Analysis
- max time kernel: 146s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-11-2024 21:51

Static task
- static1

Behavioral task
- behavioral1
- Sample: avg_antivirus_free_setup.exe
- Resource: win7-20240903-en

Behavioral task
- behavioral2
- Sample: avg_antivirus_free_setup.exe
- Resource: win10v2004-20241007-en

General
- Target: avg_antivirus_free_setup.exe
- Size: 247KB
- MD5: 18854664af657aa0a6d62196c321acf0
- SHA1: 86c944fbadfc4481533fa6b948cb2879f9411a2c
- SHA256: 979437ed2a4c9a008e48df0aa7f8c0470de20adcb4f83aaaf17903e1e4d55605
- SHA512: 5ddbd2e06c33e6464bcc407b63da8e9173c44f4cb91a6870b5a3bbffec6edf647649c71a35d51a1c773c4acc6753d26ac87fe90f27d5b5210b873090a07bdc62
- SSDEEP: 6144:PtgJcB7RG80fGwvDBn9Egw7Qj3EVfQ57:PtgJORaGiDB9y1fW7
Malware Config
Signatures

Checks for any installed AV software in registry (1 TTPs, 5 IoCs)
Processes: avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | avg_antivirus_free_setup_x64.exe
- Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | instup.exe
- Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | instup.exe
- Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast | instup.exe
- Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | instup.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) (1 TTPs, 4 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe, avg_antivirus_free_setup.exe
description | ioc | process
- File opened for modification | \??\PhysicalDrive0 | avg_antivirus_free_setup_x64.exe
- File opened for modification | \??\PhysicalDrive0 | instup.exe
- File opened for modification | \??\PhysicalDrive0 | instup.exe
- File opened for modification | \??\PhysicalDrive0 | avg_antivirus_free_setup.exe

Executes dropped EXE (9 IoCs)
Processes: avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe, aswOfferTool.exe (5 instances)
pid | process
- 2800 | avg_antivirus_free_setup_x64.exe
- 1148 | (no process name recorded in the report)
- 2064 | instup.exe
- 1644 | instup.exe
- 1020 | aswOfferTool.exe
- 2724 | aswOfferTool.exe
- 2908 | aswOfferTool.exe
- 2776 | aswOfferTool.exe
- 2868 | aswOfferTool.exe

Loads dropped DLL (30 IoCs)
Processes: avg_antivirus_free_setup.exe, avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe, aswOfferTool.exe, aswOfferTool.exe
Identical rows are collapsed; the last column is the number of IoC rows the report lists for that pid.
pid | process | IoC rows
- 2744 | avg_antivirus_free_setup.exe | 2
- 2800 | avg_antivirus_free_setup_x64.exe | 7
- 2064 | instup.exe | 18
- 1644 | instup.exe | 1
- 2908 | aswOfferTool.exe | 1
- 2868 | aswOfferTool.exe | 1

Embeds OpenSSL (1 IoCs)
Embeds OpenSSL, which may be used to circumvent TLS interception.
resource | yara_rule
- C:\Windows\Temp\asw.aeea441ad5de6f11\Instup.dll | embeds_openssl
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: aswOfferTool.exe (5 instances), avg_antivirus_free_setup.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aswOfferTool.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aswOfferTool.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aswOfferTool.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aswOfferTool.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avg_antivirus_free_setup.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aswOfferTool.exe

Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | avg_antivirus_free_setup_x64.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | instup.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | avg_antivirus_free_setup_x64.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | instup.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | instup.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | avg_antivirus_free_setup_x64.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | instup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | instup.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | avg_antivirus_free_setup_x64.exe

Modifies registry class (64 IoCs)
Processes: instup.exe, instup.exe, avg_antivirus_free_setup_x64.exe
All 64 writes are to values under \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage. They are grouped here by value name; the values written are listed in the order the report gives them.
value name | operation | process | values written
- InstupProgress_Installation_Syncer | Set value (int) | instup.exe | 24, 33, 89, 73, 13, 49, 48, 3, 14, 66, 69, 80, 22, 88, 99, 25, 32, 47, 91, 74
- InstupProgress_UpdateSetup_Syncer | Set value (int) | instup.exe | 38, 61, 45, 20, 10, 76, 23, 24, 64, 26, 60, 53, 81, 87, 42, 15, 63, 18, 85, 13, 28
- InstupProgress_UpdateSetup_Main | Set value (int) | instup.exe | 87, 100, 62, 25, 12
- SfxInstProgress | Set value (int) | avg_antivirus_free_setup_x64.exe | 14, 7, 85, 35, 28, 100, 64
- InstupProgress_Description | Set value (str) | instup.exe | "Updating package: offertool_x64_ais", "Extracting file: instup.exe", "Extracting file: instup.dll", "Updating package: instup_x64_ais", "File downloaded: servers.def.vpx", "File downloaded: avdump_x86_ais-c62.vpx", "Updating package: avdump_x86_ais", "Updating package: avbugreport_x64_ais", "File downloaded: avdump_x64_ais-c62.vpx", "File downloaded: instcont_x64_ais-c62.vpx", "Extracting file: AvDump.exe"
Modifies system certificate store
Processes: avg_antivirus_free_setup.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | avg_antivirus_free_setup.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob not included in this copy of the report] | avg_antivirus_free_setup.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: avg_antivirus_free_setup_x64.exe, instup.exe
pid | process
- 2800 | avg_antivirus_free_setup_x64.exe
- 2800 | avg_antivirus_free_setup_x64.exe
- 1644 | instup.exe
- 1644 | instup.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe, aswOfferTool.exe
description | pid | process
- Token: 32 | 2800 | avg_antivirus_free_setup_x64.exe
- Token: SeDebugPrivilege | 2800 | avg_antivirus_free_setup_x64.exe
- Token: SeDebugPrivilege | 2064 | instup.exe
- Token: 32 | 2064 | instup.exe
- Token: SeDebugPrivilege | 1644 | instup.exe
- Token: 32 | 1644 | instup.exe
- Token: SeDebugPrivilege | 2776 | aswOfferTool.exe
- Token: SeImpersonatePrivilege | 2776 | aswOfferTool.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: instup.exe, instup.exe
pid | process
- 2064 | instup.exe
- 1644 | instup.exe

Suspicious use of WriteProcessMemory (38 IoCs)
Processes: avg_antivirus_free_setup.exe, avg_antivirus_free_setup_x64.exe, instup.exe, instup.exe
Identical rows are collapsed; the last column is the number of IoC rows the report lists for that parent/target pair.
description | pid | process | target process | IoC rows
- PID 2744 wrote to memory of 2800 | 2744 | avg_antivirus_free_setup.exe | avg_antivirus_free_setup_x64.exe | 4
- PID 2800 wrote to memory of 2064 | 2800 | avg_antivirus_free_setup_x64.exe | instup.exe | 3
- PID 2064 wrote to memory of 1644 | 2064 | instup.exe | instup.exe | 3
- PID 1644 wrote to memory of 1020 | 1644 | instup.exe | aswOfferTool.exe | 7
- PID 1644 wrote to memory of 2724 | 1644 | instup.exe | aswOfferTool.exe | 7
- PID 1644 wrote to memory of 2908 | 1644 | instup.exe | aswOfferTool.exe | 7
- PID 1644 wrote to memory of 2776 | 1644 | instup.exe | aswOfferTool.exe | 7
Processes
Each entry gives the image path, the full command line, the signatures that matched for that process, and its PID. The depth number is the process's level in the parent/child tree (the process at depth N+1 was started by the preceding process at depth N).

Depth 1: C:\Users\Admin\AppData\Local\Temp\avg_antivirus_free_setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\avg_antivirus_free_setup.exe"
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID: 2744

Depth 2: C:\Windows\Temp\asw.e2ee3950eba1850e\avg_antivirus_free_setup_x64.exe
Command line: "C:\Windows\Temp\asw.e2ee3950eba1850e\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:99736dda-0a05-4c53-a8b6-547b34407642 /edat_dir:C:\Windows\Temp\asw.e2ee3950eba1850e
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2800

Depth 3: C:\Windows\Temp\asw.aeea441ad5de6f11\instup.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.aeea441ad5de6f11 /edition:15 /prod:ais /stub_context:24b80587-b8f6-488f-bba8-29a33adae804:11167936 /guid:431651c3-2489-4efa-81c9-6648edabc796 /ga_clientid:99736dda-0a05-4c53-a8b6-547b34407642 /no_delayed_installation /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:99736dda-0a05-4c53-a8b6-547b34407642 /edat_dir:C:\Windows\Temp\asw.e2ee3950eba1850e
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2064

Depth 4: C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\instup.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.aeea441ad5de6f11 /edition:15 /prod:ais /stub_context:24b80587-b8f6-488f-bba8-29a33adae804:11167936 /guid:431651c3-2489-4efa-81c9-6648edabc796 /ga_clientid:99736dda-0a05-4c53-a8b6-547b34407642 /no_delayed_installation /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.e2ee3950eba1850e /online_installer
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1644

Depth 5: C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe" -checkGToolbar -elevated
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1020

Depth 5: C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe" /check_secure_browser
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2724

Depth 5: C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe" -checkChrome -elevated
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2908

Depth 5: C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe
Command line: "C:\Windows\Temp\asw.aeea441ad5de6f11\New_15020c62\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AWFA
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2776

Depth 6: C:\Users\Public\Documents\aswOfferTool.exe
Command line: "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AWFA
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2868
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads