xred | fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Size

1011KB
MD5

cbe903f2feabfa1de7ab1b03bfc673e0
SHA1

5834083b53a4ca9ba001a2104e8aed4b3b9869fc
SHA256

fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161
SHA512

b3dbb1f045aac79c4402163e41b407e0cd62125083ec4ae3d213bd86483adcbf2ae376f826dd3c6d83f33392f650172d05ce083e3611f388a1ae63ff30dcb1f4
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9u40KgGXFhazmdVgxnG:WnsJ39LyjbJkQFMhmC+6GD9B072aCViG

Score

10^/10

xred backdoor bootkit discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
3004	Synaptics.exe
2780	._cache_Synaptics.exe
2820	avast_premium_security_setup_online_x64.exe
1196	Process not Found
1880	instup.exe
1680	instup.exe
2908	aswOfferTool.exe
2680	aswOfferTool.exe
2896	aswOfferTool.exe
2720	aswOfferTool.exe

Loads dropped DLL 35 IoCs

pid	Process
2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
3004	Synaptics.exe
3004	Synaptics.exe
1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1880	instup.exe
1680	instup.exe
2680	aswOfferTool.exe
2720	aswOfferTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_premium_security_setup_online_x64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
File opened for modification	\??\PhysicalDrive0	avast_premium_security_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000500000001a499-112.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "95"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "57"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75"	instup.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2796	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2820	avast_premium_security_setup_online_x64.exe
2820	avast_premium_security_setup_online_x64.exe
1680	instup.exe
1680	instup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 32	2820	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	2820	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	1880	instup.exe
Token: 32	1880	instup.exe
Token: SeDebugPrivilege	1680	instup.exe
Token: 32	1680	instup.exe
Token: SeDebugPrivilege	2896	aswOfferTool.exe
Token: SeImpersonatePrivilege	2896	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2796	EXCEL.EXE
1880	instup.exe
1680	instup.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 1476	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	29
PID 2556 wrote to memory of 3004	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	30
PID 2556 wrote to memory of 3004	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	30
PID 2556 wrote to memory of 3004	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	30
PID 2556 wrote to memory of 3004	2556	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	30
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 3004 wrote to memory of 2780	3004	Synaptics.exe	31
PID 1476 wrote to memory of 2820	1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	34
PID 1476 wrote to memory of 2820	1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	34
PID 1476 wrote to memory of 2820	1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	34
PID 1476 wrote to memory of 2820	1476	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	34
PID 2820 wrote to memory of 1880	2820	avast_premium_security_setup_online_x64.exe	35
PID 2820 wrote to memory of 1880	2820	avast_premium_security_setup_online_x64.exe	35
PID 2820 wrote to memory of 1880	2820	avast_premium_security_setup_online_x64.exe	35
PID 1880 wrote to memory of 1680	1880	instup.exe	36
PID 1880 wrote to memory of 1680	1880	instup.exe	36
PID 1880 wrote to memory of 1680	1880	instup.exe	36
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2908	1680	instup.exe	37
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2680	1680	instup.exe	38
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39
PID 1680 wrote to memory of 2896	1680	instup.exe	39

C:\Users\Admin\AppData\Local\Temp\fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
"C:\Users\Admin\AppData\Local\Temp\fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Temp\asw.5f0146f839ed7ac6\avast_premium_security_setup_online_x64.exe
    "C:\Windows\Temp\asw.5f0146f839ed7ac6\avast_premium_security_setup_online_x64.exe" /ga_clientid:605da04d-94ab-4eff-b9d4-0ea3f4fe946a /edat_dir:C:\Windows\Temp\asw.5f0146f839ed7ac6
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\Temp\asw.c5e57f511a2c3f47\instup.exe
      "C:\Windows\Temp\asw.c5e57f511a2c3f47\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.c5e57f511a2c3f47 /edition:12 /prod:ais /stub_context:545f7960-6add-4381-898d-7616a1ac0e4a:11119848 /guid:7273e826-5392-4c78-9cbd-0de81f6aefc7 /ga_clientid:605da04d-94ab-4eff-b9d4-0ea3f4fe946a /no_delayed_installation /ga_clientid:605da04d-94ab-4eff-b9d4-0ea3f4fe946a /edat_dir:C:\Windows\Temp\asw.5f0146f839ed7ac6
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\instup.exe
        
        "C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.c5e57f511a2c3f47 /edition:12 /prod:ais /stub_context:545f7960-6add-4381-898d-7616a1ac0e4a:11119848 /guid:7273e826-5392-4c78-9cbd-0de81f6aefc7 /ga_clientid:605da04d-94ab-4eff-b9d4-0ea3f4fe946a /no_delayed_installation /edat_dir:C:\Windows\Temp\asw.5f0146f839ed7ac6 /online_installer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
      - C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe" -checkChrome -elevated
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
      - C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFA
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFA
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2720
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
54bab288fcc3b5f270a3b008bbd39078

SHA1
f4eeb5e91b2fc2c203f850a0a83e79bfbbbca571

SHA256
93e4e92293ad8a7a29a38ddc97447aa19390f70d0b80a71ff8d40bf1543d3a01

SHA512
0f6bbde89eaa7a19afde72db23d1f57f713d7cab0e6233db534ab4277356c9bcd1170a84d6247843f19b7a408ab057203b994c1b2034387c707e45f421a5cf34

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
28KB

MD5
31aca7ee3b17bb4bb4bf87ba7c56239a

SHA1
4e21624f899ff487ef8e25fb071809511ceb06cb

SHA256
c3838e21ba582bc3cf628902627331cc16b4c48c12a63b4b59230e5a041ba3f6

SHA512
fb028fcc2e58ddc0e834b4745a8cdf0ca33cd872b7a6fa1960bc2673f9741f91f407dafdee55f4b900818ab47787f8c2e1f1390ef60dfe45692af33e4385d2a2

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
142B

MD5
2d24bf303f5f6b77f998cb4acd72165e

SHA1
c596e7c4c9190295be16dad61e0c1f537920da86

SHA256
4cb835363a0bed487254759515a1125c42c5b69c53b8d35cabfd24e0f860b6b8

SHA512
a2fd3c5a7485fc83297f455febdc571e3bc3a81edd6eabfee6d68a1b9a7f06818d5493e19e884c1a1dbcf55ab5a733ac097d2f3305e31e74fa79c5b4e4feccb4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1011KB

MD5
cbe903f2feabfa1de7ab1b03bfc673e0

SHA1
5834083b53a4ca9ba001a2104e8aed4b3b9869fc

SHA256
fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161

SHA512
b3dbb1f045aac79c4402163e41b407e0cd62125083ec4ae3d213bd86483adcbf2ae376f826dd3c6d83f33392f650172d05ce083e3611f388a1ae63ff30dcb1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qa9a12yq.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Public\Documents\gcapi_17374650682720.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Windows\Temp\asw.5f0146f839ed7ac6\eapt.edat

Filesize
52B

MD5
5884f2f4d5be779a7c06defb966fcc85

SHA1
369b59b1f46df696962d60b3994abe316374e4f5

SHA256
480051e3df9a84b333d2ed2275730380eefbeb5616d216a3f13c2a39053c18da

SHA512
43c9fde8e69909cf177e9ec24810c244cf78b8bcb5acbea55aae28d3c740b7156d9e4e8a1c42a25f49051eeecdba58efb48f4d3c96b11113331e002e501aa6e8

Download Submit
C:\Windows\Temp\asw.5f0146f839ed7ac6\eewk.edat

Filesize
20B

MD5
95fd8ee32226efed60e7c29d5cff1771

SHA1
4ce659b6dbd44ac9bf3ab4d0a082cf5342e97e06

SHA256
bfdffe481b9760f4e9abc207e1324b22a366a7ca55036fbbd14387cd14abe042

SHA512
0ab0a1cf598a018a76b656493f44d8204f78c65263d0b40f41aeaf58d172c8ecb8ce41748cea767bcf0238612e0ab7f9e10632b22e7f757365f4c9f340fecd29

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\Instup.dll

Filesize
21.9MB

MD5
a63c789221a7cb3055b4f96d49079c14

SHA1
1536bead7a9fb15cbfcfe89d98d5ea3ef7fa05af

SHA256
6628d923d640bd3699b238fcfd531b5d9bcb6de3af89fc8ce44f5a90ec2ee61c

SHA512
3e69250e68f093a062eacb6d6ef32a07b46e7754f8cf4da7f8a443c0ce283d701a7f0ac4cbd8bf80f14e817615e529a7ac20366dd3ae02272888f5ad3092cbaf

