Resubmissions
24-01-2022 18:12
220124-ws75xsgcf6 114-01-2022 15:34
220114-szqyfahceq 1008-01-2022 19:45
220108-ygvfssdbh9 1008-01-2022 19:45
220108-ygvfssdbh8 1008-01-2022 19:34
220108-x95xkadbh3 807-01-2022 14:28
220107-rsy5sscda4 1006-01-2022 19:07
220106-xszdfsbee2 10Analysis
-
max time kernel
1747s -
max time network
1740s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-01-2022 15:34
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 59 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks for any installed AV software in registry 1 TTPs 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 23 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69d4f50,0x7fef69d4f60,0x7fef69d4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2408 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4364 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4352 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 /prefetch:82⤵
-
C:\Users\Admin\Downloads\utweb_installer.exe"C:\Users\Admin\Downloads\utweb_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exe.\GenericSetup.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exeC:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe" /S"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exe" /S5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe"C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe" /install /quiet /norestart6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe"C:\Users\Admin\AppData\Local\Temp\ut_web_redist\vcredist_x86.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{BADF769E-5AF2-400A-9F32-B05546207902} {EEE2F9DF-0E11-4485-BBC0-4BE89120CD9F} 30527⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""saBSI.exe" /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 subID=VSW"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe"saBSI.exe" /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 subID=VSW5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\saBSI.exe" /install /affid 91212 PaidDistribution=true InstallID=a3975c20-3aab-4664-ba9c-8057907e5c78 saBsiVersion=4.1.0.22 /no_self_update6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\installer.exe"C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\\installer.exe" /setOem:Affid=91212 /s /thirdparty /upgrade7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\McAfee\Temp2781912922\installer.exe"C:\Program Files\McAfee\Temp2781912922\installer.exe" /setOem:Affid=91212 /s /thirdparty /upgrade8⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\sc.exesc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"9⤵
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"9⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"10⤵
-
C:\Windows\system32\sc.exesc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"9⤵
-
C:\Windows\system32\sc.exesc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//09⤵
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"9⤵
- Modifies registry class
-
C:\Windows\system32\sc.exesc.exe start "McAfee WebAdvisor"9⤵
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"9⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"10⤵
-
C:\Windows\system32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe" : /s /run_source=avg_ads_lava"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe"C:\Users\Admin\AppData\Local\Temp\euxhxnbc.3mc.exe" : /s /run_source=avg_ads_lava5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\nse6FF4.tmp\AVGBrowserUpdateSetup.exe"C:\Users\Admin\AppData\Local\Temp\nse6FF4.tmp\AVGBrowserUpdateSetup.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\GUM83C0.tmp\AVGBrowserUpdate.exe"C:\Program Files (x86)\GUM83C0.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTE4OC4xIiBzaGVsbF92ZXJzaW9uPSIxLjguMTE4OC4xIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0Q5Njc1RTkwLTI1MTctNEY1Ny04Q0Q1LTQzOEMwQTc0RkJGRX0iIGNlcnRfZXhwX2RhdGU9IjIwMjIxMDIwIiB1c2VyaWQ9InsxMzVENTQ5Ny0zRkNGLTQ3QkUtOTczNC0yMUI0RkQ5Q0RFQjd9IiB1c2VyaWRfZGF0ZT0iMjAyMjAxMTQiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIyMDExNCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins0Njg2OEM3MC0yRjUyLTRDODctOUUyMy1DQkVDN0E2MUQ0NDF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xMTg4LjEiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTE0MSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTU3NiIvPjwvYXBwPjwvcmVxdWVzdD48⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9141&ap=mv:96.1.13589.112&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{D9675E90-2517-4F57-8CD5-438C0A74FBFE}" /silent8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --heartbeat --install --create-profile6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef2f032c0,0x7fef2f032d0,0x7fef2f032e07⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 /prefetch:27⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1312 /prefetch:87⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 /prefetch:87⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --display-capture-permissions-policy-allowed --start-stack-profiler --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1888 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1896 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2388 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:87⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1632 /prefetch:27⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=2396 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,15945307706055374994,5426408190931036438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2916 /prefetch:87⤵
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings7⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x1401531d8,0x1401531e8,0x1401531f88⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1936 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1792 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=988 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3756 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1548 /prefetch:82⤵
-
C:\Users\Admin\Downloads\WcInstaller.exe"C:\Users\Admin\Downloads\WcInstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS01BD6767\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --webprotection --partner=newwebsite --version=8.0.0.2143⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 27364⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2236 /prefetch:82⤵
-
C:\Users\Admin\Downloads\WcInstaller (1).exe"C:\Users\Admin\Downloads\WcInstaller (1).exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC68B5BC7\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --webprotection --partner=newwebsite --version=8.0.0.2143⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3792 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1412 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,17539036067369572553,798019661286885597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 /prefetch:82⤵
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\AVGBrowserInstaller.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1003 --default-search=bing.com --adblock-mode-default=0 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1003 --default-search=bing.com --adblock-mode-default=0 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe"C:\Program Files (x86)\AVG\Browser\Update\Install\{0A885B3A-4BC6-4888-BDF6-E562196A30A3}\CR_797BC.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13f4e31d8,0x13f4e31e8,0x13f4e31f84⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\McAfee\WebAdvisor\UIHost.exe"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"3⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\x64\IEPlugin.dll"2⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files\McAfee\WebAdvisor\updater.exe"C:\Program Files\McAfee\WebAdvisor\updater.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"3⤵
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005D0" "00000000000003A0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"C:\Program Files (x86)\AVG\Browser\Application\96.1.13589.112\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\UTORRE~1\utweb.exe"C:\Users\Admin\AppData\Roaming\UTORRE~1\utweb.exe" /RUNONSTARTUP1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --single-argument https://utweb.trontv.com/gui/index.html?v=1.2.7.4186&firstrun=1&localauth=localapi943b42a223940d87:2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=96.1.13589.112 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2f032c0,0x7fef2f032d0,0x7fef2f032e03⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2581⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zSC68B5BC7\it-IT\WebCompanionInstaller.resources.dll1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskeng.exetaskeng.exe {6B6BA4AF-99E8-4CB2-9DA1-4AE86E83ABC1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"C:\Program Files (x86)\AVG\Browser\Update\1.8.1188.1\AVGBrowserCrashHandler64.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
d47b799c2fea3d88423f7b2d9e197d99
SHA1e1e345a09526ad22fac3e5da19fbfc3f3a1fdc1b
SHA256a453b10a353f1f89cade6c9141026ca42b8058e5d465be3951d51b4a336c3fa9
SHA5121cbe1199866883a2897b5337a4f79d278265c0b65b37aa033fb0a8e4042a3b10fe5d747026fd14dd4f762a952d02ceece9ace22d29efb3bbf0bf210ff6f1c4be
-
C:\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exeMD5
285b856fce47097d71e6b0b6a6607055
SHA18a5f6b9c22c9ffa947e68ac2f27078d9faf52ecf
SHA256a31b84e7f286a8c7660f2a2c8f8e9060a5d2220ec2510651e7ea83018b477606
SHA5127b628ccaba5d19780f1f0ce52b4602fa3d97bfff5aee23c5ff4e94d77a37b4ea1bc8baad32cf14c0678baafd15e2bfb539cc6f92fe4f647663a3983a7fafbcea
-
C:\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exeMD5
285b856fce47097d71e6b0b6a6607055
SHA18a5f6b9c22c9ffa947e68ac2f27078d9faf52ecf
SHA256a31b84e7f286a8c7660f2a2c8f8e9060a5d2220ec2510651e7ea83018b477606
SHA5127b628ccaba5d19780f1f0ce52b4602fa3d97bfff5aee23c5ff4e94d77a37b4ea1bc8baad32cf14c0678baafd15e2bfb539cc6f92fe4f647663a3983a7fafbcea
-
C:\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exe.configMD5
fd63ee3928edd99afc5bdf17e4f1e7b6
SHA11b40433b064215ea6c001332c2ffa093b1177875
SHA2562a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
SHA5121925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4
-
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exeMD5
8f8550b49f1a7be810d25e2e79d727f6
SHA1415a59c3e52052f62149addff3592aed45f94f99
SHA2564f3ca16adde4c350da09f37872da275c285584200c3d86823d5bf894d988e2b2
SHA512e057b5da7cb39a38e3a1bca0a893093f8f9d0ee453992e375654722cdc4e73c2f67572b74212adce98f24a3f5df701bdbe1a4d038aae3f87aedcf827a09570fd
-
C:\Users\Admin\Downloads\utweb_installer.exeMD5
0a6a273312eabf4d971fb55b52b781ae
SHA12b887c32a8061ddccc94aee79ac2a0fb9adae783
SHA256d4e60be1204df950e20b1968e14458e3a9ccf40a7fe7b0a6d2c2b4e01d646fc6
SHA5126d0d61b56bad47d5903869e1799260421b6360a32be26e2f0660720a67933a1306bbec2bc69ac39f7e92ad58c19c5d16ca357920371026cf53491aa41db1ed9f
-
C:\Users\Admin\Downloads\utweb_installer.exeMD5
0a6a273312eabf4d971fb55b52b781ae
SHA12b887c32a8061ddccc94aee79ac2a0fb9adae783
SHA256d4e60be1204df950e20b1968e14458e3a9ccf40a7fe7b0a6d2c2b4e01d646fc6
SHA5126d0d61b56bad47d5903869e1799260421b6360a32be26e2f0660720a67933a1306bbec2bc69ac39f7e92ad58c19c5d16ca357920371026cf53491aa41db1ed9f
-
\??\pipe\crashpad_1688_WQXMLLSLDOENECGBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\7zS479277B6\GenericSetup.exeMD5
285b856fce47097d71e6b0b6a6607055
SHA18a5f6b9c22c9ffa947e68ac2f27078d9faf52ecf
SHA256a31b84e7f286a8c7660f2a2c8f8e9060a5d2220ec2510651e7ea83018b477606
SHA5127b628ccaba5d19780f1f0ce52b4602fa3d97bfff5aee23c5ff4e94d77a37b4ea1bc8baad32cf14c0678baafd15e2bfb539cc6f92fe4f647663a3983a7fafbcea
-
\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\Carrier.exeMD5
8f8550b49f1a7be810d25e2e79d727f6
SHA1415a59c3e52052f62149addff3592aed45f94f99
SHA2564f3ca16adde4c350da09f37872da275c285584200c3d86823d5bf894d988e2b2
SHA512e057b5da7cb39a38e3a1bca0a893093f8f9d0ee453992e375654722cdc4e73c2f67572b74212adce98f24a3f5df701bdbe1a4d038aae3f87aedcf827a09570fd
-
\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1642178103\sciter32.dllMD5
b431083586e39d018e19880ad1a5ce8f
SHA13bbf957ab534d845d485a8698accc0a40b63cedd
SHA256b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
SHA5127805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b
-
memory/584-140-0x0000000000000000-mapping.dmp
-
memory/620-346-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/960-116-0x0000000000000000-mapping.dmp
-
memory/984-124-0x0000000000000000-mapping.dmp
-
memory/984-135-0x0000000000000000-mapping.dmp
-
memory/1136-99-0x0000000000000000-mapping.dmp
-
memory/1188-139-0x0000000000000000-mapping.dmp
-
memory/1440-344-0x00000000001B0000-0x00000000001E2000-memory.dmpFilesize
200KB
-
memory/1496-105-0x0000000000000000-mapping.dmp
-
memory/1500-91-0x0000000000000000-mapping.dmp
-
memory/1500-97-0x0000000002151000-0x0000000002152000-memory.dmpFilesize
4KB
-
memory/1500-93-0x0000000002150000-0x0000000002151000-memory.dmpFilesize
4KB
-
memory/1648-131-0x0000000000000000-mapping.dmp
-
memory/1656-330-0x0000000000000000-mapping.dmp
-
memory/1808-98-0x0000000000000000-mapping.dmp
-
memory/1912-152-0x0000000000000000-mapping.dmp
-
memory/1912-120-0x0000000000000000-mapping.dmp
-
memory/2088-111-0x0000000000000000-mapping.dmp
-
memory/2092-104-0x0000000000000000-mapping.dmp
-
memory/2116-88-0x0000000000AE6000-0x0000000000AF7000-memory.dmpFilesize
68KB
-
memory/2116-87-0x0000000000AE1000-0x0000000000AE2000-memory.dmpFilesize
4KB
-
memory/2116-142-0x0000000000000000-mapping.dmp
-
memory/2116-84-0x0000000000000000-mapping.dmp
-
memory/2116-206-0x0000000000000000-mapping.dmp
-
memory/2116-125-0x0000000000000000-mapping.dmp
-
memory/2116-86-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/2140-130-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2140-127-0x0000000000000000-mapping.dmp
-
memory/2156-89-0x0000000000000000-mapping.dmp
-
memory/2160-138-0x0000000000000000-mapping.dmp
-
memory/2212-328-0x0000000000000000-mapping.dmp
-
memory/2312-101-0x0000000000000000-mapping.dmp
-
memory/2356-72-0x0000000000D70000-0x0000000000D9C000-memory.dmpFilesize
176KB
-
memory/2356-68-0x0000000000DA0000-0x00000000026F4000-memory.dmpFilesize
25.3MB
-
memory/2356-61-0x0000000000000000-mapping.dmp
-
memory/2356-66-0x0000000000DA0000-0x00000000026F4000-memory.dmpFilesize
25.3MB
-
memory/2356-67-0x0000000000DA0000-0x00000000026F4000-memory.dmpFilesize
25.3MB
-
memory/2356-81-0x0000000000DA0000-0x00000000026F4000-memory.dmpFilesize
25.3MB
-
memory/2356-69-0x0000000006400000-0x0000000006ADA000-memory.dmpFilesize
6.9MB
-
memory/2356-80-0x0000000006ED0000-0x0000000006EFE000-memory.dmpFilesize
184KB
-
memory/2356-70-0x00000000060E0000-0x00000000060E1000-memory.dmpFilesize
4KB
-
memory/2356-71-0x0000000000450000-0x0000000000478000-memory.dmpFilesize
160KB
-
memory/2356-76-0x0000000008EE0000-0x00000000095BA000-memory.dmpFilesize
6.9MB
-
memory/2356-75-0x0000000007730000-0x00000000077AC000-memory.dmpFilesize
496KB
-
memory/2356-73-0x0000000005F20000-0x0000000005F32000-memory.dmpFilesize
72KB
-
memory/2364-102-0x0000000000000000-mapping.dmp
-
memory/2372-334-0x0000000000000000-mapping.dmp
-
memory/2376-123-0x0000000000000000-mapping.dmp
-
memory/2404-331-0x0000000000000000-mapping.dmp
-
memory/2408-122-0x0000000000000000-mapping.dmp
-
memory/2416-248-0x0000000000000000-mapping.dmp
-
memory/2420-58-0x0000000076071000-0x0000000076073000-memory.dmpFilesize
8KB
-
memory/2420-56-0x0000000000000000-mapping.dmp
-
memory/2596-118-0x0000000000000000-mapping.dmp
-
memory/2632-136-0x0000000000000000-mapping.dmp
-
memory/2632-137-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmpFilesize
8KB
-
memory/2648-114-0x0000000000000000-mapping.dmp
-
memory/2724-96-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/2724-94-0x0000000000000000-mapping.dmp
-
memory/2740-150-0x0000000000000000-mapping.dmp
-
memory/2748-132-0x0000000000000000-mapping.dmp
-
memory/2748-134-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-146-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-133-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-156-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-147-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-145-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-148-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2748-144-0x0000000169470000-0x0000000169480000-memory.dmpFilesize
64KB
-
memory/2756-335-0x0000000000000000-mapping.dmp
-
memory/2828-325-0x0000000000000000-mapping.dmp
-
memory/2832-82-0x0000000000000000-mapping.dmp
-
memory/2844-270-0x0000000000000000-mapping.dmp
-
memory/2876-321-0x0000000000000000-mapping.dmp
-
memory/2988-185-0x0000000000000000-mapping.dmp
-
memory/2988-149-0x0000000000000000-mapping.dmp
-
memory/3052-107-0x0000000000000000-mapping.dmp
-
memory/3060-113-0x0000000065501000-0x0000000065503000-memory.dmpFilesize
8KB
-
memory/3060-109-0x0000000000000000-mapping.dmp
-
memory/3080-311-0x0000000000000000-mapping.dmp
-
memory/3104-154-0x0000000000000000-mapping.dmp
-
memory/3392-157-0x0000000000000000-mapping.dmp
-
memory/3424-158-0x0000000000000000-mapping.dmp
-
memory/3444-159-0x0000000000000000-mapping.dmp
-
memory/3456-316-0x0000000000000000-mapping.dmp
-
memory/3512-329-0x0000000000000000-mapping.dmp
-
memory/3544-227-0x0000000000000000-mapping.dmp
-
memory/3560-327-0x0000000000000000-mapping.dmp
-
memory/3704-161-0x0000000000000000-mapping.dmp
-
memory/3716-162-0x0000000000000000-mapping.dmp
-
memory/3732-249-0x0000000000000000-mapping.dmp
-
memory/3792-323-0x0000000000000000-mapping.dmp
-
memory/3872-164-0x0000000000000000-mapping.dmp
-
memory/3872-193-0x0000000003200000-0x0000000003201000-memory.dmpFilesize
4KB
-
memory/3880-290-0x0000000000000000-mapping.dmp
-
memory/3888-165-0x0000000000000000-mapping.dmp
-
memory/4028-177-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-175-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-181-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-179-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-178-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-184-0x0000000000000000-mapping.dmp
-
memory/4028-176-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-182-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-174-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-180-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-173-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-172-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-171-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-170-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-169-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-166-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/4028-183-0x0000000000071000-0x0000000000072000-memory.dmpFilesize
4KB
-
memory/4028-186-0x0000000077410000-0x0000000077411000-memory.dmpFilesize
4KB