Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 04:02
Static task
static1
Behavioral task
behavioral1
Sample
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe
Resource
win10v2004-20240611-en
General
-
Target
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe
-
Size
219KB
-
MD5
e232ec4371343f84b5024dacd5dd3197
-
SHA1
7c60f5f222cbbf1f8845a3c2b79f8922e1d2bc61
-
SHA256
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e
-
SHA512
c3018f9f3394c553c293d3a73fed84d78b8f4d2e813f2648b25f308430faa6fcf74a8a3fdc72244c1ffa8c68ae3bde7eea7b7c3cfe227eb4da28ba8835784729
-
SSDEEP
6144:20KgGwHqwOOELha+sm2D2+UhngNeK4Vnb:20KgGXFhazmdVgAK4Vb
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
Processes:
avg_antivirus_free_setup_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exepid process 1324 avg_antivirus_free_setup_x64.exe 1468 instup.exe 688 instup.exe 1444 aswOfferTool.exe 3660 aswOfferTool.exe 1272 aswOfferTool.exe 4908 aswOfferTool.exe 1076 aswOfferTool.exe 4808 aswOfferTool.exe 4464 aswOfferTool.exe 5068 aswOfferTool.exe -
Loads dropped DLL 13 IoCs
Processes:
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exepid process 3960 2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe 1468 instup.exe 1468 instup.exe 1468 instup.exe 1468 instup.exe 688 instup.exe 688 instup.exe 688 instup.exe 688 instup.exe 1272 aswOfferTool.exe 1076 aswOfferTool.exe 4464 aswOfferTool.exe 5068 aswOfferTool.exe -
Checks for any installed AV software in registry 1 TTPs 6 IoCs
Processes:
instup.exeavg_antivirus_free_setup_x64.exeinstup.exedescription ioc process Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus instup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus instup.exe Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast avg_antivirus_free_setup_x64.exe Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast instup.exe Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus instup.exe Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast instup.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
instup.exe2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exeavg_antivirus_free_setup_x64.exeinstup.exedescription ioc process File opened for modification \??\PhysicalDrive0 instup.exe File opened for modification \??\PhysicalDrive0 2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe File opened for modification \??\PhysicalDrive0 avg_antivirus_free_setup_x64.exe File opened for modification \??\PhysicalDrive0 instup.exe -
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
instup.exeinstup.exeavg_antivirus_free_setup_x64.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision avg_antivirus_free_setup_x64.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 instup.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 avg_antivirus_free_setup_x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature avg_antivirus_free_setup_x64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe -
Modifies registry class 64 IoCs
Processes:
instup.exeavg_antivirus_free_setup_x64.exeinstup.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" instup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "DNS resolving" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "64" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "37" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7" avg_antivirus_free_setup_x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57" avg_antivirus_free_setup_x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-d08.vpx" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: setgui_x64_ais-d08.vpx" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "53" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "33" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "87" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: prod-pgm.vpx" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35" avg_antivirus_free_setup_x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "75" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instcont_x64_ais" instup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" instup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "6" instup.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
avg_antivirus_free_setup_x64.exeinstup.exepid process 1324 avg_antivirus_free_setup_x64.exe 1324 avg_antivirus_free_setup_x64.exe 688 instup.exe 688 instup.exe 688 instup.exe 688 instup.exe 688 instup.exe 688 instup.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
avg_antivirus_free_setup_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exedescription pid process Token: 32 1324 avg_antivirus_free_setup_x64.exe Token: SeDebugPrivilege 1468 instup.exe Token: 32 1468 instup.exe Token: SeDebugPrivilege 688 instup.exe Token: 32 688 instup.exe Token: SeDebugPrivilege 4908 aswOfferTool.exe Token: SeImpersonatePrivilege 4908 aswOfferTool.exe Token: SeDebugPrivilege 4808 aswOfferTool.exe Token: SeImpersonatePrivilege 4808 aswOfferTool.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
instup.exeinstup.exepid process 1468 instup.exe 688 instup.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exeavg_antivirus_free_setup_x64.exeinstup.exeinstup.exedescription pid process target process PID 3960 wrote to memory of 1324 3960 2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe avg_antivirus_free_setup_x64.exe PID 3960 wrote to memory of 1324 3960 2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe avg_antivirus_free_setup_x64.exe PID 1324 wrote to memory of 1468 1324 avg_antivirus_free_setup_x64.exe instup.exe PID 1324 wrote to memory of 1468 1324 avg_antivirus_free_setup_x64.exe instup.exe PID 1468 wrote to memory of 688 1468 instup.exe instup.exe PID 1468 wrote to memory of 688 1468 instup.exe instup.exe PID 688 wrote to memory of 1444 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 1444 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 1444 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 3660 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 3660 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 3660 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 1272 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 1272 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 1272 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4908 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4908 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4908 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4808 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4808 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 4808 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 5068 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 5068 688 instup.exe aswOfferTool.exe PID 688 wrote to memory of 5068 688 instup.exe aswOfferTool.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe"C:\Users\Admin\AppData\Local\Temp\2c12c1552883e64824dc8ee259295a57c4fb1fdd01522b83d82370209a18ef1e.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\Temp\asw.1cc5322306472007\avg_antivirus_free_setup_x64.exe"C:\Windows\Temp\asw.1cc5322306472007\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_002_999_b7f_m:dlid_FREEGSR-FAD /ga_clientid:ba8eaedb-f96f-40ff-a5b6-99e71d43272d /edat_dir:C:\Windows\Temp\asw.1cc53223064720072⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\Temp\asw.1f3cf59678773ea7\instup.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.1f3cf59678773ea7 /edition:15 /prod:ais /stub_context:0aca1c77-27b7-4d3a-87a5-956c09870cd4:9994552 /guid:bf9c6fac-1675-4ea1-aa61-8bc0041657e1 /ga_clientid:ba8eaedb-f96f-40ff-a5b6-99e71d43272d /cookie:mmm_bav_002_999_b7f_m:dlid_FREEGSR-FAD /ga_clientid:ba8eaedb-f96f-40ff-a5b6-99e71d43272d /edat_dir:C:\Windows\Temp\asw.1cc53223064720073⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\instup.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.1f3cf59678773ea7 /edition:15 /prod:ais /stub_context:0aca1c77-27b7-4d3a-87a5-956c09870cd4:9994552 /guid:bf9c6fac-1675-4ea1-aa61-8bc0041657e1 /ga_clientid:ba8eaedb-f96f-40ff-a5b6-99e71d43272d /cookie:mmm_bav_002_999_b7f_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.1cc5322306472007 /online_installer4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" -checkGToolbar -elevated5⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" /check_secure_browser5⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" -checkChrome -elevated5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908 -
C:\Users\Public\Documents\aswOfferTool.exe"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Users\Public\Documents\aswOfferTool.exe"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4464 -
C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe"C:\Windows\Temp\asw.1f3cf59678773ea7\New_18050d08\aswOfferTool.exe" -checkChrome -elevated5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5068
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26KB
MD5e8f2d61d708f30478b387df74d69051d
SHA17823a5c8c0c8f2c8dd01053c8f3cf93daf4c484d
SHA256d84ee3408a6974257cdde5a90175a4414c437076df69ba0e00957ff29e07a80b
SHA51204e9782243bb47636a8670c28134e0d5e4daa6e9cdb7f50501c96d46b64cf7495792f966e67eb4253c7f77a54593cd6632e8cd3df081177f2234a9ea68553961
-
Filesize
1KB
MD5cedf5a8a695cefeadcc21670cd0892ec
SHA1e2292fa911d519d1edb844bc1dc0ce7d62e35df0
SHA25653af31a9def138b9b3ea1deb6834e7b0895b4b79ce94d5fa238f87486dca6c5c
SHA51208cc7a58391376d418db51fb922a0a3315aa19cb2f325a6dc28dd088f90481c8d4ab9f86eec8f5e499ba84d758e6389e477a44f2d49f96dc18b8d73e7451ec0e
-
Filesize
281B
MD5a1d995488db266ef8d9223218b6be25f
SHA16be95a8e11c5e038fdbb6be1d7ec3c2968c75af6
SHA2569eaf9ba7e9a3d0b84e3ade757da85676364330d49676d04f114b2207c2779f58
SHA51206bfb9ce5db2c9ae6b00af2965c2956ddc2c03f8985c683c6cf6763c0d77e816503aad14174cf53ceef676a8377d71d9629063a573412ac7ccba737312929028
-
Filesize
9.5MB
MD572c1cad77d7a37f6eed6606b00b22738
SHA11883d039f42ead5318de8f5f37b61bad4b61fa72
SHA25647cee4d44e8fe27f3229fa751c11259227a00b605d6a42e2cb066f100a9049c3
SHA51287104f2cf47683f113398e71b795fbeadd6835b5d333e1aedf22e7d3afec7de3e138cbc949947235ff4892489caaf219405832df91885084e361806ac22d0209
-
Filesize
38B
MD51266462e7cfd51811e15a61174ade109
SHA144e3d290e9a19065afd1bf45cd65495b554bfa82
SHA256e3122f232cbdf7599a00a5e2ae8e638e4c0565c22ac72ebd50ae560709ad47f9
SHA51272b33d4c8d722a35bcb14754d3076d14c3a78dbb8c836734bde1d7c69d9c867a21cb48705f4907cf5ccb4aeaf40f398c5722dabc03c9503043c2c6258ec300ad
-
Filesize
4.0MB
MD54cc6efda014cc654142c97cd09175e37
SHA19ff80f73eb8aa9563ee04f3857fedbb4167a9a2a
SHA2560ffd67c501dd1778c35830465f07f2390e318a485e0b22e437404b0a9d4b5ad2
SHA512064ceb07ef2a8a5db7d07a3ee58df07008efd642f12960c7dce837f533876199c0773a4b9861cf7907487b7fb2a96d6a1efdcc854855fd9246198ca438cab751
-
Filesize
18.1MB
MD5e9134948a4db2642f9bfaaf157a18bd0
SHA198249d941c196e9ee01f5d77713f13a12fff87f4
SHA25667721cd04b1866888a97c1027e6d6ca5805b08124b724a31ff9931f9f3e28b2a
SHA512629b39736755e9a9987a74aa9dab6aec94be061a3c70c140ce98d4eb9ca3575ccc02380990a023f3fbc1f49d56518f1dc9345fd8c7fe3b9cfbf7eb9c80187995
-
Filesize
3.6MB
MD5cb33ee6145c1dfad640103e1bc8b00e9
SHA1e68405536c9501a5f7617636db734a7e7bfdb61c
SHA256068bd9cd5dc944ff9030bdf3e31638408314e54861b93cdaf8c3c905a8005cac
SHA51231608dc1d295c91d012fd4634494b182c6d4b70c255036cbd0f71ace56fbc1a69f8358b8799d2db21e0bea1010ad79dee774b6049bf31dd513042b460722508b
-
Filesize
19KB
MD5ebd5c38aa827d9777dcde81e2a037b6f
SHA1740eee39569863c6baa780e7d82c848c92abe0c1
SHA2567fd358eddcef6756f315fec2bfad52286402f7194104fcfd3dcec7d588597025
SHA512fc22fff31b6e84297af9769b84142960e45bf9d8b71e9039e3829be9c671fc173dd47c88c25807f3e7bca0b87f842de500f5227e21ed312bfae2e89d0b65ff0d
-
Filesize
867KB
MD53ead47f44293e18d66fb32259904197a
SHA1e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0
-
Filesize
571B
MD537a6725d41f3007b9c07e63a4de52957
SHA19f430977a4e718ac4c5df7ec6478fcf0fda17a53
SHA256be9057cdf3334f037abc67dfc089b13b9ff1e99bc5abdf30bab19314697c4fc7
SHA512fbe8e1e84442a28f5e2906ae04f3a0f13c274b1d9bb983174a7e4ec604bc5ff0b0182db0084df7a08d6b995880fa0e5f8ccf94d8038e22f12b0faf4e115881b2
-
Filesize
1KB
MD5cb16dc4771a55cd8f95557c89f7ecacd
SHA14e68359662607c3d2ccec6f3bae14db217d6e70f
SHA256e9d2e4d0fa7a0e7e5771be205a9d7e42332e6cb17dac9025ee203fd3f00d9a7d
SHA512af65e99bba9e6ceee16d4223d2209ac745b53c6615c4e37952f4e426492315f5abb881c22f1430f03873c1ba9da986267adc227afee70031dc40ff4977ec6601
-
Filesize
4.7MB
MD5ebc2e21a31af7ba94c3a70db0caf23ad
SHA136a25c19c6becbcf8e1c959458867f59cab774a3
SHA256b1819bf1551be44e0f293f6b6ead1841aacb63ca3a9d90f1a31c9cb52f648c6e
SHA512e777fd82cf1d782e73dc8796c57ecb9be4ed09256af456190ae0e414de651226c3eb616ae4ec1c245e55934843dd85485e0594c0125e013c47b48d89fff5f739
-
Filesize
3.3MB
MD5c339cfe0485edefebae496b088d41221
SHA1684e4fa30a601ef645293cc5a8b008bbc03b9483
SHA25655ebd9dc7c26877a51e11722d3ea17f1afdf39a30aeda07ef6804659c34e54c4
SHA512c78b4735ed9184219f95a461e97a47d95b60f353ded28d692a72f9c3db2ead081b700731c8b673e8a1ca969519281d8e73cef449d5bb6bcfd282fcd2261f4a5d
-
Filesize
18KB
MD5b86dd14aadb9e34d004ad39a4693ced0
SHA11cb7775cee3e4106b2ddba89a0ccdc9dd547c521
SHA256b64d1d23aef5cdeeb2279216a00c931b201bce90407c9cbff3a7ef2742873878
SHA51203cb9215521da45e1df7b926fad7b0afd5ee001944c475a90c8646d7621d0d062267a682e102d81da0b5204ed215ec6ba4c7646d9340d71b0cb77ca12ddef0c1
-
Filesize
18KB
MD5bbe42dc10320330b04f77b3073ffe9cc
SHA1fe34747c2583b8be3fafb4e7904b4e8dd9ab67b9
SHA2563566fc5a3b3fcd9e2e5e5ac049363981ba8e16607842191bae402a190e8fa0ad
SHA512cc135f50570acb7d5d4c722c57cd2bae546a7a79b853816836f7fd662fba3b52f377b91c1f19a3022d838ee9fefbf31145000801b7eeb2a2507db73fb056e023
-
Filesize
24KB
MD59a2dc5c816e92f3c45e285456c75f64d
SHA1bc878127e0d90d85ebdfa0ccc1f5864c90d5a469
SHA2568f9d74022029d4dace08db9cbf74a2afd8c14023f038229526da3fc43c4a9422
SHA5129b1859639cfa7a83c267e8cf8dae6d868c6e7875e71f80f7f14b2298d47bfcbb5bac01d80417edc47139355a0cb184c7c5c900389a7a599a664773d612c6d769
-
Filesize
668B
MD5663720a50d7f42483a66b3d32057d095
SHA19e797929ed80b84cdd765d75ac6dfd6ff6d81886
SHA256cb56461f94d38e6d7d16b898d625126d8eb74d39059999471875a72c48a101b7
SHA51279620a0fe1c37d96b1252ab2a98d4a0fe200e3356fcae815ce0117cda92f23b2de1ee365d603ed17bcf94a582908505db1f59556d8a182194a72b90d5355854a
-
Filesize
2.3MB
MD5993a67fbd5162510a2b0f3fba05bad33
SHA13c76258240a04c05341e611f55bef10341e34ff3
SHA2560b7c3caa31928131ce0e1ca570aa72e20a98dda13e4ca0c59f31cc677d8e8c6e
SHA51244a335d3db00fa9148066a5f2d2a9f5250d7df2315d132ab2798b02e2d21b700525a00be91d960e1564a6ffc0ee95347f0df9ffc27a10cf807d5a926ab5154a3
-
Filesize
211B
MD5a1b8228fcdaa47b486cade7ff1159833
SHA16f090d73a081c0d854db42b9f6719ce5ecefdf91
SHA256d7356e185708ab40b1bbe0f7691a97b5f2cfa3edf2e00f2aa5cab18ae3e63787
SHA512bb3e590504444bf9020a74ab9a7641dfe2ac15158af3f556a04666823f0dab75ac7c0f280f555d8ff8f3c5208fde6ddc801f3db5a4785d211b7d0fcdaedc3251
-
Filesize
73KB
MD5d264bf74d7ffcbad341d9fcefa4893bb
SHA1c7e9a0972524fa573825865c46eb6728d3e219e0
SHA2564b01a68078d7e1af1c0197baddbbb1ef4d3cbf13f71e8b9df766f88b4e6d8025
SHA512afbfdf6fdeb5dc427340de691726e79cb5bcc41bd488c557c684efe3f26d83a17f1118cc50bd64541a9a839d3dd4329a72a9423e65d3e9cdcfbd14003f1e0dc3
-
Filesize
4KB
MD50344288a18997069003d84c226a168f9
SHA10fe47920601834e620737ad321fbb24d38c7ee94
SHA256675bd92f752a51bd7d9797895252b3130095a06d7d5db8f221ab6251735ead8d
SHA512b1680ef42d7e2e56fbb124c91da27f15e6c946450c7d03d95b937c3cde80dbc2260e11926578075df255058c2307058429fd2f7307fc0a105c775a9b8aa82429
-
Filesize
7KB
MD5769c8f235059d9a43ff880d268de20bd
SHA1417804808fdc83a469d260ca3378bcc461b665ff
SHA256544d75f184c7ccef191ba7526985f461e5b19493cd9f61ed73c422e449eed51e
SHA5121908c17c6566c5b592683d34670940bf9dafd7815bfc49ee530fe2db21114fdb90f109c5096a43aafee6cfd7b520ffd0c60c5a9e1ba501890e858fa7e356f0ae
-
Filesize
572B
MD56d08ac0131cac7a2f9f2ea5d9d0b0cc6
SHA125983c1419089c6a7570963dda2d06e022b3b36d
SHA256846f9f2f624c8a1f001a4bd7c7ca3158c8c79cb11fa6d474cfdf8e48d0238a3f
SHA512753890f34fc1a925177a594c8bc5e19dc509fb8b32c1eef429496c5d19421200bdd75879c529981823340718bee82dafdf3f262a9ecf65de9ef03d12a1684b2c
-
Filesize
343B
MD5b516373c4f4f0bd98bbbcd71b4022e4d
SHA1fb2ccdcbec8ddcd91f35fd762dd86a5b2cb8e062
SHA25652e06087d9c0968150bc5d3b06895e3ab9b69aebea20e0328434b703aa242099
SHA512b1ef7ffd12b104a3caf8676c95285693c2af057537df0e87a292cea51bddf34be3ff00adae1337ecede93a8de9bb9ee71c464920f9f54c7bf3236d74aae98469
-
Filesize
341B
MD5fdb487ce4bbd3fb4300630d4b3633977
SHA1d3f105078f5f490641f7062ea12b22cee848f624
SHA256ad8c1dbb522554e094112fceb4fd627d393638672559d9fbcd624d9efb13242b
SHA512a9555d6a730c75a328c30200738ced9a4f9a7fdc30097f716ee4115d5ea9b4f4a12696419626e8b0e73d7c194488ac04e09a543ff72804f61d5721d4246af754
-
Filesize
27KB
MD52b62fb1ecd174c7e951f2b8af502c1c0
SHA190744a9355dd5b74d2ecc7ee34fccbeca1c18f1b
SHA2561fc616dd97e72451eda1324979f65df6af823aaaee1c83e5c2c3f3308cd26a67
SHA5120f14fbab88469ed19cde8d54ad74276ae4b03a783bf99def2d0f4d655a6ff86a35aa7ce4e8a7dcb936c70789efc4714b9bf1b317e485a6a44f150be6792cd7a0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1KB
MD5ca027a5ef5f6d21d7e42855fa4db4120
SHA1eee669fe1c3cabd5f96c65ac992e4851f8eca9da
SHA256e1b5e5122457b19ad5175b0b372d6d0b55813503827ad1d84c26f23b8506a66d
SHA5128dcd63d2406f6f7e67053342553345bb372401a8dda64e1b41e937df7359a8e4c0afa9705d8fbb953aeed403d54bcd6a5d5bddf7ca1d6c43f1da37020bdda491
-
Filesize
38KB
MD549474897d267894daa13e9dcb168793d
SHA110331de148bb89ecc6e1af25bd3b0a862dd2b4eb
SHA2560b9aedce74468150c054d27649dad8f98109e537a581649be6668a13cd29e6a7
SHA512687dfcfdff27d8be7fa2b7a277a6bd269bf719ca12bf5e7f38643582785032cb8b0e11c04180736dfa56c2b10a12e10c10e50427ceacf6d6332125ebf65eb9da
-
Filesize
29KB
MD5c53dc6d8050e08d12939b95e2f5c53dc
SHA101f3fd1a4c730cad939d243e6bb8f9fe8f1e0138
SHA2565a690ef46a5c889adbad580b773a6025040426ee11d3817927dd1e77698e8ece
SHA51275ec453cfa12a071322877db4244746de6ecec779c4f267cb3b9729437f3e0a90ffa2fe1d42e5baf05c159c8c6ef6c71bc7e258044162e5fcbaad10a9e93d84a
-
Filesize
16KB
MD5bd33707a5e0b6cc434fbaa32e69cb30a
SHA134ddc8fbda6acef9e07de571d4c00e65e3c09958
SHA256bf60d1aa67abc73f927e1544ba8b66a79ec9143caedb15e1d94d023be6aba036
SHA51202b78b7796e55e245d00ae5b94ae767c6c7da480ec609e84b1a4deafb5f6dbb8f15ad5947b3db421048e17d46419b2149ef23aa369ce42288d3bb5817a0863de