36ade5fcd549711465e810ae21da6cb2e892fea2f03eb9622c361fc3f8484c9c

Modify Registry

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

Processes:

avg_secure_browser_setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 22 IoCs

Processes:

utweb_installer.exeutweb_installer.tmputorrent_installer.exeutorrent_installer.tmpuTorrent.exeutorrent.exeavg_secure_browser_setup.exeavg_antivirus_free_setup.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeuTorrent.exeutorrentie.exeutorrentie.exeutorrentie.exe

pid	process
2068	utweb_installer.exe
2360	utweb_installer.tmp
1368	utorrent_installer.exe
1516	utorrent_installer.tmp
1320	uTorrent.exe
676	utorrent.exe
1960	avg_secure_browser_setup.exe
3068	avg_antivirus_free_setup.exe
932	AVGBrowserUpdateSetup.exe
1968	AVGBrowserUpdate.exe
3580	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3628	AVGBrowserUpdateComRegisterShell64.exe
3636	AVGBrowserUpdateComRegisterShell64.exe
3644	AVGBrowserUpdateComRegisterShell64.exe
3680	AVGBrowserUpdate.exe
3696	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
3816	uTorrent.exe
4000	utorrentie.exe
4040	utorrentie.exe
4072	utorrentie.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

utorrent.exeuTorrent.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	utorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	utorrent.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	uTorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	uTorrent.exe

Loads dropped DLL 64 IoCs

Processes:

utweb_installer.exeutorrent_installer.exeutorrent_installer.tmpuTorrent.exeutorrent.exeavg_secure_browser_setup.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeuTorrent.exe

pid	process
2068	utweb_installer.exe
1368	utorrent_installer.exe
1516	utorrent_installer.tmp
1320	uTorrent.exe
1320	uTorrent.exe
1320	uTorrent.exe
1320	uTorrent.exe
1320	uTorrent.exe
676	utorrent.exe
676	utorrent.exe
676	utorrent.exe
676	utorrent.exe
1320	uTorrent.exe
1516	utorrent_installer.tmp
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1516	utorrent_installer.tmp
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
932	AVGBrowserUpdateSetup.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
3580	AVGBrowserUpdate.exe
3580	AVGBrowserUpdate.exe
3580	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3628	AVGBrowserUpdateComRegisterShell64.exe
3608	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3636	AVGBrowserUpdateComRegisterShell64.exe
3608	AVGBrowserUpdate.exe
3608	AVGBrowserUpdate.exe
3644	AVGBrowserUpdateComRegisterShell64.exe
3608	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
3680	AVGBrowserUpdate.exe
3696	AVGBrowserUpdate.exe
3696	AVGBrowserUpdate.exe
3696	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
3696	AVGBrowserUpdate.exe
3752	AVGBrowserUpdate.exe
1516	utorrent_installer.tmp
3816	uTorrent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsu1585.tmp\utorrent.exe	upx
behavioral1/memory/676-843-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral1/memory/676-877-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral1/memory/3816-1374-0x0000000000400000-0x00000000009C2000-memory.dmp	upx
behavioral1/memory/3816-1528-0x0000000000400000-0x00000000009C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

utorrent.exeuTorrent.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe /MINIMIZED"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" /MINIMIZED"	uTorrent.exe

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1518.001

Processes:

avg_secure_browser_setup.exeutorrent_installer.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\AVAST Software\Avast	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	utorrent_installer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

AVGBrowserUpdate.exeavg_secure_browser_setup.exeAVGBrowserUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

AVGBrowserUpdateSetup.exeAVGBrowserUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_zh-CN.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_zh-TW.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\GUM2BF0.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_en.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_mr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_ur.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_fr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_iw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_kn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_kn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\acuapi_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_lv.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_pt-BR.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_pt-PT.dll	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_no.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdateHelper.msi	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\psmachine_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_et.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_fa.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_vi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateWebPlugin.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_da.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_fi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_ro.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_cs.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_pl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateHelper.msi	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateBroker.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_nl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_zh-CN.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\GUT2BF1.tmp	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_fil.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_ta.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_hu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_el.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_es-419.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-PT.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sv.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserCrashHandler64.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_ar.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_it.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_gu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_ja.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_de.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ru.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdateWebPlugin.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_hr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdateSetup.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_hr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_lt.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ro.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\psmachine.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\psuser.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_hu.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2BF0.tmp\goopdateres_nl.dll	AVGBrowserUpdateSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3620 1516 WerFault.exe utorrent_installer.tmp

pid	pid_target	process	target process
3620	1516	WerFault.exe	utorrent_installer.tmp

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

firefox.exeutorrent_installer.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	utorrent_installer.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exeuTorrent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\utorrentie.exe = "1"	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\utorrentie.exe = "0"	uTorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\utorrentie.exe = "11000"	uTorrent.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineId = "00009bb098663592a3a6086bcc2909e7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineIdDate = "20240526"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeutorrent.exeAVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ = "ICurrentState"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ = "IAppVersion"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\NumMethods\ = "12"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{30612A81-C10F-498E-9163-C2B2A3F81A14}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\LocalizedString = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\goopdate.dll,-3000"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}\ProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync.1.0\CLSID\ = "{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\uTorrent\shell\ = "open"	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\AppID = "{30612A81-C10F-498E-9163-C2B2A3F81A14}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\uTorrent	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\NumMethods\ = "11"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods\ = "7"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ = "ICoCreateAsyncStatus"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\ = "Google Update Misc Utils Class"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\ProgID\ = "AVGUpdate.CoreClass.1"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\AVGBrowserUpdateOnDemand.exe\""	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\VersionIndependentProgID\ = "AVGUpdate.OnDemandCOMClassMachine"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine\CurVer\ = "AVGUpdate.Update3WebMachine.1.0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc.1.0	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine.1.0\CLSID	AVGBrowserUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

utweb_installer.tmpavg_secure_browser_setup.exeAVGBrowserUpdate.exeutorrent_installer.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	utweb_installer.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	utweb_installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_secure_browser_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_secure_browser_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	utweb_installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	utorrent_installer.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	utorrent_installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	utweb_installer.tmp

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\utweb_installer.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\utweb_installer(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\utorrent_installer.exe:Zone.Identifier	firefox.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	152	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	161	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

utorrent_installer.tmpavg_secure_browser_setup.exeAVGBrowserUpdate.exeuTorrent.exe

pid	process
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1516	utorrent_installer.tmp
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1960	avg_secure_browser_setup.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
1968	AVGBrowserUpdate.exe
3816	uTorrent.exe
3816	uTorrent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeutweb_installer.tmpuTorrent.exeutorrent.exeutorrent_installer.tmpavg_secure_browser_setup.exe

description	pid	process
Token: SeDebugPrivilege	1708	firefox.exe
Token: SeDebugPrivilege	1708	firefox.exe
Token: SeDebugPrivilege	2360	utweb_installer.tmp
Token: SeDebugPrivilege	2360	utweb_installer.tmp
Token: SeDebugPrivilege	2360	utweb_installer.tmp
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeDebugPrivilege	1320	uTorrent.exe
Token: SeManageVolumePrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	676	utorrent.exe
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1516	utorrent_installer.tmp
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	1960	avg_secure_browser_setup.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

rundll32.exefirefox.exeutorrent_installer.tmp

pid process

2220 rundll32.exe
2220 rundll32.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1516 utorrent_installer.tmp
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

firefox.exe

pid process

1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe
1708 firefox.exe

pid	process
2220	rundll32.exe
2220	rundll32.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1516	utorrent_installer.tmp

pid	process
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe

pid	process
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe
1708	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 2332 wrote to memory of 1708	2332	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2908	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2908	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2908	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2744	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2616	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2616	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2616	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2616	1708	firefox.exe	firefox.exe
PID 1708 wrote to memory of 2616	1708	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\Capture48.png
1⤵
- Suspicious use of FindShellTrayWindow
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.0.1792131921\2112953594" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ca49a5f-8559-4603-95f1-610f44e6aa14} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1268 11ff6258 gpu
    3⤵
    PID:2908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.1.636883884\1609998794" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f0954f-428b-4fa6-b066-a0287d25994c} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1472 d72258 socket
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.2.1656374289\1688371987" -childID 1 -isForBrowser -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 21031 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ed911b0-b564-4cab-9222-385516ef43fe} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 1920 19da1c58 tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.3.1652117714\2063477170" -childID 2 -isForBrowser -prefsHandle 820 -prefMapHandle 1636 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57e96e4-643e-4599-a8cc-f25ea3d274c6} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 748 d71658 tab
    3⤵
    PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.4.312293832\496485691" -childID 3 -isForBrowser -prefsHandle 2820 -prefMapHandle 2816 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a0f01c8-aee0-40b6-aa2e-ec1d94f2f174} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 2832 1ba2d058 tab
    3⤵
    PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.5.1735877821\74353474" -childID 4 -isForBrowser -prefsHandle 3720 -prefMapHandle 3036 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2431e21a-dc8d-412b-9a1f-9886cffebafd} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 3748 1e91ba58 tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.6.2007010677\968850626" -childID 5 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {682287cd-535e-4fa7-8137-019037799539} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 3848 1e91c358 tab
    3⤵
    PID:1964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.7.1908570675\883105084" -childID 6 -isForBrowser -prefsHandle 4032 -prefMapHandle 4036 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd54420c-685d-4abd-ac10-94c0403cb817} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4020 1f030158 tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.8.1336577085\1212963709" -childID 7 -isForBrowser -prefsHandle 1904 -prefMapHandle 1864 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f5d92f2-20b8-4a1a-bf40-cfb21e54057f} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4260 21906e58 tab
    3⤵
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.9.1311697336\1688754047" -parentBuildID 20221007134813 -prefsHandle 4408 -prefMapHandle 4400 -prefsLen 26531 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {464da955-a5bd-4284-8c13-b63406be97f8} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4276 21fc7258 rdd
    3⤵
    PID:1992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.10.1402949777\357644510" -childID 8 -isForBrowser -prefsHandle 4596 -prefMapHandle 4164 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adfba818-4a4a-4066-8d25-138ea2616bd6} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 4052 1ccab858 tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1708.11.1763189410\2055283360" -childID 9 -isForBrowser -prefsHandle 2584 -prefMapHandle 2572 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {593c2901-de5a-40ca-b29f-2aef942b46d3} 1708 "\\.\pipe\gecko-crash-server-pipe.1708" 2408 1ccac158 tab
    3⤵
    PID:2712
- - C:\Users\Admin\Downloads\utweb_installer.exe
    "C:\Users\Admin\Downloads\utweb_installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\is-2LRR8.tmp\utweb_installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2LRR8.tmp\utweb_installer.tmp" /SL5="$5016E,866469,820736,C:\Users\Admin\Downloads\utweb_installer.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Users\Admin\Downloads\utorrent_installer.exe
    "C:\Users\Admin\Downloads\utorrent_installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\is-1LK8T.tmp\utorrent_installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1LK8T.tmp\utorrent_installer.tmp" /SL5="$7015C,840718,816128,C:\Users\Admin\Downloads\utorrent_installer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\uTorrent.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\uTorrent.exe" /S /FORCEINSTALL 1110010101111110
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\nsu1585.tmp\utorrent.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsu1585.tmp\utorrent.exe" /S /FORCEINSTALL 1110010101111110
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\component0_extract\avg_secure_browser_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\component0_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dEE0oDaKTHJ2CXA5wmbo5eucSYsfeeCqzL61Nh8Jnml66qXjo7A5HNYAGX8HiK6bsgTidU9F86 /make-default
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\nsz2445.tmp\AVGBrowserUpdateSetup.exe
        
        AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:932
        
        C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUM2BF0.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
        7⤵
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3580
        
        C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3608
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3628
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3636
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3644
        
        C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezI2QUNCRDZELTVFOTQtNEZGQi05MzI4LTVDQUYzNjkwRTYyNH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Ins2NDBBQzk1Mi1FN0Q1LTQ0NkMtOEIyQi1DMDIwQzczRjcyNzZ9IiB1c2VyaWRfZGF0ZT0iMjAyNDA1MjYiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDUyNiIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntCQkZCMTcyNS02QUY5LTQwRUItQUZGRS1GNjBGMzEzRkNBMTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIzMCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:3680
        
        C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{26ACBD6D-5E94-4FFB-9328-5CAF3690E624}" /silent
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\component1_extract\avg_antivirus_free_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJQA7.tmp\component1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5faEMABXNkLeGn9dVJ5FbU20GGyLVhANtsbn4WkWsUsbJTULIiSQF2LWrsY7sARBI1J9LHmYq
        5⤵
        Executes dropped EXE
        
        PID:3068
    - - C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3816
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe" uTorrent_3816_03B55348_820294101 µTorrent4823DF041B09 uTorrent ie unp
        6⤵
        Executes dropped EXE
        
        PID:4000
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe" uTorrent_3816_03B665C8_1674117706 µTorrent4823DF041B09 uTorrent ie unp
        6⤵
        Executes dropped EXE
        
        PID:4040
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe" uTorrent_3816_03B68428_552567487 µTorrent4823DF041B09 uTorrent ie unp
        6⤵
        Executes dropped EXE
        
        PID:4072
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe" uTorrent_3816_03B34E60_1155527349 µTorrent4823DF041B09 uTorrent ie unp
        6⤵
        
        PID:3412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://utorrent.com/prodnews?v=3%2e6%2e0%2e1%2e47084&pv=0.0.0.0.0
        6⤵
        
        PID:3440
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3440 CREDAT:275457 /prefetch:2
        7⤵
        
        PID:3500
      - C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe
        
        "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47084\utorrentie.exe" uTorrent_3816_03B68A78_970458692 µTorrent4823DF041B09 uTorrent ie unp
        6⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 452
        5⤵
        Program crash
        
        PID:3620

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:2352

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:3752

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:3940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry