6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

Modify Registry

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\111.0.20716.148\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

avg_secure_browser_setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg_secure_browser_setup.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

AVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exebitdurtsetup(1).tmpavg_secure_browser_setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	AVGBrowserUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	bitdurtsetup(1).tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 21 IoCs

Processes:

bitdurtsetup(1).exebitdurtsetup(1).tmpavg_secure_browser_setup.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exeNoEscape.exesetup.exesetup.exesetup.exesetup.exeAVGBrowser.exeAVGBrowser.exe

pid	process
9048	bitdurtsetup(1).exe
5696	bitdurtsetup(1).tmp
6212	avg_secure_browser_setup.exe
12048	AVGBrowserUpdateSetup.exe
8092	AVGBrowserUpdate.exe
11840	AVGBrowserUpdate.exe
13728	AVGBrowserUpdate.exe
12348	AVGBrowserUpdateComRegisterShell64.exe
11508	AVGBrowserUpdateComRegisterShell64.exe
11740	AVGBrowserUpdateComRegisterShell64.exe
13760	AVGBrowserUpdate.exe
9844	AVGBrowserUpdate.exe
12568	AVGBrowserUpdate.exe
9596	AVGBrowserInstaller.exe
8432	NoEscape.exe
13848	setup.exe
13900	setup.exe
12092	setup.exe
1724	setup.exe
11432	AVGBrowser.exe
7672	AVGBrowser.exe

Loads dropped DLL 31 IoCs

Processes:

Ambrosial (1).exebitdurtsetup(1).tmpavg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exe

pid	process
4912	Ambrosial (1).exe
5696	bitdurtsetup(1).tmp
5696	bitdurtsetup(1).tmp
5696	bitdurtsetup(1).tmp
5696	bitdurtsetup(1).tmp
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
8092	AVGBrowserUpdate.exe
11840	AVGBrowserUpdate.exe
13728	AVGBrowserUpdate.exe
12348	AVGBrowserUpdateComRegisterShell64.exe
13728	AVGBrowserUpdate.exe
11508	AVGBrowserUpdateComRegisterShell64.exe
13728	AVGBrowserUpdate.exe
11740	AVGBrowserUpdateComRegisterShell64.exe
13728	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
13760	AVGBrowserUpdate.exe
9844	AVGBrowserUpdate.exe
12568	AVGBrowserUpdate.exe
12568	AVGBrowserUpdate.exe
9844	AVGBrowserUpdate.exe
12568	AVGBrowserUpdate.exe
11432	AVGBrowser.exe
7672	AVGBrowser.exe

Obfuscated with Agile.Net obfuscator 32 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4912-372-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-373-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-375-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-377-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-379-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-381-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-383-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-386-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-388-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-390-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-392-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-394-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-396-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-398-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-400-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-402-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-404-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-406-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-408-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-410-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-412-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-414-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-416-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-418-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-420-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-422-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-425-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-427-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-429-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-431-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-433-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net
behavioral1/memory/4912-435-0x000001D0BC880000-0x000001D0BCA64000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\111.0.20716.148\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\111.0.20716.148\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe

Checks for any installed AV software in registry 1 TTPs 5 IoCs

Security Software Discovery

T1063

Processes:

avg_secure_browser_setup.exebitdurtsetup(1).tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	bitdurtsetup(1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	bitdurtsetup(1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	bitdurtsetup(1).tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

avg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

AVGBrowserUpdateSetup.exeAVGBrowserUpdate.exesetup.exebitdurtsetup(1).tmpAVGBrowserUpdate.exeAVGBrowserInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\GUM2094.tmp\AVGBrowserUpdateHelper.msi	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_en-GB.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_it.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_sl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\chrome_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files\Bit Driver Updater\TAFactory.IconPack.dll	bitdurtsetup(1).tmp
File opened for modification	C:\Program Files (x86)\GUM2094.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ko.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ta.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\hi.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\GUM2094.tmp\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_ms.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_et.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ja.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_ar.dll	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_hr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\chrome_elf.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\AVGBrowser.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\master_preferences	setup.exe
File opened for modification	C:\Program Files\Bit Driver Updater\x64\SQLite.Interop.dll	bitdurtsetup(1).tmp
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_da.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_hu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\psuser_64.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\psmachine.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_lv.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_nl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\111.0.20716.148\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\111.0.20716.148.manifest	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_pl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_en.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_hi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_da.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_fil.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files\Bit Driver Updater\Interop.IWshRuntimeLibrary.dll	bitdurtsetup(1).tmp
File opened for modification	C:\Program Files\Bit Driver Updater\Microsoft.Win32.TaskScheduler.dll	bitdurtsetup(1).tmp
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_lt.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_tr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_hi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_sv.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateBroker.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\chrome_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_am.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_bn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\SETUP.EX_	AVGBrowserInstaller.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files\Bit Driver Updater\System.Threading.dll	bitdurtsetup(1).tmp
File created	C:\Program Files (x86)\GUM2094.tmp\goopdateres_de.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\acuapi_64.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\111.0.20716.148\setup_helper_syslib.dll	setup.exe

Drops file in Windows directory 3 IoCs

Processes:

Ambrosial (1).exe

description	ioc	process
File created	C:\Windows\Fonts\Azonix.otf	Ambrosial (1).exe
File opened for modification	C:\Windows\Fonts\Azonix.otf	Ambrosial (1).exe
File created	C:\Windows\Fonts\OpenSansLight.ttf	Ambrosial (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

13284 13148 WerFault.exe
13280 13216 WerFault.exe
13272 13224 WerFault.exe
12892 13268 WerFault.exe

pid	pid_target	process
13284	13148	WerFault.exe
13280	13216	WerFault.exe
13272	13224	WerFault.exe
12892	13268	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

avg_secure_browser_setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

9792 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

10500 taskkill.exe

pid	process
9792	schtasks.exe

pid	process
10500	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20230416"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeNOTEPAD.EXEfirefox.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\ProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVG.OneClickCtrl.9	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ = "IPackage"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\NumMethods\ = "10"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\AVGBrowserUpdateBroker.exe\""	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ = "IGoogleUpdate"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ = "IApp"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\Elevation	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\Elevation	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\Elevation\IconReference = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\goopdate.dll,-1004"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAAD654E-4B50-4C9F-A261-CF29CF884478}\Elevation	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ = "IAppVersionWeb"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}	AVGBrowserUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ = "IAppVersion"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ = "IProcessLauncher"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.update.avgbrowser.com.oneclickctrl.9	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.update.avgbrowser.com.oneclickctrl.9\CLSID = "{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\VersionIndependentProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ = "IGoogleUpdate3"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass.1\CLSID\ = "{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID	AVGBrowserUpdate.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\bitdurtsetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\bitdurtsetup(1).exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3528 NOTEPAD.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 1118 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	1118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

bitdurtsetup(1).tmpavg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exe

pid	process
5696	bitdurtsetup(1).tmp
5696	bitdurtsetup(1).tmp
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
6212	avg_secure_browser_setup.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
8092	AVGBrowserUpdate.exe
11432	AVGBrowser.exe
11432	AVGBrowser.exe
7672	AVGBrowser.exe
7672	AVGBrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ambrosial (1).exefirefox.exebitdurtsetup(1).tmptaskkill.exeavg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exeAVGBrowser.exe

description	pid	process
Token: SeDebugPrivilege	4912	Ambrosial (1).exe
Token: SeDebugPrivilege	13512	firefox.exe
Token: SeDebugPrivilege	13512	firefox.exe
Token: SeDebugPrivilege	5696	bitdurtsetup(1).tmp
Token: SeDebugPrivilege	5696	bitdurtsetup(1).tmp
Token: SeDebugPrivilege	5696	bitdurtsetup(1).tmp
Token: SeDebugPrivilege	10500	taskkill.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6212	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	8092	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	8092	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	8092	AVGBrowserUpdate.exe
Token: 33	9596	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	9596	AVGBrowserInstaller.exe
Token: SeDebugPrivilege	13512	firefox.exe
Token: SeDebugPrivilege	13512	firefox.exe
Token: SeDebugPrivilege	13512	firefox.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	12092	setup.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe
Token: SeDebugPrivilege	11432	AVGBrowser.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Ambrosial (1).exefirefox.exebitdurtsetup(1).tmpAVGBrowser.exe

pid	process
4912	Ambrosial (1).exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
5696	bitdurtsetup(1).tmp
11432	AVGBrowser.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

13512 firefox.exe
13512 firefox.exe
13512 firefox.exe
13512 firefox.exe
13512 firefox.exe

pid	process
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

NOTEPAD.EXEfirefox.exe

pid	process
3528	NOTEPAD.EXE
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe
13512	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2352 wrote to memory of 3532	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3532	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4044	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4044	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4712	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4712	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2124	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2124	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4388	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4388	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2436	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2436	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4320	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4320	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3804	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3804	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1716	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1716	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4112	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4112	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4568	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4568	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3380	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3380	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1100	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1100	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3224	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3224	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4600	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4600	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4300	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4300	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4920	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4920	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3736	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3736	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1516	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1516	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1272	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1272	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3344	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3344	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4596	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4596	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4516	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4516	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4660	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4660	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3428	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3428	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2092	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2092	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 824	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 824	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3492	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3492	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2504	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2504	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3488	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 3488	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2760	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 2760	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1672	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1672	2352	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ambrosial (1).exe
"C:\Users\Admin\AppData\Local\Temp\Ambrosial (1).exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4912

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8uhgtghgj3g834gizn43nzug43nzg34nzgz3n4gznu43gzn34nzg34znug4znug34u.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Pc fucker.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4712

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4044

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3532

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2124

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4320

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3804

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2436

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4388

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1716

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4112

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4660

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4516

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3428

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5096

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5684

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5936

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5924

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5912

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5896

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:8820

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5880

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5860

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5848

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5832

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5816

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5792

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5768

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5752

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5740

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5720

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5712

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5696

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5672

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5656

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5640

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5632

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5604

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5592

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5576

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5560

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5548

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5536

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5520

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5500

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5488

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5476

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5464

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5448

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5440

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5416

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5400

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5384

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5376

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5368

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5352

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5340

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5324

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5312

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5292

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:9516

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5284

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5264

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5252

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5240

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5228

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5216

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5204

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5188

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5176

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5164

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5156

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5148

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5140

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5132

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2332

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2288

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4180

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4944

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3792

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2096

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2056

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1092

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1280

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4988

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5020

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5060

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:436

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2960

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1124

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:532

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1856

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3152

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2296

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4248

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:552

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3156

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1128

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3528

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1348

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3976

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3212

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3320

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1256

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4560

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2484

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5104

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4260

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1420

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10496

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10684

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:11004

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10988

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10972

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10956

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10924

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10908

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10892

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10884

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10876

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10860

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10852

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10844

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10836

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10820

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10804

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10792

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10780

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10772

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10764

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10756

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10748

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10732

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10724

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10708

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10700

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10692

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10676

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10668

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10660

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10652

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10644

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10636

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10628

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10620

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10612

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10604

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10596

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10588

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10580

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10572

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10564

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10556

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10548

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10536

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10528

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10512

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:10504

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4604

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:404

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3860

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1520

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:768

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3972

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4732

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2752

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2120

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4316

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1452

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5068

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2280

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1292

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3400

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2464

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:5048

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4656

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1928

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1724

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1672

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2760

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3488

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2504

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3492

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:824

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2092

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4596

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3344

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1272

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3736

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4920

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4300

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4600

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3224

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1100

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3380

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:4568

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:11212

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12740

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12880

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13128

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13120

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13112

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13104

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13096

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13084

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13076

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13068

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13060

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13052

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13044

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13036

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13028

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13020

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13012

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:13004

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12996

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12988

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12980

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12972

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12964

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12956

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12948

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12940

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12924

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12916

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12908

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:12900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 13224 -ip 13224
1⤵
PID:13256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 13216 -ip 13216
1⤵
PID:13200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 13148 -ip 13148
1⤵
PID:13176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 13268 -ip 13268
1⤵
PID:12888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13148 -s 16
1⤵
- Program crash
PID:13284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13216 -s 16
1⤵
- Program crash
PID:13280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13224 -s 16
1⤵
- Program crash
PID:13272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13268 -s 328
1⤵
- Program crash
PID:12892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:10164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:13512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.0.241181287\1744164878" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {186fac75-8ab1-41ea-a303-67cf02e7df8c} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 1952 141ab1e0558 gpu
3⤵
PID:6332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.1.1430784889\2108244523" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b03b6a94-b283-477e-92f5-a3a756c8425a} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 2332 1419e272858 socket
3⤵
PID:10052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.2.1632285575\875078841" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2988 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f6f9801-e678-4f50-8513-cdb1ee83ad68} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 3152 141aeee2258 tab
3⤵
PID:10876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.3.356530721\2459070" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3528 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebcd396f-6613-48bc-b5c9-487bf7d02688} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 3284 1419e265658 tab
3⤵
PID:9092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.4.413665498\54371291" -childID 3 -isForBrowser -prefsHandle 4004 -prefMapHandle 3992 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9727736-7d8d-4ae1-9eb0-a998090bc0e1} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 4016 141aeee4358 tab
3⤵
PID:11276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.7.1220060327\1230095094" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5720a2d1-36e3-4a13-a5ff-14bee063e81b} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5300 141b1675158 tab
3⤵
PID:5228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.6.8242633\1725666715" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76626009-7e37-4c3e-9cbe-3bce77481534} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5100 141b1674e58 tab
3⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.5.751729697\116971479" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4960 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {930aa579-f617-4c0b-a721-3a0b5b4b3346} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 4920 141b15b6258 tab
3⤵
PID:6892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.8.1842024341\1349682530" -childID 7 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e72924-8404-4197-afcb-d62bec38a9c3} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5872 141b3a78b58 tab
3⤵
PID:10668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.9.1400576076\1064712681" -parentBuildID 20221007134813 -prefsHandle 3288 -prefMapHandle 3772 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea782663-2f3b-4d0e-b338-eac4017d10db} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5864 141afda7d58 rdd
3⤵
PID:5936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.10.242816886\1177091943" -childID 8 -isForBrowser -prefsHandle 6192 -prefMapHandle 6176 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c810c4e5-3f66-49c2-beef-26a12940e652} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6204 141b3678b58 tab
3⤵
PID:2960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.11.1661570823\1092914166" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f7e452-5ab1-490a-8c34-8e9f5fad0530} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6488 141b1bb1258 utility
3⤵
PID:4632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.12.384145758\44418219" -childID 9 -isForBrowser -prefsHandle 3732 -prefMapHandle 3628 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9025e2b7-0923-4f22-a094-ffb815182660} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5368 141b1e59258 tab
3⤵
PID:13280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.13.958620288\422729927" -childID 10 -isForBrowser -prefsHandle 5096 -prefMapHandle 5292 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69510970-e9fd-4dde-bf26-dd023381ae70} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 5436 141b23acb58 tab
3⤵
PID:6012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.14.882362140\2052576102" -childID 11 -isForBrowser -prefsHandle 10276 -prefMapHandle 10280 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4831f2b8-b2ab-4c02-bdb6-9d8601738f42} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 10268 141b4761258 tab
3⤵
PID:7728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.15.1548590573\1122929064" -childID 12 -isForBrowser -prefsHandle 8088 -prefMapHandle 8084 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c4ed235-e7d9-4550-80a9-71677d053d79} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 8096 141b4e50b58 tab
3⤵
PID:11072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.16.1804915345\560986955" -childID 13 -isForBrowser -prefsHandle 8020 -prefMapHandle 8016 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0ae07c-4e45-41ef-b31d-826fca016767} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 8096 141b4957558 tab
3⤵
PID:12372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.17.632981186\621500426" -childID 14 -isForBrowser -prefsHandle 7944 -prefMapHandle 7952 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0071c89b-7e94-4396-b1b4-8b216cc86f08} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 7760 1419e22f358 tab
3⤵
PID:12344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.18.2136647807\974834944" -childID 15 -isForBrowser -prefsHandle 6052 -prefMapHandle 6056 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5228610-5bb1-4fcb-bb0a-642336b4bd64} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 7412 141b65e0558 tab
3⤵
PID:9644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.19.199053630\260785731" -childID 16 -isForBrowser -prefsHandle 7488 -prefMapHandle 7232 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f6c548-0c5a-4320-b942-042d7002aea5} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 7228 141b53d5f58 tab
3⤵
PID:6896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.20.1074908763\429463912" -childID 17 -isForBrowser -prefsHandle 7024 -prefMapHandle 6088 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa16db08-b30f-4f8a-ba5e-7fdb34aa85e4} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 7220 141b68c2b58 tab
3⤵
PID:7564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.21.1287256653\1095289828" -childID 18 -isForBrowser -prefsHandle 10052 -prefMapHandle 10048 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e195e9-c40e-425a-91b0-fb97f31f232c} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 10060 141b68c2e58 tab
3⤵
PID:10260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.22.1152860695\909266074" -childID 19 -isForBrowser -prefsHandle 10072 -prefMapHandle 10076 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e15afb9-7977-45b8-956f-a11d5452abc7} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9916 141b68c1958 tab
3⤵
PID:11484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.23.1710709778\226771257" -childID 20 -isForBrowser -prefsHandle 6828 -prefMapHandle 6824 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15ac4aa8-cab4-4401-a552-a61767125a13} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6836 141b6c1c758 tab
3⤵
PID:14268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.25.90723462\640575204" -childID 22 -isForBrowser -prefsHandle 9692 -prefMapHandle 9688 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7829009-c09d-446b-a8e7-a868a28002bd} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9700 141b7052b58 tab
3⤵
PID:13496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.26.514691855\1930409046" -childID 23 -isForBrowser -prefsHandle 9596 -prefMapHandle 9592 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f98dd34-1290-4592-8b4e-7e8d0fb92c4d} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9608 141b7053a58 tab
3⤵
PID:6168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.24.1886351436\258504468" -childID 21 -isForBrowser -prefsHandle 5900 -prefMapHandle 6756 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {138e6bec-358c-49e9-9736-98beb8f98350} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6752 141b4f45c58 tab
3⤵
PID:12096

C:\Users\Admin\Downloads\bitdurtsetup(1).exe
"C:\Users\Admin\Downloads\bitdurtsetup(1).exe"
3⤵
- Executes dropped EXE
PID:9048

C:\Users\Admin\AppData\Local\Temp\is-QSCOO.tmp\bitdurtsetup(1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-QSCOO.tmp\bitdurtsetup(1).tmp" /SL5="$503E6,9361252,1413632,C:\Users\Admin\Downloads\bitdurtsetup(1).exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Bit Driver Updater_launcher" /f
5⤵
PID:10448

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "bitdu.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:10500

C:\Users\Admin\AppData\Local\Temp\is-36KE2.tmp\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-36KE2.tmp\avg_secure_browser_setup.exe" /s /run_source=avg_ads_bg
5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6212

C:\Users\Admin\AppData\Local\Temp\nsvDD9.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9153&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dfirefox --import-cookies --auto-launch-chrome --private-browsing"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:12048

C:\Program Files (x86)\GUM2094.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM2094.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9153&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dfirefox --import-cookies --auto-launch-chrome --private-browsing"
7⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8092

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:11840

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:13728

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:12348

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:11508

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:11740

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTU4Mi4zIiBzaGVsbF92ZXJzaW9uPSIxLjguMTU4Mi4zIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezc1NDVDREFELUIxMkMtNEJFNy04MzA1LTRGRDAwNEMzMDgzOH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Ins3Q0IxQjcyOS01OTY3LTQ2ODItQjBDNC1BOTNGMjIwRDQ2RDl9IiB1c2VyaWRfZGF0ZT0iMjAyMzA0MTYiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMDQxNiIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins4RjFBNTYzMS1EMDA0LTRBNDEtOTVBRS1FM0ZFRjU2MkU0MkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNTgyLjMiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTE1MyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iOTU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13760

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9153&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dfirefox --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{7545CDAD-B12C-4BE7-8305-4FD004C30838}" /silent
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /Create /F /RL Highest /SC ONCE /st 00:00 /TN "Bit Driver Updater skipuac" /TR "'C:\Program Files\Bit Driver Updater\bitdu.exe'"
5⤵
- Creates scheduled task(s)
PID:9792

C:\Program Files\Bit Driver Updater\bitdu.exe
"C:\Program Files\Bit Driver Updater\bitdu.exe" drctlnch
5⤵
PID:10360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.27.1356218972\1282576483" -childID 24 -isForBrowser -prefsHandle 9944 -prefMapHandle 4516 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {492a56bc-f0b7-40a0-a51e-1652580a1801} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 4508 141b3c6bf58 tab
3⤵
PID:2180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.28.719288740\667389755" -childID 25 -isForBrowser -prefsHandle 9732 -prefMapHandle 6768 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da918328-93de-4c17-b93f-dfd60219c4bd} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9788 141b361f258 tab
3⤵
PID:5272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.29.2097294289\495917475" -childID 26 -isForBrowser -prefsHandle 9688 -prefMapHandle 6392 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0d46c6-04d9-4733-aa3c-1cc5a4faf93f} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 7304 141b0a94358 tab
3⤵
PID:13088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.30.770954362\802386835" -childID 27 -isForBrowser -prefsHandle 9896 -prefMapHandle 7220 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc517862-831b-4b50-9366-06bc27b2c0e6} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9780 141b1674b58 tab
3⤵
PID:10468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.31.227162389\921491244" -childID 28 -isForBrowser -prefsHandle 6584 -prefMapHandle 7752 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d03f120a-6488-434e-8ab7-5b2f56998a91} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6524 141b3ad4f58 tab
3⤵
PID:5404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.32.635125749\542828747" -childID 29 -isForBrowser -prefsHandle 9408 -prefMapHandle 9404 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e04f7d-b1dc-4d26-9006-f4bb7395ec30} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9544 141b3678258 tab
3⤵
PID:5504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.33.187695075\1378908626" -childID 30 -isForBrowser -prefsHandle 6340 -prefMapHandle 7304 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f07db1ae-8d15-4535-95f8-7ecb46a5cc4d} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 9360 141b3ad4058 tab
3⤵
PID:14088

C:\Users\Admin\Downloads\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe"
3⤵
- Executes dropped EXE
PID:8432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.34.1613059887\1202749790" -childID 31 -isForBrowser -prefsHandle 4828 -prefMapHandle 6988 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e76a97-f2eb-4fc2-8112-ed7b33c542d5} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 10096 141b361ec58 tab
3⤵
PID:4992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="13512.35.1692290079\1158244905" -childID 32 -isForBrowser -prefsHandle 7980 -prefMapHandle 9848 -prefsLen 27427 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9722a370-a46e-4a0a-ac35-7144fd0e2bae} 13512 "\\.\pipe\gecko-crash-server-pipe.13512" 6076 141b4da0e58 tab
3⤵
PID:6344

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
3⤵
PID:4904

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:8464

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:10080

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:9928

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:12256

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
4⤵
PID:10936

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
4⤵
PID:9460

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:12568

C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=firefox --import-cookies --auto-launch-chrome --private-browsing --system-level
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:9596

C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=firefox --import-cookies --auto-launch-chrome --private-browsing --system-level
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
PID:13848

C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=111.0.20716.148 --initial-client-data=0x274,0x278,0x27c,0x7c,0x280,0x7ff6f4415800,0x7ff6f4415810,0x7ff6f4415820
4⤵
- Executes dropped EXE
PID:13900

C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVG\Browser\Temp\source13848_10915269\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:12092

C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{390593FD-CFAC-40C4-8E89-A9A13CE2F552}\CR_F15EF.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=111.0.20716.148 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff6f4415800,0x7ff6f4415810,0x7ff6f4415820
5⤵
- Executes dropped EXE
PID:1724

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 taskbarpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:11432

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:7672

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe"
2⤵
PID:13308

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe"
2⤵
PID:9140

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:13864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery