285f523bfc4d03efd65c514c6ffb9802afe2bebf55c7c4a5043c3cc6c1a6d012

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\104.0.18088.103\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\104.0.18088.103\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\104.0.18088.103\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg-securebrowser-update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg-securebrowser-update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg_secure_browser_setup.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	avg-securebrowser-update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Deletes itself 1 IoCs

pid	Process
1836	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
576	avg_secure_browser_setup.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
960	AVGBrowserUpdateSetup.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1640	AVGBrowserUpdate.exe
1640	AVGBrowserUpdate.exe
1640	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1260	AVGBrowserUpdate.exe
1260	AVGBrowserUpdate.exe
1260	AVGBrowserUpdate.exe
584	AVGBrowserUpdateComRegisterShell64.exe
1260	AVGBrowserUpdate.exe
1260	AVGBrowserUpdate.exe
1284	AVGBrowserUpdateComRegisterShell64.exe
1260	AVGBrowserUpdate.exe
1260	AVGBrowserUpdate.exe
2012	AVGBrowserUpdateComRegisterShell64.exe
1260	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1076	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1448	AVGBrowserUpdate.exe
1448	AVGBrowserUpdate.exe
1448	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1448	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1580	AVGBrowserUpdate.exe
1952	AVGBrowserInstaller.exe
904	setup.exe
904	setup.exe
360	setup.exe
360	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg-securebrowser-update.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\AVAST Software\Avast	avg-securebrowser-update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	avg-securebrowser-update.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg-securebrowser-update.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_de.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_et.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\master_preferences	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_bn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_en.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_sv.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_ko.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_sk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_kn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_fil.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_hi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_hr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_is.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_zh-CN.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM197B.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_ml.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\SetupMetrics\1c5edcec-d4f4-4735-b9cd-ca809c5ad5f3.tmp	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\chrome_elf.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\bn.pak	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_fil.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_iw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_mr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\acuapi_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_pt-PT.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_ms.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\acuapi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe	AVGBrowserInstaller.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_id.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_th.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\aswEngineConnector.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\sr.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\AVGBrowserQHelper.exe	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_ko.dll	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_sl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\secure.7z	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_kn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_zh-TW.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\browser_proxy.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\browser_proxy.exe	setup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_fi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM197B.tmp\goopdateres_lt.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_ru.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\104.0.18088.103\Locales\sw.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdate.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\psmachine.dll	AVGBrowserUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg-securebrowser-update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
456	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineIdDate = "20220906"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine.1.0\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\http\shell\open\command\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\ = "AVG HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\NumMethods\ = "9"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine\CLSID\ = "{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgHTML\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreClass.1\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\NumMethods\ = "8"	AVGBrowserUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher\CLSID\ = "{E37D9308-A3C0-4EC3-87C5-222235C974E3}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\ = "AVG Browser Plugin"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAF0186F-DA10-4E75-88D7-6BD34F515838}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine.dll"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}\VersionIndependentProgID\ = "AVGUpdate.CoCreateAsync"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\NumMethods\ = "12"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\AvgHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\ = "Google Update Process Launcher Class"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgHTML\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods\ = "5"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ = "IAppCommand"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\ProgID\ = "AVG.OneClickCtrl.9"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{633D953B-278A-4DAC-8E4B-D15296A1C845}\AppID = "{30612A81-C10F-498E-9163-C2B2A3F81A14}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CurVer\ = "AVGUpdate.CoCreateAsync.1.0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\CurVer	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\ = "goopdate CredentialDialog"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\ = "PSFactoryBuffer"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods\ = "7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAF0186F-DA10-4E75-88D7-6BD34F515838}\InprocHandler32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ = "IBrowserHttpRequest2"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	avg-securebrowser-update.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
576	avg_secure_browser_setup.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe
1872	AVGBrowserUpdate.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1872	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1872	AVGBrowserUpdate.exe
Token: 33	1952	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	1952	AVGBrowserInstaller.exe
Token: 33	1760	AVGBrowserCrashHandler.exe
Token: SeIncBasePriorityPrivilege	1760	AVGBrowserCrashHandler.exe
Token: 33	644	AVGBrowserCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	644	AVGBrowserCrashHandler64.exe
Token: SeDebugPrivilege	1872	AVGBrowserUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe
1948	avg-securebrowser-update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1948	576	avg_secure_browser_setup.exe	27
PID 576 wrote to memory of 1836	576	avg_secure_browser_setup.exe	28
PID 576 wrote to memory of 1836	576	avg_secure_browser_setup.exe	28
PID 576 wrote to memory of 1836	576	avg_secure_browser_setup.exe	28
PID 576 wrote to memory of 1836	576	avg_secure_browser_setup.exe	28
PID 1836 wrote to memory of 456	1836	cmd.exe	30
PID 1836 wrote to memory of 456	1836	cmd.exe	30
PID 1836 wrote to memory of 456	1836	cmd.exe	30
PID 1836 wrote to memory of 456	1836	cmd.exe	30
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 1948 wrote to memory of 960	1948	avg-securebrowser-update.exe	31
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 960 wrote to memory of 1872	960	AVGBrowserUpdateSetup.exe	32
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1640	1872	AVGBrowserUpdate.exe	33
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1872 wrote to memory of 1260	1872	AVGBrowserUpdate.exe	34
PID 1260 wrote to memory of 584	1260	AVGBrowserUpdate.exe	35
PID 1260 wrote to memory of 584	1260	AVGBrowserUpdate.exe	35
PID 1260 wrote to memory of 584	1260	AVGBrowserUpdate.exe	35
PID 1260 wrote to memory of 584	1260	AVGBrowserUpdate.exe	35
PID 1260 wrote to memory of 1284	1260	AVGBrowserUpdate.exe	36
PID 1260 wrote to memory of 1284	1260	AVGBrowserUpdate.exe	36
PID 1260 wrote to memory of 1284	1260	AVGBrowserUpdate.exe	36
PID 1260 wrote to memory of 1284	1260	AVGBrowserUpdate.exe	36
PID 1260 wrote to memory of 2012	1260	AVGBrowserUpdate.exe	37
PID 1260 wrote to memory of 2012	1260	AVGBrowserUpdate.exe	37
PID 1260 wrote to memory of 2012	1260	AVGBrowserUpdate.exe	37
PID 1260 wrote to memory of 2012	1260	AVGBrowserUpdate.exe	37
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1076	1872	AVGBrowserUpdate.exe	38
PID 1872 wrote to memory of 1448	1872	AVGBrowserUpdate.exe	39
PID 1872 wrote to memory of 1448	1872	AVGBrowserUpdate.exe	39

