2ad86deced95f45253aa3286c5b7ede70fc985e29e0986ccc2a33933e70ae15e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
Size

397KB
MD5

0096a649ed9e1efe82ae0cbaf866bdb0
SHA1

c042e604a826f625ca43a670dbacb10c04fea85c
SHA256

2ad86deced95f45253aa3286c5b7ede70fc985e29e0986ccc2a33933e70ae15e
SHA512

dd8613f1dc6365ecdbc64bd900038dad4789d1c706839d9021ab5bb7f3f35338620eab4c0e78b517a0a54b92122bdbb4d084a51856a9ed43ba53170632afb1a4
SSDEEP

6144:UsLqdufVUNDa89+qOLoaXjhenMGmmUEebVF+uoiAy6to8:PFUNDa89+pL/KMG5U/augyet

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
3056	icsys.icn.exe
2672	explorer.exe
2876	spoolsv.exe
2480	svchost.exe
2404	spoolsv.exe
832	avast_free_antivirus_setup_online_x64.exe
2304	instup.exe
2680	instup.exe

Loads dropped DLL 40 IoCs

pid	Process
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
3056	icsys.icn.exe
2672	explorer.exe
2876	spoolsv.exe
2480	svchost.exe
2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
1200	Process not Found
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
832	avast_free_antivirus_setup_online_x64.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2304	instup.exe
2680	instup.exe
2680	instup.exe
2680	instup.exe
2680	instup.exe
2680	instup.exe
2680	instup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 54 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe
2252	schtasks.exe
2740	schtasks.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "96"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "85"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "56"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2672	explorer.exe
2480	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 32	832	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	2304	instup.exe
Token: 32	2304	instup.exe
Token: SeDebugPrivilege	2680	instup.exe
Token: 32	2680	instup.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
3056	icsys.icn.exe
3056	icsys.icn.exe
2672	explorer.exe
2672	explorer.exe
2876	spoolsv.exe
2876	spoolsv.exe
2480	svchost.exe
2480	svchost.exe
2404	spoolsv.exe
2404	spoolsv.exe
2304	instup.exe
2680	instup.exe
2680	instup.exe
2680	instup.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2288	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 3056	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 3056	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 3056	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 3056	2080	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	29
PID 3056 wrote to memory of 2672	3056	icsys.icn.exe	30
PID 3056 wrote to memory of 2672	3056	icsys.icn.exe	30
PID 3056 wrote to memory of 2672	3056	icsys.icn.exe	30
PID 3056 wrote to memory of 2672	3056	icsys.icn.exe	30
PID 2672 wrote to memory of 2876	2672	explorer.exe	31
PID 2672 wrote to memory of 2876	2672	explorer.exe	31
PID 2672 wrote to memory of 2876	2672	explorer.exe	31
PID 2672 wrote to memory of 2876	2672	explorer.exe	31
PID 2876 wrote to memory of 2480	2876	spoolsv.exe	32
PID 2876 wrote to memory of 2480	2876	spoolsv.exe	32
PID 2876 wrote to memory of 2480	2876	spoolsv.exe	32
PID 2876 wrote to memory of 2480	2876	spoolsv.exe	32
PID 2480 wrote to memory of 2404	2480	svchost.exe	33
PID 2480 wrote to memory of 2404	2480	svchost.exe	33
PID 2480 wrote to memory of 2404	2480	svchost.exe	33
PID 2480 wrote to memory of 2404	2480	svchost.exe	33
PID 2672 wrote to memory of 2512	2672	explorer.exe	34
PID 2672 wrote to memory of 2512	2672	explorer.exe	34
PID 2672 wrote to memory of 2512	2672	explorer.exe	34
PID 2672 wrote to memory of 2512	2672	explorer.exe	34
PID 2480 wrote to memory of 2956	2480	svchost.exe	35
PID 2480 wrote to memory of 2956	2480	svchost.exe	35
PID 2480 wrote to memory of 2956	2480	svchost.exe	35
PID 2480 wrote to memory of 2956	2480	svchost.exe	35
PID 2288 wrote to memory of 832	2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	38
PID 2288 wrote to memory of 832	2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	38
PID 2288 wrote to memory of 832	2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	38
PID 2288 wrote to memory of 832	2288	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	38
PID 832 wrote to memory of 2304	832	avast_free_antivirus_setup_online_x64.exe	39
PID 832 wrote to memory of 2304	832	avast_free_antivirus_setup_online_x64.exe	39
PID 832 wrote to memory of 2304	832	avast_free_antivirus_setup_online_x64.exe	39
PID 2304 wrote to memory of 2680	2304	instup.exe	40
PID 2304 wrote to memory of 2680	2304	instup.exe	40
PID 2304 wrote to memory of 2680	2304	instup.exe	40
PID 2480 wrote to memory of 2252	2480	svchost.exe	43
PID 2480 wrote to memory of 2252	2480	svchost.exe	43
PID 2480 wrote to memory of 2252	2480	svchost.exe	43
PID 2480 wrote to memory of 2252	2480	svchost.exe	43
PID 2480 wrote to memory of 2740	2480	svchost.exe	45
PID 2480 wrote to memory of 2740	2480	svchost.exe	45
PID 2480 wrote to memory of 2740	2480	svchost.exe	45
PID 2480 wrote to memory of 2740	2480	svchost.exe	45

C:\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- \??\c:\users\admin\appdata\local\temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Temp\asw.27e6346d0c30c84d\avast_free_antivirus_setup_online_x64.exe
    "C:\Windows\Temp\asw.27e6346d0c30c84d\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6l_m /ga_clientid:1a4b4bf4-f90d-4dce-b055-a207739ba5b0 /edat_dir:C:\Windows\Temp\asw.27e6346d0c30c84d
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\Temp\asw.ed143a3c2760f518\instup.exe
      "C:\Windows\Temp\asw.ed143a3c2760f518\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ed143a3c2760f518 /edition:1 /prod:ais /stub_context:82737e0a-2d69-4acd-9a66-62311c6a19c5:9946736 /guid:414b545f-5a38-48ae-9332-a074aa9c16b6 /ga_clientid:1a4b4bf4-f90d-4dce-b055-a207739ba5b0 /cookie:mmm_ava_012_999_a6l_m /ga_clientid:1a4b4bf4-f90d-4dce-b055-a207739ba5b0 /edat_dir:C:\Windows\Temp\asw.27e6346d0c30c84d
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\instup.exe
        
        "C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.ed143a3c2760f518 /edition:1 /prod:ais /stub_context:82737e0a-2d69-4acd-9a66-62311c6a19c5:9946736 /guid:414b545f-5a38-48ae-9332-a074aa9c16b6 /ga_clientid:1a4b4bf4-f90d-4dce-b055-a207739ba5b0 /cookie:mmm_ava_012_999_a6l_m /edat_dir:C:\Windows\Temp\asw.27e6346d0c30c84d /online_installer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2680
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2876
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:03 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2956
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:04 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2252
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:05 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2740
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
68e5234ff0064bd078d97e22e9f044dc

SHA1
8092972814e23258e6c0e70924cbc60e50bb256d

SHA256
f402890d0226394be40688dc9e549d2f394a9cc909a2060dd797643cd36cce4f

SHA512
90e8feafde0d966bd0eda499ef0e0a8c288fdf87651f26bff2145d828692cf45eac3fa16b88fd3b5d92ca23b569ed68026efb357776ce0c7d5fb356e6992c990

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
27KB

MD5
7b7602c265f13c30c848eb17dea0ab24

SHA1
acd6b0ae3ffb1ccc76230bea774ce97efa599138

SHA256
2cab674824a5cbd87ff591e92a88c3ab75eb792971535af2065d86af34797d03

SHA512
a1a256317b6694b01821954455c863f2756468f437cdb9e2add85d328508e366df4f32db1937f20aaa3cdb0c65fb00355c94dfcab0a6f95e18c2c0a7713c1d61

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a4238d8a873468cee4cea80f53f801b5

SHA1
d22d5bb816fb894d1444beece678e996b190f560

SHA256
a73e67a2edd91e8e15d5f9b19289f80a65194f3f9788e6a84c6c18cfd71eed53

SHA512
943a0cfc9ffd411d2a66bbec448d8b7d2591c78e730920c3e48c4524fda29368caa279015c231219492dc5a06f87883ac88c571d1c50402d3385c610fd085f94

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
38bbaa63bef0b68c2750e108b08989b7

SHA1
6dfe8a97c413db1ce5234b5633cdf83a8b07a423

SHA256
da41543a2d7a2301f42dc061021d6bc5e304981026148983e955ff966456dea0

SHA512
65659338e116532c11990495c2e0677e8181c0310bfd2c5589c21191882e43f3c26b406714b785f74cb530f023044ff93197b170c9412ce58c4da0edcae96e62

Download Submit
C:\Windows\Temp\asw.27e6346d0c30c84d\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
7b37b5ca203b183e28476b049e31767e

SHA1
bc41127c693101c81268a0af7badab332b86be11

SHA256
f8da8197da1d8377ed67e37b2603fd32f82974c1eb28b817829bbee1ac775ad4

SHA512
a0d52ffbf224271ee3b38ae8463a966e8397d5f8f4cfa97ef90c14794ce6b37cfe18226dc2d03e8f48968b217af08c8ec257fc1a39e2033335cf941faf9be0aa

Download Submit
C:\Windows\Temp\asw.27e6346d0c30c84d\ecoo.edat

Filesize
21B

MD5
0438aa47b76c29b6a0d5c202b9252963

SHA1
535f8ad1b38f12f8e62e58edadb00c3fb76a99db

SHA256
d4e883c822befa8a109f67f948c7f16766a9f9e2f5b35899ba9192efef7f335c

SHA512
d547c280398c20133813bfc3f7839512464b346c116a3c434ed0bc528ead8229dee0e4fa2dd1f830344afe702ce9e019e59f48a6d4770aef5c8b7932378d3e60

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\HTMLayout.dll

Filesize
4.0MB

MD5
5ac44187fb8ed4771a028a4f206708e5

SHA1
c9aaf33b0a1b0bef82e17197973ed3839472e0ca

SHA256
6100f12a2fd4267326da4ea65ff29935f8d1f8be3cdde9e2a895560e40192df8

SHA512
6537d0145037f4addbb480d6b8b44e8213b81093d3e751646103897c8b581559db5704b31948861893b73a9df1053bf12fd9522af7a888790162899e5b7e3eb4

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\Instup.dll

Filesize
18.2MB

MD5
615c4826108fad74f098d8afdd2a10b6

SHA1
7ea9f49b3da4961a91ca7027b5361888c6edfdc4

SHA256
46296f4c587013ef7ea0a7a263becb8b50fa824fbba938ab106cd48ab329de7a

SHA512
9bf90d6dbdee30629605a8c9f32b0201e37e86c44a5a6b48c4f422bfac7224d47a5e303625fd110f212972f231240564ebcd9fb81ab51c6a4d9cc214bd8e25cb

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\asw0dfed0f8472edd66.tmp

Filesize
3.1MB

MD5
b216fc28400c184a5108c0228fba86bc

SHA1
5d82203153963ebede19585b0054de8221c60509

SHA256
7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd

SHA512
6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\asw2a8e9b905f736fb2.tmp

Filesize
3.8MB

MD5
d9be57d4e1a25264b8317278f8b93396

SHA1
d3c98696582fed570f38ae45bf22b8197253b325

SHA256
a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3

SHA512
2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\asw528c0ab7d8cd8b88.tmp

Filesize
4.5MB

MD5
ef035189604e7f5d68a62827b985ccbb

SHA1
c094c6eef2640a71aee9f4b27123c2080d38136f

SHA256
64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740

SHA512
32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\asw8bf382f91a2fccce.tmp

Filesize
907KB

MD5
700b6740e6bfa7729f146572d8455348

SHA1
19d80fb0251f417283ed36fc20c43079b3f6fbb8

SHA256
d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e

SHA512
7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\aswb21f2634a870ac96.tmp

Filesize
831KB

MD5
c5665f1f93d9aabbcb1dde533e2c46e6

SHA1
732389de20c600d0222d61b4ee74b0be6412a45b

SHA256
adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a

SHA512
51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\aswb6f8d129316b1377.tmp

Filesize
19.1MB

MD5
9ee6528abdad768fbfa28bd1bb80ebe9

SHA1
f5582697e068ba1d56825fc32bd5ab1a71bd4d38

SHA256
61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

SHA512
de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\New_15020997\aswefd14201100f8189.tmp

Filesize
15KB

MD5
13e9fbb02cb7497562b59a9ef8f1ee92

SHA1
047936e9296e77939b5b23c1a2af3056eaa2ae99

SHA256
40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a

SHA512
0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\asw3ea211b433d1f3e0.ini

Filesize
763B

MD5
857e24724694e495b1461ac600da0209

SHA1
0fa742f2f1b494e5316122e352ef7b97d55f680d

SHA256
046419c6efce9c72b0bd620802fb7c4a03965c25377a36dcfdabd9b5261c6bbf

SHA512
6f7952859e67dd7601327807b5482c1e553177c448c1b6099d9d53ed9d9c0128910a8c82647c94b4e6063bb9d7550064884b2bfd659f172977686e17c6d6c9c4

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\asw9c4cafb6f80e37d5.ini

Filesize
1KB

MD5
4483642a4596eaa18cd2c34485d0365f

SHA1
a87d6b0bd3e570a2d6c1a124468a8eadc43005f0

SHA256
95f367bda54bb18e4d0dd1b35400db2c862db9827e1bcecd3ae79b2b5aaa1c84

SHA512
d648bf0f8d3bd27974c8c5f0c77635ec0eb8e1e04b21e36e9efb86dbf1002487076b83e199716c4f910106a02a2cb3dc48818ffc90f06ff8e70513009e0bd30a

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\asw9c4cafb6f80e37d5.ini

Filesize
1KB

MD5
cc40e25b123ff459ec984e941658f110

SHA1
a617380e31525665ac4e60fdbae8e507800bb26c

SHA256
132ff9b9138ba30c48707e8095985038d1546fe554ae6e56c28461bb974e03a3

SHA512
422ca65ac7f8cca87ad694ea498352868afc03f138a3ae3b59249cffe0fdf4d4a1e89e807d970c5b3c5744bd97fb20bcdb51da7c5fe2f6d5e0007c0f61cbfc81

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\config.def

Filesize
34KB

MD5
5630ac645fc317bd84cf274644fb83dc

SHA1
6cc37b179c7d04e449070f221bc88909d0523e95

SHA256
6748cc046920d3494b9b744599d2d363afde9c4ad99823883d95400714e2aeb8

SHA512
d1011254011641b7093a46971506d853becc7177c66c72ce19028a47dbfc71b39e59c9ba12d40fe136ae6a7df1b0d7ffafd17b977b69bf65ffb0b57cfe00a8b7

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\config.def

Filesize
28KB

MD5
5a7719d8f91210806e0de046a2897b56

SHA1
7bd04389df2595ac430a2441418f60ce7c2d7846

SHA256
730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea

SHA512
17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\config.def

Filesize
29KB

MD5
d193d95ed38414a787f608693655635d

SHA1
a331b09404b40bcdf0d7893083a2bdd5306fc931

SHA256
7bdb8fb2c92d8c79a7a4ca060218d8047924b0592e4c1c43854ae5a0c282c03a

SHA512
0a6cd9f090eae30646d0f359d55607ad99040700cfccd01d31d3a0add3ff7e857c9ba30d955844f73841d4185fbe259be80f825310b14ab21b96683162b627ed

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\config.ini

Filesize
860B

MD5
bb4a3437ebab633f599dfe7949cc237d

SHA1
50dc8efb21230949ad9d15dafad18c587322060d

SHA256
f30b3d6531b90997a11880844230d7a05d461d3f09cca1ad867d01a06661ec6a

SHA512
2cd27001733f18d44c4c60f5a081e7bac433058f14d8c4abf97506e91f81705b6dde92173c42569656c2db240d486479a7c96bd9ede6b25fb4d5c0bbc309ad8f

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\part-jrog2-78.vpx

Filesize
212B

MD5
2e39a76d634dfbf7b1f81205e2494945

SHA1
900929990a49b5e615d350cba65b25fd5cdfa433

SHA256
cfc16e927bf7ff3cef650ae991bec2aadc8ed09d762d247e4cc1aee937fc6cee

SHA512
8ecb5803caf583e071541f9063b37220d7e72551a8f60dde6f1c5771a569c78902213448b62d6a2ee7293b4ca5b3caa0d9b136caff0b62b9dda6d4aec2fbd903

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\part-prg_ais-15020997.vpx

Filesize
188KB

MD5
b898fa20bf9b0321b50a8d4946aae799

SHA1
4e173a99dc9a9ef507112857525ad53991f4d2a0

SHA256
6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c

SHA512
c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\part-setup_ais-15020997.vpx

Filesize
5KB

MD5
365b6ee6fbde00af486fc012251db2da

SHA1
8050ba5a9b6321f067fc694527011ba00767d4a2

SHA256
01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830

SHA512
949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\part-vps_windows-24052099.vpx

Filesize
7KB

MD5
bb27003f675eb14f48566dc06bf0d1e0

SHA1
5e8f89d24bb7e0a6a80bc3c7fbc2237e890bd25e

SHA256
6513f7be56bdcaf29fe31f798ef251492718ca2e1394d034a75399ff393d0be6

SHA512
7fee0a2083e33d059669bae85d8cac41e0f3c5f7d79763a59048505e17cc554f064ead0d906896411ac01c380200bcc4f0edc111d1166c77d906290fcc100fbd

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\prod-pgm.vpx

Filesize
572B

MD5
f767ec2c67fcb174088857a0e5a7dfe9

SHA1
1f82e0ebabc7a81b8440f2cc658bc36ef80aa058

SHA256
026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c

SHA512
ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\prod-vps.vpx

Filesize
344B

MD5
3d6229735be0de243d57ed765e21f391

SHA1
967b83c77716e2e500f10f44008b2c196064652e

SHA256
182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b

SHA512
8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\prod-vps.vpx

Filesize
341B

MD5
0bec8baf4c60f1c626f440e9ee896078

SHA1
6173a964b076c23a56571d5ab730984109797379

SHA256
313a8cf266df08fda34d243e72b6006b6808b1f695cd5a8dd291e22ddf391c13

SHA512
35320b54b8cc3fab4cb24b026e429a56607a50ffb17b8ec0f4d6cbcd483a9da3ee21430f3629799f8fe35a2aba866de6f5464d67efb2ce72a4a38ffa4cdd09c6

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\servers.def

Filesize
29KB

MD5
8625cc598545b4313acb4c34cec05821

SHA1
5ff65be78f84c547f43e7109604fb579c98c0f2a

SHA256
4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d

SHA512
04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\servers.def.vpx

Filesize
2KB

MD5
ada78e665ef2fcf8709bdd7386974119

SHA1
594d311379ce3373b4470a022eb0bc723b0caf53

SHA256
9a0e8da65a6824441e1deb5533ee21c1084398a2c8023d3b730d63e49d3861bd

SHA512
23aa516fb8edc6e090a2776a75da9c92a3cf97b4c002df305f07364da17ec53607016e9ed90ef814968a5b651a9b05f9caefd588c58f06495975ef8f27915de9

Download Submit
C:\Windows\Temp\asw.ed143a3c2760f518\uat64.vpx

Filesize
16KB

MD5
a316b5ffdc1c260e65dd95a6f5f33732

SHA1
7c363d9ab0e87711f5c5cfe3a7553ba754a923fb

SHA256
649d7c2a0f3837145cfb32b40526aeae55ef392525933e9d78a555e6e4a74ea2

SHA512
45987010693402f3a6d6bc0efa532f968fc39ef280e0b19819b0e1feab62cc6e4ba0e374286ec2a852a806b411075a02f603ed1416c21354119ad40c4cbeb07b

Download Submit
\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe

Filesize
262KB

MD5
201ca8720abe35c93f9d904c1bfca4c7

SHA1
32c1606445ccd25be1b6cf72627624174c2cf5c1

SHA256
f1a5b8c9d34891b4898c183d721361f72edc263d864b2ca0a8f3a5aaea2ff08b

SHA512
55f6964b312bbae2163e13d2763de2649dacb67af9294f2a89339cf336932e2a5b484317cd7a48b72fe1bd343bc76f1f561d9a2166ca6a7896149996b0dd8a85

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
a92a7d704a8e1e61a95fad4723c8ea63

SHA1
8cdfb74ebe03239fcff40335deae783830898d2b

SHA256
a64c86e444a3a5585eac9f0e5c38c3fc827175dd1632d56a5f3cd7fde75c2e40

SHA512
8e165247e94913fe7ab7e1d0a0681c2ea1a01ffc359993248c4a15d9e263e5aabd5377674eb49a661aabb264f7790c55554de33eb05b64e221573f3b94b7ad38

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
39d0e0b6747b3c0461e67e4e306f853c

SHA1
f8284f21537b877b144d206b58c5a98ecfdbe55e

SHA256
02e2e9f857f73674c803231b65353cc41431da3dd285eb2fd0b3cc8d5669f155

SHA512
ebcd9ef771b62582369e26c77a8e74f60ea88f29e9d18f43172d6e493cdce58648aad45c1f0b778dd80319d543a87dab5cf63a543e828489555051ba27fbd74b

Download Submit
\Windows\Temp\asw.ed143a3c2760f518\Instup.exe

Filesize
3.7MB

MD5
aeeb5645d1a42d73c10d466e071904a2

SHA1
8011cb95b74f202f3f931f42607b7c78231da219

SHA256
feac318f5a0b1e9a78f7e83a708edc3e66bf43c84803426dff4c8567e3895502

SHA512
d9803a1f3466b528a067e39fc514bdd8615f842da5f114436a058ea5efba5775f292598f626e7ae372e8d1d0dc2af50f26424034c32ca6519ae56017d859883b

Download Submit
\Windows\Temp\asw.ed143a3c2760f518\uat64.dll

Filesize
29KB

MD5
852a3b7a54e53295b24413aad55e1459

SHA1
1b2cf1d539e249c6014841dbea451e21f13a8515

SHA256
067b4f049fe07ea3af37c5dfdb7b237e49db432035361a3d0afdc527fa5d6a2c

SHA512
5df4a7f42814f069205d3f5e6337b250b287089e9d48a3711b8d5092b9ee04526a5d1b08c8b6a58d58b44296879001569747d9470542d8db17e3df14b3b3e843

Download Submit
memory/2080-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-15-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2080-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-45-0x0000000001B70000-0x0000000001B8F000-memory.dmp

Filesize
124KB

Download
memory/2876-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download