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\asw8f7d377b59856efb.tmp

Filesize
19.1MB

MD5
9ee6528abdad768fbfa28bd1bb80ebe9

SHA1
f5582697e068ba1d56825fc32bd5ab1a71bd4d38

SHA256
61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

SHA512
de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswb24ddd9169ec7292.tmp

Filesize
3.1MB

MD5
b216fc28400c184a5108c0228fba86bc

SHA1
5d82203153963ebede19585b0054de8221c60509

SHA256
7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd

SHA512
6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswbbd39eb309e25e5d.tmp

Filesize
4.5MB

MD5
ef035189604e7f5d68a62827b985ccbb

SHA1
c094c6eef2640a71aee9f4b27123c2080d38136f

SHA256
64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740

SHA512
32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswbe92c1b67c398263.tmp

Filesize
3.8MB

MD5
d9be57d4e1a25264b8317278f8b93396

SHA1
d3c98696582fed570f38ae45bf22b8197253b325

SHA256
a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3

SHA512
2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswd14564a8883daa96.tmp

Filesize
907KB

MD5
700b6740e6bfa7729f146572d8455348

SHA1
19d80fb0251f417283ed36fc20c43079b3f6fbb8

SHA256
d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e

SHA512
7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\New_15020997\aswd2f9ce726d14d4bf.tmp

Filesize
831KB

MD5
c5665f1f93d9aabbcb1dde533e2c46e6

SHA1
732389de20c600d0222d61b4ee74b0be6412a45b

SHA256
adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a

SHA512
51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\aswecfecb9c9563704b.ini

Filesize
963B

MD5
1403d386dd2e12cd7d74e5e12a7ef2b1

SHA1
7a76e1da677a3a5734475e0d80c7c21503b73471

SHA256
cfbd81726e25e4ac130403e349162bb91dac2444a8e4550f9ede37f5766a20f2

SHA512
882cdf5641b001959844094c75584ce68da56570a30af3be29f8ab28dcf881dca6b4be8a3bd0a29ab1f5d9bc5c7b821c0ff68273125419539b7efbf8276938b9

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\config.def

Filesize
32KB

MD5
9c7c17c2fd22626db24906bd14db821d

SHA1
37695c8c2a0a9de9dc482d44fa0747b80fa62c67

SHA256
4d7dbdbf806457a71b2e4ad97b05c4a077fb45e583ea2ec940387b49b620c17c

SHA512
5e2832179fbe305e9c844cfeee53b5adcd316e99448a06879c2e123088c666237f9e2edb1cd5801c03a1eb81f7cca7d0b307c7729eba5fe0248cd1231af78482

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\config.def

Filesize
33KB

MD5
1b58ee0d797e92470ec0af83e5378434

SHA1
a3402c55c00dd1400146c6ce9a42ebf7868845bb

SHA256
120d4fa79fbe0292688cf342e53d8427999da1b0027d213f42707775649f65f1

SHA512
fd2424dfe8d061edcd742b6fce4237cd83885f3a51a5107b5836969b6d74b795725bc656b4cecc4ac8aad7cefae4ac2c70b955640088d5ff50d6a06c4c0159f1

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\config.def

Filesize
38KB

MD5
cacc20d6298362da89157e7bbf795e7f

SHA1
44643ae37d689b3915690576f0331beef4c41110

SHA256
3ae9ae245298ea67d897350c01b9b3b0acab29216005d25563a897df997e3a2a

SHA512
aa1afee600d1f76f539f6adbd04eb78aa4e133e0d28a96d3c92c3e3fb4d9055786ac49067c5429396383297a2d98235b7385f9851b5cd9e499811299c073b90f

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\part-jrog2-1724.vpx

Filesize
696B

MD5
53b37191999798442e9c83a9c4139016

SHA1
533034667ad1aa4fa1266a15023fb96ec3f50e48

SHA256
d1d267be72eafc866f1daf9f0cd940b88191417641dcba1fd3835772ac5dfb46

SHA512
f595f8203a19aab1baa7b4bca0d8c59d29024319da4a10bd44593c86aa3c35430662ca74f2446eb8eba7ce1a617290c4eee37950dd803f91c019e013d0ef853d

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\part-prg_ais-15020997.vpx

Filesize
188KB

MD5
b898fa20bf9b0321b50a8d4946aae799

SHA1
4e173a99dc9a9ef507112857525ad53991f4d2a0

SHA256
6a2b3de2d13269bc9b3d68b7fbffd9edcfa94dea83ffd3d5f7a03f05bda09a6c

SHA512
c34e5b9f04c2322ec0ce24f582be148554ebff9aee8b312ba272b94b54f077370d345ec24d284ea66db67bd7104b343fa9c2646100d64d3b6361ab7ffe7e2810

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\part-setup_ais-15020997.vpx

Filesize
5KB

MD5
365b6ee6fbde00af486fc012251db2da

SHA1
8050ba5a9b6321f067fc694527011ba00767d4a2

SHA256
01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830

SHA512
949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\part-vps_windows-25012100.vpx

Filesize
11KB

MD5
b7227b0ccd1454e5ee267514b0a4cbbb

SHA1
7d224547bbab97bae46c812fe12e152ee0a59b5a

SHA256
c0af2972a67056d5f89070bb1c0369a4e2651d4cb8ed489085cc9f7505f5d33c

SHA512
9d4ac4542aca6e74153a51f16980114e2acd8b869b6c6338fd076e375b7d9810b156814d186c3ff7d1f78a791058d27505b8d21f4f173af401e8b560908a34a8

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\prod-pgm.vpx

Filesize
571B

MD5
e966e55c5985d7f2ab33a9171b85bf6b

SHA1
21fe7414580a7ab0310aa8743553579e68573e52

SHA256
97938b707c9251ffbc5c5b0e05fb6061fd8cdd714d60e6b48593e59858df1c85

SHA512
33596e2ca9ba3bea43eb77db90f8691c3ba1b05b22b919ecc30323d2e8d528743c8851af93041f87feffc19ac43f6a37f4b0e8c2b9982975d31fbba6043991ac

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\prod-vps.vpx

Filesize
343B

MD5
55e34248abb24f88e39f08781e0b836a

SHA1
67519409303d4b5642f1fc4875a2a64d4dd495a4

SHA256
ee058664787b72dd09ebdde034f6b2836ed4bdfa817674950c79243e70af65e5

SHA512
9d0d8daa210eaf6c8939cf1f18178fda4eddea9d180488b38481b483c2b3c042f769a898d2c04dc6e083c55a8f5ef52388504d6f6b2a6e4bdfeb428f4538e1e6

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\prod-vps.vpx

Filesize
343B

MD5
20e24f00fa1d87a9f0efb12762021c1f

SHA1
4f4f61669c00057f98f876548af4f1d8c4dbc05b

SHA256
e432bfbfe1498637aed457061c6ce9df66919e6ad81145bdb9726d7638f3516d

SHA512
7216eb1529e4ed145f6ea16b5dac9c12faad3472ebdbdabdbd7dc1d8734c81bc37c5895306f447d0ba68ccb5d9495dca8020d4725534eeed258cb7ef64fd2588

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\sbr_x64_ais-997.vpx

Filesize
15KB

MD5
13e9fbb02cb7497562b59a9ef8f1ee92

SHA1
047936e9296e77939b5b23c1a2af3056eaa2ae99

SHA256
40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a

SHA512
0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\servers.def

Filesize
29KB

MD5
46dcb43d6cf012d148e843bdd6dbb30f

SHA1
de6948ab39e15dc2fe9d64053a9d384deede7df3

SHA256
a447b543904d421e105e53eb8b58150dfdf98f3d1b882760f5fd5d1374041e2c

SHA512
e95d46b64591b8236dc592aadd5a9deb19e5687672081c6ebac0a7cebe19943b9708e21c83f686b0c5c37a8e34e8b3f48d80444874958d395df0a45c405aebaf

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\servers.def.vpx

Filesize
2KB

MD5
3645e173ccedd64a11197eea591e01b7

SHA1
7f5da709bd2ee1b763657f43a45b82fa71efd0ec

SHA256
6fff4292babcee0e804334e5f3faa7e5593f853283915bba4590896af160cf65

SHA512
0f2f8ece730b15568b8a1bf32c691304d34efc92673a2a44e048bdac0aa8db8eb5119e154528723a8ae412a00e734abbb60d5ad98620bc557af7383089374d04

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\setup.def

Filesize
37KB

MD5
be793535c4acf02d4ad13b20d0c84deb

SHA1
65dd6b4891a75848042c10057808535298cee3e1

SHA256
31f9f4cfff1900e8a4ece24ddb5da2736409779b970e29e4bf9fe00b985c65cd

SHA512
7f6c482103757d353b6cc50ccd6c618454f653d3e7eeef743e0bc74cae71c72f56ee0f1213deeeb4ad6e1cce244d7d017044e928c80a507de343cacd89238f62

Download Submit
C:\Windows\Temp\asw.c5e57f511a2c3f47\uat64.vpx

Filesize
16KB

MD5
8dc023703473338ca7b308b13941bf89

SHA1
9b063d3ea61cd8fb5d554534000010fc79fe5eaa

SHA256
a2b1f4c807748fcb2f5af7e6dc2ed6439f5bdf01ee5768c8170fdca07a50c981

SHA512
06831bc64d1491e49dce1976841aa23d307efce05ed5878189075a966a0dbbeae6d3b3a0a51c85d0647ce7ffd5ddd890ac7f0c48d56229efb1a96f91e79aec0d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Filesize
257KB

MD5
036fb890ad760b84c36aec311eb760ed

SHA1
65370908562401dad9f2d666aafb008446210a04

SHA256
2a7580f9990d34925014e69ba5e05ff292d34918a9a7215814e17bf7782852c4

SHA512
d03e179a3ae93b14453ae48d6d8da431f6635c424b3b3b61ec02f2b7df6e95b9c56bcfbe77e878dedd111ca1f62c42dc1e363b1fd8422298ed7df3ccc6e4ad43

Download Submit
\Windows\Temp\asw.5f0146f839ed7ac6\avast_premium_security_setup_online_x64.exe

Filesize
10.6MB

MD5
d815ba481671114df2dedd6e7a6ec7b9

SHA1
fd2e36eb57fab67dc8dd06efa6e89ef17444aa70

SHA256
603ede9564ae4c01f5de2b6af1a1f00d05acc0a13d5e66579b23ccc07daf3a2a

SHA512
fbadd8174ea65a49413634f24aaff76cbc9be226da7339a0b78b109941824d70bd6c8807f35b4e25f36725f68e6687daf23c55d25a91b1f1ecfb417ead6eecd0

Download Submit
\Windows\Temp\asw.c5e57f511a2c3f47\HTMLayout.dll

Filesize
4.0MB

MD5
53552d268511ec403d8358ce50f01cb4

SHA1
cc64aadcbbe826231d005fd2309161e217f11021

SHA256
830ea16df827614120406602593ef66107031177423ac1a9c07cb1ef6104793e

SHA512
4a0fc01e1de6b9fb9da33ee4fa98981657e3a61e426be4351ee1b98778ed7071938342deb0bcc1e124e58716f44005d564200d5811ac95a28e722c85034f30c2

Download Submit
\Windows\Temp\asw.c5e57f511a2c3f47\Instup.exe

Filesize
3.7MB

MD5
38469e27d942ac60e1db3820d978199e

SHA1
400a3afc5205a233fa2fcf6fa720f5655195dbbb

SHA256
cac059e8cc3a51d9e6d69e4957c298f8214ea19fc741564ab24617484fa56a61

SHA512
9a53390188726f0897659effae9521b2bec7c4836f52bc99b621b004f28083e48bf9cc844b74de67465e6317a087f0f6e3e93cd29f84bbecfe3ff323b12db234

Download Submit
\Windows\Temp\asw.c5e57f511a2c3f47\uat64.dll

Filesize
29KB

MD5
ffa717db56042a79b5546ee5ebe1719a

SHA1
d0e9681e55b6a20b184f556998eeaaeacc87e587

SHA256
af0096cf631c026e6b2de0382965ef9b797200a544d473aefcc19a8e6b86dc2a

SHA512
2c3f76a0644bcebeecb0e01127040921143065cc3dcaf90c363dafbe760733d70737296c8ae564dc83d3204d5052cd8e7bb5ccea3386f2c2f4e603608ee0a544

Download Submit
memory/1680-447-0x000007FEF3A40000-0x000007FEF4D6B000-memory.dmp

Filesize
19.2MB

Download
memory/1680-448-0x000007FEF3660000-0x000007FEF3A3A000-memory.dmp

Filesize
3.9MB

Download
memory/1680-397-0x000007FEF3A40000-0x000007FEF4D6B000-memory.dmp

Filesize
19.2MB

Download
memory/1680-420-0x000007FEF3660000-0x000007FEF3A3A000-memory.dmp

Filesize
3.9MB

Download
memory/1680-419-0x000007FEF3A40000-0x000007FEF4D6B000-memory.dmp

Filesize
19.2MB

Download
memory/2556-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-27-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2796-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-446-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3004-57-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3004-64-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download