discordrat | f11a8e261149a800afb26b58b4c6444044d114341e4aee89162e660301e25931

Analysis

max time kernel
111s
max time network
123s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avast Premium Security 2024.zip
Size

6.9MB
MD5

a9e34919dba3ee85f0ca706ca0855688
SHA1

f0421be6133dedfaa6a8c39f8088d68059c3bae9
SHA256

f11a8e261149a800afb26b58b4c6444044d114341e4aee89162e660301e25931
SHA512

7ee11f73f5ef69032cfaf33d5bddf58403fc8036c9a32b920da69d0389b42ab6299d0f046933edb682319105400d8514dd41fab47c39a32e3965b7fc5ace2099
SSDEEP

196608:MoBzIz68ro1mRGUyCSbxJPjId9gnZGLg7UmseIaPnW:580UM6ynPkduAE4mseI4W

Score

10^/10

discordrat bootkit discovery persistence pyinstaller rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MjAzODMzMzg2MTU5MzE1OA.G5sZNP.gCLJmcjtZebekrSqtPvZ5vRbVRiD5QcS6QhRx0
server_id
1292036314178256939

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
4760	Avast Premium Security.exe
5028	Avast Premium Security.exe
956	inject.exe
1104	target.exe
4664	avast_premium_security_setup_online_x64.exe
220	instup.exe
5744	instup.exe
240	aswOfferTool.exe

Loads dropped DLL 8 IoCs

pid	Process
5028	Avast Premium Security.exe
5028	Avast Premium Security.exe
1104	target.exe
220	instup.exe
220	instup.exe
220	instup.exe
220	instup.exe
5744	instup.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_premium_security_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	target.exe
File opened for modification	\??\PhysicalDrive0	avast_premium_security_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001ac22-7.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000700000001ac3f-89.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	target.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_premium_security_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_premium_security_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_premium_security_setup_online_x64.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a4b.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-a4b.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a4b.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_premium_security_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-a4b.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4664	avast_premium_security_setup_online_x64.exe
4664	avast_premium_security_setup_online_x64.exe
4664	avast_premium_security_setup_online_x64.exe
4664	avast_premium_security_setup_online_x64.exe
5744	instup.exe
5744	instup.exe
5744	instup.exe
5744	instup.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	4624	7zG.exe
Token: 35	4624	7zG.exe
Token: SeSecurityPrivilege	4624	7zG.exe
Token: SeSecurityPrivilege	4624	7zG.exe
Token: SeRestorePrivilege	4464	7zG.exe
Token: 35	4464	7zG.exe
Token: SeSecurityPrivilege	4464	7zG.exe
Token: SeSecurityPrivilege	4464	7zG.exe
Token: SeDebugPrivilege	956	inject.exe
Token: 32	4664	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	4664	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	220	instup.exe
Token: 32	220	instup.exe
Token: SeDebugPrivilege	5744	instup.exe
Token: 32	5744	instup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4624	7zG.exe
4464	7zG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
220	instup.exe
5744	instup.exe
5744	instup.exe
5744	instup.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 5028	4760	Avast Premium Security.exe	82
PID 4760 wrote to memory of 5028	4760	Avast Premium Security.exe	82
PID 5028 wrote to memory of 956	5028	Avast Premium Security.exe	83
PID 5028 wrote to memory of 956	5028	Avast Premium Security.exe	83
PID 5028 wrote to memory of 1104	5028	Avast Premium Security.exe	84
PID 5028 wrote to memory of 1104	5028	Avast Premium Security.exe	84
PID 5028 wrote to memory of 1104	5028	Avast Premium Security.exe	84
PID 1104 wrote to memory of 4664	1104	target.exe	85
PID 1104 wrote to memory of 4664	1104	target.exe	85
PID 4664 wrote to memory of 220	4664	avast_premium_security_setup_online_x64.exe	86
PID 4664 wrote to memory of 220	4664	avast_premium_security_setup_online_x64.exe	86
PID 220 wrote to memory of 5744	220	instup.exe	87
PID 220 wrote to memory of 5744	220	instup.exe	87
PID 5744 wrote to memory of 240	5744	instup.exe	88
PID 5744 wrote to memory of 240	5744	instup.exe	88
PID 5744 wrote to memory of 240	5744	instup.exe	88

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Avast Premium Security 2024.zip"
1⤵
PID:4540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Avast Premium Security 2024\" -spe -an -ai#7zMap22266:112:7zEvent32472
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4624

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\" -spe -an -ai#7zMap15675:158:7zEvent11858
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4464

C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\Avast Premium Security.exe
"C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\Avast Premium Security.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\Avast Premium Security.exe
  "C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\Avast Premium Security.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\inject.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\inject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\target.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\target.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\Temp\asw.0db7f1f7ddc526de\avast_premium_security_setup_online_x64.exe
      "C:\Windows\Temp\asw.0db7f1f7ddc526de\avast_premium_security_setup_online_x64.exe" /cookie:mmm_prw_998_999_000_m:dlid_PRW-ONLINE-PP /ga_clientid:6b4befdc-3292-4ce9-95d8-32347f4af19b /edat_dir:C:\Windows\Temp\asw.0db7f1f7ddc526de /geo:GB
      4⤵
      Executes dropped EXE
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\Temp\asw.0e0a77df0aee94c6\instup.exe
        
        "C:\Windows\Temp\asw.0e0a77df0aee94c6\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.0e0a77df0aee94c6 /edition:12 /prod:ais /stub_context:00ec4235-5ce7-472a-be0e-a66e13ee151c:11058160 /guid:bd2e95b9-9491-4162-8457-32e09f6af16f /ga_clientid:6b4befdc-3292-4ce9-95d8-32347f4af19b /no_delayed_installation /cookie:mmm_prw_998_999_000_m:dlid_PRW-ONLINE-PP /ga_clientid:6b4befdc-3292-4ce9-95d8-32347f4af19b /edat_dir:C:\Windows\Temp\asw.0db7f1f7ddc526de /geo:GB
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Windows\Temp\asw.0e0a77df0aee94c6\New_180917f2\instup.exe
        
        "C:\Windows\Temp\asw.0e0a77df0aee94c6\New_180917f2\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.0e0a77df0aee94c6 /edition:12 /prod:ais /stub_context:00ec4235-5ce7-472a-be0e-a66e13ee151c:11058160 /guid:bd2e95b9-9491-4162-8457-32e09f6af16f /ga_clientid:6b4befdc-3292-4ce9-95d8-32347f4af19b /no_delayed_installation /cookie:mmm_prw_998_999_000_m:dlid_PRW-ONLINE-PP /edat_dir:C:\Windows\Temp\asw.0db7f1f7ddc526de /geo:GB /online_installer
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5744
        
        C:\Windows\Temp\asw.0e0a77df0aee94c6\New_180917f2\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.0e0a77df0aee94c6\New_180917f2\aswOfferTool.exe" -checkGToolbar -elevated
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
27KB

MD5
50e09e3d5081b6899deeef4cf9d22281

SHA1
a19b193bb9e9d3a08bd2abd7802247c0a88f5281

SHA256
3e833ce4f56d78506751d03e88a5a0345b1730843d456819698bb4e5c7a858de

SHA512
e0ea39f65bfc38639bb19f520ef41176834d085481cf09ac6dee6e23b445c3918ba64c6c99f07ddb89edc8e0ca42084584880231c5c9a084d64eb14aea9bd7a6

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
53KB

MD5
62ede85afb80de62b358d9905a44e958

SHA1
428ae199bfe5b89686c9e1cf9b3c241d630dee47

SHA256
3a46a607b076663a135b6c2f48b66dda8ad6669e21b6741e452126411036766a

SHA512
65484875fecbcdc0053c61fc0f20d7e833fac61fe4099efdeb6e297bb335d18c6f491e79f0ad2583028668a21276e5ef63b55b34110004f5696205c359223dbd

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
8143bfc61166b39aee70181429650d01

