56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
Size

253KB
MD5

5ae58f7f53174ab6d40e73dc6fec8f60
SHA1

3ba8d0ae3466890d2f13740b33a15b77d268e8d9
SHA256

56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c
SHA512

676c12f0963100220b88eda58c87a544ad78616be47f03bbc912c1429ec750c82c97f6c7ec2724bf33d1a6ac82de6103e8325a99d8d015c79cc48ccfd35a1362
SSDEEP

3072:YKs2murv7P87bIW89bUnOF+Pzb2bXk1/EBW3i59+Y9f2BSvupDhpbNDvPTzBDhsd:YTurvj0MUnP2bXe/EA3hYQou/pxkpRZ7

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
4752	avast_free_antivirus_setup_online_x64.exe
900	instup.exe
3440	instup.exe
2976	aswOfferTool.exe
2844	aswOfferTool.exe
4140	aswOfferTool.exe
212	aswOfferTool.exe
5068	aswOfferTool.exe
1328	aswOfferTool.exe
3412	aswOfferTool.exe
3696	aswOfferTool.exe

Loads dropped DLL 13 IoCs

pid	Process
2392	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
900	instup.exe
900	instup.exe
900	instup.exe
900	instup.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe
4140	aswOfferTool.exe
5068	aswOfferTool.exe
3412	aswOfferTool.exe
3696	aswOfferTool.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a48.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a48.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4752	avast_free_antivirus_setup_online_x64.exe
4752	avast_free_antivirus_setup_online_x64.exe
4752	avast_free_antivirus_setup_online_x64.exe
4752	avast_free_antivirus_setup_online_x64.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe
3440	instup.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 32	4752	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	4752	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	900	instup.exe
Token: 32	900	instup.exe
Token: SeDebugPrivilege	3440	instup.exe
Token: 32	3440	instup.exe
Token: SeDebugPrivilege	212	aswOfferTool.exe
Token: SeImpersonatePrivilege	212	aswOfferTool.exe
Token: SeDebugPrivilege	1328	aswOfferTool.exe
Token: SeImpersonatePrivilege	1328	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
900	instup.exe
3440	instup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4752	2392	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	95
PID 2392 wrote to memory of 4752	2392	56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe	95
PID 4752 wrote to memory of 900	4752	avast_free_antivirus_setup_online_x64.exe	96
PID 4752 wrote to memory of 900	4752	avast_free_antivirus_setup_online_x64.exe	96
PID 900 wrote to memory of 3440	900	instup.exe	100
PID 900 wrote to memory of 3440	900	instup.exe	100
PID 3440 wrote to memory of 2976	3440	instup.exe	101
PID 3440 wrote to memory of 2976	3440	instup.exe	101
PID 3440 wrote to memory of 2976	3440	instup.exe	101
PID 3440 wrote to memory of 2844	3440	instup.exe	102
PID 3440 wrote to memory of 2844	3440	instup.exe	102
PID 3440 wrote to memory of 2844	3440	instup.exe	102
PID 3440 wrote to memory of 4140	3440	instup.exe	103
PID 3440 wrote to memory of 4140	3440	instup.exe	103
PID 3440 wrote to memory of 4140	3440	instup.exe	103
PID 3440 wrote to memory of 212	3440	instup.exe	104
PID 3440 wrote to memory of 212	3440	instup.exe	104
PID 3440 wrote to memory of 212	3440	instup.exe	104
PID 3440 wrote to memory of 1328	3440	instup.exe	107
PID 3440 wrote to memory of 1328	3440	instup.exe	107
PID 3440 wrote to memory of 1328	3440	instup.exe	107
PID 3440 wrote to memory of 3696	3440	instup.exe	109
PID 3440 wrote to memory of 3696	3440	instup.exe	109
PID 3440 wrote to memory of 3696	3440	instup.exe	109

C:\Users\Admin\AppData\Local\Temp\56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe
"C:\Users\Admin\AppData\Local\Temp\56f0655ece61e37c2bb8d6c24ebbe958f3b4423e69ac85474b0a840a9e66732c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Temp\asw.c6d9036d65598752\avast_free_antivirus_setup_online_x64.exe
  "C:\Windows\Temp\asw.c6d9036d65598752\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_sft_dlp_006_114_v /ga_clientid:538c3f6b-da4f-4df7-b9d8-eead28f61bce /edat_dir:C:\Windows\Temp\asw.c6d9036d65598752
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Temp\asw.b4e47d496e9978a3\instup.exe
    "C:\Windows\Temp\asw.b4e47d496e9978a3\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.b4e47d496e9978a3 /edition:1 /prod:ais /stub_context:7af6db19-c0fe-4cb4-9cd3-cc3a0861b5c3:9941352 /guid:25a3d73c-5caf-4497-a302-920bc96450eb /ga_clientid:538c3f6b-da4f-4df7-b9d8-eead28f61bce /no_delayed_installation /cookie:mmm_sft_dlp_006_114_v /ga_clientid:538c3f6b-da4f-4df7-b9d8-eead28f61bce /edat_dir:C:\Windows\Temp\asw.c6d9036d65598752
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\instup.exe
      "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.b4e47d496e9978a3 /edition:1 /prod:ais /stub_context:7af6db19-c0fe-4cb4-9cd3-cc3a0861b5c3:9941352 /guid:25a3d73c-5caf-4497-a302-920bc96450eb /ga_clientid:538c3f6b-da4f-4df7-b9d8-eead28f61bce /no_delayed_installation /cookie:mmm_sft_dlp_006_114_v /edat_dir:C:\Windows\Temp\asw.c6d9036d65598752 /online_installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" /check_secure_browser
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4140
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5068
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3412
    - - C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
24KB

MD5
16ef216b54d1e54f3e10ab93380e95a3

SHA1
5929fcfe2a65d05f86701307e1aaca9c16d1bce0

SHA256
f2c199231e42ad8c2970d0b071e79f50595083b6853a070fd7c21b8c739b7c0d

SHA512
67001221006ac2ae341d152eabd8f64a9b8c41b4b1318278a89d5ede97f00f3d46c161c9c8c189336356ed282b6a96dcf7502fe192b8fb4354bd776855411b3d

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
c0cbc32daa4bc66ca7764f0d15abb179

SHA1
b5f3384fa1eca172ac6ecc2e74f73de5d0d3c2f2

SHA256
1d8f7669066776e5166c886792dac97d833d89eb700af9ee5a3711020e41da4a

SHA512
9680f8836bfb78207267652e06e42d7053558892752621047c3c0a11eb4fbc54bb8930e74628f86f2ff726b0392461325a8b85247dde46b15c8010a8271a6925

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
288bd04a5c2cf23c9f3a6b364ae30d96

SHA1
1026e2381c72809290a890ff7e6a2fe8d796f253

SHA256
19b3fb6bf60703b896bcb7097e041c5b3d3abbf11d887985b5e0bf3a54f4bb95

SHA512
df71ae230620bbc7a04a11bd6c26db253fbdf1c85edbdb9ae4f6a71539f70732b5c8163a4b27a2a2b7d517c73f502add5004b173733836d8b6cc9d17b4193fae

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\HTMLayout.dll

Filesize
4.0MB

MD5
fca65f25b34e4152300b34bc0535ef2c

SHA1
bdc1b00ade7fcb4baeb804ed49a27ff05b384d96

SHA256
ef97667682dc5b718235de3a8e5cd66d568a95c9a2d14897385077176c7bd7a9

SHA512
41119ff13c0d5d097141fcb6e14b8965c50756e0ed2f6ad5e718b1d1d45b4a6acff57ff11b32607f285395d1e295b3a96792e11634be43ef00e97dcad074829c

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\Instup.dll

Filesize
18.1MB

MD5
013420fdda6ec8a1de8997dfc51c463c

SHA1
f13f902db8ffb2bd91984b090530313f01391297

SHA256
b272662591c334f08b274c88102001fda20824f8b81cdffbf4f9079085fbee96

SHA512
ab0ed3001071edab997671b2929b067bcbab67fa58aca9b56284fd9ae16cd881a2a8e517d20c8a5f592bbec6c0d64d0a7074a59ff829672da13cc34fa17d4791

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\Instup.exe

Filesize
3.6MB

MD5
feafc9c134138295adc37b97608e7da8

SHA1
d8ef74f9ee5196f3526b03551939ef0d4739713f

SHA256
84ad7d9cb28a7d35642169f8d748e5da8e4a0b98dd432c6308bb7366363baabf

SHA512
02f4c36ddb0c4e2445dfc51b49f75b0213c45262f5995d76d97d6bbbaf535398d802afe197ae2fa227de7195d361d1fa8a5b07ab83251a95fe712a3781005f4f

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\asw830bb34346bd8523.tmp

Filesize
20KB

MD5
e0773e83692a4c7b1d634e28250994f7

SHA1
bbaeb069aaa3935618e5f28da6f3f165996b0286

SHA256
d93fded96c702fc4dc8c7482e5e5ffa6caee97e31187b890d610b039017ede55

SHA512
096b165e254a213e009a4bb661343ff31871626e3092b665960488da8ceeb6e80fdf89d7bf85dd9ac59f89ad15199683b23e53fca2861b60301007ada4af5676

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\New_180817ef\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\asw9d7de7852b9584d8.ini

Filesize
1KB

MD5
1d57c0b2a1594e75f0d3946f2d45a0c3

SHA1
253df5b5a01c8b0feb61a9f31062ed72861056ff

SHA256
c5ac65dd148ab9f53387e7bb9edddcbbd6421d2ce0c004422b1f45141e3b4db7

SHA512
c0ba2d4244a8af51e785cc61d913c4f8b0b9f78cd7cda0a416e043569e181a854fa042cdfd49bff16a972b3b6295dd8a59fc20abdd55f8b81119dd74d5185041

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\asw9d7de7852b9584d8.ini

Filesize
1KB

MD5
23397a73a2b1e5b9737aa5d03e41b3b0

SHA1
a0b645132384ea6ccd877b8e58be37f652caae85

SHA256
5b5d4e7dedae1bce3d6ad369e7e07eca3448816593344b9f1e4cc4a2249b16d3

SHA512
c7a505691bf5deff26a5273cb61911d092309254d83a2e6536385e981753a0f0266f22274eadf3ca701500b138688f71b19604a4379e4ebd1e133c70607d2b87

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\avbugreport_x64_ais-a48.vpx

Filesize
5.6MB

MD5
a9eca00cd4015ba86f9f6c9a5dfb8326

SHA1
9a6faa7fdb0e88716e7d9ea8dce5ab3dbb135076

SHA256
d269ad4f899ca2cdb86185931311f3c01b6e8a8e513421ef6b9d869f5c04b74c

SHA512
16af5e8de4100ab1ea8dbcb04f1e5b7733b7fbd43514a3f9f840592ac1afad62d4619b923a76b1f6dbed7ec772b3513d8f632a6fb925461e4ad4c37e4f2722a9

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\avdump_x64_ais-a48.vpx

Filesize
3.3MB

MD5
0945efa037059e768efab61aaf8d4673

SHA1
1ee6537acfadaec963d0fc8b22cbe3a6a33b8668

SHA256
03237fd13426593547d7461f7be9a5bcd96217cce980229ea009a5bd98ee65f1

SHA512
382b75380e376c32afc635a08b48a11cc63297781088296833d278526ab3e65fc37d25c4f9e91ece57ad025baf97e43d9e1afa4af354ebae34d43d5643c0b133

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\config.def

Filesize
29KB

MD5
753c88ab9f26c3ebb5f9825f1e836208

SHA1
4e4d7bcf9f5c74c4a28e0a21c8876e723f4b974e

SHA256
6e1d3f733686afed10ed11a416826921e6b9acafe0ed53eab37bf94f48df85a9

SHA512
697d47b31882b3d832001fdb9001006132145204eadd4f1993e2a4d8f0e03ff503e436acf6ccdcf71914d15b25ea0d73cfc90bd2704120f3093a88f11f62584a

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\config.def

Filesize
29KB

MD5
f429b8731985667c63f7f0265c3eee53

SHA1
3faca7fa02f8a7989f6ec2a33ed28b620076d717

SHA256
d69356c3cf006a51dd2e570c355f2e7bb6279d98a8f9381a8a37f6b6a5afd75b

SHA512
03b21db3b6c37178723213d41157be31fe141e42e0a6c638eeb863922e3445f29869195e71905351218b85f71fa55516056a08e391de14f263692a457939be7e

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\config.def

Filesize
36KB

MD5
e67a65de98a0305effeded7b26370330

SHA1
6946ae4f3d89037ffdf9162a6d70be28a036feb6

SHA256
04b666e847e865cc6181adee517e4c9b3d142bdf45296d0d91b3211f09a71680

SHA512
314a00b7f51790e551889c6cfaff6bbed6f53ed6a85a1ee34d5a00e19f6284a7e8b166514f1f2c59c3efe74599ba37315dec20faaf204b53f64ed7020961453e

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\config.ini

Filesize
883B

MD5
7bfbf005ff124ccd5b0627fa291f43d4

SHA1
018e8f2d9321fae871a8948f1011997ade1dcdb2

SHA256
e2f7615e695b29be1f5f927557449de50cebc0f7c30283cc8a0a53658efa678f

SHA512
d67159378ac96cd483f1b3b7ff41af9e977d4cc91eabee0afc1c2d64a4d9836446fca238ea2d0c3e73473a7c09b4d689b45112dd2438a1f9dd0c94edc9e609a5

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\offertool_x64_ais-a48.vpx

Filesize
2.4MB

MD5
cfaa7925eae8f368df6b54cdc827f276

SHA1
95f30e25fbc21804a2cc69477da1d2c23d3e0604

SHA256
586bc918318439dfdacfc9fadb2c05201a0d5f78bdfa4026b1bd63186190df14

SHA512
f79f367e99c856d4e18f3162c2ab12c7321863f63e1162b2939c82282d32a9ed90d23e79b54f9bc4962c1516c94e76b34bea89a0104a9291d72d514738edcd0f

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\part-jrog2-1574.vpx

Filesize
699B

MD5
8a758d8ca05991bea545317c24813812

SHA1
9ac4fb2b311e9a9dc3d3148472dc95285d99eff6

SHA256
6e37c70ea507775fc2f225f9dc411c768d7e7838cebe3084a47ba64c3e1edc48

SHA512
86c13a248fbdad1a2c212b3faaa59fef750ae5b6f3980e59485cf71fd8f4d94710d07ae6b40b13ef1d1c20ef70a60c96b28c320c75145aa5dc41418816b417d7

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\part-prg_ais-180817ef.vpx

Filesize
74KB

MD5
37dfcd41dd4ec41358417837d01e0a63

SHA1
5ec999faac7e265f90688c50269bc3ea4c59a861

SHA256
9e605c42f11fa4d7c6055d7017c350c973944f197e5bae6437b98a9d9cca7227

SHA512
015e14c5c232d089d4c97242afd272025acfd86d60ae14c698d818279a5eb53d5c61754d476843277441a2cc8062c36d1ff394d0cc9e5ec172cce5fa1e58d38a

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\part-setup_ais-180817ef.vpx

Filesize
4KB

MD5
134b8d628c16ad8fb5caac6b55b29de3

SHA1
d58d0de11de07aa8d421fb7d9022aeb913b80b9f

SHA256
07962aba3ce63e90d12299bb387297b845e1ad338fe07cb0b09524e8a4896418

SHA512
77697266cf2f479b0c096e9cd94178a4fb4b252a25146fcb492e3b180da6056e4d00baefe43967de496876d290042fd9c9380126b7143c2a2f7fde68a33d2828

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\part-vps_windows-24082110.vpx

Filesize
11KB

MD5
28aafc2820c7432628a97d03955d8228

SHA1
d5dd1e3fd02bad90f79bb3d4d41b4d5d92373d57

SHA256
c20429bfa37b95ba2ce7a35f5646b4a0fe4ad407d421564f5fbf8e97e76dc395

SHA512
c1cd4f1532496a45d93e0502c3b071c2144d0907674e4be2a4bf6ff406e0c5de049e186950dcc7f8c5e0421a58cb19128e743aaee69df3a3acfa6c538982083a

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\prod-pgm.vpx

Filesize
572B

MD5
28261c70b4ba0225da4726ad7ec13266

SHA1
23b0c2cce16066b7820cf769bcff052bb03604ab

SHA256
384d3f757cfd167db8815880bddb79d6fed849cd0412c38c9ca998b742f3300b

SHA512
b066fe542795ef6dd6cf9d59fb2e776ad2daaf99c7da23646898688e5c5207be8502f17463b90912c6aefff3ab91b4e1df515d7b97325b59bd797764a5a5d735

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\prod-vps.vpx

Filesize
343B

MD5
e35f8deddc765868c66b9cc697336f90

SHA1
53f0d82825d69e8950fe1a07e76e9263109f6f17

SHA256
de5297f0def76e48e644c6a91ad4a9a6c934c62c2a0b845ff7407e294f7a1f11

SHA512
b5287c8f030e856656984bcfa7f76ca2a9813df146cbed15444ac503671733e341c4d72c356c6117affef819841d5f2c77946ff5857c5e3e47f9863cb9fc3606

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\prod-vps.vpx

Filesize
341B

MD5
9b8fb34eab96b651e73b0c6f28fd9c18

SHA1
d91af7565931144a958753f89cba2d43d5c2e1de

SHA256
0c9b0be5a7c304541b504df63b6f571c7f521bf0e0f8301ba65c5066292de304

SHA512
8bdc6da401fcd18f7b04414766ed9ca10fffda230624865eedecf960511b28c44bbbe6156b79ba8345d3ddef82fb034ec69264939f1c6e4281feaea8eb84c75a

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\servers.def

Filesize
29KB

MD5
a2c488fb7d3c5db6f578fb1736d49741

SHA1
622d7554f8380fe469e59e31f165697e578031f2

SHA256
9e4ceb50486625cc529947ee4868e79f289ef06937ad343ad49ed8e086292ccc

SHA512
2e23f30e95e29e79c639c2b587ec7cc189a0ff2ac9d138f6552b87f4a5f3e872baec9b0716a38c95ea39aefd19643aa9da4b87b96a4d389b5205cff702cc34b5

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\servers.def.vpx

Filesize
2KB

MD5
471cee2ad3a83091a8d7a1e9d731c038

SHA1
d69ca6d220d0de5650cd0d2f85c721946e1b44c0

SHA256
b5316c662a915427271db3e5f274a08e7486fcbd14d288d61a75153c04e48648

SHA512
2921c6119bec13bf5de8f684503119258799fe24576d438524ebd2603e87818437c7211ff9bd356c9995deba03025ff02b656bed1dda91e55b1d06188a86e23a

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\setup.def

Filesize
38KB

MD5
1f9dc3dfac80bf6ead321b9550ba95f4

SHA1
efa8b31fbae0a67025b591c628b6addfb5fb5e35

SHA256
501a62926af0f1fe8f724357291340d8fd013922a1ec5c5c7022ae78c2fa7119

SHA512
14afef1188fa95145a6ac35a73a81b6bbae8df215daa84fcf65f9f8248f2c11b8818ee7aa888db67547ef1bfbc2126113256fa389ee4644677d154d05b3cabba

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\uat64.dll

Filesize
29KB

MD5
1eac709f7fe0e42741e40dd6570fc1cc

SHA1
5b153e03f643741c2fce6e00fa02ea2104f69c43

SHA256
bbe8a947d5d034816f135a205972a9c16235405042c749ff9ea691a62c8f888c

SHA512
0ac678e2ec443f24d3808501fc5042a1ec6a305ac0d08b47f58b38e31d664036e79866baca876d64f7b42d9d3f7e74a344eac5ae93cd2e826ce60f2f69e5061d

Download Submit
C:\Windows\Temp\asw.b4e47d496e9978a3\uat64.vpx

Filesize
16KB

MD5
a6854bde365fff8396637a000127bf15

SHA1
13f40de9b8afeba832b15e5dc08dfd4b9166451e

SHA256
0b510e0aa383267eadfc96867fb9f2254ffa07ab177b0648ffd08947c867220d

SHA512
d084ea77b328d38e4044625a734f56db70b07753a158eef0844c4c48dbb02163bcd1eb5cbc4f844a9c021aed63d763c6c4e0b78c64484cd60644d9d2ff4cfd64

Download Submit
C:\Windows\Temp\asw.c6d9036d65598752\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
b33b79f946ce60fe1c12ff71dd15093c

SHA1
74bc14477b10545d7dfa3e5f29d56193051bc045

SHA256
25cf377a539dc81025e8370ed3b6d4a89c083d0ec2b806f89b8abf55e1d7bd4b

SHA512
fdf5679cb8a7a3f737f32dc1d7464aa4ab795abff2c628f6dffd9118eb13497269e9150c708e31a535b230fe2faff031d8944cb51de7884574a75e446f12fef4

Download Submit
C:\Windows\Temp\asw.c6d9036d65598752\ecoo.edat

Filesize
21B

MD5
1ea978aaf85c67ca89b29149631d5f67

SHA1
05e90d2a5c90f6fa75592155b56d8992878ade9c

SHA256
28965a972fd323e95ab943543d5bf17ed14b9af03c5d0e842b282a01092faf0d

SHA512
04aba5f98d9ce773f881a1125bcd8da651f4375895af404b48df81ac856d49f829b15f80a33eac16d3ab50e286d06f33f46f58ca19650cfbf489c70692a6e0c6

Download Submit