xred | cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
Size

1011KB
MD5

e610228c78a89fb511090c70ddabf0a5
SHA1

bd3de44307ce176dc2d4b219861592dabcfd60c7
SHA256

cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68
SHA512

c3c74877dc9d5cc3a9b1c139befec46c11205c57a8e743f125e55075fca0d47fa90e307f4ad8caeb08b86d92d94c4196c92cfeb4433bc2deb8b6e1f8cb5a726b
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9u40KgGXFhazmdVgxn2:WnsJ39LyjbJkQFMhmC+6GD9B072aCVi2

Score

10^/10

xred backdoor bootkit discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
2804	Synaptics.exe
2536	._cache_Synaptics.exe
2512	avast_premium_security_setup_online_x64.exe
1212	Process not Found
1808	instup.exe

Loads dropped DLL 33 IoCs

pid	Process
2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
2804	Synaptics.exe
2804	Synaptics.exe
2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
1212	Process not Found
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe
1808	instup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe

Checks for any installed AV software in registry 1 TTPs 31 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_premium_security_setup_online_x64.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1"	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
File opened for modification	\??\PhysicalDrive0	avast_premium_security_setup_online_x64.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000500000001949e-92.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "35"	avast_premium_security_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-997.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Host unreachable."	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_premium_security_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1444	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2512	avast_premium_security_setup_online_x64.exe
2512	avast_premium_security_setup_online_x64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 32	2512	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	2512	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	1808	instup.exe
Token: 32	1808	instup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	instup.exe
1444	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2468	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	31
PID 2108 wrote to memory of 2804	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	32
PID 2108 wrote to memory of 2804	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	32
PID 2108 wrote to memory of 2804	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	32
PID 2108 wrote to memory of 2804	2108	cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	32
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2536	2804	Synaptics.exe	33
PID 2468 wrote to memory of 2512	2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	34
PID 2468 wrote to memory of 2512	2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	34
PID 2468 wrote to memory of 2512	2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	34
PID 2468 wrote to memory of 2512	2468	._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe	34
PID 2512 wrote to memory of 1808	2512	avast_premium_security_setup_online_x64.exe	35
PID 2512 wrote to memory of 1808	2512	avast_premium_security_setup_online_x64.exe	35
PID 2512 wrote to memory of 1808	2512	avast_premium_security_setup_online_x64.exe	35

C:\Users\Admin\AppData\Local\Temp\cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
"C:\Users\Admin\AppData\Local\Temp\cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\Temp\asw.9839ccf1c46e1474\avast_premium_security_setup_online_x64.exe
    "C:\Windows\Temp\asw.9839ccf1c46e1474\avast_premium_security_setup_online_x64.exe" /ga_clientid:dbdc7e0e-71c4-4906-9a23-8c8445b65dbb /edat_dir:C:\Windows\Temp\asw.9839ccf1c46e1474
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\Temp\asw.d02f2407ac55779b\instup.exe
      "C:\Windows\Temp\asw.d02f2407ac55779b\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.d02f2407ac55779b /edition:12 /prod:ais /stub_context:6b11ec2f-7e4b-4b79-9e1e-7ce21fbb3e25:11119848 /guid:38153b02-2f2f-46b7-8c70-f44121efe47e /ga_clientid:dbdc7e0e-71c4-4906-9a23-8c8445b65dbb /no_delayed_installation /ga_clientid:dbdc7e0e-71c4-4906-9a23-8c8445b65dbb /edat_dir:C:\Windows\Temp\asw.9839ccf1c46e1474
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1808
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2536

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
2KB

MD5
e71a2ee45e00eb3c3e61af9942720feb

SHA1
a400beff185eeaa2b9b3ebbcc7f9550307b091a3

SHA256
d3b07117393a3f2655933c7516af0214e42a0932c4371b7c351f8e1fcc53078c

SHA512
b057e02ce3c7333ef793e13c0c75e6ec5d88d4e2961257c84ca97d08949f8e4e878ef13bad9c6783cb6b64d630530300245dbee8a644d16454c63c21442e9c45

