mercurialgrabber | hxxp://blob[:]hxxps://github[.]com/07b975ee-a1fc-4f07-a81f-65b5fb3ebcfe

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RBF.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.24252.121\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Looks for VMWare Tools registry key 2 TTPs 12 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	RBF.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RBF.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	aj3774.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	AVGBrowserUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

pid	Process
5892	RBF.exe
6116	RBF.exe
3548	RBF.exe
4120	RBF.exe
5472	RBF.exe
5608	RBF.exe
3936	RBF.exe
5808	RBF.exe
5972	RBF.exe
4952	RBF.exe
4936	RBF.exe
6908	avg_secure_browser_setup.exe
7100	aj3774.exe
6756	AVGBrowserUpdateSetup.exe
6240	AVGBrowserUpdate.exe
7156	AVGBrowserUpdate.exe
5508	AVGBrowserUpdate.exe
436	AVGBrowserUpdateComRegisterShell64.exe
2972	AVGBrowserUpdateComRegisterShell64.exe
3532	AVGBrowserUpdateComRegisterShell64.exe
6340	AVGBrowserUpdate.exe
6344	AVGBrowserUpdate.exe
6444	AVGBrowserUpdate.exe
6928	AVGBrowserInstaller.exe
7052	setup.exe
7088	setup.exe
4008	RBF.exe
5492	setup.exe
5956	setup.exe

Loads dropped DLL 31 IoCs

pid	Process
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
6240	AVGBrowserUpdate.exe
7156	AVGBrowserUpdate.exe
5508	AVGBrowserUpdate.exe
436	AVGBrowserUpdateComRegisterShell64.exe
5508	AVGBrowserUpdate.exe
2972	AVGBrowserUpdateComRegisterShell64.exe
5508	AVGBrowserUpdate.exe
3532	AVGBrowserUpdateComRegisterShell64.exe
5508	AVGBrowserUpdate.exe
6240	AVGBrowserUpdate.exe
6240	AVGBrowserUpdate.exe
6340	AVGBrowserUpdate.exe
6344	AVGBrowserUpdate.exe
6444	AVGBrowserUpdate.exe
6444	AVGBrowserUpdate.exe
6344	AVGBrowserUpdate.exe
6444	AVGBrowserUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj3774.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\AVAST Software\Avast	aj3774.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
163	discord.com
171	discord.com
144	discord.com
146	discord.com
131	discord.com
167	discord.com
100	raw.githubusercontent.com
154	discord.com
160	discord.com
165	discord.com
170	discord.com
134	discord.com
147	discord.com
157	discord.com
161	discord.com
168	discord.com
141	discord.com
149	discord.com
130	discord.com
155	discord.com
99	raw.githubusercontent.com
158	discord.com
143	discord.com
151	discord.com
156	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
108	ip4.seeip.org
127	ip-api.com

Maps connected drives based on registry 3 TTPs 24 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RBF.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RBF.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
427	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj3774.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_am.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ko.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateBroker.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_fa.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_bn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\npAvgBrowserUpdate3.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_hi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_vi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_gu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserUpdateHelper.msi	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserCrashHandler64.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_sw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdate.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_it.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_is.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ru.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ur.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_fi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ro.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe	AVGBrowserInstaller.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_es-419.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ta.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserUpdateCore.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_id.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-BR.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_th.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\AVGBrowser.exe.sig	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\AVGBrowserUninstall.exe	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ko.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_es.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ml.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_ms.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\@PaxHeader	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_en-GB.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_sk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_cs.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_en.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_nl.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_sr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\acuapi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_lt.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM6B43.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source7052_999078055\Safer-bin\109.0.24252.121\Locales\mr.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aj3774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVGBrowserUpdateSetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6340	AVGBrowserUpdate.exe

Checks SCSI registry key(s) 3 TTPs 14 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj3774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	RBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj3774.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RBF.exe

Enumerates system info in registry 2 TTPs 51 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	RBF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	RBF.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20240823"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "0000cbc4aa53932df6468356dc6cec24"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.MiscUtils\CurVer	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\NumMethods\ = "8"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CLSID\ = "{633D953B-278A-4DAC-8E4B-D15296A1C845}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\NumMethods\ = "11"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass.1	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreClass\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\ = "Google Update Core Class"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ = "IAppWeb"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine.dll"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{CA348B59-06AD-4482-AD87-966302908F0F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine.1.0\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\http\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback\CurVer\ = "AVGUpdate.Update3WebMachineFallback.1.0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.xht	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgQH\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ = "IApp"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\Elevation	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ = "IAppCommandWeb"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\DefaultIcon\ = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32\ThreadingModel = "Both"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\TypeLib\ = "{358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\ApplicationName = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\NumMethods\ = "41"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ = "IAppCommand"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\LocalizedString = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\goopdate.dll,-3000"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\ProgID\ = "AVGUpdate.MiscUtils.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass.1\CLSID\ = "{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID	AVGBrowserUpdate.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 670824.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833503.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
1080	msedge.exe
1080	msedge.exe
1272	identity_helper.exe
1272	identity_helper.exe
3880	msedge.exe
3880	msedge.exe
5728	msedge.exe
5728	msedge.exe
6724	msedge.exe
6724	msedge.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
7100	aj3774.exe
6908	avg_secure_browser_setup.exe
6908	avg_secure_browser_setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5892	RBF.exe
Token: SeDebugPrivilege	6116	RBF.exe
Token: SeDebugPrivilege	3548	RBF.exe
Token: SeDebugPrivilege	4120	RBF.exe
Token: SeDebugPrivilege	5472	RBF.exe
Token: SeDebugPrivilege	5608	RBF.exe
Token: SeDebugPrivilege	3936	RBF.exe
Token: SeDebugPrivilege	5808	RBF.exe
Token: SeDebugPrivilege	5972	RBF.exe
Token: SeDebugPrivilege	4952	RBF.exe
Token: SeDebugPrivilege	4936	RBF.exe
Token: SeDebugPrivilege	6240	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	6240	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	6240	AVGBrowserUpdate.exe
Token: 33	6928	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	6928	AVGBrowserInstaller.exe
Token: SeDebugPrivilege	4008	RBF.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6908	avg_secure_browser_setup.exe
7100	aj3774.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4792	1080	msedge.exe	83
PID 1080 wrote to memory of 4792	1080	msedge.exe	83
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 3680	1080	msedge.exe	84
PID 1080 wrote to memory of 4364	1080	msedge.exe	85
PID 1080 wrote to memory of 4364	1080	msedge.exe	85
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86
PID 1080 wrote to memory of 2500	1080	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://blob:https://github.com/07b975ee-a1fc-4f07-a81f-65b5fb3ebcfe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc136f46f8,0x7ffc136f4708,0x7ffc136f4718
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5472
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9388 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8680 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9180 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9624 /prefetch:1
  2⤵
  PID:6308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8492 /prefetch:8
  2⤵
  PID:6444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6724
- C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
  "C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:6908
- - C:\Users\Admin\AppData\Local\Temp\aj3774.exe
    "C:\Users\Admin\AppData\Local\Temp\aj3774.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:7100
  - - C:\Users\Admin\AppData\Local\Temp\nsl387D.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:6756
    - - C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUM6B43.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7156
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:436
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2972
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3532
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0VDNUYwNTRGLTExMTYtNERBMy05RUE3LUYxRTAyODhDOTMxOH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntCNUJBQ0NCOC1CMDE1LTQzOTYtQjAyRS0yRTFCMERGNTIzQkN9IiB1c2VyaWRfZGF0ZT0iMjAyNDA4MjMiIG1hY2hpbmVpZD0iezAwMDBDQkM0LUFBNTMtOTMyRC1GNjQ2LTgzNTZEQzZDRUMyNH0iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDgyMyIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins4RTQ2RDFBNC1FRjlGLTQ1RkYtQUY3Ni04QUJFOURGMkNCMTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIyOCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNjA0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6340
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{EC5F054F-1116-4DA3-9EA7-F1E0288C9318}" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4630699369768422243,5753615064870311596,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=10100 /prefetch:2
  2⤵
  PID:6560
- C:\Users\Admin\Downloads\RBF.exe
  "C:\Users\Admin\Downloads\RBF.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x4c0
1⤵
PID:5172

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:6444
- C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:6928
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    PID:7052
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff665ff7c40,0x7ff665ff7c50,0x7ff665ff7c60
      4⤵
      Executes dropped EXE
      PID:7088
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe" --system-level --make-chrome-default-helper --user-data-dir="C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --module-dir="C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp" "AVG Secure Browser"
      4⤵
      Executes dropped EXE
      PID:5492
    - - C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\Install\{B1601615-3B86-4AA2-8B8E-9D4471BE0FA1}\CR_56481.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff665ff7c40,0x7ff665ff7c50,0x7ff665ff7c60
        5⤵
        Executes dropped EXE
        
        PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion