2ad86deced95f45253aa3286c5b7ede70fc985e29e0986ccc2a33933e70ae15e

Analysis

max time kernel
159s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
Size

397KB
MD5

0096a649ed9e1efe82ae0cbaf866bdb0
SHA1

c042e604a826f625ca43a670dbacb10c04fea85c
SHA256

2ad86deced95f45253aa3286c5b7ede70fc985e29e0986ccc2a33933e70ae15e
SHA512

dd8613f1dc6365ecdbc64bd900038dad4789d1c706839d9021ab5bb7f3f35338620eab4c0e78b517a0a54b92122bdbb4d084a51856a9ed43ba53170632afb1a4
SSDEEP

6144:UsLqdufVUNDa89+qOLoaXjhenMGmmUEebVF+uoiAy6to8:PFUNDa89+pL/KMG5U/augyet

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
840	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
1380	icsys.icn.exe
4168	explorer.exe
1200	spoolsv.exe
1552	svchost.exe
440	spoolsv.exe
3628	avast_free_antivirus_setup_online_x64.exe
3120	instup.exe
4764	instup.exe
1136	aswOfferTool.exe
1260	aswOfferTool.exe
2156	aswOfferTool.exe
2848	aswOfferTool.exe
4872	aswOfferTool.exe

Loads dropped DLL 12 IoCs

pid	Process
840	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
3120	instup.exe
3120	instup.exe
3120	instup.exe
3120	instup.exe
4764	instup.exe
4764	instup.exe
4764	instup.exe
4764	instup.exe
4764	instup.exe
4764	instup.exe
2156	aswOfferTool.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a39.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
1380	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4168	explorer.exe
1552	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 32	3628	avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege	3120	instup.exe
Token: 32	3120	instup.exe
Token: SeDebugPrivilege	4764	instup.exe
Token: 32	4764	instup.exe
Token: SeDebugPrivilege	2848	aswOfferTool.exe
Token: SeImpersonatePrivilege	2848	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
1380	icsys.icn.exe
1380	icsys.icn.exe
4168	explorer.exe
4168	explorer.exe
1200	spoolsv.exe
1200	spoolsv.exe
1552	svchost.exe
1552	svchost.exe
440	spoolsv.exe
440	spoolsv.exe
3120	instup.exe
4764	instup.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 840	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 840	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 840	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	91
PID 4616 wrote to memory of 1380	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	92
PID 4616 wrote to memory of 1380	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	92
PID 4616 wrote to memory of 1380	4616	0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe	92
PID 1380 wrote to memory of 4168	1380	icsys.icn.exe	93
PID 1380 wrote to memory of 4168	1380	icsys.icn.exe	93
PID 1380 wrote to memory of 4168	1380	icsys.icn.exe	93
PID 4168 wrote to memory of 1200	4168	explorer.exe	94
PID 4168 wrote to memory of 1200	4168	explorer.exe	94
PID 4168 wrote to memory of 1200	4168	explorer.exe	94
PID 1200 wrote to memory of 1552	1200	spoolsv.exe	95
PID 1200 wrote to memory of 1552	1200	spoolsv.exe	95
PID 1200 wrote to memory of 1552	1200	spoolsv.exe	95
PID 1552 wrote to memory of 440	1552	svchost.exe	96
PID 1552 wrote to memory of 440	1552	svchost.exe	96
PID 1552 wrote to memory of 440	1552	svchost.exe	96
PID 840 wrote to memory of 3628	840	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	97
PID 840 wrote to memory of 3628	840	0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe	97
PID 3628 wrote to memory of 3120	3628	avast_free_antivirus_setup_online_x64.exe	100
PID 3628 wrote to memory of 3120	3628	avast_free_antivirus_setup_online_x64.exe	100
PID 3120 wrote to memory of 4764	3120	instup.exe	108
PID 3120 wrote to memory of 4764	3120	instup.exe	108
PID 4764 wrote to memory of 1136	4764	instup.exe	109
PID 4764 wrote to memory of 1136	4764	instup.exe	109
PID 4764 wrote to memory of 1136	4764	instup.exe	109
PID 4764 wrote to memory of 1260	4764	instup.exe	110
PID 4764 wrote to memory of 1260	4764	instup.exe	110
PID 4764 wrote to memory of 1260	4764	instup.exe	110
PID 4764 wrote to memory of 2156	4764	instup.exe	111
PID 4764 wrote to memory of 2156	4764	instup.exe	111
PID 4764 wrote to memory of 2156	4764	instup.exe	111
PID 4764 wrote to memory of 2848	4764	instup.exe	112
PID 4764 wrote to memory of 2848	4764	instup.exe	112
PID 4764 wrote to memory of 2848	4764	instup.exe	112