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1011KB

MD5
e610228c78a89fb511090c70ddabf0a5

SHA1
bd3de44307ce176dc2d4b219861592dabcfd60c7

SHA256
cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68

SHA512
c3c74877dc9d5cc3a9b1c139befec46c11205c57a8e743f125e55075fca0d47fa90e307f4ad8caeb08b86d92d94c4196c92cfeb4433bc2deb8b6e1f8cb5a726b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIvWITgE.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIvWITgE.xlsm

Filesize
20KB

MD5
3e00c44996cc2dd2eeb708619e19e067

SHA1
222e35a9fb47459bd42371d6ab1ff36278d3d2f7

SHA256
2e59cb66dccfcecfdd9fc834817ba4e998259e728a3779b5e3e978e98d9bcba0

SHA512
b6466f8aa96aae563bd2f02b7db837dcd98461fe7f9561a9dd8215a9a06fe076541596889d7b7861dff0acc9196631cd48aa181828bf216548ccd93fd2ee399c

Download Submit
C:\Windows\Temp\asw.9839ccf1c46e1474\eapt.edat

Filesize
52B

MD5
5884f2f4d5be779a7c06defb966fcc85

SHA1
369b59b1f46df696962d60b3994abe316374e4f5

SHA256
480051e3df9a84b333d2ed2275730380eefbeb5616d216a3f13c2a39053c18da

SHA512
43c9fde8e69909cf177e9ec24810c244cf78b8bcb5acbea55aae28d3c740b7156d9e4e8a1c42a25f49051eeecdba58efb48f4d3c96b11113331e002e501aa6e8

Download Submit
C:\Windows\Temp\asw.9839ccf1c46e1474\eewk.edat

Filesize
20B

MD5
95fd8ee32226efed60e7c29d5cff1771

SHA1
4ce659b6dbd44ac9bf3ab4d0a082cf5342e97e06

SHA256
bfdffe481b9760f4e9abc207e1324b22a366a7ca55036fbbd14387cd14abe042

SHA512
0ab0a1cf598a018a76b656493f44d8204f78c65263d0b40f41aeaf58d172c8ecb8ce41748cea767bcf0238612e0ab7f9e10632b22e7f757365f4c9f340fecd29

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\HTMLayout.dll

Filesize
4.0MB

MD5
53552d268511ec403d8358ce50f01cb4

SHA1
cc64aadcbbe826231d005fd2309161e217f11021

SHA256
830ea16df827614120406602593ef66107031177423ac1a9c07cb1ef6104793e

SHA512
4a0fc01e1de6b9fb9da33ee4fa98981657e3a61e426be4351ee1b98778ed7071938342deb0bcc1e124e58716f44005d564200d5811ac95a28e722c85034f30c2

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\Instup.dll

Filesize
21.9MB

MD5
a63c789221a7cb3055b4f96d49079c14

SHA1
1536bead7a9fb15cbfcfe89d98d5ea3ef7fa05af

SHA256
6628d923d640bd3699b238fcfd531b5d9bcb6de3af89fc8ce44f5a90ec2ee61c

SHA512
3e69250e68f093a062eacb6d6ef32a07b46e7754f8cf4da7f8a443c0ce283d701a7f0ac4cbd8bf80f14e817615e529a7ac20366dd3ae02272888f5ad3092cbaf

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\asw24c139df4ac5bf46.tmp

Filesize
831KB

MD5
c5665f1f93d9aabbcb1dde533e2c46e6

SHA1
732389de20c600d0222d61b4ee74b0be6412a45b

SHA256
adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a

SHA512
51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\asw394723bd7adade01.tmp

Filesize
4.5MB

MD5
ef035189604e7f5d68a62827b985ccbb

SHA1
c094c6eef2640a71aee9f4b27123c2080d38136f

SHA256
64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740

SHA512
32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\asw3d87324e34f6f14f.tmp

Filesize
907KB

MD5
700b6740e6bfa7729f146572d8455348

SHA1
19d80fb0251f417283ed36fc20c43079b3f6fbb8

SHA256
d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e

SHA512
7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\asw7de6e5b0f020a959.tmp

Filesize
19.1MB

MD5
9ee6528abdad768fbfa28bd1bb80ebe9

SHA1
f5582697e068ba1d56825fc32bd5ab1a71bd4d38

SHA256
61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

SHA512
de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\aswd5bbc8ab66d62552.tmp

Filesize
3.1MB

MD5
b216fc28400c184a5108c0228fba86bc

SHA1
5d82203153963ebede19585b0054de8221c60509

SHA256
7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd

SHA512
6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\New_15020997\aswd77dda3aa0298b8a.tmp

Filesize
3.8MB

MD5
d9be57d4e1a25264b8317278f8b93396

SHA1
d3c98696582fed570f38ae45bf22b8197253b325

SHA256
a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3

SHA512
2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\avdump_x86_ais-997.vpx

Filesize
767KB

MD5
4f2f4b4cae5bc3e568a2eb165ac6b74f

SHA1
f18b957799c48f18f0be8007ed4c6d3e721577c0

SHA256
52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b

SHA512
8536eb2e4ada2920d93806cb70cc35b7879119dfffe1ddc0a4710dddea7c0234257d25fe14fff45a58c820a4389e5ffc968f81c5bbeb9b77870962e608b5d45a

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\config.def

Filesize
32KB

MD5
9c7c17c2fd22626db24906bd14db821d

SHA1
37695c8c2a0a9de9dc482d44fa0747b80fa62c67

SHA256
4d7dbdbf806457a71b2e4ad97b05c4a077fb45e583ea2ec940387b49b620c17c

SHA512
5e2832179fbe305e9c844cfeee53b5adcd316e99448a06879c2e123088c666237f9e2edb1cd5801c03a1eb81f7cca7d0b307c7729eba5fe0248cd1231af78482

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\config.def

Filesize
33KB

MD5
f196294a5837380796c7c2c64d0bb630

SHA1
0651753b188f613f21004b723db059f36f91409a

SHA256
5af60e81365a297685c8caa47c3bdc9175b9593aeba413791010f94d14f3c3b4

SHA512
a83c24d780f816a8e6c320a642c84e42dc422c19ff77dfd05636fb60512af6cf86c349011c3e86f0eeb9ab3f906ea8d7e99852fa58e702b2d4b739766a078238

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\config.ini

Filesize
963B

MD5
dcbc7117c876d5de08ecac6ac906d4cc

SHA1
ac497fc22e526a30dc5bb122a061c6fff3a3fc36

SHA256
fec8ed715029c095817c1bda86f0059e43f9c7509b488b7ce966837619978d4e

SHA512
f1880f6bfac619be4da3c250789712129a5e89401a44926727c690b7dcc24185dbf6bdd7687e2476b7199deaa6cfec408be2232f5fd32ce129c9d77d52dc1b1f

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\part-setup_ais-15020997.vpx

Filesize
5KB

MD5
365b6ee6fbde00af486fc012251db2da

SHA1
8050ba5a9b6321f067fc694527011ba00767d4a2

SHA256
01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830

SHA512
949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\prod-pgm.vpx

Filesize
571B

MD5
e966e55c5985d7f2ab33a9171b85bf6b

SHA1
21fe7414580a7ab0310aa8743553579e68573e52

SHA256
97938b707c9251ffbc5c5b0e05fb6061fd8cdd714d60e6b48593e59858df1c85

SHA512
33596e2ca9ba3bea43eb77db90f8691c3ba1b05b22b919ecc30323d2e8d528743c8851af93041f87feffc19ac43f6a37f4b0e8c2b9982975d31fbba6043991ac

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\prod-vps.vpx

Filesize
343B

MD5
55e34248abb24f88e39f08781e0b836a

SHA1
67519409303d4b5642f1fc4875a2a64d4dd495a4

SHA256
ee058664787b72dd09ebdde034f6b2836ed4bdfa817674950c79243e70af65e5

SHA512
9d0d8daa210eaf6c8939cf1f18178fda4eddea9d180488b38481b483c2b3c042f769a898d2c04dc6e083c55a8f5ef52388504d6f6b2a6e4bdfeb428f4538e1e6

