Resubmissions
24-01-2022 18:12
220124-ws75xsgcf6 114-01-2022 15:34
220114-szqyfahceq 1008-01-2022 19:45
220108-ygvfssdbh9 1008-01-2022 19:45
220108-ygvfssdbh8 1008-01-2022 19:34
220108-x95xkadbh3 807-01-2022 14:28
220107-rsy5sscda4 1006-01-2022 19:07
220106-xszdfsbee2 10Analysis
-
max time kernel
1747s -
max time network
1740s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-01-2022 15:34
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 59 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks for any installed AV software in registry 1 TTPs 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 23 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69d4f50,0x7fef69d4f60,0x7fef69d4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2408 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4432 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4364 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4352 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\utweb_installer.exe"C:\Users\Admin\Downloads\utweb_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exe.\GenericSetup.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exeC:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe" /S"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe" /S5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe"C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe" /install /quiet /norestart6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe"C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{BADF769E-5AF2-400A-9F32-B05546207902} {EEE2F9DF-0E11-4485-BBC0-4BE89120CD9F} 30527⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""saBSI.exe" /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 subID=VSW"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe"saBSI.exe" /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 subID=VSW5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe" /install /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 saBsiVersion=4.1.0.22 /no_self_update6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\installer.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\\installer.exe" /setOem:Affid=91212 /s /thirdparty /upgrade7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\McAfee\Temp2781912922\installer.exe"C:\Program Files\McAfee\Temp2781912922\installer.exe" /setOem:Affid=91212 /s /thirdparty /upgrade8⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\sc.exesc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"9⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"9⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"10⤵
-
-
-
C:\Windows\system32\sc.exesc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"9⤵
-
-
C:\Windows\system32\sc.exesc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//09⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"9⤵
- Modifies registry class
-
-
C:\Windows\system32\sc.exesc.exe start "McAfee WebAdvisor"9⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"9⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"10⤵
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"9⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe" : /s /run_source=avg_ads_lava"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe"C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe" : /s /run_source=avg_ads_lava5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\nse6FF4.tmp\AVGBrowserUpdateSetup.exe"C:\Users\Admin\AppData\Local\Temp\nse6FF4.tmp\AVGBrowserUpdateSetup.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\GUM83C0.tmp\AVGBrowserUpdate.exe"C:\Program Files (x86)\GUM83C0.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTE4OC4xIiBzaGVsbF92ZXJzaW9uPSIxLjguMTE4OC4xIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0Q5Njc1RTkwLTI1MTctNEY1Ny04Q0Q1LTQzOEMwQTc0RkJGRX0iIGNlcnRfZXhwX2RhdGU9IjIwMjIxMDIwIiB1c2VyaWQ9InsxMzVENTQ5Ny0zRkNGLTQ3QkUtOTczNC0yMUI0RkQ5Q0RFQjd9IiB1c2VyaWRfZGF0ZT0iMjAyMjAxMTQiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIyMDExNCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins0Njg2OEM3MC0yRjUyLTRDODctOUUyMy1DQkVDN0E2MUQ0NDF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xMTg4LjEiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTE0MSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTU3NiIvPjwvYXBwPjwvcmVxdWVzdD48⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{D9675E90-2517-4F57-8CD5-438C0A74FBFE}" /silent8⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --heartbeat --install --create-profile6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef2f032c0,0x7fef2f032d0,0x7fef2f032e07⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 /prefetch:27⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1312 /prefetch:87⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 /prefetch:87⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --display-capture-permissions-policy-allowed --start-stack-profiler --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1888 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1896 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2388 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:87⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1632 /prefetch:27⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=2396 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2916 /prefetch:87⤵
-
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings7⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x1401531d8,0x1401531e8,0x1401531f88⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1936 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1792 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1908 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=988 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3756 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2164 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4164 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1548 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\WcInstaller.exe"C:\Users\Admin\Downloads\WcInstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS01BD6767\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --webprotection --partner=newwebsite --version=8.0.0.2143⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 27364⤵
- Loads dropped DLL
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2236 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\WcInstaller (1).exe"C:\Users\Admin\Downloads\WcInstaller (1).exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC68B5BC7\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --webprotection --partner=newwebsite --version=8.0.0.2143⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3792 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1412 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 /prefetch:82⤵
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\AVGBrowserInstaller.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1003 --default-search=bing.com --adblock-mode-default=0 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1003 --default-search=bing.com --adblock-mode-default=0 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13f4e31d8,0x13f4e31e8,0x13f4e31f84⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\McAfee\WebAdvisor\UIHost.exe"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"3⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\x64\IEPlugin.dll"2⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
-
C:\Program Files\McAfee\WebAdvisor\updater.exe"C:\Program Files\McAfee\WebAdvisor\updater.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"3⤵
-
-
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005D0" "00000000000003A0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\UTORRE~1\utweb.exe"C:\Users\Admin\AppData\Roaming\UTORRE~1\utweb.exe" /RUNONSTARTUP1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --single-argument https://utweb.trontv.com/gui/index.html?v=1.2.7.4186&firstrun=1&localauth=localapi943b42a223940d87:2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2f032c0,0x7fef2f032d0,0x7fef2f032e03⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2581⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zSC68B5BC7\it-IT\WebCompanionInstaller.resources.dll1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskeng.exetaskeng.exe {6B6BA4AF-99E8-4CB2-9DA1-4AE86E83ABC1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
25.3MB
-
Filesize
25.3MB
-
Filesize
25.3MB
-
Filesize
25.3MB
-
Filesize
6.9MB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
6.9MB
-
Filesize
496KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB