xred | fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161

Analysis

max time kernel
111s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Size

1011KB
MD5

cbe903f2feabfa1de7ab1b03bfc673e0
SHA1

5834083b53a4ca9ba001a2104e8aed4b3b9869fc
SHA256

fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161
SHA512

b3dbb1f045aac79c4402163e41b407e0cd62125083ec4ae3d213bd86483adcbf2ae376f826dd3c6d83f33392f650172d05ce083e3611f388a1ae63ff30dcb1f4
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9u40KgGXFhazmdVgxnG:WnsJ39LyjbJkQFMhmC+6GD9B072aCViG

Score

10^/10

xred backdoor bootkit discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Executes dropped EXE 7 IoCs

pid	Process
2544	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
264	Synaptics.exe
2648	._cache_Synaptics.exe
748	avast_premium_security_setup_online_x64.exe
3656	instup.exe
4308	instup.exe
2568	aswOfferTool.exe

Loads dropped DLL 9 IoCs

pid	Process
2544	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
3656	instup.exe
3656	instup.exe
3656	instup.exe
3656	instup.exe
4308	instup.exe
4308	instup.exe
4308	instup.exe
4308	instup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Checks for any installed AV software in registry 1 TTPs 52 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_premium_security_setup_online_x64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
File opened for modification	\??\PhysicalDrive0	avast_premium_security_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023cc9-293.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswOfferTool.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_premium_security_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_premium_security_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-a57.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "92"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "32"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-a57.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: instup_x64_ais-a57.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a57.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "22"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "71"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "78"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a57.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_premium_security_setup_online_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_premium_security_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3448	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
748	avast_premium_security_setup_online_x64.exe
748	avast_premium_security_setup_online_x64.exe
748	avast_premium_security_setup_online_x64.exe
748	avast_premium_security_setup_online_x64.exe
4308	instup.exe
4308	instup.exe
4308	instup.exe
4308	instup.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 32	748	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	748	avast_premium_security_setup_online_x64.exe
Token: SeDebugPrivilege	3656	instup.exe
Token: 32	3656	instup.exe
Token: SeDebugPrivilege	4308	instup.exe
Token: 32	4308	instup.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3656	instup.exe
4308	instup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2544	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	82
PID 3140 wrote to memory of 2544	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	82
PID 3140 wrote to memory of 2544	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	82
PID 3140 wrote to memory of 264	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	83
PID 3140 wrote to memory of 264	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	83
PID 3140 wrote to memory of 264	3140	fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	83
PID 264 wrote to memory of 2648	264	Synaptics.exe	84
PID 264 wrote to memory of 2648	264	Synaptics.exe	84
PID 264 wrote to memory of 2648	264	Synaptics.exe	84
PID 2544 wrote to memory of 748	2544	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	92
PID 2544 wrote to memory of 748	2544	._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe	92
PID 748 wrote to memory of 3656	748	avast_premium_security_setup_online_x64.exe	94
PID 748 wrote to memory of 3656	748	avast_premium_security_setup_online_x64.exe	94
PID 3656 wrote to memory of 4308	3656	instup.exe	100
PID 3656 wrote to memory of 4308	3656	instup.exe	100
PID 4308 wrote to memory of 2568	4308	instup.exe	101
PID 4308 wrote to memory of 2568	4308	instup.exe	101
PID 4308 wrote to memory of 2568	4308	instup.exe	101

C:\Users\Admin\AppData\Local\Temp\fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
"C:\Users\Admin\AppData\Local\Temp\fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Temp\asw.5efe7be684be71c8\avast_premium_security_setup_online_x64.exe
    "C:\Windows\Temp\asw.5efe7be684be71c8\avast_premium_security_setup_online_x64.exe" /ga_clientid:64183b7b-7fbe-4b69-bb78-2de807b1c99a /edat_dir:C:\Windows\Temp\asw.5efe7be684be71c8
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\Temp\asw.acda0f67376ae499\instup.exe
      "C:\Windows\Temp\asw.acda0f67376ae499\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.acda0f67376ae499 /edition:12 /prod:ais /stub_context:5fadc384-1a1e-4e4b-9498-e62ae4527c64:11119848 /guid:89e7e30f-c9d8-4c78-906a-117fd07723ac /ga_clientid:64183b7b-7fbe-4b69-bb78-2de807b1c99a /no_delayed_installation /ga_clientid:64183b7b-7fbe-4b69-bb78-2de807b1c99a /edat_dir:C:\Windows\Temp\asw.5efe7be684be71c8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Windows\Temp\asw.acda0f67376ae499\New_180c17fe\instup.exe
        
        "C:\Windows\Temp\asw.acda0f67376ae499\New_180c17fe\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.acda0f67376ae499 /edition:12 /prod:ais /stub_context:5fadc384-1a1e-4e4b-9498-e62ae4527c64:11119848 /guid:89e7e30f-c9d8-4c78-906a-117fd07723ac /ga_clientid:64183b7b-7fbe-4b69-bb78-2de807b1c99a /no_delayed_installation /edat_dir:C:\Windows\Temp\asw.5efe7be684be71c8 /online_installer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Windows\Temp\asw.acda0f67376ae499\New_180c17fe\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.acda0f67376ae499\New_180c17fe\aswOfferTool.exe" -checkGToolbar -elevated
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2648

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
17c4211a23c3000ea304c7bc38c3a97a

SHA1
549608f0311d390a87d784265e53baaa8388c183

SHA256
45fbba1a4b3bebc97603cec32ccdd59ed72b3cbcf0ce809dd0329b3302f84a9b

SHA512
bffb47d88880f4149ffe076c59119a251e68714a2141693fbead93d1dc7fd5ea7b8d0390350e75d38fbb41d7e10d93f60aa14fcf5c338e714805826fca48965b

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
28KB

MD5
7afb85d59ead53dd4c0929d472b8c936

SHA1
606761fa50b2a379f6374726c6ae6c4c198ffee8

SHA256
62555b397d8b31860816ca2c632c8a5ea781592b49585bea2bf1ce5909b6c88f

SHA512
bb3b2fba8aad1a51001beb6d782668dc1d582d72988f0bc1c8760dec46f37c951a8aa9f81aaf9efe3fdde63ef98af60eb9c5161eca9c03c29aabedbbb4d56f86

Download Submit
C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log

Filesize
142B

MD5
029c7321d312309e2ca006d229e04664

SHA1
c1e9a1471f860edd5515aa2b3586905a8733a8e8

SHA256
9f7861ce31f29073f36c7e9fab87789493ac725fa18b8efa06f9d28ea6e375ec

SHA512
6edf3d37dc97f5d3a2725c65d810202de7dd05ba142842353d09dba3dac9b613ec42846214a9725b5c044d3b4808fb5db61cf9382d417854707a751ff8bb1661

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1011KB

MD5
cbe903f2feabfa1de7ab1b03bfc673e0

SHA1
5834083b53a4ca9ba001a2104e8aed4b3b9869fc

SHA256
fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161

SHA512
b3dbb1f045aac79c4402163e41b407e0cd62125083ec4ae3d213bd86483adcbf2ae376f826dd3c6d83f33392f650172d05ce083e3611f388a1ae63ff30dcb1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_fdebabc8667143a1735ac967f807172450141bf8b44a7f72bf08d7874ddd7161N.exe

Filesize
257KB

MD5
036fb890ad760b84c36aec311eb760ed

SHA1
65370908562401dad9f2d666aafb008446210a04

SHA256
2a7580f9990d34925014e69ba5e05ff292d34918a9a7215814e17bf7782852c4

SHA512
d03e179a3ae93b14453ae48d6d8da431f6635c424b3b3b61ec02f2b7df6e95b9c56bcfbe77e878dedd111ca1f62c42dc1e363b1fd8422298ed7df3ccc6e4ad43

