cc7513c\uat64.dll

Filesize
29KB

MD5
1eac709f7fe0e42741e40dd6570fc1cc

SHA1
5b153e03f643741c2fce6e00fa02ea2104f69c43

SHA256
bbe8a947d5d034816f135a205972a9c16235405042c749ff9ea691a62c8f888c

SHA512
0ac678e2ec443f24d3808501fc5042a1ec6a305ac0d08b47f58b38e31d664036e79866baca876d64f7b42d9d3f7e74a344eac5ae93cd2e826ce60f2f69e5061d

Download Submit
memory/872-300-0x000007FEF3CF0000-0x000007FEF501B000-memory.dmp

Filesize
19.2MB

Download
memory/872-341-0x000007FEF3910000-0x000007FEF3CEA000-memory.dmp

Filesize
3.9MB

Download
memory/872-340-0x000007FEF3CF0000-0x000007FEF501B000-memory.dmp

Filesize
19.2MB

Download
memory/872-343-0x000007FEF3910000-0x000007FEF3CEA000-memory.dmp

Filesize
3.9MB

Download
memory/872-342-0x000007FEF3CF0000-0x000007FEF501B000-memory.dmp

Filesize
19.2MB

Download
memory/872-352-0x000007FEF3CF0000-0x000007FEF501B000-memory.dmp

Filesize
19.2MB

Download
memory/872-354-0x000007FEF3CF0000-0x000007FEF501B000-memory.dmp

Filesize
19.2MB

Download