SHA1
a5553e389ae6d9f0c65ada979307b1c2013c7ccd

SHA256
98253a98c1c56d8d8e983c2279cc3a5c0cdb7626bc53f237e034887640c3c6e6

SHA512
71216b25b5cff5c642ca420d05abf5036ee657ab3e84dc74749b7ffb5004740674d70591aa7ecb7cd1a9c26c30e204d9ec827ec1dab7fe52c09f854f4d71057b

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
820c8046ab1ccb4e115623403c797c8a

SHA1
14d3d2c251c3ac2b2a925e9954d6c967764f885b

SHA256
850832ff1175568bf2b590c361c677af17087bc09262bb8f77c7ee51a86c6f37

SHA512
3a2742ad2455e9c25544fd5ce7439191c02d1170bf9f28c776e89b2ee7f69346022d0ed4e69371277bf36c93f23cfc5b16acae89465c4b164cbe339bee0123dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\_bz2.pyd

Filesize
82KB

MD5
fe499b0a9f7f361fa705e7c81e1011fa

SHA1
cc1c98754c6dab53f5831b05b4df6635ad3f856d

SHA256
160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df

SHA512
60520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\_decimal.pyd

Filesize
250KB

MD5
82321fb8245333842e1c31f874329170

SHA1
81abb1d3d5c55db53e8aca9bdf74f2dec0aba1a3

SHA256
b7f9603f98ef232a2c5bce7001d842c01d76ed35171afbd898e6d17facf38b56

SHA512
0cf932ee0d1242ea9377d054adcd71fdd7ec335abbac865e82987e3979e24cead6939cca19da63a08e08ac64face16950edce7918e02bfc7710f09645fd2fa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\_hashlib.pyd

Filesize
64KB

MD5
0abfee1db6c16e8ddaff12cd3e86475b

SHA1
b2dda9635ede4f2841912cc50cb3ae67eea89fe7

SHA256
b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137

SHA512
0a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\_lzma.pyd

Filesize
154KB

MD5
e3e7e99b3c2ea56065740b69f1a0bc12

SHA1
79fa083d6e75a18e8b1e81f612acb92d35bb2aea

SHA256
b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c

SHA512
35cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\_socket.pyd

Filesize
81KB

MD5
632336eeead53cfad22eb57f795d5657

SHA1
62f5f73d21b86cd3b73b68e5faec032618196745

SHA256
ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b

SHA512
77965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\inject.exe

Filesize
79KB

MD5
34ad968130ae158a13c6d889354d2d31

SHA1
e48221997e63222e2306c8b77d4a5961d729a57d

SHA256
d4db695d3970ff7dbd868beb0d24cb3b3f076f2e03bf447bbd71ef467fb473b5

SHA512
040d7d149b5e5fd4fffb81bee9f599ea9de80adc8b9e98b61d8f1080a033f2747c2d43608881eb7c1d9e94a3cfb236fd7ee57a85192c6106a713791752a7eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\cached_files\target.exe

Filesize
243KB

MD5
ebc22f976185361566ddef991eed6fc5

SHA1
4ad74a5df1e79cfe78b533798654f81e26d06de9

SHA256
c43faf4488f21843e7cd5285a3fb91caf896aa56251b4d55090138b7c98db3a4

SHA512
2b159e78472e8be1033f26c8ae2007d0048b365ae18e29d32f241292c4bcfaea817795079bb45e0713c9974d5ee52b1f8281920639a633aba54229a060fddc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\select.pyd

Filesize
30KB

MD5
7e871444ca23860a25b888ee263e2eaf

SHA1
aa43c9d3abdb1aabda8379f301f8116d0674b590

SHA256
dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0

SHA512
2e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47602\unicodedata.pyd

Filesize
1.1MB

MD5
098cc6ad04199442c3e2a60e1243c2dc

SHA1
4c92c464a8e1e56e1c4d77cd30a0da474a026aaf

SHA256
64a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29

SHA512
73c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170

Download Submit
C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security.zip

Filesize
6.9MB

MD5
3fb15f8540e7a714d18a28830ad32861

SHA1
f2bb4a14ee1a0cc9fdecc52e635522efe44f0ec4

SHA256
c2de7bb7a958193c79166c33e8f5fefe4313106611b0a73ce4b459b7d1a2d479

SHA512
15e073f6e97215a9e527dd237f568b5041d8e4e2c918dadc1f22847b0e8647729bcb0ba7d14410886468d8829a83c77aba75d4a042abf49e9f2ab0201061f353