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C75E00

Filesize
22KB

MD5
5e26f567379c4ae919d0282e8433a3ad

SHA1
47ca2f352c80af5f4eeae0486ccb0822bc8fe1aa

SHA256
4ea356f8cbd04d7456fd1ca6c796afdbcae422ebd1724751e11f0c6980fa25d4

SHA512
95ed5ed807e34c194da2fe77046ff5f3d05ac9fb5c42f63dd986eb3ccd5d1da94b6dcbc7ec3f561e12a19b861d7ffff2971c25fc7a644a934df46abe49c13880

Download Submit
C:\Users\Admin\AppData\Local\Temp\zps4iZ4g.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Temp\asw.5efe7be684be71c8\avast_premium_security_setup_online_x64.exe

Filesize
10.6MB

MD5
d815ba481671114df2dedd6e7a6ec7b9

SHA1
fd2e36eb57fab67dc8dd06efa6e89ef17444aa70

SHA256
603ede9564ae4c01f5de2b6af1a1f00d05acc0a13d5e66579b23ccc07daf3a2a

SHA512
fbadd8174ea65a49413634f24aaff76cbc9be226da7339a0b78b109941824d70bd6c8807f35b4e25f36725f68e6687daf23c55d25a91b1f1ecfb417ead6eecd0

Download Submit
C:\Windows\Temp\asw.5efe7be684be71c8\eapt.edat

Filesize
52B

MD5
5884f2f4d5be779a7c06defb966fcc85

SHA1
369b59b1f46df696962d60b3994abe316374e4f5

SHA256
480051e3df9a84b333d2ed2275730380eefbeb5616d216a3f13c2a39053c18da

SHA512
43c9fde8e69909cf177e9ec24810c244cf78b8bcb5acbea55aae28d3c740b7156d9e4e8a1c42a25f49051eeecdba58efb48f4d3c96b11113331e002e501aa6e8

Download Submit
C:\Windows\Temp\asw.5efe7be684be71c8\eewk.edat

Filesize
20B

MD5
95fd8ee32226efed60e7c29d5cff1771

SHA1
4ce659b6dbd44ac9bf3ab4d0a082cf5342e97e06

SHA256
bfdffe481b9760f4e9abc207e1324b22a366a7ca55036fbbd14387cd14abe042

SHA512
0ab0a1cf598a018a76b656493f44d8204f78c65263d0b40f41aeaf58d172c8ecb8ce41748cea767bcf0238612e0ab7f9e10632b22e7f757365f4c9f340fecd29

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\HTMLayout.dll

Filesize
4.0MB

MD5
53552d268511ec403d8358ce50f01cb4

SHA1
cc64aadcbbe826231d005fd2309161e217f11021

SHA256
830ea16df827614120406602593ef66107031177423ac1a9c07cb1ef6104793e

SHA512
4a0fc01e1de6b9fb9da33ee4fa98981657e3a61e426be4351ee1b98778ed7071938342deb0bcc1e124e58716f44005d564200d5811ac95a28e722c85034f30c2

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\Instup.dll

Filesize
21.9MB

MD5
a63c789221a7cb3055b4f96d49079c14

SHA1
1536bead7a9fb15cbfcfe89d98d5ea3ef7fa05af

SHA256
6628d923d640bd3699b238fcfd531b5d9bcb6de3af89fc8ce44f5a90ec2ee61c

SHA512
3e69250e68f093a062eacb6d6ef32a07b46e7754f8cf4da7f8a443c0ce283d701a7f0ac4cbd8bf80f14e817615e529a7ac20366dd3ae02272888f5ad3092cbaf

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\Instup.exe

Filesize
3.7MB

MD5
38469e27d942ac60e1db3820d978199e

SHA1
400a3afc5205a233fa2fcf6fa720f5655195dbbb

SHA256
cac059e8cc3a51d9e6d69e4957c298f8214ea19fc741564ab24617484fa56a61

SHA512
9a53390188726f0897659effae9521b2bec7c4836f52bc99b621b004f28083e48bf9cc844b74de67465e6317a087f0f6e3e93cd29f84bbecfe3ff323b12db234

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\asw9150537577f72c6f.ini

Filesize
924B

MD5
b0268a729a0da36d421807ffe840e6fe

SHA1
be4c4988e38a5c11a64a0042e4a04076a8cfc6f6

SHA256
4c071bcf092338d701431971dee3918181a046ce2cb56aa656e711aa0d1655ca

SHA512
aa05580280d93f3451500474aeac9f73422d3c6a08211c1acdd36728e237fef660c5b5ea9acb536d8554f7d37c77d7e5d62a1452f91c533bb66badbc6e881ad6

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\aswd74ccfcbdf8d8513.ini

Filesize
1KB

MD5
ab7114502caf3769ca436909513f95b3

SHA1
b4ed933ffa7134e7fb3578447683be817191e3a6

SHA256
2fd0c5936def4cc1005b519cd46e4f57d2880f8f871b255605640a44ea2af569

SHA512
5dafe190c263cebff10999d9ec88de40f80f92053c6a514df44d95be330faa480a94fa1d01d6ba87eb9fe4956cc7c117b7b201202cf11db3d4dac2048a2d826f

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\avbugreport_x64_ais-a57.vpx

Filesize
5.7MB

MD5
d3539807b49f74c95be61853f827436e

SHA1
dc719cb47de6ae86d4b6f54f24fa32da83d81acc

SHA256
92485d85f83033e9c1f783b5a1b90994a10836fdcf9dad480631201762c6f410

SHA512
28cad1615d18733536c4a5cfdcc9e788ee576bd57de4173aeb82cdcd0f31c8b7c7137a6783c01c747d1ab95d65cedbbab3925f010c97f0e7db58dcc4b961d292

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\avdump_x64_ais-a57.vpx

Filesize
3.3MB

MD5
d87c497e9467d49fe34474e28d8128d9

SHA1
3ca88b8469407bd848bc79ea41f6f524b6507c39

SHA256
345b5539ff488a3fe187581061f294a17874756c071000a915087c64b14e9ecf

SHA512
623735c4f5c578f6f75133428952cf58ea6e2d942b52d3ed7999bf43569fffd8eb9f418329e77dc55819b962e53281abb173ed5b8069984cdf2fb044e0f0add7

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\config.def

Filesize
32KB

MD5
9c7c17c2fd22626db24906bd14db821d

SHA1
37695c8c2a0a9de9dc482d44fa0747b80fa62c67

SHA256
4d7dbdbf806457a71b2e4ad97b05c4a077fb45e583ea2ec940387b49b620c17c

SHA512
5e2832179fbe305e9c844cfeee53b5adcd316e99448a06879c2e123088c666237f9e2edb1cd5801c03a1eb81f7cca7d0b307c7729eba5fe0248cd1231af78482

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\config.def

Filesize
33KB

MD5
1ab9c5c2e2a84f2a609b2c83ef123f1e

SHA1
05d3dd926c90d2e339a70edb329ddf77e125168f

SHA256
f3961ce694801dcc92d3847aa9bb8401953085f731f0a52d2a271672ff0a658f

SHA512
fb2b00bee0240088491b4308642421dafd5f6fa895ac17da845875059c9cef4adaefcd6b54afb9f3e8a7ebb2109e1103b8f32d9edf65bc4014ef9771618a3cc2

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\config.def

Filesize
40KB

MD5
4fcca649e1b7b583417a1509ea0f4181

SHA1
946e43150c08357cbede631a7ca1bd3bef54028f

SHA256
bfda0549f47c988bb3681087dc1681dd34867629ae631132051b69b0b0431cc7

SHA512
4084f93462b165c823d434bb40adf82d8b532a04d8ca7b033dd08fec73eb32c41923f0db75ea05c9ba4a67aa2e9c272f2122e369b1d9fe3867b31d90f03815d3

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\offertool_x64_ais-a57.vpx

Filesize
2.4MB

MD5
ad12f89f60267d858919dc503ee3e5ab

SHA1
0179248a4c43269a2e7352721f5e80610d7c43ef

SHA256
4c1918e14f6ef353791390da1b93cf5ac6a6b416d46c5e849db572e53a194bcd

SHA512
37d2e54aa90083012efb86d87116d47d72c5ed4fc4e5f2d68f49b89bc876abe8ef906fdd764a690573651d983c1628e08a3b03f6a8639c5bb20b31eb2958a321

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\part-jrog2-1724.vpx

Filesize
696B

MD5
53b37191999798442e9c83a9c4139016

SHA1
533034667ad1aa4fa1266a15023fb96ec3f50e48

SHA256
d1d267be72eafc866f1daf9f0cd940b88191417641dcba1fd3835772ac5dfb46

SHA512
f595f8203a19aab1baa7b4bca0d8c59d29024319da4a10bd44593c86aa3c35430662ca74f2446eb8eba7ce1a617290c4eee37950dd803f91c019e013d0ef853d

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\part-prg_ais-180c17fe.vpx

Filesize
74KB

MD5
34d8d165f0b07cefef9f9d78eebbe251

SHA1
916c77d2673d211b6b63ba446efa454ef715c51d

SHA256
1e501c642ad7002809a51a035ec00008dcfb29166d23bf139d5a853b8d44304d

SHA512
fb22145ba13c349aad9d301a11c6c337979a4740000cc85a523eff5b2c7b8c7ca5f82a7e6f8115fab01b8e619d6a8c2a713e10b7fe6c94eaa3a1a9f8d2892f29

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\part-setup_ais-180c17fe.vpx

Filesize
4KB

MD5
140b4a33c78d3c9b90ada1cad981c494

SHA1
f60c758eb5921ce4f9abfe7c9afdf0e17ecdf880

SHA256
33a15d1a8ac7a71708afdc6af91cc33d7bf645860f6e275be11ed284f94688ca

SHA512
849beb02930f42fd62ad052d0306f21c62430de26a7ee3891a2548a45e0d166045bb8298ee44e5e18c0fcc651729670fe52862d8ff06d381a9547be003ba32ce

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\part-vps_windows-25012100.vpx

Filesize
11KB

MD5
b7227b0ccd1454e5ee267514b0a4cbbb

SHA1
7d224547bbab97bae46c812fe12e152ee0a59b5a

SHA256
c0af2972a67056d5f89070bb1c0369a4e2651d4cb8ed489085cc9f7505f5d33c

SHA512
9d4ac4542aca6e74153a51f16980114e2acd8b869b6c6338fd076e375b7d9810b156814d186c3ff7d1f78a791058d27505b8d21f4f173af401e8b560908a34a8

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\prod-pgm.vpx

Filesize
571B

MD5
e966e55c5985d7f2ab33a9171b85bf6b

SHA1
21fe7414580a7ab0310aa8743553579e68573e52

SHA256
97938b707c9251ffbc5c5b0e05fb6061fd8cdd714d60e6b48593e59858df1c85

SHA512
33596e2ca9ba3bea43eb77db90f8691c3ba1b05b22b919ecc30323d2e8d528743c8851af93041f87feffc19ac43f6a37f4b0e8c2b9982975d31fbba6043991ac

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\prod-vps.vpx

Filesize
343B

MD5
55e34248abb24f88e39f08781e0b836a

SHA1
67519409303d4b5642f1fc4875a2a64d4dd495a4

SHA256
ee058664787b72dd09ebdde034f6b2836ed4bdfa817674950c79243e70af65e5

SHA512
9d0d8daa210eaf6c8939cf1f18178fda4eddea9d180488b38481b483c2b3c042f769a898d2c04dc6e083c55a8f5ef52388504d6f6b2a6e4bdfeb428f4538e1e6

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\prod-vps.vpx

Filesize
343B

MD5
20e24f00fa1d87a9f0efb12762021c1f

SHA1
4f4f61669c00057f98f876548af4f1d8c4dbc05b

SHA256
e432bfbfe1498637aed457061c6ce9df66919e6ad81145bdb9726d7638f3516d

SHA512
7216eb1529e4ed145f6ea16b5dac9c12faad3472ebdbdabdbd7dc1d8734c81bc37c5895306f447d0ba68ccb5d9495dca8020d4725534eeed258cb7ef64fd2588

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\sbr_x64_ais-a57.vpx

Filesize
20KB

MD5
afdf77d822bdb25ecb92b0891d5dce49

SHA1
6f46d2cfd3c108b215d56829fa7fdb1987ac069b

SHA256
550471ece946e78cc7ac9c5c82c10d64b55543abc526ca91090c78432dc68ff0

SHA512
cb55c1f1d7b76fa4d3ca111c5c5bffe94a00c8c84cb61f5c0e9269a71a4423bde7d2c706da699ae953f28ab746fbe75b5edbd51539be1b41b3ca52431fbcd39e

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\servers.def

Filesize
29KB

MD5
46dcb43d6cf012d148e843bdd6dbb30f

SHA1
de6948ab39e15dc2fe9d64053a9d384deede7df3

SHA256
a447b543904d421e105e53eb8b58150dfdf98f3d1b882760f5fd5d1374041e2c

SHA512
e95d46b64591b8236dc592aadd5a9deb19e5687672081c6ebac0a7cebe19943b9708e21c83f686b0c5c37a8e34e8b3f48d80444874958d395df0a45c405aebaf

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\servers.def.vpx

Filesize
2KB

MD5
3645e173ccedd64a11197eea591e01b7

SHA1
7f5da709bd2ee1b763657f43a45b82fa71efd0ec

SHA256
6fff4292babcee0e804334e5f3faa7e5593f853283915bba4590896af160cf65

SHA512
0f2f8ece730b15568b8a1bf32c691304d34efc92673a2a44e048bdac0aa8db8eb5119e154528723a8ae412a00e734abbb60d5ad98620bc557af7383089374d04

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\setup.def

Filesize
38KB

MD5
c9cbc948e6d98b3edfadc65505592989

SHA1
305099e660169230f854cfa820a42a6bdb94d46e

SHA256
306405475617af7d40cbf4ef3b2e576017a3d3e985af469ed472493e91512029

SHA512
134404b6822bc4db3ff0a5e5a1aa6506c13d20478b28727bdcdbbefee1378b6ac9fbd17ed8dca582d4d848690fda558f0a7fc8cf89564fa1774d7ef4f90eb35b

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\uat64.dll

Filesize
29KB

MD5
ffa717db56042a79b5546ee5ebe1719a

SHA1
d0e9681e55b6a20b184f556998eeaaeacc87e587

SHA256
af0096cf631c026e6b2de0382965ef9b797200a544d473aefcc19a8e6b86dc2a

SHA512
2c3f76a0644bcebeecb0e01127040921143065cc3dcaf90c363dafbe760733d70737296c8ae564dc83d3204d5052cd8e7bb5ccea3386f2c2f4e603608ee0a544

Download Submit
C:\Windows\Temp\asw.acda0f67376ae499\uat64.vpx

Filesize
16KB

MD5
8dc023703473338ca7b308b13941bf89

SHA1
9b063d3ea61cd8fb5d554534000010fc79fe5eaa

SHA256
a2b1f4c807748fcb2f5af7e6dc2ed6439f5bdf01ee5768c8170fdca07a50c981

SHA512
06831bc64d1491e49dce1976841aa23d307efce05ed5878189075a966a0dbbeae6d3b3a0a51c85d0647ce7ffd5ddd890ac7f0c48d56229efb1a96f91e79aec0d

Download Submit
memory/264-248-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/264-382-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/264-630-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/264-244-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/264-618-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/264-130-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/264-243-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3140-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3140-128-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3448-194-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

Filesize
64KB

Download
memory/3448-195-0x00007FFF731C0000-0x00007FFF731D0000-memory.dmp

Filesize
64KB

Download
memory/3448-196-0x00007FFF731C0000-0x00007FFF731D0000-memory.dmp

Filesize
64KB

Download
memory/3448-193-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

Filesize
64KB

Download
memory/3448-192-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

Filesize
64KB

Download
memory/3448-191-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

Filesize
64KB

Download
memory/3448-190-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

Filesize
64KB

Download