Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 14:07
Static task: static1
Behavioral task: behavioral1
  Sample: 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
  Resource: win10v2004-20241007-en
The signatures and process tree reproduced below come from the behavioral1 run (the Windows 7 x64 image named in the Analysis header; the yara hit path is behavioral1/files/...).
General
Target: 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
Size: 219KB
MD5: 704b6d42185d41549884e65540ede321
SHA1: 52ba07c4213cf33bb87cd22cbc1087296480df3b
SHA256: 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422
SHA512: 59e6aedb8caea7650617dbd56107b71d3d1b30af6cc2b8f3a78aec0f4a1d93e4b7ea88ccbfa046fe78d18e42031e244909b9be3561658de00e91913f2fe73c1d
SSDEEP: 3072:l2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhWK0KK:l0KgGwHqwOOELha+sm2D2+UhngNQK44O
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid   Process
3020  avg_antivirus_free_setup_x64.exe
1212  Process not Found
2512  instup.exe
Loads dropped DLL 27 IoCs
pid   Process (number of dropped-DLL loads logged)
2828  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe (2)
3020  avg_antivirus_free_setup_x64.exe (7)
2512  instup.exe (18)
Checks for any installed AV software in registry 1 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Software\Avira\Antivirus  instup.exe
Key opened  \REGISTRY\MACHINE\Software\AVAST Software\Avast  avg_antivirus_free_setup_x64.exe
Key opened  \REGISTRY\MACHINE\Software\AVAST Software\Avast  instup.exe
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoCs below record \??\PhysicalDrive0 (the raw disk device) being opened for modification; the report does not show which sectors, if any, were written, so the signature name should be read as "obtained a writable raw-disk handle" rather than as a confirmed MBR overwrite.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
File opened for modification  \??\PhysicalDrive0  avg_antivirus_free_setup_x64.exe
File opened for modification  \??\PhysicalDrive0  instup.exe
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
resource  yara_rule
behavioral1/files/0x00050000000193fa-53.dat  embeds_openssl
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  avg_antivirus_free_setup_x64.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  instup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  instup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  instup.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  avg_antivirus_free_setup_x64.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  avg_antivirus_free_setup_x64.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  avg_antivirus_free_setup_x64.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  instup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  instup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  instup.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  instup.exe
Modifies registry class 64 IoCs
All 64 records are under \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage; they are grouped here by value name, with the written values in the order the report lists them.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage  instup.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer  instup.exe (43 writes: 44, 26, 28, 88, 1, 24, 98, 45, 46, 78, 18, 20, 34, 37, 96, 83, 22, 68, 93, 90, 39, 13, 58, 79, 27, 57, 99, 48, 81, 84, 11, 19, 49, 50, 2, 6, 16, 38, 62, 53, 76, 32, 0)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main  instup.exe (3 writes: 75, 0, 87)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress  avg_antivirus_free_setup_x64.exe (5 writes: 14, 71, 85, 42, 7)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description  instup.exe (12 writes):
  "File downloaded: avdump_x64_ais-c62.vpx"
  "Updating package: instup_x64_ais"
  "Updating package: setgui_x64_ais"
  "File downloaded: sbr_x64_ais-c62.vpx"
  "Extracting file: AvBugReport.exe"
  "Updating package: avdump_x86_ais"
  "Updating package: offertool_x64_ais"
  "Updating package: avdump_x64_ais"
  "File downloaded: part-setup_ais-15020c62.vpx"
  "File downloaded: prod-pgm.vpx"
  "File downloaded: offertool_x64_ais-c62.vpx"
  "File downloaded: avbugreport_x64_ais-c62.vpx"
Modifies system certificate store 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted)  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
When triaging this signature, check two things: whether the thumbprint belongs to a public root, and whether the write went to AuthRoot (the cache Windows fills through its automatic root update when a process first validates a chain to a root not yet on the machine) or to ROOT (the machine's own trust anchors). Here it is the former on both counts: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 fingerprint of the public DigiCert Global Root CA, and the key sits under AuthRoot\Certificates, which is the footprint of a first TLS connection from a clean image rather than of a private root being installed under SystemCertificates\ROOT\Certificates.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3020  avg_antivirus_free_setup_x64.exe
3020  avg_antivirus_free_setup_x64.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description  pid  Process
Token: 32  3020  avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege  3020  avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege  2512  instup.exe
Token: 32  2512  instup.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2512  instup.exe
Suspicious use of WriteProcessMemory 7 IoCs
description  pid  Process  procid_target
PID 2828 wrote to memory of 3020  2828  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe  30
PID 2828 wrote to memory of 3020  2828  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe  30
PID 2828 wrote to memory of 3020  2828  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe  30
PID 2828 wrote to memory of 3020  2828  36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe  30
PID 3020 wrote to memory of 2512  3020  avg_antivirus_free_setup_x64.exe  31
PID 3020 wrote to memory of 2512  3020  avg_antivirus_free_setup_x64.exe  31
PID 3020 wrote to memory of 2512  3020  avg_antivirus_free_setup_x64.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe"
  PID: 2828 (depth 1)
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  C:\Windows\Temp\asw.21ee1e2b3d60f032\avg_antivirus_free_setup_x64.exe
    Command line: "C:\Windows\Temp\asw.21ee1e2b3d60f032\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_003_999_a8a_m:dlid_FREEGSR-FAD /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /edat_dir:C:\Windows\Temp\asw.21ee1e2b3d60f032
    PID: 3020 (depth 2, child of 2828)
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Temp\asw.76b7dcc099c20e5a\instup.exe
      Command line: "C:\Windows\Temp\asw.76b7dcc099c20e5a\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.76b7dcc099c20e5a /edition:15 /prod:ais /stub_context:f4768b96-7739-43f7-ab47-580f4e3b51a4:11167936 /guid:71fa9fcb-ae92-4509-b535-07dde8a841a5 /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /no_delayed_installation /cookie:mmm_bav_003_999_a8a_m:dlid_FREEGSR-FAD /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /edat_dir:C:\Windows\Temp\asw.21ee1e2b3d60f032
      PID: 2512 (depth 3, child of 3020)
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Writes to the Master Boot Record (MBR)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
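The WriteProcessMemory IoCs and the process tree above are the same data in two shapes: the parent/child edges can be recovered from the IoC text alone. The Python below is an added example, not part of the Triage report or of the AVG installer. It parses the flattened "wrote to memory of" records into de-duplicated edges, renders the tree, and pulls the "File downloaded:" package names out of the "Modifies registry class" records. The IoC text and the pid-to-image lookup are constructed inline from this page; the field layout the regexes assume (PID <parent> wrote to memory of <child> <parent> <image> <target procid>) is inferred from these lines and may not hold for other Triage signature types.

```python
import re
from collections import defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" IoC text from this
# report. Each record reads
#   PID <parent> wrote to memory of <child> <parent> <parent image> <target procid>
WPM_IOCS = """
PID 2828 wrote to memory of 3020 2828 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe 30
PID 2828 wrote to memory of 3020 2828 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe 30
PID 2828 wrote to memory of 3020 2828 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe 30
PID 2828 wrote to memory of 3020 2828 36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe 30
PID 3020 wrote to memory of 2512 3020 avg_antivirus_free_setup_x64.exe 31
PID 3020 wrote to memory of 2512 3020 avg_antivirus_free_setup_x64.exe 31
PID 3020 wrote to memory of 2512 3020 avg_antivirus_free_setup_x64.exe 31
"""

# Constructed input: a handful of the "Modifies registry class" records from this
# report (the full signature has 64 of them).
REG_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44" instup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "14" avg_antivirus_free_setup_x64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-c62.vpx" instup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais" instup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-c62.vpx" instup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe" instup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage instup.exe
"""

# Constructed lookup from the report's "Executes dropped EXE" signature: image
# names for PIDs that only ever appear as the written-to child.
DROPPED_EXES = {3020: "avg_antivirus_free_setup_x64.exe", 2512: "instup.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
REG_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+) = "([^"]*)" (\S+)')


def parse_wpm_edges(text):
    """Return de-duplicated (parent_pid, parent_image, child_pid) edges in first-seen
    order. Triage logs one IoC per WriteProcessMemory call, so edges repeat."""
    edges = []
    for parent, child, image in WPM_RE.findall(text):
        edge = (int(parent), image, int(child))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges, known_names=None):
    """Turn edges into (roots, children-by-pid, image-by-pid). A root is a pid
    that writes into other processes but is never written into itself."""
    children = defaultdict(list)
    names = dict(known_names or {})
    child_pids = set()
    for ppid, pimage, cpid in edges:
        children[ppid].append(cpid)
        names[ppid] = pimage
        child_pids.add(cpid)
    roots = [pid for pid in children if pid not in child_pids]
    return roots, dict(children), names


def render_tree(pids, children, names, depth=0):
    """Render 'pid image' lines, each child indented two spaces under its parent."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {names.get(pid, '<unknown>')}")
        lines.extend(render_tree(children.get(pid, []), children, names, depth + 1))
    return lines


def downloaded_packages(text):
    """Collect the 'File downloaded: <name>' strings written to
    InstupProgress_Description; returns (package name, writing process) pairs."""
    found = []
    for _kind, key, value, proc in REG_RE.findall(text):
        if key.endswith("InstupProgress_Description") and value.startswith("File downloaded: "):
            found.append((value.split(": ", 1)[1], proc))
    return found


if __name__ == "__main__":
    roots, children, names = build_tree(parse_wpm_edges(WPM_IOCS), DROPPED_EXES)
    print("\n".join(render_tree(roots, children, names)))
    for pkg, proc in downloaded_packages(REG_IOCS):
        print(f"downloaded {pkg} ({proc})")
```

Run directly it prints the three-level tree rooted at PID 2828 (2828 -> 3020 -> 2512, matching the Processes section) followed by the two "File downloaded" entries in the sample records. The de-duplication matters because the IoC count (7) reflects calls, not distinct parent/child pairs (2).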
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (T1112): 1
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
- Subvert Trust Controls (T1553): 1
  - Install Root Certificate (T1553.004): 1
Downloads

Filesize: 1KB
MD5: bc7ef17d1cc3839e267a6bd40a9e49b0
SHA1: 7007017c3145f8f1685d6161560c1bc708ac99bf
SHA256: 7bb2c32b6d4e5da7ed5de43b857b568538829c95296b962f93ccaf3b78e394ac
SHA512: 4e7a90d8395686e969da05ae8aa7244819444a45e1b39446577e522d65f63558feddab0ca6f02857dd1cd7f38e70abc4503c63bfd1ea4b83a6cf31aff84a303c

Filesize: 10.7MB
MD5: 67337e485e2bc58d16b78674194ccf5e
SHA1: d9d53590ee45868f5e993e28407d11da18915a49
SHA256: 2f17ecd381dbb368379d274fc0783a912c6d0e1c1870a741f940d2c71e3f6bef
SHA512: bd34d0e4bd321256b7923dffd817923584b99a68bb9b69f30d249f991be2fb0bdc637ca747b2b38c439d8e31dd6ea1b8e1dda742c8df55632c5961b7bdfd306f

Filesize: 38B
MD5: 834914832cf4e739057be03e60d20884
SHA1: 352fc1a7c0bb2ebd96ae66c135a0d6a18943cd19
SHA256: a0de647574f0a401ed84b266c3a4b71714f51e0dcffbeca4aae395ece61aed66
SHA512: 987efd1d22fb7d08ac35e8a7b8b89301ad2de51ffc8dac74d811e8e5bae1e107ac409c7d91f043ad814546da3152a3e581a3720249e248463abe2b9a14b454e1

Filesize: 21.7MB
MD5: 868b5c92cbd5394800f72ed7e843a1c0
SHA1: 4292711d86c2f87f813a17ac3cd606fc2d6db305
SHA256: e46f6295acd6d09164a8c2e196f02786338c54ebab0056b7e430b50a2c49f481
SHA512: 3203c12e050a9225d838cdb79ba6348f1b1d381974c44b1c275b713e214d2839c6523d1ee8784b45c76bb5dd33ce70a13c8e621c460171d2d951e6af39cf1694

Filesize: 3.7MB
MD5: 023c18dc05f673644d0b2cce3cd63b8c
SHA1: c87b13de1ba7613d5b24dc1b092c810bdb30b608
SHA256: 66a1b91e2023773c79bd9c3d9d3828b468fcdbc0f3f568619745628ca5a76004
SHA512: 8229c569e9b909b3e04ce3eab4b3560539df88de6899ec1fc953f1481c25f48f5323aa9ec42e95acc64d9e5a1f09c6514339a654e54c56061e0485664cfdc017

Filesize: 19.1MB
MD5: 917a284494cbe4a4ec85e1ec768339c9
SHA1: 47ccc0a04ecc7c3c1ff79bf42d424cfda356137c
SHA256: 57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772
SHA512: 90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

Filesize: 831KB
MD5: ce4d45d0b684f591d5a83fdbd99bd306
SHA1: e89637b905c37033950afadaca2161bd5b09fb5e
SHA256: 907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7
SHA512: af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

Filesize: 3.8MB
MD5: 0b830444a6ef848fb85bfbb173bb6076
SHA1: 27964cc1673ddb68ca3da8018f0e13e9a141605e
SHA256: 63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f
SHA512: 31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

Filesize: 4.5MB
MD5: bbb61ad0f20d3fe17a5227c13f09e82d
SHA1: 01700413fc5470aa0ba29aa1a962d7a719a92a82
SHA256: 39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e
SHA512: c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

Filesize: 767KB
MD5: f75d663065c0ccd7e63bf2accdafed7a
SHA1: daa2d2415cb3d0f27fb4591889d01583c45e5ffd
SHA256: 0d25e74cf179f4fa2febb01cb647b6ca0e6fa3c6499ed7eee3f1557775e1b6c8
SHA512: 783a35d57236ec1b5f4d730cf15f201a26356953eeec848beb5125351f3976908495ab6128117f4dae72986480675f880e9268b7ff72b00a1bdcd78042c2ad90

Filesize: 18KB
MD5: b287ff221fcc9ed0834d24809fe35b97
SHA1: 8bc09ba498c1a33f3226e6e55eb769e7d017cf9c
SHA256: 292369211d5a83d0a54c28afcb396cc6f9a8626e0ad109c8ddac19742deb5aff
SHA512: 3da3c73c074b417e4478c8a9e52c9f1debcfe4d5fe58467ca07b6c7a362b5705ad707f7af89af1eead8b699454f77cba364eba3d3759fcaa6c03e971b2b7a056

Filesize: 19KB
MD5: a37c6d8fbae7c03c19b94c4c9da64174
SHA1: 4417a9503b2be52caaa2bd73224f3359eeb32558
SHA256: 761b97970c0442c780bd547037f8ab8caca544900ccb99458221e63f1e3d275b
SHA512: c8288ed1ac6fce88d52eb831b0e8ecc7be8294189601699e91c90c3166dc5f0db54ea6fc9faf9e7087bde945a5564fb37d482f962b3a13d97cbbb13bd1b2957c

Filesize: 689B
MD5: f628a6796b03446de2cb2603810d68b9
SHA1: 314407ecbb643d5b0ada656d734d8872e8af41f0
SHA256: 1bdecbcbd64244e6999a5ca252ca45738e81c1658ac31a14155224ab12fe6561
SHA512: 5f1e0bb02f82c3ebca750e327de0d349aafb948ff570bf77a8c7af7941b8b0489e3f75f2a07dd9413cd1926c875eb275238e4c65e88383e99ff7ac7158501b53

Filesize: 5KB
MD5: d5b798d8816b252e7d718195dfeb8a8c
SHA1: 860c5807fd491aeeb12d661d8cf2ecca4ca1639b
SHA256: 75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499
SHA512: 16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

Filesize: 570B
MD5: 6c1d9e1205004626b884438704c0631a
SHA1: 00b5fd840f4fdcab41cc89da9fc1141c7594870b
SHA256: 067a441767c324abf5e72729e70ae1edff257611232c08e5181ccac83f10ebec
SHA512: 443c896b88520013cd43093ea6f934e179e7a64ce4d3443ab531798ce73298c5eb5dff22a554fbfd1a141daad9344fa69d170e5f727ec61652b3e297a878316e

Filesize: 343B
MD5: 3db64dd18a9c8b5f30520cb1e4dd1a97
SHA1: d52b3cb5111366c8571d545b5c527a0bb339eaf1
SHA256: 5a6d11525163362dcf13d6557917c4f4af912d9f3de7d9ace9ffa3ca5c01a76b
SHA512: 92ff3730244782f51fd5ed03534ec87df5c04ccc8d3add3fbb6d30a82898cd69a03cfb628f6f0d210d9d900a7b3a140e4868749ed8270aa35cde52108f6b6077

Filesize: 27KB
MD5: c7e6e4e24e5ab4f8a02a45faa0b0d488
SHA1: 2f07929c3d89cee87b9215b544a853254e0b0954
SHA256: f9cb6948ee78d3250299f811168348e554419d70cc33ac0cfd8c7258678fdb7c
SHA512: fb988fffa9b8b2c6aab74b605e0d24642042a614094bb35b3a51f80f0dee6bbae365a8fad71af1f004bf405f7ce6396794f9850125ee3a2a293a5e7d9f056a04

Filesize: 1KB
MD5: a5f4c9bc6ea5c71f763b215ded1298d2
SHA1: 87e4f4be5dd37ddb13d220ccef88ae9091d0b452
SHA256: 057585349fc3568979e1d5ef62c32b801ac23835c2f224464a7300875b9f28c7
SHA512: 65f625ed27187c68c8d376626b5df38a96869fc1794a956f4fb87b3753dbfd0c1bec9e824a026c363bd0f5f1fbc55dfd37a26dc23f7af17254cf4e4a771f5244

Filesize: 37KB
MD5: 3fc9d055795a4c01893e5661f300c513
SHA1: 29c64165afecea436a2dcb57dd5b54163a002df4
SHA256: 425eb69377f5ab3508bca26402d48377ab0362840ef0c77852236f45efc597e0
SHA512: e1622c0390a66dba328f5c699b10b32c66aec8a20474a6b5d49c2e0faf3a9997620db0f2162d6763976d70159e53363e9217d372cb19f982241f66ec8761c902

Filesize: 16KB
MD5: 65102de34e58a65be304b144659b8647
SHA1: 062183fa6bfc38f64a9ba59ba3c6d642ff19e553
SHA256: 5b94dc186cb9a01363a4c4220d4ad9940ba5294a354a5013ffb445e94f4eb09d
SHA512: b33431c4f0afc0528080505609c5c6efe6b9ac9a71c30380723fec14bcccc56056baede824b105231793e40e0d5342ce8863d4c4d75611cf7ac1b315c534b766

Filesize: 4.0MB
MD5: b39614a52de7353db442a5e990d8b007
SHA1: 6b9e95a06905267729e721167f99982033a3fa11
SHA256: 22a35a503c3060365c5107bb0f6b17113cca77f9c76993904140f616858ea10f
SHA512: 5ad0217ef70eb3baba368ccb5d05c54a479351be706ac95b268ee7dc1aa24ea00674134dc60c143bcbe5cf21d6759c18e965a6bd89bef7d0cc20f77967f56b7c

Filesize: 3.1MB
MD5: c545527e69a46359a4a45f58794a0fe5
SHA1: e233e5837bfe5d1429300fb33f12f5b54689781b
SHA256: 8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9
SHA512: 754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

Filesize: 15KB
MD5: e38cc92cd980a55d811316ac62883e14
SHA1: fa83737abe11ee825c3da6843cc4d8e3b459729a
SHA256: be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87
SHA512: 1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

Filesize: 907KB
MD5: 43dc9e69f1e9db4059cf49a5e825cfda
SHA1: 519298f8a681b41d2d70db2670cc7543f1ee6da4
SHA256: 98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d
SHA512: d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

Filesize: 29KB
MD5: 5c3a0ff89b572f0a54bdc16bc480527f
SHA1: 917800855ab584ffe8433dd54d2b4de116d29b2e
SHA256: fdb1dc6d11fbe94ccce0efe751db6f034cd20741131572411cffb75d9b1f4b34
SHA512: 0264af292eca657858a015c5848bbaa831e6b55fcfe2be98a12411511f3a5f8b8071e51ea1f83a800a30349da4e32357374ed0b984ad6fe00e1aaf29540adaf9