Analysis
-
max time kernel
824s -
max time network
822s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
31-05-2024 09:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Nicht bestätigt 610671.exe
Resource
win10-20240404-en
wannacrybootkitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojanworm
windows10-1703-x64
46 signatures
150 seconds
General
-
Target
Nicht bestätigt 610671.exe
-
Size
3.4MB
-
MD5
84c82835a5d21bbcf75a61706d8ab549
-
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
SSDEEP
98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
avDump.exedescription pid Process procid_target PID 10860 created 10804 10860 avDump.exe 221 -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 45 IoCs
Processes:
instup.exedescription ioc Process File opened for modification C:\Windows\system32\drivers\asw115c54666a4ba9be.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswf5ddf4498b9d0eec.tmp instup.exe File created C:\Windows\system32\drivers\aswf18307f34832df58.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw4587bf3a7fec4fd4.tmp instup.exe File created C:\Windows\system32\drivers\aswff2935eae39305c2.tmp instup.exe File created C:\Windows\system32\drivers\asw9e33705c66b70985.tmp instup.exe File created C:\Windows\system32\drivers\asw5f5841db71127e0c.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswKbd.sys instup.exe File created C:\Windows\system32\drivers\aswabd2894e2da483c2.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw9e33705c66b70985.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw5f5841db71127e0c.tmp instup.exe File created C:\Windows\system32\drivers\aswd34a48701f4c2f22.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswd34a48701f4c2f22.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswStm.sys instup.exe File opened for modification C:\Windows\system32\drivers\asw1f638161f9e7f11e.tmp instup.exe File created C:\Windows\system32\drivers\asw148eefb2f7892a1f.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswbidsdriver.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswMonFlt.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswSP.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswRvrt.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswbidsh.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswVmm.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswabd2894e2da483c2.tmp instup.exe File created C:\Windows\system32\drivers\aswf25d078cd76dc329.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw24128f2407fbb2be.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswArPot.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswNetHub.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswf18307f34832df58.tmp instup.exe File created C:\Windows\system32\drivers\asw24128f2407fbb2be.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswRdr2.sys instup.exe File opened for modification C:\Windows\system32\drivers\asw9ab24ac7d498c931.tmp instup.exe File created C:\Windows\system32\drivers\asw1f638161f9e7f11e.tmp instup.exe File created C:\Windows\system32\drivers\aswf5ddf4498b9d0eec.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswSnx.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswArDisk.sys instup.exe File created C:\Windows\system32\drivers\asw115c54666a4ba9be.tmp instup.exe File created C:\Windows\system32\drivers\asw99b2c960096f7ca1.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw99b2c960096f7ca1.tmp instup.exe File created C:\Windows\system32\drivers\asw9ab24ac7d498c931.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswf25d078cd76dc329.tmp instup.exe File created C:\Windows\system32\drivers\asw4587bf3a7fec4fd4.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswff2935eae39305c2.tmp instup.exe File opened for modification C:\Windows\system32\drivers\asw148eefb2f7892a1f.tmp instup.exe File opened for modification C:\Windows\system32\drivers\aswElam.sys instup.exe File opened for modification C:\Windows\system32\drivers\aswbuniv.sys instup.exe -
Sets service image path in registry 2 TTPs 32 IoCs
Processes:
instup.exeinstup.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSP\ImagePath = "system32\\drivers\\aswSP.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbuniv\ImagePath = "system32\\drivers\\aswbuniv.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswStm\ImagePath = "system32\\drivers\\aswStm.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswStm\ImagePath = "system32\\drivers\\aswStm.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswKbd\ImagePath = "system32\\drivers\\aswKbd.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArDisk\ImagePath = "system32\\drivers\\aswArDisk.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswVmm\ImagePath = "system32\\drivers\\aswVmm.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsh\ImagePath = "system32\\drivers\\aswbidsh.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbIDSAgent\ImagePath = "\"C:\\Program Files\\Avast Software\\Avast\\aswidsagent.exe\"" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus\ImagePath = "\"C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe\" /runassvc" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsdriver\ImagePath = "system32\\drivers\\aswbidsdriver.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsh\ImagePath = "system32\\drivers\\aswbidsh.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArDisk\ImagePath = "system32\\drivers\\aswArDisk.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArPot\ImagePath = "system32\\drivers\\aswArPot.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswNetHub\ImagePath = "system32\\drivers\\aswNetHub.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRdr\ImagePath = "system32\\drivers\\aswRdr2.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswVmm\ImagePath = "system32\\drivers\\aswVmm.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSnx\ImagePath = "system32\\drivers\\aswSnx.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsdriver\ImagePath = "system32\\drivers\\aswbidsdriver.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbuniv\ImagePath = "system32\\drivers\\aswbuniv.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswElam\ImagePath = "system32\\drivers\\aswElam.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\ImagePath = "system32\\drivers\\aswMonFlt.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRvrt\ImagePath = "system32\\drivers\\aswRvrt.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswNetHub\ImagePath = "system32\\drivers\\aswNetHub.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSnx\ImagePath = "system32\\drivers\\aswSnx.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswElam\ImagePath = "system32\\drivers\\aswElam.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSP\ImagePath = "system32\\drivers\\aswSP.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswKbd\ImagePath = "system32\\drivers\\aswKbd.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRdr\ImagePath = "system32\\drivers\\aswRdr2.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRvrt\ImagePath = "system32\\drivers\\aswRvrt.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\ImagePath = "system32\\drivers\\aswMonFlt.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArPot\ImagePath = "system32\\drivers\\aswArPot.sys" instup.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MEMZ.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation MEMZ.exe -
Drops startup file 2 IoCs
Processes:
Nicht bestätigt 610671.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD772A.tmp Nicht bestätigt 610671.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7731.tmp Nicht bestätigt 610671.exe -
Executes dropped EXE 64 IoCs
Processes:
taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exeavast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online.exetaskse.exe@[email protected]taskdl.exeavast_free_antivirus_setup_online (1).exetaskse.exe@[email protected]taskdl.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exe@[email protected]taskse.exetaskdl.exetaskdl.exetaskse.exe@[email protected]SetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeAvEmUpdate.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeAvastNM.exeSetupInf.exeoverseer.exeengsup.exewsc_proxy.exeavDump.exeengsup.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exepid Process 3168 taskdl.exe 1092 @[email protected] 3340 @[email protected] 3240 taskhsvc.exe 2084 taskdl.exe 2892 taskse.exe 1608 @[email protected] 2612 taskdl.exe 2408 taskse.exe 3204 @[email protected] 3760 taskse.exe 2912 @[email protected] 3336 taskdl.exe 5996 avast_free_antivirus_setup_online.exe 5300 avast_free_antivirus_setup_online.exe 6520 taskse.exe 6528 @[email protected] 6580 taskdl.exe 628 avast_free_antivirus_setup_online (1).exe 4692 taskse.exe 712 @[email protected] 356 taskdl.exe 2888 avast_free_antivirus_setup_online_x64.exe 6364 instup.exe 7624 instup.exe 4256 aswOfferTool.exe 1252 aswOfferTool.exe 7184 aswOfferTool.exe 7200 aswOfferTool.exe 7428 aswOfferTool.exe 7592 aswOfferTool.exe 7576 aswOfferTool.exe 7556 aswOfferTool.exe 7856 sbr.exe 3216 @[email protected] 3076 taskse.exe 4604 taskdl.exe 9604 taskdl.exe 9584 taskse.exe 7356 @[email protected] 13976 SetupInf.exe 13260 SetupInf.exe 11928 SetupInf.exe 4204 SetupInf.exe 6352 SetupInf.exe 9352 AvEmUpdate.exe 8216 AvEmUpdate.exe 4516 RegSvr.exe 4376 RegSvr.exe 8664 RegSvr.exe 9136 RegSvr.exe 8800 AvastNM.exe 8704 SetupInf.exe 8368 overseer.exe 8336 engsup.exe 10804 wsc_proxy.exe 10860 avDump.exe 10556 engsup.exe 9444 taskse.exe 9436 @[email protected] 9364 taskdl.exe 9232 taskse.exe 9236 @[email protected] 8284 taskdl.exe -
Loads dropped DLL 64 IoCs
Processes:
taskhsvc.exeavast_free_antivirus_setup_online (1).exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeAvEmUpdate.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeengsup.exewsc_proxy.exeengsup.exepid Process 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 628 avast_free_antivirus_setup_online (1).exe 6364 instup.exe 6364 instup.exe 6364 instup.exe 6364 instup.exe 7624 instup.exe 7184 aswOfferTool.exe 7428 aswOfferTool.exe 7576 aswOfferTool.exe 7556 aswOfferTool.exe 8216 AvEmUpdate.exe 8216 AvEmUpdate.exe 8216 AvEmUpdate.exe 8216 AvEmUpdate.exe 8216 AvEmUpdate.exe 8216 AvEmUpdate.exe 4516 RegSvr.exe 4376 RegSvr.exe 8664 RegSvr.exe 8664 RegSvr.exe 8664 RegSvr.exe 8664 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 9136 RegSvr.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 8336 engsup.exe 10804 wsc_proxy.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe 10556 engsup.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 29 IoCs
Processes:
instup.exeRegSvr.exeRegSvr.exeinstup.exeRegSvr.exeRegSvr.exeRegSvr.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ThreadingModel = "Apartment" instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32 RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32 instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ThreadingModel = "Apartment" RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32 instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ThreadingModel = "Apartment" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\asOutExt.dll" RegSvr.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32 RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ThreadingModel = "Both" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll" RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32 RegSvr.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32 RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32 RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\asOutExt.dll" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ReleaseName = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll" instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32 RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ThreadingModel = "Both" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ReleaseName = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ThreadingModel = "Both" RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32 RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ThreadingModel = "Apartment" RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ThreadingModel = "Both" RegSvr.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32 RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32 RegSvr.exe -
Processes:
instup.exeinstup.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF} instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av instup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\PROVIDER\AV\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF} instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF} instup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\PROVIDER\AV\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF} instup.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
reg.exeinstup.exeinstup.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\grgzzewzdng210 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait" instup.exe -
Checks for any installed AV software in registry 1 TTPs 64 IoCs
Processes:
SetupInf.exeRegSvr.exewsc_proxy.exeSetupInf.exeAvEmUpdate.exeRegSvr.exeinstup.exeSetupInf.exeinstup.exeAvEmUpdate.exeRegSvr.exeinstup.exeinstup.exeSetupInf.exewsc_proxy.exeSetupInf.exeSetupInf.exeavast_free_antivirus_setup_online_x64.exeRegSvr.exeengsup.exeRegSvr.exeSetupInf.exeRegSvr.exeRegSvr.exeSetupInf.exeAvEmUpdate.exeinstup.exeRegSvr.exeRegSvr.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder SetupInf.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages RegSvr.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10} wsc_proxy.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder AvEmUpdate.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Version SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{A9682249-08E7-4BBF-B870-EFBC63AA2888} instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CB6AE6F8-D9A8-4794-B2BF-53A84058C58F}\Job = "Scan" instup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10} SetupInf.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings instup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\BuildVersion AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\SelfDefense RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast instup.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\ instup.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Scanner instup.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode RegSvr.exe Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast\properties\settings wsc_proxy.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings instup.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder avast_free_antivirus_setup_online_x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\UpdateVersion = "528" AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\SelfDefense RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\SelfDefense instup.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\ SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder engsup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupVersion instup.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\SelfDefense RegSvr.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{EC4ECEDA-3E3B-4027-ABFE-29A5122D64D6} instup.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{FDC844BC-62CE-4A58-A28B-77AA70274062} wsc_proxy.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupFolder SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode SetupInf.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{EC4ECEDA-3E3B-4027-ABFE-29A5122D64D6} SetupInf.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\CrashGuard instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast instup.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode RegSvr.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\SelfDefense RegSvr.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile SetupInf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\UpdateVersion = "439" AvEmUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{A9682249-08E7-4BBF-B870-EFBC63AA2888}\Report = "None" instup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile engsup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Registration instup.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode instup.exe Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast RegSvr.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages RegSvr.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10} wsc_proxy.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder instup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common\SoftTrialActivated instup.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions instup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus instup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry RegSvr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{19EA8BF0-A12F-1AF0-FB25-293AD7155932} SetupInf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupVersion RegSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common\InstallTree = "NTg0LEM6XFdpbmRvd3NcU3lzdGVtMzJcd2lubG9nb24uZXhlOzMzOTIsQzpcV2luZG93c1xTeXN0ZW0zMlx1c2VyaW5pdC5leGU7MzQxMixDOlxXaW5kb3dzXGV4cGxvcmVyLmV4ZTs1NzgwLEM6XFVzZXJzXEFkbWluXERvd25sb2Fkc1xhdmFzdF9mcmVlX2FudGl2aXJ1c19zZXR1cF9vbmxpbmUgKDEpLmV4ZTsyNzU2LEM6XFdpbmRvd3NcVGVtcFxhc3cuOWUxZjFlZjA2YjFkYjY4MlxhdmFzdF9mcmVlX2FudGl2aXJ1c19zZXR1cF9vbmxpbmVfeDY0LmV4ZTsxMjkwMCxDOlxQcm9ncmFtIEZpbGVzXEF2YXN0IFNvZnR3YXJlXEF2YXN0XHNldHVwXFNmeFxpbnN0dXAuZXhl" instup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 39 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
avast_free_antivirus_setup_online (1).exeinstup.exeinstup.exeSetupInf.exeoverseer.exeavast_free_antivirus_setup_online (1).exeMEMZ.exeAvEmUpdate.exeRegSvr.exeRegSvr.exeRegSvr.exeavast_free_antivirus_setup_online_x64.exeinstup.exeSetupInf.exeSetupInf.exeRegSvr.exewsc_proxy.exeavast_free_antivirus_setup_online_x64.exeinstup.exeSetupInf.exeSetupInf.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeoverseer.exeinstup.exeRegSvr.exeSetupInf.exeSetupInf.exeSetupInf.exeRegSvr.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exewsc_proxy.exeinstup.exedescription ioc Process File opened for modification \??\PhysicalDrive0 avast_free_antivirus_setup_online (1).exe File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 overseer.exe File opened for modification \??\PhysicalDrive0 avast_free_antivirus_setup_online (1).exe File opened for modification \??\PhysicalDrive0 MEMZ.exe File opened for modification \??\PhysicalDrive0 AvEmUpdate.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 avast_free_antivirus_setup_online_x64.exe File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 wsc_proxy.exe File opened for modification \??\PhysicalDrive0 avast_free_antivirus_setup_online_x64.exe File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 overseer.exe File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 RegSvr.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 SetupInf.exe File opened for modification \??\PhysicalDrive0 AvEmUpdate.exe File opened for modification \??\PhysicalDrive0 wsc_proxy.exe File opened for modification \??\PhysicalDrive0 instup.exe -
Drops file in System32 directory 6 IoCs
Processes:
instup.exeSetupInf.exeinstup.exedescription ioc Process File created C:\Windows\system32\aswa9b450be06e250ad.tmp instup.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt SetupInf.exe File opened for modification C:\Windows\system32\asw17946b51e3239fb2.tmp instup.exe File created C:\Windows\system32\asw17946b51e3239fb2.tmp instup.exe File opened for modification C:\Windows\system32\aswBoot.exe instup.exe File opened for modification C:\Windows\system32\aswa9b450be06e250ad.tmp instup.exe -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
Processes:
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" Nicht bestätigt 610671.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Program Files directory 64 IoCs
Processes:
instup.exeinstup.exeengsup.exeAvEmUpdate.exeAvEmUpdate.exedescription ioc Process File opened for modification C:\Program Files\Avast Software\Avast\setup\instup_x64_ais-a3d.vpx instup.exe File opened for modification C:\Program Files\Avast Software\Avast\SecurityProductInformation.ini instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\asw891af82854e5ba4b.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw3e72de2422fe5e07.tmp instup.exe File created C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\aswc35a1a8c8e49fc82.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\list_d.txt.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll instup.exe File created C:\Program Files\Avast Software\Avast\defs\24053099\avast.local_vc142.crt\api-ms-win-core-interlocked-l1-1-0.dll engsup.exe File created C:\Program Files\Avast Software\Avast\defs\24053099\asw0d13deb27d5ba20a.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw766f194940c774d1.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-crt-filesystem-l1-1-0.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053100\fwAux.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\Licenses\asw770cd15560e55478.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\vaarclient.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\vcruntime140.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\setup\setup.ini instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053100\asw97479861fd17249e.tmp instup.exe File created C:\Program Files\Avast Software\Avast\defs\24053100\asw72045955fae22658.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\aswca21b302dcfdb1dd.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\ashServ.dll instup.exe File created C:\Program Files\Avast Software\Avast\defs\24053099\asw2d9a84107ba0f290.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\fltlib_wrapper.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\setup instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053100\aswQcr.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\asw767079ffa4b9b609.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-datetime-l1-1-0.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-profile-l1-1-0.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\setup\servers.def.vpx instup.exe File opened for modification C:\Program Files\Avast Software\Avast\asw7c5a50eab90d72a6.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\db_o7.sig.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-processenvironment-l1-1-0.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\1033\avast.local_vc142.crt\aswedbafa305650355c.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\asw4660ca3bd8f2ee90.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\aswfbc1c176950a0924.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\Setup\5e17e440-521c-4b34-93dc-a158eaba7902 AvEmUpdate.exe File created \??\c:\program files\avast software\avast\setup\5e96f61d-5066-4db2-b6ae-bb4b8503792a\21C2EC8A7F38D38D8E67944D6E7217CA.rmt AvEmUpdate.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\aswc96567026b93dfc0.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\aswEngLdr.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\msvcp140_codecvt_ids.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswbuniv.sys instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053100\def.ini.sum instup.exe File created C:\Program Files\Avast Software\Avast\defs\24053099\asw1bbc6b2d4f5fe299.tmp instup.exe File created C:\Program Files\Avast Software\Avast\asw0af19ec12c81bdb7.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\def.ini.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\mfc140.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll instup.exe File created C:\Program Files\Avast Software\Avast\1033\avast.local_vc142.crt\aswe09db923dc86def0.tmp instup.exe File created C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw4ea32f7edaa77473.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\aswa3730503f3dfc3a0.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053099\db_cmd.sig.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\asOutExt.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\setup\prod-pgm.vpx instup.exe File opened for modification C:\Program Files\Avast Software\Avast\aswidpm.dll.sum instup.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\ucrtbase.dll instup.exe File created C:\Program Files\Avast Software\Avast\defs\24053099\avast.local_vc142.crt\api-ms-win-core-file-l2-1-0.dll engsup.exe File opened for modification C:\Program Files\Avast Software\Avast\VisthAux.exe.sum instup.exe File created C:\Program Files\Avast Software\Avast\Setup\142bef9d-9cc7-4ea2-ab8c-35094a9aa372\update.xml AvEmUpdate.exe File created C:\Program Files\Avast Software\Avast\defs\24053100\asw08112a5c8f23624c.tmp instup.exe File opened for modification C:\Program Files\Avast Software\Avast\defs\24053100\engsup.exe instup.exe File opened for modification C:\Program Files\Avast Software\Avast\1033\avast.local_vc142.crt\avast.local_vc142.crt.manifest instup.exe File opened for modification C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-namedpipe-l1-1-0.dll instup.exe File opened for modification C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-fibers-l1-1-0.dll.sum instup.exe File created \??\c:\program files\avast software\avast\setup\4c5f1086-f5b5-498e-8704-2d32a6a1d2c7\6ED1F2D566F9C205DAD12A17ACFF076490B5CF3CCB116D70D4C07DADD18DF15F.sum AvEmUpdate.exe -
Drops file in Windows directory 36 IoCs
Processes:
SecHealthUI.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeinstup.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeSecHealthUI.exeinstup.exemspaint.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exedescription ioc Process File created C:\Windows\rescache\_merged\4272278488\2581520266.pri SecHealthUI.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\ELAMBKUP\aswb05beb292e5663a4.tmp instup.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\ELAMBKUP\aswb05beb292e5663a4.tmp instup.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\4272278488\2581520266.pri SecHealthUI.exe File opened for modification C:\Windows\ELAMBKUP\aswElam.sys instup.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\INF\netsstpa.PNF svchost.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\ELAMBKUP\asw7a7dfa2958812101.tmp instup.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\INF\netrasa.PNF svchost.exe File created C:\Windows\ELAMBKUP\asw7a7dfa2958812101.tmp instup.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
instup.exesvchost.exeinstup.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags instup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 instup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 instup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags instup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegSvr.exefirefox.exeWINWORD.EXERegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeinstup.exeRegSvr.exeSetupInf.exeAvEmUpdate.exeSetupInf.exeAvEmUpdate.exeinstup.exeRegSvr.exewsc_proxy.exefirefox.exeinstup.exeAvastNM.exeRegSvr.exeinstup.exeavast_free_antivirus_setup_online_x64.exeSetupInf.exeSetupInf.exeinstup.exeSetupInf.exeSetupInf.exeSetupInf.exeRegSvr.exeSetupInf.exewsc_proxy.exeSetupInf.exeengsup.exeRegSvr.exeAvEmUpdate.exeSetupInf.exeengsup.exeAvEmUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision AvEmUpdate.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RegSvr.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RegSvr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wsc_proxy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature AvastNM.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature avast_free_antivirus_setup_online_x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision wsc_proxy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature SetupInf.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 SetupInf.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 SetupInf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature SetupInf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wsc_proxy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz SetupInf.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString instup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SetupInf.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature engsup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RegSvr.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz SetupInf.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 engsup.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature SetupInf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegSvr.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision wsc_proxy.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 AvEmUpdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision SetupInf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RegSvr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature AvEmUpdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature SetupInf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 instup.exe -
Enumerates system info in registry 2 TTPs 13 IoCs
Processes:
chrome.exeWINWORD.EXEinstup.exeinstup.exechrome.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosReleaseDate instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosReleaseDate instup.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\Bios instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\Bios instup.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid Process 224 vssadmin.exe -
Processes:
RegSvr.exeRegSvr.exebrowser_broker.exeRegSvr.exeRegSvr.exebrowser_broker.exeMicrosoftEdgeCP.exeRegSvr.exeRegSvr.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80} RegSvr.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exechrome.exechrome.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616205553445940" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 64 IoCs
Processes:
instup.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeinstup.exeinstup.exeinstup.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeRegSvr.exeMicrosoftEdge.exeMicrosoftEdgeCP.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\x86\\aswSZB.dll" instup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_gen_tools-976.vpx" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\Inf\\x64\\aswbdiska.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Starting kernel driver: aswSP" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\asOutExt64.dll" instup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.youtube.com\ = "410" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswCmnBS.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_dyna.nmp" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\rescue_disk.dll" instup.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ee12ec343cb3da01 MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswsysx.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: dndrules.dat.ver" instup.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\ProgramData\\Avast Software\\Avast\\log\\*.log.6" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\Edge_Renderer.dll" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "39" instup.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-errorhandling-l1-1-0.dll" instup.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = c0dd2f8261ccda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_res-989.vpx" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswKbd.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\lim.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\avdump_arm64_ais-*.vpx" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "56" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: part-prg_ais-180517e4.vpx" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswProperty.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Windows\\system32\\drivers\\aswbidshx.sys" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_ap2.dat" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\AhResMai.dll" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "14" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "98" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: offertool_x64_ais" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\avastthemefile\ = "avast! theme file" instup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9110" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\x86\\libeay32.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Starting kernel driver: aswRdr" instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\avastconfigfile instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32 instup.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-rtlsupport-l1-1-0.dll" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "42" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "97" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\Inf\\x64\\aswTdi.sys" instup.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\AvDump64.exe" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Uninstalling kernel driver: aswHwid" instup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomai = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\avastvpnfile\shell\open instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswsysa.dll" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswStrm.dll" instup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1} RegSvr.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe -
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 1 IoCs
Processes:
firefox.exedescription ioc Process File created C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe:Zone.Identifier firefox.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid Process 5264 WINWORD.EXE 5264 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskhsvc.exechrome.exechrome.exeavast_free_antivirus_setup_online_x64.exeinstup.exeavDump.exechrome.exeavast_free_antivirus_setup_online_x64.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid Process 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 3240 taskhsvc.exe 1636 chrome.exe 1636 chrome.exe 2748 chrome.exe 2748 chrome.exe 2888 avast_free_antivirus_setup_online_x64.exe 2888 avast_free_antivirus_setup_online_x64.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 7624 instup.exe 10860 avDump.exe 10860 avDump.exe 7624 instup.exe 7624 instup.exe 7824 chrome.exe 7824 chrome.exe 2756 avast_free_antivirus_setup_online_x64.exe 2756 avast_free_antivirus_setup_online_x64.exe 7340 MEMZ.exe 7340 MEMZ.exe 1752 MEMZ.exe 1752 MEMZ.exe 5744 MEMZ.exe 5744 MEMZ.exe 7340 MEMZ.exe 7340 MEMZ.exe 5744 MEMZ.exe 5744 MEMZ.exe 1752 MEMZ.exe 6584 MEMZ.exe 1752 MEMZ.exe 6584 MEMZ.exe 6636 MEMZ.exe 6636 MEMZ.exe 7340 MEMZ.exe 7340 MEMZ.exe 6636 MEMZ.exe 6636 MEMZ.exe 6584 MEMZ.exe 6584 MEMZ.exe 1752 MEMZ.exe 1752 MEMZ.exe 5744 MEMZ.exe 5744 MEMZ.exe 7340 MEMZ.exe 7340 MEMZ.exe 5744 MEMZ.exe 5744 MEMZ.exe 1752 MEMZ.exe 1752 MEMZ.exe 6584 MEMZ.exe 6584 MEMZ.exe 6636 MEMZ.exe 6636 MEMZ.exe -
Suspicious behavior: LoadsDriver 40 IoCs
Processes:
pid Process 632 632 632 632 632 632 632 632 632 632 632 632 632 4