Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
  Resource: win10v2004-20241007-en
General
Target: fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
Size: 247KB
MD5: ab4f5253bfc80bac760c4a7d8849f524
SHA1: c871229e32b12bc731e2b86e638c7e03f759ee11
SHA256: fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9
SHA512: 49ed70bc202f69865d223f66282dd73a370b759370b8830b4814322f10fac38baa0d34dff64a77b3fb1b7de68b77c4502df1f35244e954b8008fe067cee8daf0
SSDEEP: 3072:82RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhBn+TF:80KgGwHqwOOELha+sm2D2+UhnguyRr
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
  PID   Process
  3928  avast_free_antivirus_setup_online_x64.exe
  4328  instup.exe
  1480  instup.exe
  1260  aswOfferTool.exe
  4768  aswOfferTool.exe
  1408  aswOfferTool.exe
  4344  aswOfferTool.exe
  3428  aswOfferTool.exe

Loads dropped DLL (11 IoCs)
  PID   Process
  3556  fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
  4328  instup.exe (4 loads)
  1480  instup.exe (4 loads)
  4344  aswOfferTool.exe
  3428  aswOfferTool.exe
Checks for any installed AV software in registry (1 TTP, 52 IoCs)
Of the 52 events, only the two opens of \REGISTRY\MACHINE\Software\Avira\Antivirus touch a third-party vendor; the remainder are the installer reading, creating and writing its own Avast Software\Avast configuration keys.
  Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings  instup.exe
  Key opened          \REGISTRY\MACHINE\Software\Avira\Antivirus  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties  instup.exe
  Key created         \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client  instup.exe
  Key opened          \REGISTRY\MACHINE\Software\Avira\Antivirus  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes  instup.exe
  Key opened          \REGISTRY\MACHINE\Software\AVAST Software\Avast  avast_free_antivirus_setup_online_x64.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder  instup.exe
  Key queried         \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions  instup.exe
  Key created         \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile  instup.exe
  Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder  instup.exe
  Key opened          \Registry\MACHINE\SOFTWARE\Avast Software\Avast  avast_free_antivirus_setup_online_x64.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  instup.exe
  Key opened          \REGISTRY\MACHINE\Software\AVAST Software\Avast  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder  instup.exe
  Key created         \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile  instup.exe
  Set value (str)     \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions  instup.exe
  Key opened          \REGISTRY\MACHINE\Software\AVAST Software\Avast  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings  instup.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder  instup.exe
  Key opened          \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast  avast_free_antivirus_setup_online_x64.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder  instup.exe
Writes to the Master Boot Record (MBR) (1 TTP, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. This signature fires when a handle to the raw disk is opened with write access; it does not by itself show that sector 0 was rewritten. To confirm or dismiss it, capture the first 512 bytes of \\.\PhysicalDrive0 before and after the run and compare the boot code and partition table.
  File opened for modification  \??\PhysicalDrive0  instup.exe
  File opened for modification  \??\PhysicalDrive0  fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
  File opened for modification  \??\PhysicalDrive0  avast_free_antivirus_setup_online_x64.exe
  File opened for modification  \??\PhysicalDrive0  instup.exe
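The check described above, as an added example that is not part of the sandbox report: a parser for sector 0 of a disk and a differ for two captures, so that a "File opened for modification" on PhysicalDrive0 can be confirmed or ruled out. The two sectors at the bottom are constructed in the script (one NTFS partition, then the same table with swapped boot code) so it runs offline; read_sector0() is the live capture for a Windows host and is an assumption about where you would obtain the real data.

```python
# Added example (not part of the sandbox report): parse sector 0 of a disk
# and diff two captures. The constructed BASELINE/IMPLANTED sectors stand in
# for "before" and "after" images; read_sector0() needs administrator rights
# and is not called by the demo.
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440     # 4-byte NT disk signature, then 2 reserved bytes
PT_OFFSET = 446           # four 16-byte partition entries
BOOT_SIG_OFFSET = 510     # 0x55 0xAA


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into the pieces a bootkit would touch."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_id, lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id != 0:          # type 0 marks an unused slot
            partitions.append(Partition(i, status == 0x80, type_id, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": tuple(partitions),
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xaa",
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Human-readable list of what changed between two sector-0 captures."""
    a, b = parse_mbr(before), parse_mbr(after)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) rewritten")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    if a["boot_signature_ok"] and not b["boot_signature_ok"]:
        findings.append("0x55AA boot signature destroyed")
    return findings


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Live capture on Windows (run elevated). Assumed usage, not exercised here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Constructed test helper: assemble a sector from its parts."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, type_id, lba, count)
        for bootable, type_id, lba, count in partitions
    ).ljust(64, b"\x00")
    return (boot_code.ljust(DISK_SIG_OFFSET, b"\x00")
            + struct.pack("<IH", disk_signature, 0)
            + table + b"\x55\xaa")


# Constructed sample data: one bootable NTFS partition. IMPLANTED keeps the
# partition table but replaces the boot code, the classic bootkit footprint.
LAYOUT = [(True, 0x07, 2048, 1_048_576)]
BASELINE = build_mbr(b"\xeb\x63\x90" + b"\x90" * 32, LAYOUT)
IMPLANTED = build_mbr(b"\xeb\x63\x90" + b"\xcc" * 32, LAYOUT)

if __name__ == "__main__":
    print("unchanged:", diff_mbr(BASELINE, BASELINE) or "no differences")
    print("implanted:", diff_mbr(BASELINE, IMPLANTED))
```

A clean result for all four processes above (an empty diff) is the evidence that the write-access open was a read of disk geometry or serial rather than a persistence attempt; a changed boot-code hash with an intact partition table is the pattern the signature text warns about.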
Embeds OpenSSL (1 IoC)
Embeds OpenSSL; a statically linked TLS stack can carry its own trust store and so bypass TLS interception that relies on the Windows certificate store.
  Resource  behavioral2/files/0x000a000000023b95-44.dat  YARA rule: embeds_openssl
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aswOfferTool.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aswOfferTool.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aswOfferTool.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aswOfferTool.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aswOfferTool.exe
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  instup.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  avast_free_antivirus_setup_online_x64.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  instup.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  instup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  instup.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  avast_free_antivirus_setup_online_x64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  avast_free_antivirus_setup_online_x64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  instup.exe
Modifies registry class (64 IoCs)
All 64 events are under \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage, which the installer uses here to publish its own progress counters and status strings (the value names and contents below):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage  avast_free_antivirus_setup_online_x64.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage  instup.exe
  Set value (int)  SfxInstProgress  avast_free_antivirus_setup_online_x64.exe, 5 writes: 100, 35, 78, 92, 28
  Set value (int)  InstupProgress_UpdateSetup_Main  instup.exe, 2 writes: 100, 87
  Set value (int)  InstupProgress_UpdateSetup_Syncer  instup.exe, 37 writes: 62, 74, 58, 33, 99, 53, 4, 29, 47, 37, 77, 80, 1, 31, 54, 96, 50, 75, 12, 98, 76, 87, 0, 8, 15, 16, 20, 73, 64, 11, 22, 25, 41, 44, 79, 100, 68
  Set value (int)  InstupProgress_Installation_Syncer  instup.exe, 2 writes: 96, 18
  Set value (int)  InstupProgress_Installation_Main  instup.exe, 1 write: 0
  Set value (str)  InstupProgress_Description  instup.exe, 15 writes:
    "File downloaded: avbugreport_x64_ais-a4e.vpx"
    "Updating package: sbr_x64_ais"
    "Checking install conditions"
    "Extracting file: sbr.exe"
    "Updating package: avdump_x86_ais"
    "Extracting file: instup.dll"
    "Updating package: setgui_x64_ais"
    "Extracting file: aswOfferTool.exe"
    "File downloaded: instcont_x64_ais-a4e.vpx"
    "Updating package: offertool_x64_ais"
    "File downloaded: sbr_x64_ais-a4e.vpx"
    "Updating package: avdump_x64_ais"
    "Updating package: instup_x64_ais"
    "File downloaded: avdump_x64_ais-a4e.vpx"
    "Replacing files"
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID   Process
  3928  avast_free_antivirus_setup_online_x64.exe (4 events)
  1480  instup.exe (6 events)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token                   PID   Process
  32                      3928  avast_free_antivirus_setup_online_x64.exe
  SeDebugPrivilege        3928  avast_free_antivirus_setup_online_x64.exe
  SeDebugPrivilege        4328  instup.exe
  32                      4328  instup.exe
  SeDebugPrivilege        1480  instup.exe
  32                      1480  instup.exe
  SeDebugPrivilege        1408  aswOfferTool.exe
  SeImpersonatePrivilege  1408  aswOfferTool.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  4328  instup.exe
  1480  instup.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  Writer PID  Writer process                                                          Target PID  procid_target  Events
  3556        fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe  3928        96             2
  3928        avast_free_antivirus_setup_online_x64.exe                               4328        102            2
  4328        instup.exe                                                              1480        104            2
  1480        instup.exe                                                              1260        106            3
  1480        instup.exe                                                              4768        107            3
  1480        instup.exe                                                              1408        109            3
  1480        instup.exe                                                              3428        113            3
Processes

[1] PID 3556  C:\Users\Admin\AppData\Local\Temp\fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe"
    Signatures: Loads dropped DLL; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  [2] PID 3928  C:\Windows\Temp\asw.8fda303b1bbce475\avast_free_antivirus_setup_online_x64.exe
      Command line: "C:\Windows\Temp\asw.8fda303b1bbce475\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_003_999_a8a_m:dlid_FAV-ONLINE-HP /ga_clientid:57f960ae-a5a3-420d-80ba-11f2ae3eaacb /edat_dir:C:\Windows\Temp\asw.8fda303b1bbce475
      Signatures: Executes dropped EXE; Checks for any installed AV software in registry; Writes to the Master Boot Record (MBR); Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] PID 4328  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\instup.exe
        Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.c7bb8ae92a23a6ef /edition:1 /prod:ais /stub_context:8d92f919-4b73-49b1-8f80-97f89387074a:11072232 /guid:bc17b316-9d3b-4c01-ad96-ac7528f0789b /ga_clientid:57f960ae-a5a3-420d-80ba-11f2ae3eaacb /no_delayed_installation /cookie:mmm_ava_003_999_a8a_m:dlid_FAV-ONLINE-HP /ga_clientid:57f960ae-a5a3-420d-80ba-11f2ae3eaacb /edat_dir:C:\Windows\Temp\asw.8fda303b1bbce475
        Signatures: Executes dropped EXE; Loads dropped DLL; Checks for any installed AV software in registry; Writes to the Master Boot Record (MBR); Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      [4] PID 1480  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\instup.exe
          Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.c7bb8ae92a23a6ef /edition:1 /prod:ais /stub_context:8d92f919-4b73-49b1-8f80-97f89387074a:11072232 /guid:bc17b316-9d3b-4c01-ad96-ac7528f0789b /ga_clientid:57f960ae-a5a3-420d-80ba-11f2ae3eaacb /no_delayed_installation /cookie:mmm_ava_003_999_a8a_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.8fda303b1bbce475 /online_installer
          Signatures: Executes dropped EXE; Loads dropped DLL; Checks for any installed AV software in registry; Writes to the Master Boot Record (MBR); Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        [5] PID 1260  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe
            Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe" -checkGToolbar -elevated
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

        [5] PID 4768  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe
            Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe" /check_secure_browser
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

        [5] PID 1408  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe
            Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

          [6] PID 4344  C:\Users\Public\Documents\aswOfferTool.exe
              Command line: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
              Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery

        [5] PID 3428  C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe
            Command line: "C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5\aswOfferTool.exe" -checkChrome -elevated
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
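Rebuilding the tree above from the flattened report rows, as an added example that is not part of the sandbox output: the parser takes the "Suspicious use of WriteProcessMemory" rows (copied from this report, with repeated rows trimmed after the first pair, which is kept to show why the parser dedupes), recovers parent/child relations, renders the tree and notes which images run from directories a standard user can write to. The image paths are taken from the process list; the parent of PID 4344 is not in the WriteProcessMemory rows and comes from the nesting shown above; STAGING_ROOTS is an assumption about the target's default directory ACLs.

```python
# Added example (not part of the sandbox report): rebuild the process tree
# from the flattened WriteProcessMemory rows and flag staging directories.
import re
from collections import defaultdict

# Rows copied from the report, one per line; the first pair shows the
# duplication the sandbox produces, the remaining duplicates are trimmed.
WPM_ROWS = """\
PID 3556 wrote to memory of 3928 3556 fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe 96
PID 3556 wrote to memory of 3928 3556 fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe 96
PID 3928 wrote to memory of 4328 3928 avast_free_antivirus_setup_online_x64.exe 102
PID 4328 wrote to memory of 1480 4328 instup.exe 104
PID 1480 wrote to memory of 1260 1480 instup.exe 106
PID 1480 wrote to memory of 4768 1480 instup.exe 107
PID 1480 wrote to memory of 1408 1480 instup.exe 109
PID 1480 wrote to memory of 3428 1480 instup.exe 113
"""

ASW_DIR = r"C:\Windows\Temp\asw.c7bb8ae92a23a6ef\New_180a17f5"
IMAGES = {   # image paths from the Processes section of the report
    3556: r"C:\Users\Admin\AppData\Local\Temp\fc82dae07a2ed2e600e072d5266804693a0048d6434fdae832264f021a0d97e9.exe",
    3928: r"C:\Windows\Temp\asw.8fda303b1bbce475\avast_free_antivirus_setup_online_x64.exe",
    4328: r"C:\Windows\Temp\asw.c7bb8ae92a23a6ef\instup.exe",
    1480: ASW_DIR + r"\instup.exe",
    1260: ASW_DIR + r"\aswOfferTool.exe",
    4768: ASW_DIR + r"\aswOfferTool.exe",
    1408: ASW_DIR + r"\aswOfferTool.exe",
    4344: r"C:\Users\Public\Documents\aswOfferTool.exe",
    3428: ASW_DIR + r"\aswOfferTool.exe",
}
TREE_ONLY_PARENTS = {4344: 1408}   # not in the WPM rows; from the tree nesting
# Assumption: on a default Windows install standard users can create files here.
STAGING_ROOTS = (r"C:\Windows\Temp", r"C:\Users\Public")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ (\d+)")


def parse_wpm(text: str) -> dict:
    """{child_pid: parent_pid}; repeated rows for the same child collapse."""
    parents = {}
    for m in WPM_RE.finditer(text):
        writer, target = int(m.group(1)), int(m.group(2))
        parents.setdefault(target, writer)
    return parents


def lineage(pid: int, parents: dict) -> list:
    """Root-to-leaf chain of PIDs for one process."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(root: int, parents: dict, images: dict) -> list:
    """Indented one-line-per-process view, children in report order."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid}  {images.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def staging_hits(images: dict) -> dict:
    """{staging root: [pids whose image lives under it]}"""
    hits = defaultdict(list)
    for pid, path in images.items():
        for root in STAGING_ROOTS:
            if path.lower().startswith(root.lower() + "\\"):
                hits[root].append(pid)
    return dict(hits)


PARENTS = {**parse_wpm(WPM_ROWS), **TREE_ONLY_PARENTS}

if __name__ == "__main__":
    print("\n".join(render_tree(3556, PARENTS, IMAGES)))
    for root, pids in staging_hits(IMAGES).items():
        print(f"{root}: {pids}")
    print("chain to the unelevated copy:", " -> ".join(map(str, lineage(4344, PARENTS))))
```

Run against this report it shows eight of the nine processes executing from C:\Windows\Temp or C:\Users\Public, and the one copy launched without -elevated (PID 4344) sitting under C:\Users\Public\Documents at the end of a chain of elevated parents; those two facts are what the tree above states and what a triage note should carry forward.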
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 28KB
MD5: 3916471efedc84ddf677b29609d1d479
SHA1: 502a390705c68c350577bd1499056683ce8e59bf
SHA256: 5faad0c04e9a37cda9ee14f23945c7e576cdc31934350ccae498da6491ea6852
SHA512: 678e57bde5bc9139de779e155a603d84afdb1082a32ea3a83cd07a65fbdd7b3f1cba5b9176ae68c613dedd2a861a095cf22cc17498dbf0ae9d50913d1b53d80d

Filesize: 1KB
MD5: b5a43e6180af3b70477ea163206416db
SHA1: 27054eb3b2b154f66b559cb5d1f6a49e8bbc17cc
SHA256: c22141f49062d8828955e2847cb8e94cd7203b1208259284f4b8194178ec790d
SHA512: 3b954099d47d25cd5056820c892eff2a0b35a5806c6931faa8bb45753eb68ecb84e8abc21630a3beb91584ed9a1b91b8bdcd1095533d19247b4b54a47d515966

Filesize: 142B
MD5: 37183f74e2f8ecf62eec6e12b846e7b0
SHA1: 9e11f35120896baec6e6079191c64173baa5025c
SHA256: 44da04b58a7b8f4b36355e1df16e837e45cfebf276d21e85d330088abb302507
SHA512: 40013e1e828b2c6c7ddd2339f7f14f387c295dedfe3e49a887839dbf2a23e5773d0bbfa0eb0d55193aa8521e56846b7459db686c6dbe6cc00e81823bc80484b3

Filesize: 867KB
MD5: 3ead47f44293e18d66fb32259904197a
SHA1: e61e88bd81c05d4678aeb2d62c75dee35a25d16b
SHA256: e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905
SHA512: 927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

Filesize: 10.6MB
MD5: 285b70b3ac1698009e386ece00acee56
SHA1: dda4d5748970490ca1100d7e076045b3648008a3
SHA256: df8b438844b84bae4a78bd4a593fd28be2fd58a0fd431e4b942661eea9476dc0
SHA512: 5c4a1819cd444d576e81fa10a686dabce9e66fae197aa1668cc2d394289a2722eeed7f88f5d3b80b2c9526ede50cb03deba999ecbaeb30e212c91e84b540580f

Filesize: 40B
MD5: e474dbcce611441cc45940ccb6463340
SHA1: 61b5a8a78cfe610683d9c96c3065fd8acf60b63e
SHA256: dacde89602498617c0096e9809c514234e1aa9f9c7ba6dad8adb1125ddf70696
SHA512: 0b4ddaf015708ff3e66781856cda92bd0d0f2d0288211a8463fad9aa1af1ec4d54e2f1832e6428bfddd93b71e3a77fb2ea0484c16faf0baa98bd09776fe9406c

Filesize: 4.0MB
MD5: b0e91293160024bfc0302bbdadd0bb9c
SHA1: 005fbe3c47213d4b791c05f2a8a6932dc70357e9
SHA256: 3db7c1fc402a689bb160ed2d0bc12edb6765307c725ad02e7b27510008b4f8ca
SHA512: f7239b26fedc2a90c2b267467781ff26512890b879772bcc0809409a368fefd74a8930d8d4958559381dd57f7bdc769668c5ec638b5ad82e4a20a1e0217e9304

Filesize: 21.7MB
MD5: 0d09efc988c41b14c4fd0bd9c1457b87
SHA1: 7c8bb0b4760edfc009e8b122124aa2b70e1da93a
SHA256: 49ae4e9a468593038c1ab7fd6f988ddc0eace7e8c3c407c53b130e2eba1506fb
SHA512: b54c3ab104ce574690155d672146be30a1ae45abec71ddaad81ba16f9435f76deb4daccab628b006cbde0e9c9a85b99a3b8a33ad4dd3ebdc05a2dbb963062993

Filesize: 3.7MB
MD5: 6179a6bcb9d35753d2deb3c1594a9bad
SHA1: d114563b01f474084efd2c4f7edef133cdc1018f
SHA256: 0f1d9af4f5eee63bf1959ec61e459f9f304c77ba3af29cbd640910661ecbe2d2
SHA512: 2cd159f3de29a011d4b6c807e87c3b404e311f39d015b5760febab1f480cca9bb8472ec53e912d526eaba65f58659acea1530923caa6c2baa60cfd9f98786f69

Filesize: 1KB
MD5: bfd5a11d0d2acd2960d179fc94d45e78
SHA1: 1b5ca592d6b8d6ceb1a43212ddaf72b0ed13f998
SHA256: 0a5268ba9b369c6bf8691f0c54f159c9b550d4584a54e58988b824b4bc98a669
SHA512: fc30c54b3c0e769da99689ba549d79ee6c76ea7557300fbc0fbdd24eeb9fca42ca40196bbed7813eba717a6deeb5ada4b062b5dbdb4fd8755c2443b08f896a87

Filesize: 5.6MB
MD5: 842ce0dd7cb9f7da03deeaca914d2601
SHA1: 4fb1155f24c0a21ce05422acef92315b28cd00b0
SHA256: 8611887d7a6d0e09154624ae8842101b75cebb9fbfed3ea5b75757dbf27f9c2b
SHA512: afc099e544c225ee59ea322b9e8214eaa52e38f87c3ef1e9c1342381ed6297edf0f2305e110e0161a8bc285282277e8f71d97c6975be2692694b252b7fc14227

Filesize: 3.3MB
MD5: 1015a45d5a55cc49d7c9c7b738059b42
SHA1: 378b0613fdb97f20c4fa7ada4d6ff477235ed714
SHA256: 540d3f4ac06e02499b99a63e385fad6b9da3a0ddddd0f53c471fa337b29f6c9c
SHA512: 0ea22eee2e4888a14ec99f288e115e94787dc98e4e23431fcecc19a7b54f5f7511b01317709a1fc5df667f97b7eda25d0cdb54b15b1e26c8d14921462a43089e

Filesize: 40KB
MD5: 37b52ad27196b825ef96a72a4a190333
SHA1: ede227946b52e30d4bb4a15ac340582243d48e72
SHA256: 7a47e4881c6428b8d139768028c572687853e1fe482085d6c5ce5249a25e2dda
SHA512: c821abf46200d5942bac9f9210a414054b16cf68479a9ba8b485a6f0009cfc245b166dd15d4bd0775fe20ffe11e892fd095f0d2ac84d85c0474c07db0be07679

Filesize: 32KB
MD5: 5a0f70dfbf66819ca9c50d6ac6f3702a
SHA1: ab4d2eac9985dba69422cf8cd6bc36846eda1855
SHA256: 31acc29e2df1d0841bbe81db1c28e145d44aa5805c3fd3a1615b6768a08514c2
SHA512: 13b24f45680e1607dc6fd2560b697918d11c4d8fec1ef561961e5846887f37623470782e36daa16005bf52142de3bd2ff15860c015a798e4729d6625c335c0ad

Filesize: 33KB
MD5: 571701dcda011de7ae6b4ba48c2a5e86
SHA1: e03c3b69f31bd86f4db2a5691ec43a97879281f5
SHA256: b27df835a041953787acb77e97250a70f813c7289eb772b74198523cd164a8e5
SHA512: 5dee7684c8560a504c19b3e16e5953fd19c83a7c1717a9003cfea13486a70a538730f3366b4c062326c2ed2e45af5282d1a25afcc2512bbb5329cd06f4e8f33c

Filesize: 887B
MD5: f6f3286d8df488ac179b09c6703a001c
SHA1: 7961ad39f9c049cc542e9c17e89546af3ef5d627
SHA256: 26efee0d45ba8b7c57c85eba0ab0e0b5375aad38f8a6a8ef31b55d69f7debcd4
SHA512: 34b5eafe7af23859d8b370216a86d559fa6bfcbaed697ff87cb7e10c256fb854d42739de9b6e3c24c1eb3eb41afe12714067bef546a7337bbb02f0c6c02386df

Filesize: 2.4MB
MD5: 6f6329510f25a07190dcb390f64aafb0
SHA1: bb01be426c6b48ffd4de21bbc8b57d5ac98dcd3b
SHA256: d494b12aeb973291ed85ff0ff94f734a827f14f52f9b2888824caad56a8192f1
SHA512: 5a140f6748348159ea00a686e555aa514d356a4855f75560110ac7745b172cf7e69861599d74596300252a0249f7671637d49b1cd2a63f2f43aaf818dca198f6

Filesize: 700B
MD5: 0487afba722c75421dab5ad76c907b64
SHA1: 2af01aae124736188c6879265bc8e5b8aaf5f633
SHA256: 756380ea118c2bc721918c7fe94300032667b3f5a143b6374246e80339833019
SHA512: 23047f15ca793efd76614034455653960540b7831b726234501f8bb3d057ac48ce7fef0370cb4adbffe1f1c37d4199176a701479c8824afbe3ae55ca5714ac1d

Filesize: 74KB
MD5: 7e65c81832ebfd31aaa0971528adfe72
SHA1: 59394751b3e14f516152747902e6d8f1c0799b54
SHA256: bf4f0f44ab05c6585ab85b1d2b3ad7b36ca229dc39205069bda05674d6a6e034
SHA512: 9c6a2885b8a8dab5181052205ae9b4a53731242d5ab0e3e23e3d0be53c28c1e6800b6d9c5451a5f28a50b617f71dd457db109de32e852ac9b268962b8d997916

Filesize: 4KB
MD5: 9e51873b5404f36f66233ab303691c3c
SHA1: 829708f060b08fac4fc0474d2eddc76ba8a0d560
SHA256: bece96f0fdacad51d9b490a4ecf7e129ef8feace87795d9ba9cb7901536d3f58
SHA512: 0d9b13ae03de4c94f0863a576a986810ba0d0d0cab1a8676f160628a66e26d76f673ca51f7e7ac48dd507b358a41220a94bb5dbbc96ed9dd95c29dc4c1288e6c

Filesize: 11KB
MD5: fbaf91e11247fcacda8bbba7e78e5aae
SHA1: 88d882c06b0f3c30d69fe1aa018d921f1264a8bc
SHA256: d5b2609e3056fb970c1ff0dd020add9fb95208c520058308595ea9a550f40317
SHA512: b5e647dfe1bfa9a81235ab91719548ac473b32f31a0c0515bf79191c23e35bc48d1654c31258df35150e27357f5e9f615b4c63450e77d081396a6c7425aaa99b

Filesize: 573B
MD5: db09685c045dc0df0552427c752a1aa7
SHA1: eb0e8e1e9839e7517efb7fedfa7edabc5d57587a
SHA256: 9219680462bef7060264ac63d21f3332daf0fca5090cae295427710895be0002
SHA512: d0b4b1c23557aa18a5ca9299c7269cd2221ec8b155b9ec9c045f6ddb612f1979a9d3e78ae395dc6e515338ee8bdf13225a1cafc903bc800a22b9b9e3489a462b

Filesize: 342B
MD5: 8499e8596ec1c873e132662092da0a85
SHA1: dd27c53c9fb86cbcc367182fccf8bd0af6ebb763
SHA256: 26d22504cae4bb0e7de6e10317a97aa4be15a0a3fa9bf2d735d89213696e0712
SHA512: f06bcf0f8239a15c78b8113d27c60b32bcdc1be25d913ef3356ca5a58349e12b14b6673838e83972d81e90e338d948781626d5ff6db3a6fea303b8aead98824d

Filesize: 342B
MD5: fa7efdecc2537c953bb8a49f6ac54224
SHA1: 68821ae21e5c476b5f451bd5a0a6fb6650a421f1
SHA256: 16ee2337d70bd3241362fd815d6ccf948836e3c5bfa1eb7921592ac909c0cba9
SHA512: 3f4e9d2e016b3d47fa2492dd0c7788bd2d320fcc39dca850ffa94d1ceaf212573f76c3e8305817ee282811f7533284a1619987ceaaee6858c8702d5cf412f538

Filesize: 20KB
MD5: aa4483fee9197dcc99ad3e6fd1ed976a
SHA1: a7a70cc9d0cab661aa276a718eea9f5b4b417674
SHA256: c782bd3a455f7236c1f99d3f85805ebb8b79ff622d1a989d148b1c7db5ee2b31
SHA512: 69b127b1516b447786d7cf0604fb75db1fff95f6d755c9f698a3164c8685a87dd3b288bcc70566b1e6c3aed444ee5db0321c19830e95750b79233952ba8188e8

Filesize: 29KB
MD5: b1960612149e68ce8d6f4827c5b39073
SHA1: 6259a3ebd659bb63ec59fab4c8e1aa79092692a4
SHA256: 847bd020bc930856d25c54d5fa03278b0e6b2434f2560f3c6b7c000332012173
SHA512: 81d2737ca459d8fb3aab6dede1c666efdb6c3a851f1018a8b2d5166060de05fff7abb8eaa9e24ee441137033bd0574ce107ef9d3abd93ddde4b86cda76625423

Filesize: 2KB
MD5: eab5eaa228b24e2a0c3313fc200caa97
SHA1: 407dd379fd78df5b31585931fc567a1f9a3da40c
SHA256: 5d784971dcc44fd271dccb4351ebabb16b3170ff680ccfa64dc848a4125651fa
SHA512: 126b2bf2a5fe7a4d78eb766f95e4e7fc15095876ffc25f0955f1d073f351281b3d7a8f1cc3c8b8cfad7157e705a0d8019b28a82ce72c15f02cd31029b801bb0a

Filesize: 38KB
MD5: 2968b90417f9078ef3ec90887589bcbc
SHA1: 36ce6e67601513bd6efa46085a5570dfe0946f03
SHA256: f2de3592da42e4d30ffbfe8215539e08b0d9d7a4812b48a7a0ffe2da4f10db5b
SHA512: f84b09bfd16d8564b265e9616501a09fd60b702a3871efa083ed2bbe950c52de3123829b295c360f36a6f8e0a6feb29430d7d22059e64931459cc056eec2e779

Filesize: 29KB
MD5: b49ac1e7007e1e445c45fc906e96687e
SHA1: b33adeb3d8ad516a3fe826cc3f48f9c6e67030cb
SHA256: da17cf39c773ab3048e767aff993458e284837287e8c4af0d139ad71f3459ff8
SHA512: e3ef8ef9423552281dc12e25eeef69b954e50bc844442d7e0de9c7e066c53e62dc84a43e44428caff1e18b06470c17d25e65825c07f5f85535d97ace23f05ba2

Filesize: 16KB
MD5: 63e7a59b7d1f9405ba1a0e685ca98af7
SHA1: c90d503b31b8027a0fbbe1f0008021e27ce42609
SHA256: 03cee410775634e7570b80077ca95e47cbafbdf982c19ac2e222726d28b9a584
SHA512: 9b70322f966accc16435bd3869106be18ac7e21962846938e64c7001c663cbd1ea7a7662e0d85af97af05820192ceb0bb01d65cff3d7bbe8467b873a872d644f