Download Submit
C:\Users\Admin\Desktop\Avast Premium Security 2024\Avast Premium Security\Avast Premium Security.exe

Filesize
7.0MB

MD5
7418d1cb402140d581214f792a9eed72

SHA1
d084251fb315d9d6e0ee0423203ce6db1012bede

SHA256
c2fc0017fb00ef19f72ef77e64ee4fa4ffff5e5a1a2740038696110edd71c607

SHA512
75bce7bd11308ec4c17fdf408f21b78ceb683e7ec81a9b94f482745e10708315dc4fd84d60085280eddc46a2b65d77ce69663a4d8ba0f7fec083344732bc1b68

Download Submit
C:\Windows\Temp\asw.0db7f1f7ddc526de\ecoo.edat

Filesize
40B

MD5
056aa0af28bf0bd60866e225b496f448

SHA1
2a992f4ffb35d6c6cf9bf2eb0d5eecaef4442e71

SHA256
2fdf8824b594348fb2165d293dfcea46dac158181189c6ba5e94dfb7eeafe3fd

SHA512
e3925983016d9ac9d936c6d6abb488e0646524d969359012db08f211ba7f19add6333412b7272bfb2d9276bfd0efe1a6a232615729fe04d824b8199b78bb3a56

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\HTMLayout.dll

Filesize
4.0MB

MD5
6029de198c35ac3349f3b1d10be55b37

SHA1
9b2aee7cb845fb9c31ae88b0724590ccaf4b6794

SHA256
8756cf92b0d5276c1eb13c04ee4325ed690df2678fb080c86d89cccdf16b9c62

SHA512
08dcf4c7c9f2bcc14e7ea7f3f096aae02d8b482005e82303cc021d7cb88febafbac642c39df7cecc349d7f7375ed82f3b684a6c7e2df55e3988c96dc29f7161b

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\Instup.dll

Filesize
21.7MB

MD5
12b3bb267be8c50e583262c5717874d6

SHA1
3f71955e2712ef520fbcc89f3c3109f2c5f6d41b

SHA256
6c5174dfd85744efdbc4c48976fa2ba7bbedb1ef3bb7dbc323dfb885b5d16f7c

SHA512
f0c79f63884a58328908aba2c69ccf425574239761bc5da83fa8deb849fc70faed4a03acb934307bfc329228ea5c66ce8284a9b614c1777b1edd98d0316032b5

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\Instup.exe

Filesize
3.7MB

MD5
9a5225fb05755190e45364c893e096c5

SHA1
b5bbf1de844e827cc62bb2c6f52a9569d1d67340

SHA256
38d53f31a8038410bb19e58dcdb9e92ebc266a2e24da555223a019f1d3cb6e50

SHA512
0ca67e35586bec8165f11f97b4d49c2bd7e99b698366d6d992f0c8463078989cea4140b11e8f12e13c5a1c4a830166645b02f5f62f09e46e6beac7542ad7be93

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\avbugreport_x64_ais-a4b.vpx

Filesize
5.6MB

MD5
6e323fc141953bfa27f108ef2596aedd

SHA1
00616792c58b5cb0f8e1ec82329b02ed0432dc58

SHA256
3ef34326db952a44e79ec169adbe99a22fa6d61e772cfae9e9163e97e42244d1

SHA512
c25fbef69bc1b369345303b71359d5507fa32ee4615d7a9476f1b501583b1694d88f75eb1db52a692a26295e266fc7d89fe454b1dd9e7b1fd6cfe847705f6931

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\avdump_x64_ais-a4b.vpx

Filesize
3.3MB

MD5
0c3a91eba631a13172a40f5f0e6bb5d5

SHA1
1a54675fad909d8850f8e7fc95424c10556ac406

SHA256
3fff391e4de446674aac8bc53b764c3e1beecd5a438b02ca423eb0f03472e6f3

SHA512
3c4c9af42a47501bfdb8f80b920815ea19e6af25a0f7bc50b3730f838af47c583b5d61f95f11cb20bba4ee667157a6c650af0dccc249830e1cc88f8c0ba9465c

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\avdump_x86_ais-a4b.vpx

Filesize
3.1MB

MD5
ecc8808eafc98b797d569990b8462e7b

SHA1
c25c2d77b97e4252d426c454b7b8f2ea7aa8430a

SHA256
6cd8c114f1b9527774e33bc6d25464a738caed7f6f63e2194152de4215bc75a8

SHA512
70bc600a8f29225a267815aec02e9959e97bf14bc30b3e55f3edb4535142fb331ad3bc4d1a75386f9016ab2fe5a81a5e4b02c39cd99fca5d01ce1465a6272f1c

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\config.def

Filesize
31KB

MD5
fd06e6276cbcd200b92152656712c967

SHA1
6a3c3deae93d140c562c8345a650c230f3f3ef31

SHA256
d6c45d321a51585807b8c9d2e3440bb8d56de5b3adaba388588770a2209563fd

SHA512
02498203349792d3b12a226e3c4665a1e35f269a8d5d5ff670b181a6358a5d8ba1d1cb7133bf276b348eb6cd173e9ca14560bbb8fc001a26334d9ba0229d46fb

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\config.def

Filesize
38KB

MD5
f4986d0c90736ab0818eee480cd729cb

SHA1
555d646d2dd1d739761d953506566cd5d5c1db69

SHA256
19b022555b91bc11e28719b01de0f82f3ebc72848e2fc6e51084254372d27284

SHA512
e4c8335cece899f95a660e26fe319f3ef3e5a03d84cee5fa107a15c5524bbbc428e617906667e6d7129f8bea9c4d98fa0d79fbd7803aa688c057a25bdf05c7c4

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\config.def

Filesize
29KB

MD5
595387ef06071bdf27fe1d5abe4db946

SHA1
508be5937844011d7544d11ed7925c6994ae0dfb

SHA256
ade65311a4c9083933abb0362df4a43b6c9933d4a1f73a38077cf51b6c132f0b

SHA512
91105db6bcca8d4c0ddb10bcb4cb0c86875675ebad710e604667dfcee7c80fe656bd7da0be34d0f4d809d1260777d53c329fcb667261f1037702d61e1e86905d

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\config.ini

Filesize
917B

MD5
3b34358b4ea477018aa4f6ef58494523

SHA1
37f69ca955dbb34260bf208c5250a69b9b7d52db

SHA256
7d1288b8531d987953ec430631aacd272b26c5d2e975b799972d56e9a776a8a1

SHA512
8a10c60079975de7b52bc0f884890fa3365e5a08461f2de6998c9f119a39878d4e0fd6bf708c5dd5f7ed1d296e3c3dcbefa3bbfdd975fe324618cea5464cf5e5

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\offertool_x64_ais-a4b.vpx

Filesize
2.4MB

MD5
1ea0e91dd5ea3a0f3907fda9bd3d6bdf

SHA1
4a84854a5d183fd7ef0948178a15d3fa74404182

SHA256
f4a63b16c8e96062445fd85fbe9b11035f7dddcdf2d120ff6d90c7c4dca3a636

SHA512
70d675d794fab961ed2c3c1f4dbea4e7c121d2b31bc7a1946fa3ea6e8667bd3b8e65dcbcaac1e0e3519d228ef8020c0896d1957c80e82f36cbb8ad72f380dc55

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\part-jrog2-15f8.vpx

Filesize
679B

MD5
230c22415ce7dab8c5d811ffa683379a

SHA1
e0e1e1a2cb0b24f7df7f47c3d59b196eadac8060

SHA256
54338ecbe8028dd6cc5cc658c20be00469a4abb4a87b5bb57092272ce621f1e2

SHA512
ece773e99b83e5888089f04e095bea941dea4d2c35542f048a1cc3c77b345d3ee9c61aaacdfe2fb060dfec62aa204fe7401d596d966f2d7d17af1876c64a3dcf

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\part-prg_ais-180917f2.vpx

Filesize
74KB

MD5
8cd8c2d152180790e53446872011e51e

SHA1
e53f99b3fc251a0f0ef420081d034a04d769e780

SHA256
17b58fb53fd9a5c92dd224cab1dbe1ba48498e015eda3f4140a5ba322d27e5fb

SHA512
906033a237ede302853b0675764e49bf5c369dafc80aa40a6ed72841c7cd5876c4b88f30e55138a060b7cdfb7b095eea13e8c2cc8153fe8d08ae7747a4feb1c0

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\part-setup_ais-180917f2.vpx

Filesize
4KB

MD5
eb3e2e907360fcd70e257ee6e3c20646

SHA1
24494ff225acf71b5ed8c35b63809335d9178575

SHA256
fe2cd11a3fe690bc6c4b24bedc5422dae65b5e1b954f3679e6fab2050177d233

SHA512
c44f24f5b6c586f7a147ba5421c3b8f095af56343e7bfd9e7613190179dbf295c1a968732077cc2bc1184eddad21f31dc5389f110b498caacb491422df5e3197

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\part-vps_windows-24100500.vpx

Filesize
11KB

MD5
303b7c67b282516b832e9876b6bc10dd

SHA1
37e219fb068ce33918f35c0aabc2a35abbd71a41

SHA256
0b91d16d50c8c36a76b2d842771aba8a33c33bc45e2c726481df36494267cc27

SHA512
363167ba7e677fd5857fcff9a983fc5f88f3539fc7003a1b065b9654b25f7279f9a65e336658fb1129005b03bb9d24768959993c286d20656f972de6d0814815

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\prod-pgm.vpx

Filesize
571B

MD5
d173feacf62936a3e363bf15acd90f43

SHA1
7041e8d784a8899e20fbbc5890c9503f41eacbe1

SHA256
f65db8a2e171d5192d272816917badb49f75476a26af39a575700016e73e09da

SHA512
b868d8aad0028567dfbcb588bb10aa7e9cdb4b07830015dd8453e5df93fc38d8c784fd2cdd9a61c97a59e7fd6441ba44a6b02a0ba0e1930bde5ed7705854445e

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\prod-vps.vpx

Filesize
344B

MD5
649744f2a68b7c9c5d2ed4c3d66a2d66

SHA1
0e28240b41e1c5860ec2099835da21da904c41f2

SHA256
ff1b4ad4bf7cc7a1f52d7b44e0abb136096912a6b57c98160d5874e8e13ff1cd

SHA512
b6e7d269fc24768d096f137ddd6b705ec6beb77cacfc816ef7f19644e1625ea7ad2158aecaf319bcbae92b282d28a6933e9e7eab3def99c8681a1feec800cc7d

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\prod-vps.vpx

Filesize
343B

MD5
082c1e447aaacbe89f41356a48a328e5

SHA1
8711549cefb839cf200a677c85cec98b27b38783

SHA256
9b5e9c1226a50a70f37ad441d57e4b8217b6f78ac3e954e93afdc350ad1934db

SHA512
45430216f7cd53476d8b5c761f80e1d15f6b402baccb1a765ec770ec1b95f65716e7f1c90b0f2f580e1d66f9ef2a16f16cdd2dc0845af59af939bf7df82c2102

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\sbr_x64_ais-a4b.vpx

Filesize
20KB

MD5
26806428c7b1ccf32bc567cc6c5d10bc

SHA1
080a1662689c2e16cbdc1087bd0753ca0b74a80b

SHA256
c4c308a2dfa121e6dacc0472b1d37d7796191fec4c8b2c104ba73f486da76886

SHA512
bad313ce96d9a61a059bd14e16bb69c57dad652b4046aaba789a6c3c8153d840ba96be6101fbf88123563dd77dde3ff1461602823b09e59bb198a9f412d9deea

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\servers.def

Filesize
29KB

MD5
106d6ba0fb4f9cdbab29513f81b326dd

SHA1
3fa33df7139a407ebdaae7b6e17180375999090d

SHA256
18fbda33b8483118828bffd0d908a63c37007ccf9c218df3029ae9763180046b

SHA512
948879d872be34541f015a11779533c6c8eb594f9a8271bc9cf6303827d824d50693fc69066a31d37eb12ad079350bafb32915a340fb15d86e4b1abde525c998

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\servers.def.vpx

Filesize
2KB

MD5
cd422269b5064d2933ec08433af005ba

SHA1
1a1f6a7b936effad893f5643f83a6f378c753e05

SHA256
966f9a17ce9c3fec563752e00642354e10ef0eb9aa6eeb1580a78c9f9254c1a4

SHA512
6619c42a5eddd5354b9194950ea3d72839ef72adc380f016f6528ca2129b0c0fae047e478ce01ba700e9b0633e93a5006aa25f310cbf7f9a4b7584d4b4bde945

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\setup.def

Filesize
38KB

MD5
c86e1733c3402c8ff7d4d92c73c340c1

SHA1
0858c90ae104272dd09746c610f23fdea62ed43b

SHA256
667fc20167988962a800dea02b9ccb5bb06ba2ef4e68b889c9de4fc68ab12e6f

SHA512
7a8e56ca35b3f7fe630b436f2036ca77509b49669328e96d8a981948b801c2e204a1edc3b56eb63c34c7a57b8c6fb6cd1f3d30a542b6b8b6d5a3742010cf2e76

Download Submit
C:\Windows\Temp\asw.0e0a77df0aee94c6\uat64.vpx

Filesize
16KB

MD5
40f79bbbffb4cbda1291dfd8591fffaf

SHA1
253879cdc65f1e249d178385ddb771a8d50491cc

SHA256
e18749a890f519f53b22cbc66f18d406e4b8995aae7eb404e2cff0f7232d44f8

SHA512
faaf0f7ccf7f723ff81cb3ab7cccafe8fe716fa06802f32f01d667612c2a6243fc51e3f30645ba9a379b8ed7ebc7651ba9a62d0034a674149734f6d60c15f579

Download Submit
\Windows\Temp\asw.0db7f1f7ddc526de\avast_premium_security_setup_online_x64.exe

Filesize
10.5MB

MD5
d8d0d8043c98f7d1928f7168bd4da6d2

SHA1
9a1064a74b4e4145a33feb2d8cab4168c6a9f3fb

SHA256
a5aaaca95a29e7e186db20725334eb6afc26ec336ea5db2c903573b7ce7dc57a

SHA512
253ed185e7d62750b466980ec3af78c742d4611e96493d7b6a24739e6c2ed752574ac5555545f4bd0ba39a709df3e327f3fc6c463ae35c7d5cbd51b532bdefc8

Download Submit
\Windows\Temp\asw.0e0a77df0aee94c6\uat64.dll

Filesize
29KB

MD5
ef7e58daad98102fea0517546aa982cc

SHA1
63c2d702311d8a51c0177185fd51d6cbf94673f4

SHA256
48beb380c480a1bff485f37b4ef631a1b6c0e1bf641c68905c657c21ab1e5504

SHA512
8a085b8796721cd470701fd5bb336e5a44d806db3071743c4cef7cd49b7977d88eacd0c036f41f96b7df27b6e0a51307c993f0c71cfaba880e98ab3bc85bf9e5

Download Submit
memory/956-45-0x00000209277C0000-0x0000020927CE6000-memory.dmp

Filesize
5.1MB

Download
memory/956-44-0x0000020926FC0000-0x0000020927182000-memory.dmp

Filesize
1.8MB

Download
memory/956-42-0x000002090CA20000-0x000002090CA38000-memory.dmp

Filesize
96KB

Download
memory/5744-2981-0x00007FFCBE430000-0x00007FFCBE829000-memory.dmp

Filesize
4.0MB

Download
memory/5744-2980-0x00007FFCB78C0000-0x00007FFCB8E87000-memory.dmp

Filesize
21.8MB

Download
memory/5744-3161-0x00007FFCBE430000-0x00007FFCBE829000-memory.dmp

Filesize
4.0MB

Download
memory/5744-3160-0x00007FFCB78C0000-0x00007FFCB8E87000-memory.dmp

Filesize
21.8MB

Download