ac17339c53c46b70cd7786ad38273d8b3ce60ed0e3c6b621cb8b2f14810df26f

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\ = "Avast Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\StubPath = "\"C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\110.0.20395.178\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A8504530-742B-42BC-895D-2BAD6406F698}\Localized Name = "Avast Secure Browser"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastBrowserUpdate.exe	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AvastBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aj9988.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AvastBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AvastBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aj9988.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	avast_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	aj9988.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowserUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	AvastBrowser.exe

Executes dropped EXE 35 IoCs

pid	Process
4792	aj9988.exe
1900	AvastBrowserUpdateSetup.exe
3412	AvastBrowserUpdate.exe
1044	AvastBrowserUpdate.exe
1976	AvastBrowserUpdate.exe
2848	AvastBrowserUpdateComRegisterShell64.exe
3780	AvastBrowserUpdateComRegisterShell64.exe
2252	AvastBrowserUpdateComRegisterShell64.exe
64	AvastBrowserUpdate.exe
2724	AvastBrowserUpdate.exe
816	AvastBrowserUpdate.exe
4500	AvastBrowserInstaller.exe
8	setup.exe
3060	setup.exe
4560	setup.exe
1004	setup.exe
4744	AvastBrowser.exe
3372	AvastBrowser.exe
1232	setup.exe
4884	setup.exe
1560	AvastBrowserCrashHandler.exe
4968	AvastBrowserCrashHandler64.exe
812	AvastBrowser.exe
2176	AvastBrowser.exe
3920	AvastBrowser.exe
3892	AvastBrowser.exe
1120	AvastBrowser.exe
4832	elevation_service.exe
4008	AvastBrowser.exe
1036	AvastBrowser.exe
4548	AvastBrowser.exe
844	AvastBrowser.exe
4348	elevation_service.exe
3108	AvastBrowser.exe
4400	AvastBrowser.exe

Loads dropped DLL 59 IoCs

pid	Process
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
3412	AvastBrowserUpdate.exe
1044	AvastBrowserUpdate.exe
1976	AvastBrowserUpdate.exe
2848	AvastBrowserUpdateComRegisterShell64.exe
1976	AvastBrowserUpdate.exe
3780	AvastBrowserUpdateComRegisterShell64.exe
1976	AvastBrowserUpdate.exe
2252	AvastBrowserUpdateComRegisterShell64.exe
1976	AvastBrowserUpdate.exe
3412	AvastBrowserUpdate.exe
3412	AvastBrowserUpdate.exe
64	AvastBrowserUpdate.exe
2724	AvastBrowserUpdate.exe
816	AvastBrowserUpdate.exe
816	AvastBrowserUpdate.exe
2724	AvastBrowserUpdate.exe
816	AvastBrowserUpdate.exe
4744	AvastBrowser.exe
3372	AvastBrowser.exe
4792	aj9988.exe
812	AvastBrowser.exe
2176	AvastBrowser.exe
812	AvastBrowser.exe
3920	AvastBrowser.exe
3892	AvastBrowser.exe
3920	AvastBrowser.exe
3892	AvastBrowser.exe
1120	AvastBrowser.exe
1120	AvastBrowser.exe
3920	AvastBrowser.exe
3920	AvastBrowser.exe
3920	AvastBrowser.exe
3920	AvastBrowser.exe
3920	AvastBrowser.exe
4008	AvastBrowser.exe
4008	AvastBrowser.exe
4548	AvastBrowser.exe
1036	AvastBrowser.exe
4548	AvastBrowser.exe
1036	AvastBrowser.exe
844	AvastBrowser.exe
844	AvastBrowser.exe
3108	AvastBrowser.exe
3108	AvastBrowser.exe
4400	AvastBrowser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\110.0.20395.178\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\110.0.20395.178\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32	AvastBrowserUpdateComRegisterShell64.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	AvastBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj9988.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\AVAST Software\Avast	aj9988.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	aj9988.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aj9988.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AvastBrowser.exe
File opened for modification	\??\PhysicalDrive0	aj9988.exe
File opened for modification	\??\PhysicalDrive0	AvastBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Application\SetupMetrics\32db4221-b5ec-4ff5-9b77-8a55b4859ba9.tmp	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\@PaxHeader	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_sr.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Download\{A8504530-742B-42BC-895D-2BAD6406F698}\110.0.20395.178\AvastBrowserInstaller.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\sr.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_hi.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\lt.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\chrome.dll	setup.exe
File opened for modification	C:\Program Files (x86)\AVAST Software\Browser\Application\master_preferences	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\chrome_200_percent.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_am.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_pl.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdate.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_te.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserUpdateBroker.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\psuser.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_bn.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\npAvastBrowserUpdate3.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_sl.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\psuser_64.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\resources.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_ca.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_ko.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateWebPlugin.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_ms.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_pt-BR.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_ta.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_et.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_fa.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateBroker.exe	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_el.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_hu.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_vi.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\SETUP.EX_	AvastBrowserInstaller.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_en.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_en-GB.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_sk.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_ar.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserUpdateSetup.exe	AvastBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserUpdateSetup.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\goopdateres_bg.dll	AvastBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserCrashHandler.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\AvastBrowserQHelper.exe	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserCrashHandler64.exe	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_et.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_hi.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM4B32.tmp\goopdateres_sk.dll	AvastBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\110.0.20395.178\browser_crash_reporter.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj9988.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AvastBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AvastBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AvastBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj9988.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AvastBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AvastBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AvastBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\AppPath = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3"	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\Policy = "3"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\AppName = "AvastBrowserUpdateBroker.exe"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\AppPath = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3"	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62593C70-ACF0-44CC-8716-990919D46A85}\Policy = "3"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4424021B-831C-4F50-A74F-1AF30ADA650C}\AppName = "AvastBrowserUpdateWebPlugin.exe"	AvastBrowserUpdate.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\hostprefix	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\MachineIdDate = "20230317"	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser	AvastBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\devmode = "0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\endpoint = "update.avastbrowser.com"	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVAST Software\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AvastBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDCF02F-B457-36D7-9215-FBE3FFC929BC}\VersionIndependentProgID\ = "AvastUpdate.CoCreateAsync"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods\ = "4"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99F8769E-4FE9-3A40-9D6D-5424B8AC9F57}\InprocServer32\ThreadingModel = "Both"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ProxyStubClsid32	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ = "ICoCreateAsync"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{CD12DA4E-0EDF-4193-9764-C4704AB9DEEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\NumMethods\ = "10"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\https\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9812D869-B696-40B5-91ED-514C32E7991D}\InprocHandler32\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\psmachine_64.dll"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods\ = "10"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E069908-8F93-3597-B83F-9FEB9694421C}\Elevation\IconReference = "@C:\\Program Files (x86)\\AVAST Software\\Browser\\Update\\1.8.1579.3\\goopdate.dll,-1004"	AvastBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\https\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.OnDemandCOMClassSvc.1.0	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC16F80-6C27-4585-83D0-A8493082C9E3}\InProcServer32\ThreadingModel = "Both"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ = "IAppBundle"	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5AB71627-A1C4-35E8-975E-327931339608}\LocalService = "avastm"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreClass.1\ = "Google Update Core Class"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDCF02F-B457-36D7-9215-FBE3FFC929BC}\ProgID\ = "AvastUpdate.CoCreateAsync.1.0"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9812D869-B696-40B5-91ED-514C32E7991D}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.MiscUtils\CurVer	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.OnDemandCOMClassMachineFallback	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\DefaultIcon\ = "C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\AvastBrowser.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE1DAAE-30B4-3140-9BE6-40A47E9D3588}\ProgID\ = "AvastUpdate.CredentialDialogMachine.1.0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CEA41856-DAAB-4EE7-9731-0DB1BCD5E0F4}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\110.0.20395.178\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.Update3COMClassService\CurVer\ = "AvastUpdate.Update3COMClassService.1.0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreClass.1\CLSID\ = "{D7EECC1B-3003-303A-B4DA-8E8F5A85F13C}"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ = "ICoCreateAsyncStatus"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\https	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\.xhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ = "IAppBundle"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\NumMethods\ = "4"	AvastBrowserUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{493E9335-D965-3F74-9338-05A59D304768}\Elevation\Enabled = "1"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62593C70-ACF0-44CC-8716-990919D46A85}\ProgID\ = "Avast.Update3WebControl.3"	AvastBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E069908-8F93-3597-B83F-9FEB9694421C}\VersionIndependentProgID\ = "AvastUpdate.Update3WebMachineFallback"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastUpdate.CoreMachineClass\ = "Google Update Core Class"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E069908-8F93-3597-B83F-9FEB9694421C}\ProgID\ = "AvastUpdate.Update3WebMachineFallback.1.0"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{3DC16F80-6C27-4585-83D0-A8493082C9E3}"	AvastBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods	AvastBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ = "IAppCommand"	AvastBrowserUpdate.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj9988.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj9988.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj9988.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj9988.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	aj9988.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
4792	aj9988.exe
4792	aj9988.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe
4792	aj9988.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
812	AvastBrowser.exe
812	AvastBrowser.exe
812	AvastBrowser.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	AvastBrowserUpdate.exe
Token: SeDebugPrivilege	3412	AvastBrowserUpdate.exe
Token: SeDebugPrivilege	3412	AvastBrowserUpdate.exe
Token: 33	4500	AvastBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	4500	AvastBrowserInstaller.exe
Token: SeDebugPrivilege	3412	AvastBrowserUpdate.exe
Token: SeIncreaseQuotaPrivilege	4792	aj9988.exe
Token: SeShutdownPrivilege	812	AvastBrowser.exe
Token: SeCreatePagefilePrivilege	812	AvastBrowser.exe
Token: SeShutdownPrivilege	812	AvastBrowser.exe
Token: SeCreatePagefilePrivilege	812	AvastBrowser.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4744	AvastBrowser.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
1776	avast_secure_browser_setup.exe
4792	aj9988.exe
1776	avast_secure_browser_setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4792	1776	avast_secure_browser_setup.exe	90
PID 1776 wrote to memory of 4792	1776	avast_secure_browser_setup.exe	90
PID 1776 wrote to memory of 4792	1776	avast_secure_browser_setup.exe	90
PID 4792 wrote to memory of 1900	4792	aj9988.exe	100
PID 4792 wrote to memory of 1900	4792	aj9988.exe	100
PID 4792 wrote to memory of 1900	4792	aj9988.exe	100
PID 1900 wrote to memory of 3412	1900	AvastBrowserUpdateSetup.exe	101
PID 1900 wrote to memory of 3412	1900	AvastBrowserUpdateSetup.exe	101
PID 1900 wrote to memory of 3412	1900	AvastBrowserUpdateSetup.exe	101
PID 3412 wrote to memory of 1044	3412	AvastBrowserUpdate.exe	102
PID 3412 wrote to memory of 1044	3412	AvastBrowserUpdate.exe	102
PID 3412 wrote to memory of 1044	3412	AvastBrowserUpdate.exe	102
PID 3412 wrote to memory of 1976	3412	AvastBrowserUpdate.exe	103
PID 3412 wrote to memory of 1976	3412	AvastBrowserUpdate.exe	103
PID 3412 wrote to memory of 1976	3412	AvastBrowserUpdate.exe	103
PID 1976 wrote to memory of 2848	1976	AvastBrowserUpdate.exe	104
PID 1976 wrote to memory of 2848	1976	AvastBrowserUpdate.exe	104
PID 1976 wrote to memory of 3780	1976	AvastBrowserUpdate.exe	105
PID 1976 wrote to memory of 3780	1976	AvastBrowserUpdate.exe	105
PID 1976 wrote to memory of 2252	1976	AvastBrowserUpdate.exe	106
PID 1976 wrote to memory of 2252	1976	AvastBrowserUpdate.exe	106
PID 3412 wrote to memory of 64	3412	AvastBrowserUpdate.exe	107
PID 3412 wrote to memory of 64	3412	AvastBrowserUpdate.exe	107
PID 3412 wrote to memory of 64	3412	AvastBrowserUpdate.exe	107
PID 3412 wrote to memory of 2724	3412	AvastBrowserUpdate.exe	108
PID 3412 wrote to memory of 2724	3412	AvastBrowserUpdate.exe	108
PID 3412 wrote to memory of 2724	3412	AvastBrowserUpdate.exe	108
PID 816 wrote to memory of 4500	816	AvastBrowserUpdate.exe	110
PID 816 wrote to memory of 4500	816	AvastBrowserUpdate.exe	110
PID 4500 wrote to memory of 8	4500	AvastBrowserInstaller.exe	112
PID 4500 wrote to memory of 8	4500	AvastBrowserInstaller.exe	112
PID 8 wrote to memory of 3060	8	setup.exe	113
PID 8 wrote to memory of 3060	8	setup.exe	113
PID 8 wrote to memory of 4560	8	setup.exe	114
PID 8 wrote to memory of 4560	8	setup.exe	114
PID 4560 wrote to memory of 1004	4560	setup.exe	115
PID 4560 wrote to memory of 1004	4560	setup.exe	115
PID 4560 wrote to memory of 4744	4560	setup.exe	117
PID 4560 wrote to memory of 4744	4560	setup.exe	117
PID 4560 wrote to memory of 3372	4560	setup.exe	118
PID 4560 wrote to memory of 3372	4560	setup.exe	118
PID 8 wrote to memory of 1232	8	setup.exe	119
PID 8 wrote to memory of 1232	8	setup.exe	119
PID 1232 wrote to memory of 4884	1232	setup.exe	120
PID 1232 wrote to memory of 4884	1232	setup.exe	120
PID 816 wrote to memory of 1560	816	AvastBrowserUpdate.exe	121
PID 816 wrote to memory of 1560	816	AvastBrowserUpdate.exe	121
PID 816 wrote to memory of 1560	816	AvastBrowserUpdate.exe	121
PID 816 wrote to memory of 4968	816	AvastBrowserUpdate.exe	122
PID 816 wrote to memory of 4968	816	AvastBrowserUpdate.exe	122
PID 812 wrote to memory of 2176	812	AvastBrowser.exe	125
PID 812 wrote to memory of 2176	812	AvastBrowser.exe	125
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126
PID 812 wrote to memory of 3920	812	AvastBrowser.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\aj9988.exe
  "C:\Users\Admin\AppData\Local\Temp\aj9988.exe" /relaunch=8 /was_elevated=1 /tagdata
  2⤵
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\nsc9B5C.tmp\AvastBrowserUpdateSetup.exe
    AvastBrowserUpdateSetup.exe /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6502&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserUpdate.exe
      "C:\Program Files (x86)\GUM4B32.tmp\AvastBrowserUpdate.exe" /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6502&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing"
      4⤵
      Sets file execution options in registry
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1044
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2848
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3780
      - C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2252
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIyRDhERH0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTU3OS4zIiBzaGVsbF92ZXJzaW9uPSIxLjguMTU3OS4zIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezVGOENGNEMzLTAwRTctNEFFQy04NzUzLTc4REFBN0E3NzY3OX0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Ins4OTA0RDY0Mi04REE3LTQ2RjgtQTBGMy1CNkU5NjNEQzFCOTl9IiB1c2VyaWRfZGF0ZT0iMjAyMzAzMTciIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMDMxNyIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntFQzY0RTc3NC03NjBDLTQ2RDgtQTgxOC00MkY5ODExNDc4NzR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIyRDhERH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNTc5LjMiIGxhbmc9ImVuLVVTIiBicmFuZD0iNjUwMiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTc2NiIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:64
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /handoff "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6502&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{5F8CF4C3-00E7-4AEC-8753-78DAA7A77679}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2724
- - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
    AvastBrowser.exe --heartbeat --install --create-profile
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=110.0.20395.178 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a814ab78,0x7ff9a814ab88,0x7ff9a814ab98
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2176
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3920
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1120
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1796 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3892
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3396 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4008
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3416 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1036
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3632 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:844
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4548
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4260 --field-trial-handle=1928,i,12365612415251103167,11335447740535542957,131072 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3108
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\Avast Secure Browser.lnk"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4400
- - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
    AvastBrowser.exe --silent-launch
    3⤵
    PID:2028
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=110.0.20395.178 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a814ab78,0x7ff9a814ab88,0x7ff9a814ab98
      4⤵
      PID:228
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=2016,i,2632188252342207041,1692597480688108624,131072 /prefetch:2
      4⤵
      PID:3496
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2088 --field-trial-handle=2016,i,2632188252342207041,1692597480688108624,131072 /prefetch:8
      4⤵
      PID:4784
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1892 --field-trial-handle=2016,i,2632188252342207041,1692597480688108624,131072 /prefetch:8
      4⤵
      PID:1320
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3608 --field-trial-handle=2016,i,2632188252342207041,1692597480688108624,131072 /prefetch:1
      4⤵
      PID:1200
  - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3616 --field-trial-handle=2016,i,2632188252342207041,1692597480688108624,131072 /prefetch:1
      4⤵
      PID:4736

C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
"C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:816
- C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\AvastBrowserInstaller.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\AvastBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
    "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1 --default-search=google.com --adblock-mode-default=1 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --private-browsing --system-level
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=110.0.20395.178 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7a0a69950,0x7ff7a0a69960,0x7ff7a0a69970
      4⤵
      Executes dropped EXE
      PID:3060
  - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVAST Software\Browser\Temp\source8_86674973\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=110.0.20395.178 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7a0a69950,0x7ff7a0a69960,0x7ff7a0a69970
        5⤵
        Executes dropped EXE
        
        PID:1004
    - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=shortcut-pin-helper /prefetch:8 taskbarpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Secure Browser.lnk"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4744
    - - C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Secure Browser.lnk"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3372
  - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
      "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --system-level --make-chrome-default-helper --user-data-dir="C:\Users\Admin\AppData\Local\AVAST Software\Browser\User Data" --module-dir="C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp" "Avast Secure Browser"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe
        
        "C:\Program Files (x86)\AVAST Software\Browser\Update\Install\{03772D83-E4AC-4931-9C8D-4992C9B8DC86}\CR_F4BB1.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=Avast --annotation=ver=110.0.20395.178 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7a0a69950,0x7ff7a0a69960,0x7ff7a0a69970
        5⤵
        Executes dropped EXE
        
        PID:4884
- C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserCrashHandler.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserCrashHandler64.exe
  "C:\Program Files (x86)\AVAST Software\Browser\Update\1.8.1579.3\AvastBrowserCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  PID:4968

C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe
"C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4832

C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe
"C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4348

C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe
"C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe"
1⤵
PID:1552

C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe
"C:\Program Files (x86)\AVAST Software\Browser\Application\110.0.20395.178\elevation_service.exe"
1⤵
PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

System Information Discovery