dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files\\AVG\\Browser\\Application\\125.0.25426.176\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exedbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj6D82.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	aj6D82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

aj6D82.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exesetup.exeAVGBrowserCrashHandler.exeAVGBrowserCrashHandler64.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
3344	aj6D82.exe
3180	AVGBrowserUpdateSetup.exe
1988	AVGBrowserUpdate.exe
4260	AVGBrowserUpdate.exe
768	AVGBrowserUpdate.exe
2516	AVGBrowserUpdateComRegisterShell64.exe
1264	AVGBrowserUpdateComRegisterShell64.exe
3860	AVGBrowserUpdateComRegisterShell64.exe
2352	AVGBrowserUpdate.exe
2468	AVGBrowserUpdate.exe
1848	AVGBrowserUpdate.exe
2896	AVGBrowserInstaller.exe
4084	setup.exe
1308	setup.exe
5064	AVGBrowserCrashHandler.exe
596	AVGBrowserCrashHandler64.exe
1460	AVGBrowser.exe
648	AVGBrowser.exe
4144	AVGBrowser.exe
3312	AVGBrowser.exe
784	AVGBrowser.exe
4260	elevation_service.exe
2376	AVGBrowser.exe
3676	AVGBrowser.exe
2512	AVGBrowser.exe
360	AVGBrowser.exe
2504	elevation_service.exe
2004	AVGBrowser.exe
352	AVGBrowser.exe
4484	AVGBrowser.exe
1876	AVGBrowser.exe
4300	AVGBrowser.exe
1604	AVGBrowser.exe
2616	elevation_service.exe
620	elevation_service.exe
3360	AVGBrowser.exe
216	AVGBrowser.exe
3076	AVGBrowser.exe
5056	AVGBrowser.exe
4492	AVGBrowser.exe
4148	AVGBrowser.exe
2680	AVGBrowser.exe
4612	AVGBrowser.exe
3604	AVGBrowser.exe
4956	AVGBrowser.exe
4108	AVGBrowser.exe
4952	AVGBrowser.exe
4256	AVGBrowser.exe
2384	AVGBrowser.exe
2308	AVGBrowser.exe
5080	AVGBrowser.exe
2584	AVGBrowser.exe
2928	AVGBrowser.exe
2400	AVGBrowser.exe
876	AVGBrowser.exe
2992	AVGBrowser.exe
380	AVGBrowser.exe
2492	AVGBrowser.exe
4732	AVGBrowser.exe
2792	AVGBrowser.exe
4956	AVGBrowser.exe
5028	AVGBrowser.exe
592	AVGBrowser.exe
5356	AVGBrowser.exe

Loads dropped DLL 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj6D82.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
1988	AVGBrowserUpdate.exe
4260	AVGBrowserUpdate.exe
768	AVGBrowserUpdate.exe
2516	AVGBrowserUpdateComRegisterShell64.exe
768	AVGBrowserUpdate.exe
1264	AVGBrowserUpdateComRegisterShell64.exe
768	AVGBrowserUpdate.exe
3860	AVGBrowserUpdateComRegisterShell64.exe
768	AVGBrowserUpdate.exe
1988	AVGBrowserUpdate.exe
1988	AVGBrowserUpdate.exe
2352	AVGBrowserUpdate.exe
2468	AVGBrowserUpdate.exe
1848	AVGBrowserUpdate.exe
1848	AVGBrowserUpdate.exe
2468	AVGBrowserUpdate.exe
1848	AVGBrowserUpdate.exe
3344	aj6D82.exe
1460	AVGBrowser.exe
648	AVGBrowser.exe
1460	AVGBrowser.exe
1460	AVGBrowser.exe
4144	AVGBrowser.exe
3312	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
784	AVGBrowser.exe
3312	AVGBrowser.exe
3312	AVGBrowser.exe
784	AVGBrowser.exe
784	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
4144	AVGBrowser.exe
2376	AVGBrowser.exe
2512	AVGBrowser.exe
2376	AVGBrowser.exe
2376	AVGBrowser.exe
2512	AVGBrowser.exe
2512	AVGBrowser.exe
3676	AVGBrowser.exe
3676	AVGBrowser.exe
3676	AVGBrowser.exe
360	AVGBrowser.exe
360	AVGBrowser.exe
360	AVGBrowser.exe
2004	AVGBrowser.exe
2004	AVGBrowser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

AVGBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

aj6D82.exeAVGBrowser.exeAVGBrowser.exedbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj6D82.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\SOFTWARE\AVAST Software\Avast	aj6D82.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\SOFTWARE\AVAST Software\Avast	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aj6D82.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aj6D82.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aj6D82.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeaj6D82.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	aj6D82.exe

Drops file in Program Files directory 64 IoCs

Processes:

AVGBrowserUpdate.exesetup.exeAVGBrowserUpdateSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_ru.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\sl.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\initial_preferences	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_pt-BR.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_lt.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\psmachine_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_hu.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\es.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\sk.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\resources.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\setup_helper_syslib.dll	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_cs.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_ms.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_sw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\AVGBrowserUpdateBroker.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\ffmpeg.dll	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\psuser_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\af.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\lt.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Application\SetupMetrics\d8d70ab0-ae1c-44b4-93a3-f445c78ddf0b.tmp	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_nl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_no.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_sk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_tr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateHelper.msi	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\browser_crash_reporter.exe	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_fil.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_th.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_da.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\dxil.dll	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_ar.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_es-419.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_fa.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files\AVG\Browser\Application\SetupMetrics\4084_13363399542614838.pma	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_en.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_en-GB.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\psmachine.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_is.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-PT.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\acuapi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_it.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\AVGBrowserUpdateCore.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\psmachine_64.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\am.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\GUM7A8F.tmp\AVGBrowserUpdateSetup.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_mr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\GUM7A8F.tmp\goopdateres_ur.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\cs.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source4084_1768216644\Safer-bin\125.0.25426.176\Locales\ko.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AVGBrowser.exeaj6D82.exeAVGBrowser.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6D82.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6D82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowser.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633997486398985"	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20240620"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exesetup.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ = "ICurrentState"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\ProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ = "IAppVersion"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\Elevation\Enabled = "1"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}\LocalServer32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\ = "AVG Browser Plugin"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\ = "Interface {358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ = "IGoogleUpdateCore"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ = "IProcessLauncher"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\NumMethods\ = "41"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{358EC846-617A-4763-8656-50BF6E0E8AA2}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ = "IJobObserver"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\NumMethods\ = "41"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\NumMethods\ = "4"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ = "IBrowserHttpRequest2"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.update.avgbrowser.com.oneclickctrl.9\CLSID = "{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ = "IAppVersion"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods\ = "4"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ = "IJobObserver"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreClass\CLSID\ = "{384098DD-AB6D-412E-B819-2F10032D9767}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ = "IApp"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CLSID\ = "{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AVGBrowserUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj6D82.exe

pid	process
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
3344	aj6D82.exe
3344	aj6D82.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
3344	aj6D82.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

AVGBrowser.exe

pid process

1460 AVGBrowser.exe
1460 AVGBrowser.exe
1460 AVGBrowser.exe

pid	process
1460	AVGBrowser.exe
1460	AVGBrowser.exe
1460	AVGBrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserInstaller.exeaj6D82.exeAVGBrowser.exeAVGBrowser.exe

description	pid	process
Token: SeDebugPrivilege	1988	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1988	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	1988	AVGBrowserUpdate.exe
Token: 33	2896	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	2896	AVGBrowserInstaller.exe
Token: SeDebugPrivilege	1988	AVGBrowserUpdate.exe
Token: SeIncreaseQuotaPrivilege	3344	aj6D82.exe
Token: SeShutdownPrivilege	1460	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1460	AVGBrowser.exe
Token: SeIncreaseQuotaPrivilege	3344	aj6D82.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe
Token: SeShutdownPrivilege	352	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	352	AVGBrowser.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

pid process

4424 dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exeaj6D82.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exeAVGBrowser.exe