C:\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616
- \??\c:\users\admin\appdata\local\temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\Temp\asw.3fc4bd0f3a40ccd2\avast_free_antivirus_setup_online_x64.exe
    "C:\Windows\Temp\asw.3fc4bd0f3a40ccd2\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_012_999_a6l_m /ga_clientid:fd2937a8-4c67-437d-93a7-33be436a4c3b /edat_dir:C:\Windows\Temp\asw.3fc4bd0f3a40ccd2
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\Temp\asw.683045df30e063ce\instup.exe
      "C:\Windows\Temp\asw.683045df30e063ce\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.683045df30e063ce /edition:1 /prod:ais /stub_context:9185bd1c-3398-46a2-83b0-53df5b5fb039:9946736 /guid:9c0244f2-6325-4c55-8e1e-5ca553d25ddb /ga_clientid:fd2937a8-4c67-437d-93a7-33be436a4c3b /cookie:mmm_ava_012_999_a6l_m /ga_clientid:fd2937a8-4c67-437d-93a7-33be436a4c3b /edat_dir:C:\Windows\Temp\asw.3fc4bd0f3a40ccd2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\instup.exe
        
        "C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.683045df30e063ce /edition:1 /prod:ais /stub_context:9185bd1c-3398-46a2-83b0-53df5b5fb039:9946736 /guid:9c0244f2-6325-4c55-8e1e-5ca553d25ddb /ga_clientid:fd2937a8-4c67-437d-93a7-33be436a4c3b /cookie:mmm_ava_012_999_a6l_m /edat_dir:C:\Windows\Temp\asw.3fc4bd0f3a40ccd2 /online_installer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe" -checkGToolbar -elevated
        6⤵
        Executes dropped EXE
        
        PID:1136
      - C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe" /check_secure_browser
        6⤵
        Executes dropped EXE
        
        PID:1260
      - C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2156
      - C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
        7⤵
        Executes dropped EXE
        
        PID:4872
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1200
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
26KB

MD5
91d645f29beb470b334a295345515bc4

SHA1
5b70be2f55b0209c272ac63ea9decfed3ab2b406

SHA256
b56aabde1f271135edc6f51d8fee22e269455b8644fed771924639f7e024b339

SHA512
c7817806009aba6d0897448649b9bb2f3785a5c00b2a236f809fc7685feab411a946e3a6a5bf770a326a0d7841edc9528013265cefe7b9870c03d7520ccc7701

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
89d2cdeefc9da13e36b9235b0141444d

SHA1
bd0089def77fe01deb3cc17e6ee9e67f2f0aa0bf

SHA256
a82a768778080407f111682c98e0fc2615692d508ca88dd68a1633dae406699d

SHA512
9f26460b232b0fcc47e523980a11a6b9257ffbf2d58ca5d31e0d6b4733b0062524da2f90313981063b3d6fa82d8b32a9fed64e43a36c3f5bef8093863c333c5b

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
281B

MD5
4164a081069cbc9e25992c9c04c83751

SHA1
9285baa4723be1b14b459bd76bbef0c83ae2bff4

SHA256
92c4eb9a9410bced0dc6d02bbdf04e830749d2c321153136e3fbb0515da19d9f

SHA512
7693146d7e098d2f3ccf30ed5f8b7d2555d587947a09dd64404e263da9f7607de79a9ffbfb2a228b6fbc4ee622532d61a406ff5002ca60b609ace7fd6e57045f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0096a649ed9e1efe82ae0cbaf866bdb0_neikianalytics.exe

Filesize
262KB

MD5
201ca8720abe35c93f9d904c1bfca4c7

SHA1
32c1606445ccd25be1b6cf72627624174c2cf5c1

SHA256
f1a5b8c9d34891b4898c183d721361f72edc263d864b2ca0a8f3a5aaea2ff08b

SHA512
55f6964b312bbae2163e13d2763de2649dacb67af9294f2a89339cf336932e2a5b484317cd7a48b72fe1bd343bc76f1f561d9a2166ca6a7896149996b0dd8a85

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
ebe718a26ff9216f6bfb9241163431b1

SHA1
3bee7e6829df924976e9a501ddb2caf8fb762e57

SHA256
52255a26f764b0717b9daceb3092b40729f2cb12b27c5e28cc5f07f6e413dd6d

SHA512
f61e42fbb97b4b3347d80b166e386436f3633f9df8d1c4f8dc19326a989d8f6f7cd72f0e82baa1bdacb6edf91dcb128bcce5658176ff2dc92901f38ffb493860

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
38bbaa63bef0b68c2750e108b08989b7

SHA1
6dfe8a97c413db1ce5234b5633cdf83a8b07a423

SHA256
da41543a2d7a2301f42dc061021d6bc5e304981026148983e955ff966456dea0

SHA512
65659338e116532c11990495c2e0677e8181c0310bfd2c5589c21191882e43f3c26b406714b785f74cb530f023044ff93197b170c9412ce58c4da0edcae96e62

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
8a9eb5e35021b77357c49f653c47cfe2

SHA1
74645411c7ba716865b4fddafe49fa4d7086615e

SHA256
a6799ce73dac674055c0ee905b91a1b05915810996da707bf2665e273cf3feee

SHA512
19390e14bfe798f8f9ed6109650b378fb00d2c01f0a013f256743a6a1f9fead48967bdb7cbfd2f4e9cb0b7685841f2b2f8d64efa6fb6f6a7295a8cb1c9b49a00

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
6ed80d6556348fdf7dc9972af8b45985

SHA1
37463e6b3c05d828bc46c4e6715813be61551b88

SHA256
3ac679ca392e91827887771971e29b5067d1751495ec246984209a9ddeca0141

SHA512
2982549a8b16add89e4123cb5b76a22e927036bac3171ec7b8b858e0daacf4c7151f0320903a6d3205548ef34739aa30596c324d65db8ebb26d5e93cd6fc102d

Download Submit
C:\Windows\Temp\asw.3fc4bd0f3a40ccd2\avast_free_antivirus_setup_online_x64.exe

Filesize
9.5MB

MD5
7b37b5ca203b183e28476b049e31767e

SHA1
bc41127c693101c81268a0af7badab332b86be11

SHA256
f8da8197da1d8377ed67e37b2603fd32f82974c1eb28b817829bbee1ac775ad4

SHA512
a0d52ffbf224271ee3b38ae8463a966e8397d5f8f4cfa97ef90c14794ce6b37cfe18226dc2d03e8f48968b217af08c8ec257fc1a39e2033335cf941faf9be0aa

Download Submit
C:\Windows\Temp\asw.3fc4bd0f3a40ccd2\ecoo.edat

Filesize
21B

MD5
0438aa47b76c29b6a0d5c202b9252963

SHA1
535f8ad1b38f12f8e62e58edadb00c3fb76a99db

SHA256
d4e883c822befa8a109f67f948c7f16766a9f9e2f5b35899ba9192efef7f335c

SHA512
d547c280398c20133813bfc3f7839512464b346c116a3c434ed0bc528ead8229dee0e4fa2dd1f830344afe702ce9e019e59f48a6d4770aef5c8b7932378d3e60

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\HTMLayout.dll

Filesize
4.0MB

MD5
5ac44187fb8ed4771a028a4f206708e5

SHA1
c9aaf33b0a1b0bef82e17197973ed3839472e0ca

SHA256
6100f12a2fd4267326da4ea65ff29935f8d1f8be3cdde9e2a895560e40192df8

SHA512
6537d0145037f4addbb480d6b8b44e8213b81093d3e751646103897c8b581559db5704b31948861893b73a9df1053bf12fd9522af7a888790162899e5b7e3eb4

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\Instup.dll

Filesize
18.2MB

MD5
615c4826108fad74f098d8afdd2a10b6

SHA1
7ea9f49b3da4961a91ca7027b5361888c6edfdc4

SHA256
46296f4c587013ef7ea0a7a263becb8b50fa824fbba938ab106cd48ab329de7a

SHA512
9bf90d6dbdee30629605a8c9f32b0201e37e86c44a5a6b48c4f422bfac7224d47a5e303625fd110f212972f231240564ebcd9fb81ab51c6a4d9cc214bd8e25cb

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\Instup.exe

Filesize
3.7MB

MD5
aeeb5645d1a42d73c10d466e071904a2

SHA1
8011cb95b74f202f3f931f42607b7c78231da219

SHA256
feac318f5a0b1e9a78f7e83a708edc3e66bf43c84803426dff4c8567e3895502

SHA512
d9803a1f3466b528a067e39fc514bdd8615f842da5f114436a058ea5efba5775f292598f626e7ae372e8d1d0dc2af50f26424034c32ca6519ae56017d859883b

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\asw94cfb26a84941663.tmp

Filesize
19KB

MD5
e20c13667bf44e64a92f7b5c4a9be981

SHA1
4afc6572ec14b44cf541478bca2b2ebfe5c6b4e1

SHA256
05c29bcc4f1cc3fe8e77b9ba4e57ed93d66de1ceacc2519150e994b9b9fc236e

SHA512
11bcbd1292a1136ed6bb6a47ccc6c30b8b0b2ddfb80222a2e2d9522fc24e35eb91105dbac9747a4758881c3a523f8d1ca7ea71b441c54625444058b7be1f277f

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\New_180417e0\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\asw10e785befac26551.ini

Filesize
1KB

MD5
739d7f4037c3e6c9499280ddd9243e37

SHA1
84da708a76a5d3e753b7c2969abc22343c84e231

SHA256
19c658c3f0265c91fac890d614190d4c83b5a89daf9f1a12b132c6e2c4069af9

SHA512
4f4e6cce96b97488dc63096b526dabb548fa9cfe8e7ea4849bd4bfe670f9c418bc66518894d988f231927cb7f02a18e565a2d1ab880ec75f915b94fb3781363f

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\asw10e785befac26551.ini

Filesize
1KB

MD5
3cb275486f7544d3131f261a8689be8a

SHA1
34ad5d806f5bf18ab4cee271ddc165f0956bb8ce

SHA256
596a86cbfbfd79925d964141c1dc6babbb99a19a3461df817dd19ae308a57911

SHA512
ab7ee1a90d6130d27ade92afbd089618197d84af578b19fc85aebf9a97da2277224079a4ff6ab47550703383eea19276e0233556066ba9ce43de798a831f4fb3

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\aswa4ddb03309829dff.ini

Filesize
749B

MD5
77b6dd97d9406506b5f4909c5479ccd6

SHA1
75f68504e4f489ab006236c71d816a10371bc2e8

SHA256
c918d77fd1e6176bcedfa95e1ec45640928b9c4eeac7828b1a849e6259e3998e

SHA512
74cae447f38f5e77c11c1728433ddbfe00130f0c24a8880e50aaf60488c5c1be80ef452886407117d658ae8e8f7a549ff9b2ad06e90efe88be765eab6efa92e0

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\avbugreport_x64_ais-a39.vpx

Filesize
4.8MB

MD5
306bfbbe50ee620436b4e522eda1d3e3

SHA1
3f15e345ac87613c2bd911f000aad53cf8cdc6c0

SHA256
1fad5705c6ba3778495c3cccddd1040e5f5cc2e94c5da28011379464046bf486

SHA512
cde802e5585929183a0c57c381b9847f1329fb10957d32ce04c82d28d1af352610d7b7ea52e4899dfbfff1ec4ffff7ff8273ce2af97abf0999c00cc58cc99b75

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\avdump_x64_ais-a39.vpx

Filesize
3.4MB

MD5
cd3748f9c9f8f4a3a032ac901c4f0586

SHA1
9fd01b70bac4234c7126507e9965b9297460662b

SHA256
fb61b0d20f2905f10058ee64a761c21b53211ff996ec75665b74cd2055cd6b41

SHA512
e2b9305108f1548c0f6653ce567253f05eda371be41de5f6c6f321e28f58d2fe8d982c0bef8d22d6ff95d5724152454732902d60a65eae9ef20243e26cc06f55

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\config.def

Filesize
28KB

MD5
5a7719d8f91210806e0de046a2897b56

SHA1
7bd04389df2595ac430a2441418f60ce7c2d7846

SHA256
730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea

SHA512
17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\config.def

Filesize
29KB

MD5
57491affc41fe45ab5c5a3f035bb7235

SHA1
8936297cfd25db6e11e2920620bb0dd112e11eb3

SHA256
6b1c62ddec7b22c3bd6e3ee9b3a60bc4832fa4b481fe49f2687834f9b53cc36c

SHA512
367bd2c666eba0c711a1e3ad22a771706305cf3a8d110fbcba7c0444e59b4b4d994026e7869ec977b3693726488f36cbdb952e7390a71ea8f705f4590fa42c84

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\config.def

Filesize
35KB

MD5
e0abf4e7dcf332456fae9656856ba982

SHA1
06df89818869556cf849ebd8147f3d2a3c722af3

SHA256
6455a35c2478719d24378a10d6ba7f4d647dacbc0967328ca1887209efe026ee

SHA512
096bb93f7300647d221f7b35930cac57bb389a58953605ac8405d424b6993f244f7175ad7008b5f5806d38cb646d377d29d027ae5e23fa0a0644f823d3e447d7

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\config.ini

Filesize
846B

MD5
12daf3b3966aab52575a750bb237ed4e

SHA1
4b8ae900ce73be1f06e56f457ef1cb1b29485f4e

SHA256
d67245b3c26048042f1a8c20708f669b4d8ae8802a8edb7b32f08157e923ab49

SHA512
8bb44a722338815feda15bc9ad0f58a2fc14b50e743d3a81ed8f8077832ab0205ee34ff7c45b13ed28aaea50584830de478c40a66f7a9c4c0e4a913d04428842

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\offertool_x64_ais-a39.vpx

Filesize
2.3MB

MD5
44645c9f6d213d0f87608f4461046731

SHA1
c5b6af10b2abb6e1422f27102f1ea1fac59099b6

SHA256
42ec9cd1f6ea316265a93119c865692108ecfd2ab6f007e6d4a2725214e56079

SHA512
27d7d698099ff3fe1c0200093174765f1f8e56c5b011cf2bb5ebdb60b3b2fcb3fe32bdac5cf79f349eb698cad269a3d75f6410c82b1e05e3a9ace1b9a5e1f4cd

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\part-jrog2-78.vpx

Filesize
212B

MD5
2e39a76d634dfbf7b1f81205e2494945

SHA1
900929990a49b5e615d350cba65b25fd5cdfa433

SHA256
cfc16e927bf7ff3cef650ae991bec2aadc8ed09d762d247e4cc1aee937fc6cee

SHA512
8ecb5803caf583e071541f9063b37220d7e72551a8f60dde6f1c5771a569c78902213448b62d6a2ee7293b4ca5b3caa0d9b136caff0b62b9dda6d4aec2fbd903

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\part-prg_ais-180417e0.vpx

Filesize
74KB

MD5
010b32b4b577447101045f32f076e441

SHA1
9ddf3608765048d234cfc01fcce04f65ada018a0

SHA256
d3b2ea21a681047518df0ec68da6f2121ff26d4e10412665197361986ec9c2c3

SHA512
19ad1b0650321df771f61cad16838a607108f53707da471fd10de00a63756ac6ca4722ddc0e7e08a1cc26e2b4b4fdb32c45420f78f22d798adf868fe928cfba1

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\part-setup_ais-180417e0.vpx

Filesize
4KB

MD5
7d99b56ebdc9d7b916fc2f42f54c1171

SHA1
47c4ec171248c1e31de40062aec51ffd63d40cad

SHA256
2a47e8af3f7be4f14fbc1fb141ee1d2db8d53aae946d632dac45446f968e4619

SHA512
e4b45dcd90e14fb61ea861b3b56ea718bd51c97a436532855ff29dd856ccb1a8f9b9f6d58ae32887a956b29ae9d209fb387c9b90809bfc884541d2f53bed4dfa

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\part-vps_windows-24052099.vpx

Filesize
7KB

MD5
bb27003f675eb14f48566dc06bf0d1e0

SHA1
5e8f89d24bb7e0a6a80bc3c7fbc2237e890bd25e

SHA256
6513f7be56bdcaf29fe31f798ef251492718ca2e1394d034a75399ff393d0be6

SHA512
7fee0a2083e33d059669bae85d8cac41e0f3c5f7d79763a59048505e17cc554f064ead0d906896411ac01c380200bcc4f0edc111d1166c77d906290fcc100fbd

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\prod-pgm.vpx

Filesize
572B

MD5
f767ec2c67fcb174088857a0e5a7dfe9

SHA1
1f82e0ebabc7a81b8440f2cc658bc36ef80aa058

SHA256
026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c

SHA512
ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\prod-vps.vpx

Filesize
344B

MD5
3d6229735be0de243d57ed765e21f391

SHA1
967b83c77716e2e500f10f44008b2c196064652e

SHA256
182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b

SHA512
8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\prod-vps.vpx

Filesize
341B

MD5
0bec8baf4c60f1c626f440e9ee896078

SHA1
6173a964b076c23a56571d5ab730984109797379

SHA256
313a8cf266df08fda34d243e72b6006b6808b1f695cd5a8dd291e22ddf391c13

SHA512
35320b54b8cc3fab4cb24b026e429a56607a50ffb17b8ec0f4d6cbcd483a9da3ee21430f3629799f8fe35a2aba866de6f5464d67efb2ce72a4a38ffa4cdd09c6

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\servers.def

Filesize
29KB

MD5
8625cc598545b4313acb4c34cec05821

SHA1
5ff65be78f84c547f43e7109604fb579c98c0f2a

SHA256
4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d

SHA512
04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\servers.def.vpx

Filesize
2KB

MD5
ada78e665ef2fcf8709bdd7386974119

SHA1
594d311379ce3373b4470a022eb0bc723b0caf53

SHA256
9a0e8da65a6824441e1deb5533ee21c1084398a2c8023d3b730d63e49d3861bd

SHA512
23aa516fb8edc6e090a2776a75da9c92a3cf97b4c002df305f07364da17ec53607016e9ed90ef814968a5b651a9b05f9caefd588c58f06495975ef8f27915de9

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\setup.def

Filesize
38KB

MD5
6b562cc4d2da62c444f04eada6c802eb

SHA1
7aa6e391d326b79bb2b2c9754b573a072fada07b

SHA256
71529a98a66e4f9a31de5db119697f6fcf327572f77f29a550b26337240d9909

SHA512
57ceed0b1bbe9a65423b7af2b12f3456393cb2a7d40574b189f8db8a37e78b9d8fe7ddc560fdb203a4484f42f86fca551143edb0c3892e831f80ad20fcad8b96

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\uat64.dll

Filesize
29KB

MD5
852a3b7a54e53295b24413aad55e1459

SHA1
1b2cf1d539e249c6014841dbea451e21f13a8515

SHA256
067b4f049fe07ea3af37c5dfdb7b237e49db432035361a3d0afdc527fa5d6a2c

SHA512
5df4a7f42814f069205d3f5e6337b250b287089e9d48a3711b8d5092b9ee04526a5d1b08c8b6a58d58b44296879001569747d9470542d8db17e3df14b3b3e843

Download Submit
C:\Windows\Temp\asw.683045df30e063ce\uat64.vpx

Filesize
16KB

MD5
a316b5ffdc1c260e65dd95a6f5f33732

SHA1
7c363d9ab0e87711f5c5cfe3a7553ba754a923fb

SHA256
649d7c2a0f3837145cfb32b40526aeae55ef392525933e9d78a555e6e4a74ea2

SHA512
45987010693402f3a6d6bc0efa532f968fc39ef280e0b19819b0e1feab62cc6e4ba0e374286ec2a852a806b411075a02f603ed1416c21354119ad40c4cbeb07b

Download Submit
memory/440-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1380-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4616-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4616-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-361-0x000002C0B89A0000-0x000002C0B8D99000-memory.dmp

Filesize
4.0MB

Download