dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe
Size

219KB
MD5

f823004b55e04279e716827eb7d7a78f
SHA1

a20a550aded331ba73ecc5e05449005fb1646216
SHA256

dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a
SHA512

d73febcf23b35aa9af446fe16e4b2c48cabe0c3fe481cbd9f380c38704f4b88e75c5d966eda9e57a58f79645b79f6776869e3841606effc34a88ead68039c10d
SSDEEP

3072:Z2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhCK0KF:Z0KgGwHqwOOELha+sm2D2+UhngNUK4xe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
4212	avg_internet_security_setup_x64.exe
5024	instup.exe
4016	instup.exe
2280	aswOfferTool.exe
1696	aswOfferTool.exe
2572	aswOfferTool.exe
2944	aswOfferTool.exe

Loads dropped DLL 11 IoCs

pid	Process
4060	dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe
5024	instup.exe
5024	instup.exe
5024	instup.exe
5024	instup.exe
4016	instup.exe
4016	instup.exe
4016	instup.exe
4016	instup.exe
1696	aswOfferTool.exe
2944	aswOfferTool.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_internet_security_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe
File opened for modification	\??\PhysicalDrive0	avg_internet_security_setup_x64.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_internet_security_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avg_internet_security_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_internet_security_setup_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-d08.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35"	avg_internet_security_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "13"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100"	avg_internet_security_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: offertool_x64_ais-d08.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	avg_internet_security_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-d08.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-d08.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "93"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "14"	avg_internet_security_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "71"	avg_internet_security_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "1"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-d08.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: instcont_x64_ais-d08.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "42"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "62"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4212	avg_internet_security_setup_x64.exe
4212	avg_internet_security_setup_x64.exe
4016	instup.exe
4016	instup.exe
4016	instup.exe
4016	instup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 32	4212	avg_internet_security_setup_x64.exe
Token: SeDebugPrivilege	5024	instup.exe
Token: 32	5024	instup.exe
Token: SeDebugPrivilege	4016	instup.exe
Token: 32	4016	instup.exe
Token: SeDebugPrivilege	2572	aswOfferTool.exe
Token: SeImpersonatePrivilege	2572	aswOfferTool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5024	instup.exe
4016	instup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4212	4060	dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe	91
PID 4060 wrote to memory of 4212	4060	dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe	91
PID 4212 wrote to memory of 5024	4212	avg_internet_security_setup_x64.exe	94
PID 4212 wrote to memory of 5024	4212	avg_internet_security_setup_x64.exe	94
PID 5024 wrote to memory of 4016	5024	instup.exe	100
PID 5024 wrote to memory of 4016	5024	instup.exe	100
PID 4016 wrote to memory of 2280	4016	instup.exe	102
PID 4016 wrote to memory of 2280	4016	instup.exe	102
PID 4016 wrote to memory of 2280	4016	instup.exe	102
PID 4016 wrote to memory of 1696	4016	instup.exe	103
PID 4016 wrote to memory of 1696	4016	instup.exe	103
PID 4016 wrote to memory of 1696	4016	instup.exe	103
PID 4016 wrote to memory of 2572	4016	instup.exe	104
PID 4016 wrote to memory of 2572	4016	instup.exe	104
PID 4016 wrote to memory of 2572	4016	instup.exe	104

C:\Users\Admin\AppData\Local\Temp\dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe
"C:\Users\Admin\AppData\Local\Temp\dffbc3ef6aa1c5741a6d42a32f1d8ee26b3ac5f57def88f9ca23a1e074bfb09a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\Temp\asw.d01d51599c37e2b1\avg_internet_security_setup_x64.exe
  "C:\Windows\Temp\asw.d01d51599c37e2b1\avg_internet_security_setup_x64.exe" /ga_clientid:fad4b71b-3c07-4661-bedb-82ad53cc7906 /edat_dir:C:\Windows\Temp\asw.d01d51599c37e2b1
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\Temp\asw.93942a65e1bcb456\instup.exe
    "C:\Windows\Temp\asw.93942a65e1bcb456\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.93942a65e1bcb456 /edition:16 /prod:ais /stub_context:f4d891ea-eda2-4823-b099-814a97623a08:9994560 /guid:f58f2e14-549a-4b67-b413-f194ef24115d /ga_clientid:fad4b71b-3c07-4661-bedb-82ad53cc7906 /ga_clientid:fad4b71b-3c07-4661-bedb-82ad53cc7906 /edat_dir:C:\Windows\Temp\asw.d01d51599c37e2b1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\instup.exe
      "C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.93942a65e1bcb456 /edition:16 /prod:ais /stub_context:f4d891ea-eda2-4823-b099-814a97623a08:9994560 /guid:f58f2e14-549a-4b67-b413-f194ef24115d /ga_clientid:fad4b71b-3c07-4661-bedb-82ad53cc7906 /edat_dir:C:\Windows\Temp\asw.d01d51599c37e2b1 /online_installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe" -checkGToolbar -elevated
        5⤵
        Executes dropped EXE
        
        PID:2280
    - - C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe" -checkChrome -elevated
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
    - - C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe
        
        "C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFC
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
      - C:\Users\Public\Documents\aswOfferTool.exe
        
        "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFC
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
27KB

MD5
dfc45f2ee38c2f1792465becea10354b

SHA1
10bdd0ca8ad1df9a7339ab2c7e537dec84068bcb

SHA256
a95c6e8a4db7af5aa2227ac168bc8a43e77241578bafdf01e98123bd9f93bf77

SHA512
1ffb42ac8445d2bef212064598ec0d7b36a19a243be328a7106e7f5dd59cc3a5a10abe0003eae51d45a529b109942037963cdac99834d96ae54d7c751e7f2026

Download Submit
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

Filesize
1KB

MD5
c7843ae93594cd92f2e3157958c7d321

SHA1
5fd0699001b7dc4b101c9658d63b04ab9d8a0a9d

SHA256
9ed9ee5b21de5f8b239a19f306ad011d276a9a682e8e74cbf86b6a50344d65a8

SHA512
5bcf23e212344bd40dfb160b0a9b65b084eba8ad1891e5601c8d5fb898b8607dd78c9446bbb9d3eeab8676e8dab031d92d171fec4c97966f6c56171be9c47135

Download Submit
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\event_manager.log

Filesize
281B

MD5
8a8c2e637d0b93e7a64075d01dc74e75

SHA1
e9e58134a14e7ebdf1978e4e078323d54743a015

SHA256
dd3d56d509b893cee8105c6f6c3d56d000944f4f3ec652f4b3c4948f647f48e2

SHA512
58a3b61a7ce65cb57088e8185fe63682a0c059477fc9b77f8b178f4d124e83080895fb74e81e43212d7f344d69ae713b1fe370d5ef77d3483de61ac4c481f41c

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\HTMLayout.dll

Filesize
4.0MB

MD5
4cc6efda014cc654142c97cd09175e37

SHA1
9ff80f73eb8aa9563ee04f3857fedbb4167a9a2a

SHA256
0ffd67c501dd1778c35830465f07f2390e318a485e0b22e437404b0a9d4b5ad2

SHA512
064ceb07ef2a8a5db7d07a3ee58df07008efd642f12960c7dce837f533876199c0773a4b9861cf7907487b7fb2a96d6a1efdcc854855fd9246198ca438cab751

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\Instup.dll

Filesize
18.1MB

MD5
e9134948a4db2642f9bfaaf157a18bd0

SHA1
98249d941c196e9ee01f5d77713f13a12fff87f4

SHA256
67721cd04b1866888a97c1027e6d6ca5805b08124b724a31ff9931f9f3e28b2a

SHA512
629b39736755e9a9987a74aa9dab6aec94be061a3c70c140ce98d4eb9ca3575ccc02380990a023f3fbc1f49d56518f1dc9345fd8c7fe3b9cfbf7eb9c80187995

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\Instup.exe

Filesize
3.6MB

MD5
cb33ee6145c1dfad640103e1bc8b00e9

SHA1
e68405536c9501a5f7617636db734a7e7bfdb61c

SHA256
068bd9cd5dc944ff9030bdf3e31638408314e54861b93cdaf8c3c905a8005cac

SHA512
31608dc1d295c91d012fd4634494b182c6d4b70c255036cbd0f71ace56fbc1a69f8358b8799d2db21e0bea1010ad79dee774b6049bf31dd513042b460722508b

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\New_18050d08\gcapi.dll

Filesize
867KB

MD5
3ead47f44293e18d66fb32259904197a

SHA1
e61e88bd81c05d4678aeb2d62c75dee35a25d16b

SHA256
e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

SHA512
927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\asw68afb39d26476bed.ini

Filesize
702B

MD5
17148479d6724242562f851535da1a50

SHA1
b2989d37ffdb3234912a099d1ac07d93aaa356d4

SHA256
512548e395a2e6598f080e15a379d8fe26d233f2bfced3f3d783f7d62abd9540

SHA512
ad27ea0b0234537fe11b335d0d69f0570bae737235968f8a07204c889bf4c587fef88a83459aa896debf3644b878a66557a61a242faff1423c2ea76276b4382d

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\asw6a9be8cfa56699c4.ini

Filesize
1KB

MD5
75e69462532345a35d5dc6d3d2b8f016

SHA1
da79783cdc95d7dce68b297761c5b9f9995985ad

SHA256
1d78a3ddff252c1fafaa118b600a7cdf7b5dddf63535bcea2c145fea8600144f

SHA512
cdd42ce817bb22631e17ff9935ecb75230d595dd2ce0e4001d916efd00e222f23b2e3b071a10301ec7c93ebcf2a5300d764f827f6de4d29e229aea338f8cbf39

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\avbugreport_x64_ais-d08.vpx

Filesize
4.7MB

MD5
ebc2e21a31af7ba94c3a70db0caf23ad

SHA1
36a25c19c6becbcf8e1c959458867f59cab774a3

SHA256
b1819bf1551be44e0f293f6b6ead1841aacb63ca3a9d90f1a31c9cb52f648c6e

SHA512
e777fd82cf1d782e73dc8796c57ecb9be4ed09256af456190ae0e414de651226c3eb616ae4ec1c245e55934843dd85485e0594c0125e013c47b48d89fff5f739

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\avdump_x64_ais-d08.vpx

Filesize
3.3MB

MD5
c339cfe0485edefebae496b088d41221

SHA1
684e4fa30a601ef645293cc5a8b008bbc03b9483

SHA256
55ebd9dc7c26877a51e11722d3ea17f1afdf39a30aeda07ef6804659c34e54c4

SHA512
c78b4735ed9184219f95a461e97a47d95b60f353ded28d692a72f9c3db2ead081b700731c8b673e8a1ca969519281d8e73cef449d5bb6bcfd282fcd2261f4a5d

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\config.def

Filesize
18KB

MD5
b86dd14aadb9e34d004ad39a4693ced0

SHA1
1cb7775cee3e4106b2ddba89a0ccdc9dd547c521

SHA256
b64d1d23aef5cdeeb2279216a00c931b201bce90407c9cbff3a7ef2742873878

SHA512
03cb9215521da45e1df7b926fad7b0afd5ee001944c475a90c8646d7621d0d062267a682e102d81da0b5204ed215ec6ba4c7646d9340d71b0cb77ca12ddef0c1

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\config.def

Filesize
18KB

MD5
cf83fdbca32b875d7e5598f2139501e0

SHA1
84de2c080457953a56d5d329694c8f23e21b8cf4

SHA256
2b2829e191bc854179b91286f221c685088180d9632ff3e23719579aadcaae7c

SHA512
f179f728ea2ec3aaaaf45aea11803b11feddf16c23695f941cbd2c4d0a71ef36dcc4054141077bf5d73bfef8ea2371b88cda84d09515759a68cf85942b744cc6

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\config.def

Filesize
25KB

MD5
d88d7e79f2a9b211ebc805f44b309c5b

SHA1
4577ad75606f91422ea06e0f0b0d9ab896e4c0e4

SHA256
7432164251dab9cc35142c87619c98c8df44116acf3ebbd6335852e4eac3f474

SHA512
4c4a2d47262db72e4e030fca90ab770484199b886efa5f21474d4e99e07ae61ab61cfcd2721d9dd9059f18e1aa52951343d27b7d3583ab301bc5ecd23d83666b

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\offertool_x64_ais-d08.vpx

Filesize
2.3MB

MD5
993a67fbd5162510a2b0f3fba05bad33

SHA1
3c76258240a04c05341e611f55bef10341e34ff3

SHA256
0b7c3caa31928131ce0e1ca570aa72e20a98dda13e4ca0c59f31cc677d8e8c6e

SHA512
44a335d3db00fa9148066a5f2d2a9f5250d7df2315d132ab2798b02e2d21b700525a00be91d960e1564a6ffc0ee95347f0df9ffc27a10cf807d5a926ab5154a3

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\part-jrog2-7a.vpx

Filesize
211B

MD5
029594e2a837803f50b842a87bce0413

SHA1
e2850fbbb8c066e6acc771b586b670e109f41709

SHA256
5cc54f13a2c160b8010ed382be9dc03b156ec070410a4074d4de22c1523492d1

SHA512
00f7fd4b0ab8bab188cd529a358e47f3b9b85754e0bf96850651d006f8dbd30f03c970f40ca8f62382257412f4ba87a14e35e9ad663164371105cf9c62e73129

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\part-prg_ais-18050d08.vpx

Filesize
73KB

MD5
d264bf74d7ffcbad341d9fcefa4893bb

SHA1
c7e9a0972524fa573825865c46eb6728d3e219e0

SHA256
4b01a68078d7e1af1c0197baddbbb1ef4d3cbf13f71e8b9df766f88b4e6d8025

SHA512
afbfdf6fdeb5dc427340de691726e79cb5bcc41bd488c557c684efe3f26d83a17f1118cc50bd64541a9a839d3dd4329a72a9423e65d3e9cdcfbd14003f1e0dc3

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\part-setup_ais-18050d08.vpx

Filesize
4KB

MD5
0344288a18997069003d84c226a168f9

SHA1
0fe47920601834e620737ad321fbb24d38c7ee94

SHA256
675bd92f752a51bd7d9797895252b3130095a06d7d5db8f221ab6251735ead8d

SHA512
b1680ef42d7e2e56fbb124c91da27f15e6c946450c7d03d95b937c3cde80dbc2260e11926578075df255058c2307058429fd2f7307fc0a105c775a9b8aa82429

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\part-vps_windows-24061201.vpx

Filesize
7KB

MD5
4fe64f4a6a83da82fefde63d3873ce43

SHA1
ab35bfe47a520fa7e09a97145fc7746261ef4906

SHA256
196983eb82410a7c045c828e3f5d796ac23b31bd39ff83077ccb0d5800302558

SHA512
9c4badae12ca9ae74a985a6058890f9fa463fc95a5df42432912ccfa7f0f633e00a59abfd7e79e4632b8b9ec16013313344fd6849ef157700d0c7d51379f8fcf

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\prod-pgm.vpx

Filesize
572B

MD5
6d08ac0131cac7a2f9f2ea5d9d0b0cc6

SHA1
25983c1419089c6a7570963dda2d06e022b3b36d

SHA256
846f9f2f624c8a1f001a4bd7c7ca3158c8c79cb11fa6d474cfdf8e48d0238a3f

SHA512
753890f34fc1a925177a594c8bc5e19dc509fb8b32c1eef429496c5d19421200bdd75879c529981823340718bee82dafdf3f262a9ecf65de9ef03d12a1684b2c

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\prod-vps.vpx

Filesize
343B

MD5
b516373c4f4f0bd98bbbcd71b4022e4d

SHA1
fb2ccdcbec8ddcd91f35fd762dd86a5b2cb8e062

SHA256
52e06087d9c0968150bc5d3b06895e3ab9b69aebea20e0328434b703aa242099

SHA512
b1ef7ffd12b104a3caf8676c95285693c2af057537df0e87a292cea51bddf34be3ff00adae1337ecede93a8de9bb9ee71c464920f9f54c7bf3236d74aae98469

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\prod-vps.vpx

Filesize
341B

MD5
0f0b7bf12895cd6de6ad861763aeb094

SHA1
6e6f4fa3fac91de6a81bfc72fc90352f7a82d612

SHA256
57f649a2b539b6b9f345e883fd5a541208ab88825daebb6fedef627c6f6290d0

SHA512
bdb482b556c391d40f1e2228e32e7b11399bbe0379d25e219bf8f7745f8e7d1c0d104cb4f090d3814d4d7987008f49f750542c747bc0d761bae66d123fa5918f

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\sbr_x64_ais-d08.vpx

Filesize
19KB

MD5
ebd5c38aa827d9777dcde81e2a037b6f

SHA1
740eee39569863c6baa780e7d82c848c92abe0c1

SHA256
7fd358eddcef6756f315fec2bfad52286402f7194104fcfd3dcec7d588597025

SHA512
fc22fff31b6e84297af9769b84142960e45bf9d8b71e9039e3829be9c671fc173dd47c88c25807f3e7bca0b87f842de500f5227e21ed312bfae2e89d0b65ff0d