description	pid	process	target process
PID 4424 wrote to memory of 3344	4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj6D82.exe
PID 4424 wrote to memory of 3344	4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj6D82.exe
PID 4424 wrote to memory of 3344	4424	dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe	aj6D82.exe
PID 3344 wrote to memory of 3180	3344	aj6D82.exe	AVGBrowserUpdateSetup.exe
PID 3344 wrote to memory of 3180	3344	aj6D82.exe	AVGBrowserUpdateSetup.exe
PID 3344 wrote to memory of 3180	3344	aj6D82.exe	AVGBrowserUpdateSetup.exe
PID 3180 wrote to memory of 1988	3180	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 3180 wrote to memory of 1988	3180	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 3180 wrote to memory of 1988	3180	AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 4260	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 4260	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 4260	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 768	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 768	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 768	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 768 wrote to memory of 2516	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 768 wrote to memory of 2516	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 768 wrote to memory of 1264	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 768 wrote to memory of 1264	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 768 wrote to memory of 3860	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 768 wrote to memory of 3860	768	AVGBrowserUpdate.exe	AVGBrowserUpdateComRegisterShell64.exe
PID 1988 wrote to memory of 2352	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 2352	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 2352	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 2468	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 2468	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1988 wrote to memory of 2468	1988	AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
PID 1848 wrote to memory of 2896	1848	AVGBrowserUpdate.exe	AVGBrowserInstaller.exe
PID 1848 wrote to memory of 2896	1848	AVGBrowserUpdate.exe	AVGBrowserInstaller.exe
PID 2896 wrote to memory of 4084	2896	AVGBrowserInstaller.exe	setup.exe
PID 2896 wrote to memory of 4084	2896	AVGBrowserInstaller.exe	setup.exe
PID 4084 wrote to memory of 1308	4084	setup.exe	setup.exe
PID 4084 wrote to memory of 1308	4084	setup.exe	setup.exe
PID 1848 wrote to memory of 5064	1848	AVGBrowserUpdate.exe	AVGBrowserCrashHandler.exe
PID 1848 wrote to memory of 5064	1848	AVGBrowserUpdate.exe	AVGBrowserCrashHandler.exe
PID 1848 wrote to memory of 5064	1848	AVGBrowserUpdate.exe	AVGBrowserCrashHandler.exe
PID 1848 wrote to memory of 596	1848	AVGBrowserUpdate.exe	AVGBrowserCrashHandler64.exe
PID 1848 wrote to memory of 596	1848	AVGBrowserUpdate.exe	AVGBrowserCrashHandler64.exe
PID 1460 wrote to memory of 648	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 648	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe
PID 1460 wrote to memory of 4144	1460	AVGBrowser.exe	AVGBrowser.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe
"C:\Users\Admin\AppData\Local\Temp\dbcc4dfa51f18c523ea677699a0399dcf0c7551492800835587c1cec7848c3b1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\aj6D82.exe
"C:\Users\Admin\AppData\Local\Temp\aj6D82.exe" /relaunch=8 /was_elevated=1 /tagdata
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dedge --import-cookies --auto-launch-chrome"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3180

C:\Program Files (x86)\GUM7A8F.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM7A8F.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dedge --import-cookies --auto-launch-chrome"
4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4260

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1264

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3860

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezI3M0M0NUM4LUM5NTktNEQzNi05MUQ0LTMxNTE0REE1MjMzRn0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9InsxODVDQ0FDRC0xNzNDLTRGNTctOThCOC05REEwMzQzMEU0MDZ9IiB1c2VyaWRfZGF0ZT0iMjAyNDA2MjAiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDYyMCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntFQ0I0RDBEQS1GNjM1LTQ1QzEtQTkzNi1FRTgzRkYyQUM3RTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTI0OSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNjg4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dedge --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{273C45C8-C959-4D36-91D4-31514DA5233F}" /silent
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=125.0.25426.176 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7fff891f1c40,0x7fff891f1c4c,0x7fff891f1c58
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=2016 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4144

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1728,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=1984 /prefetch:3
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3312

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2196,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3328,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:2
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2376

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3340,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:2
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3676

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=3388,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3856,i,6563554347983041096,13053199558011958096,262144 --variations-seed-version --mojo-platform-channel-handle=3872 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=125.0.25426.176 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7fff891f1c40,0x7fff891f1c4c,0x7fff891f1c58
4⤵
- Executes dropped EXE
PID:4484