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\sbr_x64_ais-997.vpx

Filesize
15KB

MD5
13e9fbb02cb7497562b59a9ef8f1ee92

SHA1
047936e9296e77939b5b23c1a2af3056eaa2ae99

SHA256
40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a

SHA512
0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\servers.def

Filesize
29KB

MD5
46dcb43d6cf012d148e843bdd6dbb30f

SHA1
de6948ab39e15dc2fe9d64053a9d384deede7df3

SHA256
a447b543904d421e105e53eb8b58150dfdf98f3d1b882760f5fd5d1374041e2c

SHA512
e95d46b64591b8236dc592aadd5a9deb19e5687672081c6ebac0a7cebe19943b9708e21c83f686b0c5c37a8e34e8b3f48d80444874958d395df0a45c405aebaf

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\servers.def.vpx

Filesize
2KB

MD5
3645e173ccedd64a11197eea591e01b7

SHA1
7f5da709bd2ee1b763657f43a45b82fa71efd0ec

SHA256
6fff4292babcee0e804334e5f3faa7e5593f853283915bba4590896af160cf65

SHA512
0f2f8ece730b15568b8a1bf32c691304d34efc92673a2a44e048bdac0aa8db8eb5119e154528723a8ae412a00e734abbb60d5ad98620bc557af7383089374d04

Download Submit
C:\Windows\Temp\asw.d02f2407ac55779b\uat64.vpx

Filesize
16KB

MD5
8dc023703473338ca7b308b13941bf89

SHA1
9b063d3ea61cd8fb5d554534000010fc79fe5eaa

SHA256
a2b1f4c807748fcb2f5af7e6dc2ed6439f5bdf01ee5768c8170fdca07a50c981

SHA512
06831bc64d1491e49dce1976841aa23d307efce05ed5878189075a966a0dbbeae6d3b3a0a51c85d0647ce7ffd5ddd890ac7f0c48d56229efb1a96f91e79aec0d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cac5c008247639f4e4a5a4b3c9047a86b874d929455c84dd2c8378f3d64b3c68.exe

Filesize
257KB

MD5
036fb890ad760b84c36aec311eb760ed

SHA1
65370908562401dad9f2d666aafb008446210a04

SHA256
2a7580f9990d34925014e69ba5e05ff292d34918a9a7215814e17bf7782852c4

SHA512
d03e179a3ae93b14453ae48d6d8da431f6635c424b3b3b61ec02f2b7df6e95b9c56bcfbe77e878dedd111ca1f62c42dc1e363b1fd8422298ed7df3ccc6e4ad43

Download Submit
\Windows\Temp\asw.9839ccf1c46e1474\avast_premium_security_setup_online_x64.exe

Filesize
10.6MB

MD5
d815ba481671114df2dedd6e7a6ec7b9

SHA1
fd2e36eb57fab67dc8dd06efa6e89ef17444aa70

SHA256
603ede9564ae4c01f5de2b6af1a1f00d05acc0a13d5e66579b23ccc07daf3a2a

SHA512
fbadd8174ea65a49413634f24aaff76cbc9be226da7339a0b78b109941824d70bd6c8807f35b4e25f36725f68e6687daf23c55d25a91b1f1ecfb417ead6eecd0

Download Submit
\Windows\Temp\asw.d02f2407ac55779b\Instup.exe

Filesize
3.7MB

MD5
38469e27d942ac60e1db3820d978199e

SHA1
400a3afc5205a233fa2fcf6fa720f5655195dbbb

SHA256
cac059e8cc3a51d9e6d69e4957c298f8214ea19fc741564ab24617484fa56a61

SHA512
9a53390188726f0897659effae9521b2bec7c4836f52bc99b621b004f28083e48bf9cc844b74de67465e6317a087f0f6e3e93cd29f84bbecfe3ff323b12db234

Download Submit
\Windows\Temp\asw.d02f2407ac55779b\uat64.dll

Filesize
29KB

MD5
ffa717db56042a79b5546ee5ebe1719a

SHA1
d0e9681e55b6a20b184f556998eeaaeacc87e587

SHA256
af0096cf631c026e6b2de0382965ef9b797200a544d473aefcc19a8e6b86dc2a

SHA512
2c3f76a0644bcebeecb0e01127040921143065cc3dcaf90c363dafbe760733d70737296c8ae564dc83d3204d5052cd8e7bb5ccea3386f2c2f4e603608ee0a544

Download Submit
memory/1444-233-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1444-192-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2108-27-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-84-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-325-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-191-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-190-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-389-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2804-421-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download