C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\nsd6A69.tmp\avg-securebrowser-update.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd6A69.tmp\avg-securebrowser-update.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\nsj983D.tmp\AVGBrowserUpdateSetup.exe
    AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Program Files (x86)\GUM197B.tmp\AVGBrowserUpdate.exe
      "C:\Program Files (x86)\GUM197B.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing"
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1640
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:584
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1284
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:2012
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTIwNy4yIiBzaGVsbF92ZXJzaW9uPSIxLjguMTIwNy4yIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezdCRkUxQURBLUMxQjgtNDAzMi1CNzM2LUJERjY5RkVBNjA2NX0iIGNlcnRfZXhwX2RhdGU9IjIwMjIxMDIwIiB1c2VyaWQ9Ins0Qjc5NEU1Mi00RjE2LTQwMDMtOEM2Ny1EQkMxQ0IwOTVBMzh9IiB1c2VyaWRfZGF0ZT0iMjAyMjA5MDYiIG1hY2hpbmVpZD0ie0YzODM5NkZDLTUxOUYtNDU4Qy1CN0Y3LTkzNDREOEM1RDhDOH0iIG1hY2hpbmVpZF9kYXRlPSIyMDIyMDkwNiIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntFQUYxNkIyRS1COTc2LTQzNzEtOUM3RS04RUY1NDU1QzQxRjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xMjA3LjIiIGxhbmc9ImVuLVVTIiBicmFuZD0iNTEwMSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTcxMCIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1076
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing" /installsource otherinstallcmd /sessionid "{7BFE1ADA-C1B8-4032-B736-BDF69FEA6065}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1448
- - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
    AVGBrowser.exe --heartbeat --install --create-profile
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Enumerates system info in registry
    PID:1508
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=104.0.18088.103 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5937bf0,0x7fef5937c00,0x7fef5937c10
      4⤵
      Executes dropped EXE
      PID:1280
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:2
      4⤵
      Executes dropped EXE
      PID:1632
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1356 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:1420
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1384 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:8
      4⤵
      PID:824
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2040 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:1676
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2056 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:1164
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2628 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:796
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=2740 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:2148
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=2772 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:2452
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2888 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:8
      4⤵
      PID:2644
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:2
      4⤵
      PID:2668
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3848 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:8
      4⤵
      PID:2900
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --display-capture-permissions-policy-allowed --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4976 --field-trial-handle=1188,i,13309201561738971144,6926283754785371811,131072 /prefetch:1
      4⤵
      PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /nobreak /t 10 && del /F /Q C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\timeout.exe
    timeout /nobreak /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:456

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:1580
- C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1001 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --private-browsing --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1001 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --private-browsing --system-level
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    PID:904
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=104.0.18088.103 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13fc49f48,0x13fc49f58,0x13fc49f68
      4⤵
      Executes dropped EXE
      PID:1380
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVG\Browser\Temp\source904_1029537372\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:360
    - - C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\Install\{61498729-8AE1-44FE-8376-6C2115AF0371}\CR_C94D3.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=104.0.18088.103 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13fc49f48,0x13fc49f58,0x13fc49f68
        5⤵
        Executes dropped EXE
        
        PID:860
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler64.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1760

C:\Program Files (x86)\AVG\Browser\Application\104.0.18088.103\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\104.0.18088.103\elevation_service.exe"
1⤵
PID:764

C:\Program Files (x86)\AVG\Browser\Application\104.0.18088.103\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\104.0.18088.103\elevation_service.exe"
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

System Information Discovery