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=2012 /prefetch:2
4⤵
- Executes dropped EXE
PID:1876

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1796,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:3
4⤵
- Executes dropped EXE
PID:4300

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1836,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:8
4⤵
- Executes dropped EXE
PID:1604

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=2708,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:8
4⤵
- Executes dropped EXE
PID:3360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3168,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3388 /prefetch:8
4⤵
- Executes dropped EXE
PID:216

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3388,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
4⤵
- Executes dropped EXE
PID:3076

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3412,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:8
4⤵
- Executes dropped EXE
PID:5056

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=2704,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3380 /prefetch:8
4⤵
- Executes dropped EXE
PID:4492

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3624,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:8
4⤵
- Executes dropped EXE
PID:4148

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3420,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
4⤵
- Executes dropped EXE
PID:2680

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3628,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:8
4⤵
- Executes dropped EXE
PID:4612

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3380,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
4⤵
- Executes dropped EXE
PID:3604

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3852,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:8
4⤵
- Executes dropped EXE
PID:4956

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3856,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
4⤵
- Executes dropped EXE
PID:4108

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3860,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:8
4⤵
- Executes dropped EXE
PID:4952

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3408,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
4⤵
- Executes dropped EXE
PID:4256

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3584,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:8
4⤵
- Executes dropped EXE
PID:2384

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3568,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3712 /prefetch:8
4⤵
- Executes dropped EXE
PID:2308

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4008,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
4⤵
- Executes dropped EXE
PID:5080

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4040,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
4⤵
- Executes dropped EXE
PID:2584

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4044,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
4⤵
- Executes dropped EXE
PID:2928

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3532,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
4⤵
- Executes dropped EXE
PID:2400

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3472,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
4⤵
- Executes dropped EXE
PID:876

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3612,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:8
4⤵
- Executes dropped EXE
PID:2992

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=3824,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
4⤵
- Executes dropped EXE
PID:380

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4144,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
4⤵
- Executes dropped EXE
PID:2492

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3640,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4664 /prefetch:8
4⤵
- Executes dropped EXE
PID:4732

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4072,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4812 /prefetch:8
4⤵
- Executes dropped EXE
PID:2792

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4952,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8
4⤵
- Executes dropped EXE
PID:4956

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3652,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:8
4⤵
- Executes dropped EXE
PID:5028

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4124,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
4⤵
- Executes dropped EXE
PID:592

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4800,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8
4⤵
- Executes dropped EXE
PID:5356

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5408,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
4⤵
PID:2984

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4960,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
4⤵
PID:5700

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4964,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:8
4⤵
PID:5440

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5976,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:8
4⤵
PID:5468

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4956,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
4⤵
PID:5592

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6124,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
4⤵
PID:3552

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6428,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=6440 /prefetch:8
4⤵
PID:2532

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5996,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=1064 /prefetch:8
4⤵
PID:5756

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
4⤵
PID:2660

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=125.0.25426.176 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff891f1c40,0x7fff891f1c4c,0x7fff891f1c58
5⤵
PID:4960

C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe" --registration reg-task --taskintr PT10M --runonce
5⤵
PID:4652

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=6424,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:8
4⤵
PID:1400

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=6056,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:8
4⤵
PID:700

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=4936,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
4⤵
PID:3724

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=6464,i,10458281021252099111,10163904265279943462,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:8
4⤵
PID:5764

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1848

C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=edge --import-cookies --auto-launch-chrome --system-level
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\CR_18B66.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\CR_18B66.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\CR_18B66.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=edge --import-cookies --auto-launch-chrome --system-level
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084

C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\CR_18B66.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{2FED1C2C-A30D-4D95-BA67-68A0E8DBA0B8}\CR_18B66.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=125.0.25426.176 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7dd485390,0x7ff7dd48539c,0x7ff7dd4853a8
4⤵
- Executes dropped EXE
PID:1308

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
- Executes dropped EXE
PID:596

C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2504

C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\125.0.25426.176\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:4112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2992

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery