Analysis
max time kernel: 295s
max time network: 259s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 18/07/2024, 18:18
Static task: static1
Behavioral task behavioral1: sample avast_free_antivirus_setup_online.exe, resource win10-20240404-en
Behavioral task behavioral2: sample avast_free_antivirus_setup_online.exe, resource win10v2004-20240709-en
Behavioral task behavioral3: sample avast_free_antivirus_setup_online.exe, resource win11-20240709-en
General
Target: avast_free_antivirus_setup_online.exe
Size: 257KB
MD5: 5dd99460687fa202f26bef9565b2eb71
SHA1: d90930758b01570db7403b1e1130c99d5dfbac91
SHA256: 1fb53cd33d285e2807dca6ee3005689f1425b363c46b377958a7431a46488207
SHA512: ef59d47099f738eedd457a7bbe4779af5e956f7afe073bc98f9d3b10ae57891a225402ad7494c055d656d111e59991fd54ccb00174d3b860e685cb6c49317f82
SSDEEP: 3072:482RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhSn+K:480KgGwHqwOOELha+sm2D2+Uhngu7p
Malware Config
Signatures
Checks for any installed AV software in registry (1 TTP, 52 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | instup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | instup.exe
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile | instup.exe
Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | avast_free_antivirus_setup_online_x64.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | instup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings | instup.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | instup.exe
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | avast_free_antivirus_setup_online_x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | instup.exe
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | instup.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log" | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug | instup.exe
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | avast_free_antivirus_setup_online_x64.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | instup.exe
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder | instup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder | instup.exe
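The 52 hits above are mostly the installer reading and writing its own vendor key under HKLM\SOFTWARE\Avast Software; only two of them (the opens of \REGISTRY\MACHINE\Software\Avira\Antivirus) are lookups of another product's key, which is the behaviour this heuristic is meant to surface. The helper below, added here as an example and not part of the sandbox report or of Avast's installer, splits the signature's entries by the vendor component of the key path so that self-configuration can be separated from third-party AV discovery. The entries it runs on are a constructed excerpt of the table above in (description, key, process) form; the vendor is taken from the path rather than from a hard-coded list.

```python
"""Classify "installed AV software" registry IoCs by vendor key.

Added example (not from the report or the installer). Input is a list of
(description, key_path, process) tuples as in the sandbox table; output
separates the sample's own vendor key from other vendors' keys and notes
whether any third-party key was written rather than only read.
"""
import re
from collections import Counter, defaultdict

# Vendor = first path component under HKLM\SOFTWARE (or its WOW6432Node view).
# Case-insensitive because the report mixes \REGISTRY/\Registry and SOFTWARE/Software.
VENDOR_RE = re.compile(
    r"^\\registry\\machine\\software\\(?:wow6432node\\)?([^\\]+)", re.IGNORECASE)
WRITE_OPS = ("Set value", "Key created", "Key deleted")

SAMPLE_IOCS = [  # constructed excerpt of the report's table
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile", "instup.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Software\AVAST Software\Avast", "instup.exe"),
    ("Key opened", r"\Registry\MACHINE\SOFTWARE\Avast Software\Avast", "avast_free_antivirus_setup_online_x64.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog", "instup.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Software\Avira\Antivirus", "instup.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry", "instup.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\Software\Avira\Antivirus", "instup.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder", "instup.exe"),
]


def vendor_of(key_path: str):
    """Lower-cased vendor component of an HKLM\\SOFTWARE key path, or None."""
    m = VENDOR_RE.match(key_path)
    return m.group(1).lower() if m else None


def classify_av_checks(entries, own_vendor: str) -> dict:
    """Group registry IoCs by vendor key and flag other vendors' keys.

    own_vendor is the vendor component of the sample's own key
    ("Avast Software" for this report). Third-party writes are reported
    separately because tampering with another product's key is a much
    stronger signal than merely checking whether it exists.
    """
    own = own_vendor.lower()
    reads, writes = Counter(), Counter()
    procs = defaultdict(set)
    for desc, key_path, proc in entries:
        vendor = vendor_of(key_path)
        if vendor is None:
            continue                        # not an HKLM\SOFTWARE vendor key
        (writes if desc.startswith(WRITE_OPS) else reads)[vendor] += 1
        procs[vendor].add(proc)
    third_party = sorted(v for v in set(reads) | set(writes) if v != own)
    return {
        "own_vendor_hits": reads[own] + writes[own],
        "third_party": {v: reads[v] + writes[v] for v in third_party},
        "third_party_writes": {v: writes[v] for v in third_party if writes[v]},
        "processes": {v: sorted(p) for v, p in procs.items()},
    }


if __name__ == "__main__":
    print(classify_av_checks(SAMPLE_IOCS, "Avast Software"))
```

Run against the full table, the same function reports 50 own-vendor hits and a single third-party vendor (avira) with two reads and no writes, which is the picture a reviewer would expect from a competing AV installer rather than from malware disabling protection.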
Downloads MZ/PE file
Writes to the Master Boot Record (MBR) (1 TTP, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. This signature fires when a handle to \??\PhysicalDrive0 is opened with write access ("opened for modification"); it does not by itself show that sector 0 was rewritten, so confirm by comparing the first sector before and after the run.
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | avast_free_antivirus_setup_online_x64.exe
File opened for modification | \??\PhysicalDrive0 | instup.exe
File opened for modification | \??\PhysicalDrive0 | instup.exe
File opened for modification | \??\PhysicalDrive0 | avast_free_antivirus_setup_online.exe
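To turn the four handle-open IoCs above into a yes/no answer, capture sector 0 before and after the run and compare the regions that matter. The parser below is an added example (not part of the sandbox report or of Avast's code): it validates the 0x55AA boot signature, decodes the four partition entries, and hashes the bootstrap code separately from the partition table, so a rewritten bootstrap (what a bootkit changes) can be told apart from a legitimate partition-table edit. The sectors it runs on are constructed for the example; the offsets are the standard MBR layout (440 bytes of boot code, 4-byte disk signature at 0x1B8, four 16-byte entries at 0x1BE, signature at 0x1FE).

```python
"""Parse and diff raw 512-byte MBR sectors (added example, constructed data)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code; the disk signature follows at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 0x1FE


def parse_mbr(sector: bytes) -> dict:
    """Decode sector 0. Raises ValueError if it is not a valid MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partition_table_sha256": hashlib.sha256(
            sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Name the MBR regions that differ between two sector-0 captures."""
    b, a = parse_mbr(before), parse_mbr(after)
    changed = []
    if b["bootcode_sha256"] != a["bootcode_sha256"]:
        changed.append("bootcode")                    # the region a bootkit rewrites
    if b["disk_signature"] != a["disk_signature"]:
        changed.append("disk_signature")
    if b["partition_table_sha256"] != a["partition_table_sha256"]:
        changed.append("partition_table")
    return changed


def build_sector(bootcode: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a test sector (constructed input, not a real disk image)."""
    buf = bytearray(MBR_SIZE)
    code = bootcode[:BOOTCODE_LEN]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba, count)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


# Constructed captures: a baseline, a run that only added a partition entry,
# and a run that replaced the bootstrap code.
_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100
BASELINE = build_sector(_CODE, 0x1234ABCD, [(True, 0x07, 2048, 1_000_000)])
PARTITION_ONLY = build_sector(_CODE, 0x1234ABCD,
                              [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 4096)])
BOOTCODE_REPLACED = build_sector(b"\xeb\xfe" + b"\x00" * 100, 0x1234ABCD,
                                 [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print(parse_mbr(BASELINE)["partitions"])
    print("partition-only run changed:", diff_mbr(BASELINE, PARTITION_ONLY))
    print("bootcode-replaced run changed:", diff_mbr(BASELINE, BOOTCODE_REPLACED))
```

On a Windows analysis VM the two captures come from an elevated prompt with `open(r"\\.\PhysicalDrive0", "rb", buffering=0).read(512)`; raw-device reads must be sector-aligned, which a single 512-byte read is.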
Executes dropped EXE (8 IoCs)
pid | process
4984 | avast_free_antivirus_setup_online_x64.exe
3344 | instup.exe
5124 | instup.exe
5556 | aswOfferTool.exe
5584 | aswOfferTool.exe
5632 | aswOfferTool.exe
5680 | aswOfferTool.exe
5828 | aswOfferTool.exe

Loads dropped DLL (8 IoCs)
pid | process
2360 | avast_free_antivirus_setup_online.exe
3344 | instup.exe
3344 | instup.exe
3344 | instup.exe
3344 | instup.exe
5124 | instup.exe
5632 | aswOfferTool.exe
5828 | aswOfferTool.exe
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments. The values read here (ProcessorNameString, ~MHz, Update Signature, Update Revision) are also what an installer reads for a CPU compatibility check, so this signature alone does not distinguish evasion from ordinary setup logic.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | instup.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | avast_free_antivirus_setup_online_x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | instup.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | instup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | avast_free_antivirus_setup_online_x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | avast_free_antivirus_setup_online_x64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | instup.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | instup.exe
Modifies registry class (64 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "21" | avast_free_antivirus_setup_online_x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: offertool_x64_ais" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "5" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvDump.exe" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "63" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "28" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "96" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Checking install conditions" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "61" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87" | instup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | avast_free_antivirus_setup_online_x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x86_ais-a42.vpx" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-a42.vpx" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "72" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78" | instup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" | avast_free_antivirus_setup_online_x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "42" | avast_free_antivirus_setup_online_x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "64" | avast_free_antivirus_setup_online_x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21" | instup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avbugreport_x64_ais-a42.vpx" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "52" | instup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84" | instup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75" | instup.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
4984 | avast_free_antivirus_setup_online_x64.exe
4984 | avast_free_antivirus_setup_online_x64.exe
4984 | avast_free_antivirus_setup_online_x64.exe
4984 | avast_free_antivirus_setup_online_x64.exe
5124 | instup.exe
5124 | instup.exe
5124 | instup.exe
5124 | instup.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | process
Token: 32 | 4984 | avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege | 4984 | avast_free_antivirus_setup_online_x64.exe
Token: SeDebugPrivilege | 3344 | instup.exe
Token: 32 | 3344 | instup.exe
Token: SeDebugPrivilege | 5124 | instup.exe
Token: 32 | 5124 | instup.exe
Token: SeDebugPrivilege | 5680 | aswOfferTool.exe
Token: SeImpersonatePrivilege | 5680 | aswOfferTool.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
3344 | instup.exe
5124 | instup.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | procid_target
PID 2360 wrote to memory of 4984 | 2360 | avast_free_antivirus_setup_online.exe | 73
PID 2360 wrote to memory of 4984 | 2360 | avast_free_antivirus_setup_online.exe | 73
PID 4984 wrote to memory of 3344 | 4984 | avast_free_antivirus_setup_online_x64.exe | 74
PID 4984 wrote to memory of 3344 | 4984 | avast_free_antivirus_setup_online_x64.exe | 74
PID 3344 wrote to memory of 5124 | 3344 | instup.exe | 75
PID 3344 wrote to memory of 5124 | 3344 | instup.exe | 75
PID 5124 wrote to memory of 5556 | 5124 | instup.exe | 76
PID 5124 wrote to memory of 5556 | 5124 | instup.exe | 76
PID 5124 wrote to memory of 5556 | 5124 | instup.exe | 76
PID 5124 wrote to memory of 5584 | 5124 | instup.exe | 77
PID 5124 wrote to memory of 5584 | 5124 | instup.exe | 77
PID 5124 wrote to memory of 5584 | 5124 | instup.exe | 77
PID 5124 wrote to memory of 5632 | 5124 | instup.exe | 78
PID 5124 wrote to memory of 5632 | 5124 | instup.exe | 78
PID 5124 wrote to memory of 5632 | 5124 | instup.exe | 78
PID 5124 wrote to memory of 5680 | 5124 | instup.exe | 79
PID 5124 wrote to memory of 5680 | 5124 | instup.exe | 79
PID 5124 wrote to memory of 5680 | 5124 | instup.exe | 79
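The sandbox records one IoC per cross-process write, so every parent/child pair above appears two or three times and the "18 IoCs" count overstates the number of distinct relations; collapsed, they are seven edges forming one chain from PID 2360 down to the four aswOfferTool.exe children of 5124. Note also that PID 5828, which the Processes section shows as a child of 5680, has no WriteProcessMemory entry, so a tree built from this signature alone is incomplete and should be checked against the process listing. The script below is an added example, not part of the report: it parses lines in the column layout of the table above (copied here as a constructed list), de-duplicates them into unique edges, and derives roots, depths and ancestry chains.

```python
"""Collapse WriteProcessMemory IoCs into a parent/child process tree.

Added example (not from the sandbox report). LINE_RE follows the table's
"PID <src> wrote to memory of <dst> <pid> <process> <procid_target>" layout;
the lines are copied from the report as constructed input for the example.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)")

WPM_LINES = [
    "PID 2360 wrote to memory of 4984 2360 avast_free_antivirus_setup_online.exe 73",
    "PID 2360 wrote to memory of 4984 2360 avast_free_antivirus_setup_online.exe 73",
    "PID 4984 wrote to memory of 3344 4984 avast_free_antivirus_setup_online_x64.exe 74",
    "PID 4984 wrote to memory of 3344 4984 avast_free_antivirus_setup_online_x64.exe 74",
    "PID 3344 wrote to memory of 5124 3344 instup.exe 75",
    "PID 3344 wrote to memory of 5124 3344 instup.exe 75",
    "PID 5124 wrote to memory of 5556 5124 instup.exe 76",
    "PID 5124 wrote to memory of 5556 5124 instup.exe 76",
    "PID 5124 wrote to memory of 5556 5124 instup.exe 76",
    "PID 5124 wrote to memory of 5584 5124 instup.exe 77",
    "PID 5124 wrote to memory of 5584 5124 instup.exe 77",
    "PID 5124 wrote to memory of 5584 5124 instup.exe 77",
    "PID 5124 wrote to memory of 5632 5124 instup.exe 78",
    "PID 5124 wrote to memory of 5632 5124 instup.exe 78",
    "PID 5124 wrote to memory of 5632 5124 instup.exe 78",
    "PID 5124 wrote to memory of 5680 5124 instup.exe 79",
    "PID 5124 wrote to memory of 5680 5124 instup.exe 79",
    "PID 5124 wrote to memory of 5680 5124 instup.exe 79",
]


def parse_edges(lines):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_name})."""
    edges = defaultdict(int)
    names = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        if src != int(m["pid"]):              # the pid column must be the writer
            raise ValueError(f"writer mismatch in {line!r}")
        edges[(src, dst)] += 1
        names[src] = m["proc"]
    return dict(edges), names


def build_tree(lines):
    """Unique edges, children per parent, root PIDs and depth of every PID."""
    edges, names = parse_edges(lines)
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    children = {p: sorted(c) for p, c in children.items()}
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    depth = {}
    stack = [(r, 0) for r in roots]
    while stack:                              # iterative DFS from each root
        pid, d = stack.pop()
        depth[pid] = d
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return {"edges": edges, "names": names, "children": children,
            "roots": roots, "depth": depth}


def chain_to(pid, tree):
    """Ancestry from the root down to pid, as a list of PIDs."""
    parent_of = {c: p for p, c in tree["edges"]}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    tree = build_tree(WPM_LINES)
    print(f"{len(WPM_LINES)} IoCs -> {len(tree['edges'])} parent/child pairs")
    for (p, c), n in sorted(tree["edges"].items()):
        print(f"  {p} ({tree['names'][p]}) -> {c}   ({n} writes)")
    print("chain to 5680:", chain_to(5680, tree))
```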
Processes
[1] C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe (PID 2360)
    command line: "C:\Users\Admin\AppData\Local\Temp\avast_free_antivirus_setup_online.exe"
    - Writes to the Master Boot Record (MBR)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Temp\asw.57bba672884d277b\avast_free_antivirus_setup_online_x64.exe (PID 4984)
      command line: "C:\Windows\Temp\asw.57bba672884d277b\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /edat_dir:C:\Windows\Temp\asw.57bba672884d277b
      - Checks for any installed AV software in registry
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Temp\asw.31d43fabf4c75595\instup.exe (PID 3344)
        command line: "C:\Windows\Temp\asw.31d43fabf4c75595\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.31d43fabf4c75595 /edition:1 /prod:ais /stub_context:a71d0be2-a0f4-4838-bdbb-770237630168:9925720 /guid:e7679111-c503-470c-b1df-3d7914a323b2 /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /edat_dir:C:\Windows\Temp\asw.57bba672884d277b
        - Checks for any installed AV software in registry
        - Writes to the Master Boot Record (MBR)
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\instup.exe (PID 5124)
          command line: "C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.31d43fabf4c75595 /edition:1 /prod:ais /stub_context:a71d0be2-a0f4-4838-bdbb-770237630168:9925720 /guid:e7679111-c503-470c-b1df-3d7914a323b2 /ga_clientid:d532189d-1b65-4226-bec4-385f9f71631a /no_delayed_installation /cookie:mmm_ava_998_999_000_m:dlid_FAV-ONLINE-FAD /edat_dir:C:\Windows\Temp\asw.57bba672884d277b /online_installer
          - Checks for any installed AV software in registry
          - Writes to the Master Boot Record (MBR)
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe (PID 5556)
            command line: "C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkGToolbar -elevated
            - Executes dropped EXE
        [5] C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe (PID 5584)
            command line: "C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" /check_secure_browser
            - Executes dropped EXE
        [5] C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe (PID 5632)
            command line: "C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkChrome -elevated
            - Executes dropped EXE
            - Loads dropped DLL
        [5] C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe (PID 5680)
            command line: "C:\Windows\Temp\asw.31d43fabf4c75595\New_180617e9\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Public\Documents\aswOfferTool.exe (PID 5828)
              command line: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
              - Executes dropped EXE
              - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 25KB
MD5 8bfc982a9f4f09241f517915470ff7bc
SHA1 e63654a239a25a590c1ed2f8aeedc3e7e5f52fdf
SHA256 ae9a0ab8549e3098b4f6fb9da715e98b7a4bfcf0ecc4d4cee18e5f434fc41e59
SHA512 ec90432569007bfee56272fa0f645aa26b2a1330a8b35f5cace8636df3a405995505dc515be05f99a88d19fba23f572cbfcfecf3aa070ac8ea70444d2e802bb0

Filesize 1KB
MD5 0f4f0b6ea49233d9ceac8c4ac75d8361
SHA1 064e6c9d1177030562a124d16cc4630d75f27965
SHA256 9349ce9147d7f836d971886f7268fbd0998abd3a68b5efa84341d66049c3cf42
SHA512 47f19bc3568c3cb82b6adb732272bf8d6fc984a76280e82b5fc08f9bf0f42e5d93c88e6b4ad790895c5a25e36aa7a1edc1a39ca360c2056cc1a4f57522dd7fb1

Filesize 142B
MD5 ad692c8468fe3ea4836e90a402d76aa0
SHA1 a7517558fc4db96f44bef3969a0000130d238f30
SHA256 009ca5b54102509d098a8a2bdd027cd1d3926eb8732905a02e5744fe3b226d74
SHA512 9f05d97bd4976c1ba14219df9213e2df271f6d11784ad709201ead0699ad5e015c3ab92b8d266f9e645d7cee60deac706a803c0a681df4f17a4bbd0ceaafa8e4

Filesize 4.0MB
MD5 dfae82a37c609bb6f00ed781a58355f7
SHA1 92a9a702c64fd32668f3c334a770b4d3bdd49330
SHA256 9e8669adde471d36dff8cc760b1387d68f9370a668ac1669d1427fede56540b0
SHA512 d223c89cd8fe08b768c71297d46811538a21876dcfc1ad351d490392a7dc3811e4e26dbc52a89511b98d2955b28c91783c331cf9288a2f568d3cc753f6bc655a

Filesize 18.1MB
MD5 cc9c6602502984f24aa849a4601166ab
SHA1 f35f44fbeebb1d6616a27641311470406b0619f3
SHA256 8add358f520ba6dde2aa14abf0f04a0a0739929465780e910af4bcfe47287932
SHA512 f724530c3da9e707ae70420948f23c1c1b309b31a6d37c98cb7af3aa5012419bf46fd75475baf336f451286eb103d07314a41d159b2f3b447af80734e2ae66c4

Filesize 3.6MB
MD5 94422d2f5e7b7c2c394592ff42ffad97
SHA1 b0688c9013391abe0946d61a296e810aae4ec061
SHA256 778ef3bac5b93ab1848321b34922411403ee45972db240e2b5ec77688fd78985
SHA512 2ff75aabe2fafddb6d468f0e70bcf2988f01bc575e42333c0c1cfb1f0ba2df8f06bbe7fe0ac8fe228a869c778f17f1306277086957a045a1bfd0f96d2262d1d7

Filesize 1KB
MD5 396f4fc164e192bff8a571f27a94e5ae
SHA1 4882ac97ef1a7470e5031d0e9b2bc2aaa16c6fd3
SHA256 2450334ce9131df9f659c2d22c09a22c964d53e8a181a88daf7aff2481bda74e
SHA512 ddd8871b4fca51c59f4bc41d0b76889b7857a8fe70218ff3961de463344009b5e5d75276eac024055fd473c53a1fe92cd35dd69f9cf4ee96993d245297b27d84

Filesize 1KB
MD5 1f4c7e779c43761037d6f1f6952f0e39
SHA1 2b50df92d08cef1dc43d7659a913f510457fcec8
SHA256 306b0c7b03f14bdc77e6e1b7943a685566737a0909344aa05cb54e34bf20aff5
SHA512 f792a3bae7eea928b9baf638e63d02225dd3b287c7dd71997ef35f3f7172084fd0bb744f7c49f3dfd69701e8260d432dad15afe464391d6671c4fbeff4ff325a

Filesize 4.7MB
MD5 0e640c5ca12e01a50089c1497ab4f737
SHA1 5d0c22581c29f56bcf597e9be347f87bfb7efb20
SHA256 ffef8170d192509f527d6a23584528a0b9676f0c11b88ff5c079fb8b5e79c2f7
SHA512 7100dc0c067286fe5ba8b363d024f560fc57b8606b2e7d2e3a344bb3380b9b67f8c8e4b8b75e70d26e9caa947a42b3e78651f357775b6817230931f851403945

Filesize 3.3MB
MD5 f0ddd08f9b933c3d49c5d738e52f6be0
SHA1 7a161fd561c7b014b3255256033c0d4a5ccaa682
SHA256 435b0c4824c9aa637ca7c3335d4123d7a67a6c6818348f88eb7c00d70ded8221
SHA512 e95a1337f6b00c69c33d7383f9a8076d5432dbe9c92c4e55dfe4fca5a56f51b5c73f0ba70b1e66ef913609012ef025b151931b4184c8ad6d8e55e391c3e224ad

Filesize 29KB
MD5 f603b1460d9c67a945d10fdca920232c
SHA1 ce0836271354e633a29137f86fc91a85f61f0aa1
SHA256 1f1e4dfd55a6c8e581f475790dce8d8fc1ac2676b2fcc16fd732916c307a75e9
SHA512 fac8ff10d6955490a5e1e56aa7ec08d10c7a12f5ee1ee546ac8a2ea9f6be163c947b737751b36b62de88ff53dd281e17c0742c1b9fe10c6d99655b19ec60ff8f

Filesize 29KB
MD5 74626fbf004a062b5449d1f73e320194
SHA1 167586af6b98c776635af5d7171a05fcb6415fd4
SHA256 3d3821629f9ef6b48081fee430668075e2bac601ff9215f574bf38ae8529a6ae
SHA512 0a353acc59af7ac371418db9dd5213e2becae44457c5c7bb681fd9f3b107b34b753c416140d7f3b6e2629aeffcd3b3a30c8c16c91ceb8dfcccab16054a7fb4c5

Filesize 36KB
MD5 c93aab0bbd869cd340112435e5fa184d
SHA1 f146fcf444697408796a7e1d0850d5ef9ebbaa20
SHA256 32e686bed39bdcdb0c7e2aaf4c71bab744ea18a7e66af0131c430865bc69c98f
SHA512 f8521b926734a3e590b0cc48af1612eb456a24e3b17540905a91a4c86365087dcef0dd141270af4ce6d949cb406fef5bf4450ec3429e4ea41acbbc440b38e77d

Filesize 883B
MD5 6448210462f49aa74b31c47673c2eba9
SHA1 c56bf4480ee4ae8b0940d1a171dfc4def2a30013
SHA256 71f31a12075d375c7e382aa6d5be2659ed7f2b7926c44a0e6a845b015daa9ea0
SHA512 eab495d0f2ba13f8cabe484b4870ef397ba570c9971d39333da7881387692a9ed2a57145e17843be161d0aa1ab31734673f8fcf9ee76929b6c03da0f0fab4e44

Filesize 2.3MB
MD5 4083a128d717e41f6eb3ad762fa9fad7
SHA1 c8e41bea43a06a7f8127f490d209ffbc99b936ec
SHA256 ef9ba8d3348eae59ffb7835eed786efb2f3f87babe784a2b7e3fb247bbf53cfd
SHA512 719a8a2c638ba8ed281933afa65f32f2d2d633fb2f1a515506f06efd6e7a39b942aaf9f82a457f47a11d68028c197ea011d060e26cc3f7730fc61d84a4b7f2cb

Filesize 695B
MD5 e4804fcb47654d7e8e4531ade30fdc39
SHA1 6dd1327984f63e725b60b776932920e63c5a9311
SHA256 5a85c46d8656abdca1e9971ed783f930d0fc612a728e73c4e6d8d6b525155a61
SHA512 c50bacad91d1f9eeb458dfad51aded1c4b8da258b0c238be375a65bb119d27d6320971129d9499c58110307de855c5240a82eba860bf0604f172829ada0db425

Filesize 74KB
MD5 bb77ea8a833437ce4f5214d8315ab7a7
SHA1 b76edcaa6275852232d613753d9dd9511af18694
SHA256 eb01d6e0b5d1519c05720040a8887782c3e73adf9e406fc739e2afb2cdc4e0e1
SHA512 a2acd616484843fdb4fe8c6121719f2a3b20cf06627a127d7b3cfec65ad0532c7397362464c582cee09e8d011ef0b97e69eb3bd73bd4578a121c935656f162f4

Filesize 4KB
MD5 e63ce56d9b211d7432d327bfa3cf27f7
SHA1 53297bde156f132f1caf07d6bf63ea6dbb54efe4
SHA256 d3b0db1d7070d8917811b2e0b2b662ab0c7b01b74567b2e655b7f03a35237c5b
SHA512 bab3d082ba77a9dd6fb1c5f5cca13356541256d36db63255bf2a6614f4ff8289921746602f419c7ec9d080b3c2e822c89a34d5c16fdafd0395b28240ae3b6098

Filesize 11KB
MD5 220968cc7ae466348d1026dadd65735e
SHA1 a393f164470aa795d650734016b1d3fba5250b1b
SHA256 42e41b74eeecc3b52db3c3e40868663dd9b9f2c0f089e4d99c66c7769b9f78ef
SHA512 a481f591b67b021bcaecf177bfa661a63eeaa156deddc48a142cfc84dc86cce83dafdab5bdcc0f1371e25649fd9d0f85594a7b188c8fc3fb132d5fbfd4cbe1c2

Filesize 573B
MD5 730e37ee15e02dcf1febfe34d83fc308
SHA1 72488fb7c771a8b09e9a488514cf18b2535cee7c
SHA256 94d3fafb73f128ec140815eef45bc9dcf8166d54fb575527108effc0e7bb1e39
SHA512 d43aa2dac183f1bcf22a84e17535deed9eba7e7225412736bb91206fea9a6c071226ff3e02f1496a51bc1f8d986f87523844461deea6d5e36eabcf88473acbe8

Filesize 342B
MD5 e688ee6baf97d6bdc8cbf19b95a8c3d3
SHA1 3729393c3a1ddb5caaffa71f83ee1c890f292893
SHA256 dce2bf3c5b81259cd50c8e61dcd2da461ecadba256a5aa82fc1e1de2f66f9666
SHA512 72100577944efca60e16515967f3def58bfff676ac9694e65da56b11e34ad3b62054a409f918b4bd5416174546ccf114f34fc0503065584afb0e9d5a6ca68077

Filesize 343B
MD5 072703fc85994aa98010f7aa9a6b3934
SHA1 aa0467cd97c47afad02f96974d19ba132f920846
SHA256 c9a8b3971644ae9dbb026053768ce326e61656a13e5f3e1071a2d485bd903fcc
SHA512 234a8db4cf96fc4552c65b160d9407e8654b6c67c5c5bae65622f46a2707df779b582ea5f3731511088209306cbb32ea590f75e8cfb40cf52f1190e17361b070

Filesize 19KB
MD5 01f81005dda7a7da7c970292c188e9c1
SHA1 9a72b263853f33ba1d28cf98e990ad58b5592945
SHA256 6c6ba59c14e1518f8f3c5d5426a402391088f096dbc1328c7557dfc65c38feb6
SHA512 de3ad9ebea124cbedb170b7a897463fba47d3725883edd55a82a3615fa8a008d7bd766f909e22ebd6c5b3797fcefe245b42b2974b0e5b856d5fa9d6546da7085

Filesize 29KB
MD5 64cbbd842c50e8489587b82a7b14ab4c
SHA1 d63da443a36de0976f78ca816cefb6e66f97b9d0
SHA256 fc454821159496cc8c3e5fdb41e3f3c855746ea94b27b6247677c2e8e4c30624
SHA512 22d7a03ac884419aada04483ecfd454fe7d6fdea25cf508783226b9532cfa373c84d50394a75effd2f219d25d6a216056a28847268e30c1758e19683b284f4e2

Filesize 2KB
MD5 a304f0c6ef97e5a3111a3f0a37f675d7
SHA1 d8798250d97781d598cdb8ba26c4fa8f78d0d0a0
SHA256 3c362bbb1014fa517abc47ecc325989ddd6b8fdd22302506591ea9ea4f7a2aeb
SHA512 039e3d51bba4c2f70c1eb720b57a533769cb9f9b3f812e1cf62ebb259d50bcbc42742c58a7911a3b974ae1ff4286a9b9f843ddc01fade99bc6f1e209511eb4b9

Filesize 38KB
MD5 a0f2f8de6dccac4049ba23049750cdfe
SHA1 e46b4ebc196ff434a1077fa86304cc3d0216ccd4
SHA256 dbccb1e807254fc3abd86c1a094289eb68d7129631069c3ece96ad032f84da7c
SHA512 f827ec92781a3768eb56778d1db7a50694591f9dd4a963fc3da955013f6f4e2731cf8f6952ca8f7cc92adb2a30b95a8d370452b46024cd039d20d08aa66dbb74

Filesize 16KB
MD5 86097d9281937c5a0add13b7ea2c39d0
SHA1 40b12c59e085561953828537c2a55346a370105e
SHA256 884d7de18df38995ab864b9daec048a1ba8c8d3bcf54642d4c366b5c9a29a1ed
SHA512 0a47292a1da0532867862b9b2464927ae5894d92522923c3cedcf9cdd0af95b9002746084954e92aea785f813b658e877912d5c182264c15903a55059cd0cdff

Filesize 41B
MD5 becf40c99cebb8c75f02968502839ad3
SHA1 6719271fe168541b01bf923b41011ed258a2d8d4
SHA256 1dd1226be9bebecf9b526e5ad68b5d1c26c2d9d5dc375ce715c3fb010ea4e519
SHA512 ae5e04a42116cf806e9eb42b976c40ba6ab0d16a22c8e2e74e25793f3e4b7b09adf86b5cb02fd3b82c682d73f216ad3db43f2ee440c4b0a61fd8b4e530b92d6d

Filesize 867KB
MD5 3ead47f44293e18d66fb32259904197a
SHA1 e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256 e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Filesize 29KB
MD5 645b5c948e61171982650feb0762fee2
SHA1 2424182a5e1957d963e10340236cf12ab28570a5
SHA256 c240e8b6271c51c11dccf41a5ac3b6f312208e3205336087af4785d433841a0f
SHA512 5cf9155b9504343d6ab6cf540feb3c47628b3add3a6089b9d787349efa3280964577c9fc101f9ba4f0f44c5d22bc31f2d12bea1a6a44ea4e72645972a49dddcd

Filesize 9.5MB
MD5 dfe0cd9972fb69dbc922ae92f830351e
SHA1 65238b6df365683283e0278b65de8f5e41a7e3ae
SHA256 f552e5fc3f987f3d6140b315e8166febefcbdc1b1a7a104368c6c20df2f5825d
SHA512 4211836c80a9df377d0eceb55eee9d9bcca679f1380f07b158aba985daf0799228aaa8679c2a33667c90a8912e710e1b9121a495c24cb3e5d9263b4b371015c4