dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.24252.121\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

aj173B.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exedbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	aj173B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

aj173B.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exesetup.exeAVGBrowserCrashHandler.exeAVGBrowserCrashHandler64.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
2292	aj173B.exe
2720	AVGBrowserUpdateSetup.exe
324	AVGBrowserUpdate.exe
960	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2664	AVGBrowserUpdateComRegisterShell64.exe
2756	AVGBrowserUpdateComRegisterShell64.exe
2700	AVGBrowserUpdateComRegisterShell64.exe
2880	AVGBrowserUpdate.exe
2988	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
408	AVGBrowserInstaller.exe
1508	setup.exe
1300	setup.exe
2460	AVGBrowserCrashHandler.exe
2548	AVGBrowserCrashHandler64.exe
2644	AVGBrowser.exe
1608	AVGBrowser.exe
2080	AVGBrowser.exe
1876	AVGBrowser.exe
1784	AVGBrowser.exe
476
2756	elevation_service.exe
1892	AVGBrowser.exe
348	AVGBrowser.exe
1548	AVGBrowser.exe
2776	AVGBrowser.exe
804	elevation_service.exe
308	AVGBrowser.exe
2156	AVGBrowser.exe
408	AVGBrowser.exe
2764	AVGBrowser.exe
1436	AVGBrowser.exe
2992	AVGBrowser.exe
1608	AVGBrowser.exe
1856	elevation_service.exe
2388	elevation_service.exe
908	AVGBrowser.exe
1196	AVGBrowser.exe
2868	AVGBrowser.exe
2564	AVGBrowser.exe
572	AVGBrowser.exe
2424	AVGBrowser.exe
2496	AVGBrowser.exe
2124	AVGBrowser.exe
1772	AVGBrowser.exe
1176	AVGBrowser.exe
2880	AVGBrowser.exe
1940	AVGBrowser.exe
2008	AVGBrowser.exe
1856	AVGBrowser.exe
2316	AVGBrowser.exe
1564	AVGBrowser.exe
2724	AVGBrowser.exe
1764	AVGBrowser.exe
1520	AVGBrowser.exe
1312	AVGBrowser.exe
956	AVGBrowser.exe
2600	AVGBrowser.exe
928	AVGBrowser.exe
284	AVGBrowser.exe
1808	AVGBrowser.exe
2692	AVGBrowser.exe
652	AVGBrowser.exe

Loads dropped DLL 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj173B.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exe

pid	process
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2720	AVGBrowserUpdateSetup.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
960	AVGBrowserUpdate.exe
960	AVGBrowserUpdate.exe
960	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2664	AVGBrowserUpdateComRegisterShell64.exe
2492	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2756	AVGBrowserUpdateComRegisterShell64.exe
2492	AVGBrowserUpdate.exe
2492	AVGBrowserUpdate.exe
2700	AVGBrowserUpdateComRegisterShell64.exe
2492	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
324	AVGBrowserUpdate.exe
2880	AVGBrowserUpdate.exe
2988	AVGBrowserUpdate.exe
2988	AVGBrowserUpdate.exe
2988	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2988	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
408	AVGBrowserInstaller.exe
1508	setup.exe
1508	setup.exe
1508	setup.exe
2760	AVGBrowserUpdate.exe
2760	AVGBrowserUpdate.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

AVGBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj173B.exeAVGBrowser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\AVAST Software\Avast	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	aj173B.exe
Key opened	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\AVAST Software\Avast	aj173B.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aj173B.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aj173B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aj173B.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

aj173B.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aj173B.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeAVGBrowser.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\mimic.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\master_preferences	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_714264741\manifest.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1309162687\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_te.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-PT.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\gu.pak	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1042353592\LICENSE	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1749241042\manifest.json	AVGBrowser.exe
File opened for modification	C:\Program Files (x86)\GUM2424.tmp\AVGBrowserUpdateSetup.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\psuser.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\chrome_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\ml.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\th.pak	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_729818498\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM2424.tmp\AVGBrowserUpdateCore.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_pt-PT.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_uk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_iw.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\browser_proxy.exe	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1042353592\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM2424.tmp\AVGBrowserUpdateBroker.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_tr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ml.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\Installer\setup.exe	setup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\psuser.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\chrome.dll.sig	setup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\psmachine_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_fa.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_fil.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\hi.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\ru.pak	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1749241042\manifest.fingerprint	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_et.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_fi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_no.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_sv.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fil.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_nl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\GUM2424.tmp\goopdateres_sr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_th.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sv.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\109.0.24252.121\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source1508_859648173\Safer-bin\109.0.24252.121\Locales\lt.pak	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping408_1042353592\crl-set	AVGBrowser.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\psuser_64.dll	AVGBrowserUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineIdDate = "20240620"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineId = "00009bb098663592a3a6086bcc2909e7"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exesetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ = "IGoogleUpdateCore"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\ApplicationDescription = "Access the Internet"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CurVer\ = "AVGUpdate.Update3WebSvc.1.0"	AVGBrowserUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgHTML\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass.1\CLSID\ = "{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\NumMethods\ = "8"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E37D9308-A3C0-4EC3-87C5-222235C974E3}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\AVGBrowserUpdateOnDemand.exe\""	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3COMClassService\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\Elevation\IconReference = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\goopdate.dll,-1004"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ = "IAppCommandWeb"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.xhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods\ = "6"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ = "IAppVersionWeb"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ = "IProcessLauncher"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Implemented Categories	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.24252.121\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.xht\ = "AvgHTML"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID\ = "AVGUpdate.CoreClass"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ = "IGoogleUpdate3WebSecurity"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ = "IAppBundleWeb"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine\CLSID\ = "{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\InprocServer32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ = "IGoogleUpdate3WebSecurity"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine.dll"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine.dll"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ = "IGoogleUpdate"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ = "IAppCommandWeb"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\CurVer	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

aj173B.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj173B.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj173B.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	aj173B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	aj173B.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	aj173B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	aj173B.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj173B.exe

pid	process
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2292	aj173B.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2292	aj173B.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2292	aj173B.exe
2292	aj173B.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserInstaller.exeAVGBrowser.exeAVGBrowser.exe

description	pid	process
Token: SeDebugPrivilege	324	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	324	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	324	AVGBrowserUpdate.exe
Token: 33	408	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	408	AVGBrowserInstaller.exe
Token: SeDebugPrivilege	324	AVGBrowserUpdate.exe
Token: SeShutdownPrivilege	2644	AVGBrowser.exe
Token: SeShutdownPrivilege	2644	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe
Token: SeShutdownPrivilege	408	AVGBrowser.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

pid process

2860 dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj173B.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exe

description	pid	process	target process
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2860 wrote to memory of 2292	2860	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj173B.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2292 wrote to memory of 2720	2292	aj173B.exe	AVGBrowserUpdateSetup.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 2720 wrote to memory of 324	2720	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 960	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2492	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 2492 wrote to memory of 2664	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2664	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2664	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2664	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2756	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2756	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2756	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2756	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2700	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2700	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2700	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 2492 wrote to memory of 2700	2492	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2880	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 324 wrote to memory of 2988	324	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 2760 wrote to memory of 408	2760	AVGBrowserUpdate.exe	AVGBrowserInstaller.exe
PID 2760 wrote to memory of 408	2760	AVGBrowserUpdate.exe	AVGBrowserInstaller.exe
PID 2760 wrote to memory of 408	2760	AVGBrowserUpdate.exe	AVGBrowserInstaller.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
"C:\Users\Admin\AppData\Local\Temp\dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\aj173B.exe
"C:\Users\Admin\AppData\Local\Temp\aj173B.exe" /relaunch=8 /was_elevated=1 /tagdata
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\nso18E0.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2720

C:\Program Files (x86)\GUM2424.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM2424.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome"
4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:960

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2756

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2700

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezg3MUZBOUVGLTQxQUEtNEQ2OS04Mjc0LUQyMUNBNjVBN0I2N30iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9InszOENDRDY2Ni1BOTJGLTQyMjMtOTAxQS1FNUVCNTQxNERDMDh9IiB1c2VyaWRfZGF0ZT0iMjAyNDA2MjAiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDYyMCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins1OTRDQjg3QS01RTE2LTQ2OTctOEMwMy1GQjlCRjAyNjI2RDB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTI0OSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNzM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Diexplore --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{871FA9EF-41AA-4D69-8274-D21CA65A7B67}" /silent
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5fd6b78,0x7fef5fd6b88,0x7fef5fd6b98
4⤵
- Executes dropped EXE
PID:1608

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:2
4⤵
- Executes dropped EXE
PID:2080

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1508 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1876

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1624 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1784

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2392 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2400 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:348

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1548

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2776

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2948 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:308

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1244,i,12211304155368368696,15987817628437195418,131072 /prefetch:2
4⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5e76b78,0x7fef5e76b88,0x7fef5e76b98
4⤵
- Executes dropped EXE
PID:2764

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1208 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:2
4⤵
- Executes dropped EXE
PID:1436

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1484 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1572 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1608

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2568 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:908

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2672 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1196

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1312 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:2
4⤵
- Executes dropped EXE
PID:2868

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
4⤵
- Executes dropped EXE
PID:2564

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5e76b78,0x7fef5e76b88,0x7fef5e76b98
5⤵
- Executes dropped EXE
PID:572

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2424

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2496

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3816 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4164 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1772

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4024 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2880

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1940

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4060 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4120 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1856

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3884 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2316

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4164 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4072 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2724

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1764

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3940 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1312

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:956

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4160 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:928

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3780 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:284

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:1808

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
- Executes dropped EXE
PID:652

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2328

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2836

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:1116

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4076 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2008

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2888

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3264

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4056 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3392

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3940

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2336

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2736

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3980 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2980

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4076 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2624

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3188

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2736

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3176

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:1004

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1020 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:4020

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1132 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3128

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1004 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2720

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3380 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3468

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2044 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3800

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=660 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:3316

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1120 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:1804

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1752 --field-trial-handle=1216,i,5737140567510289632,9476407528099430638,131072 /prefetch:8
4⤵
PID:2728

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --system-level
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\CR_B3C0B.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\CR_B3C0B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\CR_B3C0B.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=iexplore --import-cookies --auto-launch-chrome --system-level
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:1508

C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\CR_B3C0B.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{84766CAD-296A-493B-BB66-8257C950A1C6}\CR_B3C0B.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x1403e7c40,0x1403e7c50,0x1403e7c60
4⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:2460

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
- Executes dropped EXE
PID:2548

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:804

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1856

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery