285f523bfc4d03efd65c514c6ffb9802afe2bebf55c7c4a5043c3cc6c1a6d012

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\106.0.18743.104\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\106.0.18743.104\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\106.0.18743.104\\notification_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg-securebrowser-update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg-securebrowser-update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	avg-securebrowser-update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
1944	avg_secure_browser_setup.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
1296	AVGBrowserUpdateSetup.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
896	AVGBrowserUpdate.exe
896	AVGBrowserUpdate.exe
896	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
684	AVGBrowserUpdate.exe
684	AVGBrowserUpdate.exe
684	AVGBrowserUpdate.exe
1676	AVGBrowserUpdateComRegisterShell64.exe
684	AVGBrowserUpdate.exe
684	AVGBrowserUpdate.exe
1992	AVGBrowserUpdateComRegisterShell64.exe
684	AVGBrowserUpdate.exe
684	AVGBrowserUpdate.exe
1976	AVGBrowserUpdateComRegisterShell64.exe
684	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
824	AVGBrowserUpdate.exe
972	AVGBrowserUpdate.exe
972	AVGBrowserUpdate.exe
972	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
972	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
1440	AVGBrowserUpdate.exe
560	AVGBrowserInstaller.exe
1644	setup.exe
1644	setup.exe
1556	setup.exe
1556	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg-securebrowser-update.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\AVAST Software\Avast	avg-securebrowser-update.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	avg-securebrowser-update.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg-securebrowser-update.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_el.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_es-419.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_fr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_zh-TW.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\AVGBrowser.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_ja.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_zh-CN.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_id.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_en-GB.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_iw.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_sw.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\GUM4AE6.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_no.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_ro.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\lv.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_bn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_cs.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_gu.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\npAvgBrowserUpdate3.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\eventlog_provider.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_el.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_hu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\AVGBrowserProtect.exe	setup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_ko.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_uk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateWebPlugin.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\nacl_irt_x86_64.nexe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\resources.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\AVGBrowserQHelper.exe	setup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_ru.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_ja.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\106.0.18743.104.manifest	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\sr.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\Installer\setup.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_gu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe	AVGBrowserInstaller.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\chrome_wer.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\lt.pak	setup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_it.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4AE6.tmp\goopdateres_iw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_ml.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\psmachine.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_es.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\config.def	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\106.0.18743.104\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_fi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\goopdateres_pt-BR.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\master_preferences	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg-securebrowser-update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1176	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineIdDate = "20221023"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ = "IGoogleUpdateCore"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{358EC846-617A-4763-8656-50BF6E0E8AA2}\1.0\0\win32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\106.0.18743.104\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods\ = "45"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ = "IGoogleUpdate"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28E08968-59C8-4A77-BEBA-12C9394AE077}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1207.2\\npAvgBrowserUpdate3.dll"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\AvgHTML	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\http\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\VersionIndependentProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\VersionIndependentProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\ProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAF0186F-DA10-4E75-88D7-6BD34F515838}\InprocHandler32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ = "IPackage"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\http	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BAAD654E-4B50-4C9F-A261-CF29CF884478}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ = "IProcessLauncher2"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher\CurVer\ = "AVGUpdate.ProcessLauncher.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E37D9308-A3C0-4EC3-87C5-222235C974E3}\ = "Google Update Process Launcher Class"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ = "IJobObserver"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32\ = "{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ = "IGoogleUpdate3WebSecurity"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine.1.0\ = "Google Update Broker Class Factory"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1018A8C2-3B2E-405E-BC0F-06AECA5BF715}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ = "IGoogleUpdate3Web"	AVGBrowserUpdate.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	avg-securebrowser-update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	avg-securebrowser-update.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1032	AVGBrowserUpdate.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe
1696	AVGBrowser.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1032	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1032	AVGBrowserUpdate.exe
Token: 33	560	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	560	AVGBrowserInstaller.exe
Token: 33	1772	AVGBrowserCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	1772	AVGBrowserCrashHandler64.exe
Token: 33	1904	AVGBrowserCrashHandler.exe
Token: SeIncBasePriorityPrivilege	1904	AVGBrowserCrashHandler.exe
Token: SeDebugPrivilege	1032	AVGBrowserUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe
936	avg-securebrowser-update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 936	1944	avg_secure_browser_setup.exe	28
PID 1944 wrote to memory of 1628	1944	avg_secure_browser_setup.exe	29
PID 1944 wrote to memory of 1628	1944	avg_secure_browser_setup.exe	29
PID 1944 wrote to memory of 1628	1944	avg_secure_browser_setup.exe	29
PID 1944 wrote to memory of 1628	1944	avg_secure_browser_setup.exe	29
PID 1628 wrote to memory of 1176	1628	cmd.exe	31
PID 1628 wrote to memory of 1176	1628	cmd.exe	31
PID 1628 wrote to memory of 1176	1628	cmd.exe	31
PID 1628 wrote to memory of 1176	1628	cmd.exe	31
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 936 wrote to memory of 1296	936	avg-securebrowser-update.exe	32
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1296 wrote to memory of 1032	1296	AVGBrowserUpdateSetup.exe	33
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 896	1032	AVGBrowserUpdate.exe	34
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 1032 wrote to memory of 684	1032	AVGBrowserUpdate.exe	35
PID 684 wrote to memory of 1676	684	AVGBrowserUpdate.exe	36
PID 684 wrote to memory of 1676	684	AVGBrowserUpdate.exe	36
PID 684 wrote to memory of 1676	684	AVGBrowserUpdate.exe	36
PID 684 wrote to memory of 1676	684	AVGBrowserUpdate.exe	36
PID 684 wrote to memory of 1992	684	AVGBrowserUpdate.exe	37
PID 684 wrote to memory of 1992	684	AVGBrowserUpdate.exe	37
PID 684 wrote to memory of 1992	684	AVGBrowserUpdate.exe	37
PID 684 wrote to memory of 1992	684	AVGBrowserUpdate.exe	37
PID 684 wrote to memory of 1976	684	AVGBrowserUpdate.exe	38
PID 684 wrote to memory of 1976	684	AVGBrowserUpdate.exe	38
PID 684 wrote to memory of 1976	684	AVGBrowserUpdate.exe	38
PID 684 wrote to memory of 1976	684	AVGBrowserUpdate.exe	38
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 824	1032	AVGBrowserUpdate.exe	39
PID 1032 wrote to memory of 972	1032	AVGBrowserUpdate.exe	40
PID 1032 wrote to memory of 972	1032	AVGBrowserUpdate.exe	40

C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\nsiF894.tmp\avg-securebrowser-update.exe
  "C:\Users\Admin\AppData\Local\Temp\nsiF894.tmp\avg-securebrowser-update.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\nst1355.tmp\AVGBrowserUpdateSetup.exe
    AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Program Files (x86)\GUM4AE6.tmp\AVGBrowserUpdate.exe
      "C:\Program Files (x86)\GUM4AE6.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing"
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:896
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1676
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1992
      - C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1976
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTIwNy4yIiBzaGVsbF92ZXJzaW9uPSIxLjguMTIwNy4yIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezE0MkI1QjIxLTYxQTEtNDhFMC1BRDEyLUMyMkY4MEE4NzJEQX0iIGNlcnRfZXhwX2RhdGU9IjIwMjIxMDIwIiB1c2VyaWQ9Ins3RTM2MEM1QS02MTRELTQ3QTEtOUMwNS0xQTA2NzU5N0NFRkR9IiB1c2VyaWRfZGF0ZT0iMjAyMjEwMjMiIG1hY2hpbmVpZD0iezUxQkU1NzRCLUI5RUQtNDRFQi1CMTY5LUJFMzIwMTk2NTk0MX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIyMTAyMyIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins3ODc4RDQ1NC1BQkU0LTRFOTUtODgwMi1GMjcwNTY4RjM1M0N9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xMjA3LjIiIGxhbmc9ImVuLVVTIiBicmFuZD0iNTEwMSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjE5OSIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:824
    - - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=5101&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --private-browsing" /installsource otherinstallcmd /sessionid "{142B5B21-61A1-48E0-AD12-C22F80A872DA}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:972
- - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
    AVGBrowser.exe --heartbeat --install --create-profile
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks for any installed AV software in registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=106.0.18743.104 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5e4a768,0x7fef5e4a778,0x7fef5e4a788
      4⤵
      Executes dropped EXE
      PID:1196
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:2
      4⤵
      Executes dropped EXE
      PID:1964
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1504 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:536
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:8
      4⤵
      PID:1592
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2664 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:1
      4⤵
      PID:584
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2680 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:1
      4⤵
      PID:896
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:8
      4⤵
      PID:2236
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:1
      4⤵
      PID:2248
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1428,i,9494824267874898069,17157393428668420583,131072 /prefetch:8
      4⤵
      PID:2632
- - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
    AVGBrowser.exe --silent-launch
    3⤵
    PID:2864
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=106.0.18743.104 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cfa768,0x7fef5cfa778,0x7fef5cfa788
      4⤵
      PID:2880
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1384,i,10248439511342590109,7859380861096698652,131072 /prefetch:2
      4⤵
      PID:3020
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1456 --field-trial-handle=1384,i,10248439511342590109,7859380861096698652,131072 /prefetch:8
      4⤵
      PID:2244
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1384,i,10248439511342590109,7859380861096698652,131072 /prefetch:8
      4⤵
      PID:2228
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
      4⤵
      PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /nobreak /t 10 && del /F /Q C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    timeout /nobreak /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:1176

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1440
- C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1001 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --private-browsing --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1001 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --private-browsing --system-level
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1644
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=106.0.18743.104 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13f5d4290,0x13f5d42a0,0x13f5d42b0
      4⤵
      Executes dropped EXE
      PID:1912
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVG\Browser\Temp\source1644_1252028897\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1556
    - - C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\Install\{4C54AA06-A37F-4D9A-9EF2-1C8122C91E9D}\CR_CF7AD.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=106.0.18743.104 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13f5d4290,0x13f5d42a0,0x13f5d42b0
        5⤵
        Executes dropped EXE
        
        PID:1728
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler64.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1207.2\AVGBrowserCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1568

C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe"
1⤵
PID:2392

C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe"
1⤵
PID:2204

C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\106.0.18743.104\elevation_service.exe"
1⤵
PID:2528

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=106.0.18743.104 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cfa768,0x7fef5cfa778,0x7fef5cfa788
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

System Information Discovery