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\servers.def

Filesize
27KB

MD5
2b62fb1ecd174c7e951f2b8af502c1c0

SHA1
90744a9355dd5b74d2ecc7ee34fccbeca1c18f1b

SHA256
1fc616dd97e72451eda1324979f65df6af823aaaee1c83e5c2c3f3308cd26a67

SHA512
0f14fbab88469ed19cde8d54ad74276ae4b03a783bf99def2d0f4d655a6ff86a35aa7ce4e8a7dcb936c70789efc4714b9bf1b317e485a6a44f150be6792cd7a0

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\servers.def.vpx

Filesize
1KB

MD5
ca027a5ef5f6d21d7e42855fa4db4120

SHA1
eee669fe1c3cabd5f96c65ac992e4851f8eca9da

SHA256
e1b5e5122457b19ad5175b0b372d6d0b55813503827ad1d84c26f23b8506a66d

SHA512
8dcd63d2406f6f7e67053342553345bb372401a8dda64e1b41e937df7359a8e4c0afa9705d8fbb953aeed403d54bcd6a5d5bddf7ca1d6c43f1da37020bdda491

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\setup.def

Filesize
38KB

MD5
49474897d267894daa13e9dcb168793d

SHA1
10331de148bb89ecc6e1af25bd3b0a862dd2b4eb

SHA256
0b9aedce74468150c054d27649dad8f98109e537a581649be6668a13cd29e6a7

SHA512
687dfcfdff27d8be7fa2b7a277a6bd269bf719ca12bf5e7f38643582785032cb8b0e11c04180736dfa56c2b10a12e10c10e50427ceacf6d6332125ebf65eb9da

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\uat64.dll

Filesize
29KB

MD5
c53dc6d8050e08d12939b95e2f5c53dc

SHA1
01f3fd1a4c730cad939d243e6bb8f9fe8f1e0138

SHA256
5a690ef46a5c889adbad580b773a6025040426ee11d3817927dd1e77698e8ece

SHA512
75ec453cfa12a071322877db4244746de6ecec779c4f267cb3b9729437f3e0a90ffa2fe1d42e5baf05c159c8c6ef6c71bc7e258044162e5fcbaad10a9e93d84a

Download Submit
C:\Windows\Temp\asw.93942a65e1bcb456\uat64.vpx

Filesize
16KB

MD5
bd33707a5e0b6cc434fbaa32e69cb30a

SHA1
34ddc8fbda6acef9e07de571d4c00e65e3c09958

SHA256
bf60d1aa67abc73f927e1544ba8b66a79ec9143caedb15e1d94d023be6aba036

SHA512
02b78b7796e55e245d00ae5b94ae767c6c7da480ec609e84b1a4deafb5f6dbb8f15ad5947b3db421048e17d46419b2149ef23aa369ce42288d3bb5817a0863de

Download Submit
C:\Windows\Temp\asw.d01d51599c37e2b1\avg_internet_security_setup_x64.exe

Filesize
9.5MB

MD5
eca3bcc6780653fc53282e3a6cce79b2

SHA1
24512b8e824890b34441442f429f1890614a2c8a

SHA256
72ec7275fee205958ec5b86a6e7d24fbd0dc2d9c081e1808df2a9fb024f3e959

SHA512
74588f99e1c6038640c5b699701a9635c76a8da7059438a25741a74d13ce2fa3cddf5b0fa6af26b9beb1d4fe022d5bb38ec13868c04b7f68ce5f079a63c07a78

Download Submit
C:\Windows\Temp\asw.d01d51599c37e2b1\eapt.edat

Filesize
51B

MD5
fd4581e8538fdf8af793993c3eae5768

SHA1
c5bc7ef5082f20e484286412216490ac775489cc

SHA256
3490399765b07f17cc4b15d8bc5a1c28f1f4faec84c3294cf050b7c5ebdfd698

SHA512
98946cb1bace1d2c53084a3e2d64a7f421d8d95b8286f18d2e676fe76c37ed279a393d712cee1aed84d612d493f70464303f8af94884bc10924c47da6358a1e7

Download Submit
C:\Windows\Temp\asw.d01d51599c37e2b1\eewk.edat

Filesize
20B

MD5
73f05e5467b5657422a3e35b81d4c1cb

SHA1
e5970f5ad3f7c388fa8d9202c8452c74083a3135

SHA256
abf2c18a036fa23f9cace0d16a8484cf542dea8a61bab87a3b99250451eb4753

SHA512
7879543a3bda5e43d515af0d47992cfb8ced4faa3bb71f1b31c61da98c216d6b7079ffe24d77388b7aa94b02f314a792e4cf5c73f8fb7b9b66b3b34f54b3b2e4

Download Submit