Malware analysis avg_secure_browser_setup.exe Malicious activity

Add for printing

File name:	avg_secure_browser_setup.exe
Full analysis:	https://app.any.run/tasks/264d7217-ed8c-4ebc-87c3-441e6395daaa
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 26, 2024, 16:48:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	8B1C0A9AFBB0CEB4F5D436683531878A
SHA1:	2D0D2E2146F18B00E92359F74D28FB596ABFF911
SHA256:	40206BA6DF9459656CF0DE49D1F2D4A640AC51E92F3DA1E4388127071E747155
SSDEEP:	98304:STrDmcoPlDcn3Rc/vTV08T19StKUCzVxejICvSPd8g9P2xL3fdkCwBkqEGzAmYZ/:k08VQEEkZZ3BZgpM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Steals credentials from Web Browsers
  - ajAE8B.exe (PID: 6936)
- Actions looks like stealing of personal data
  - ajAE8B.exe (PID: 6936)
- Changes the autorun value in the registry
  - AVGBrowserUpdate.exe (PID: 2892)
SUSPICIOUS
- Drops the executable file immediately after the start
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdateSetup.exe (PID: 6208)
  - AVGBrowserUpdate.exe (PID: 2892)
- Executable content was dropped or overwritten
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 2892)
  - AVGBrowserUpdateSetup.exe (PID: 6208)
- The process verifies whether the antivirus software is installed
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
- Reads the BIOS version
  - ajAE8B.exe (PID: 6936)
- Reads security settings of Internet Explorer
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 2892)
- Searches for installed software
  - ajAE8B.exe (PID: 6936)
- Checks Windows Trust Settings
  - ajAE8B.exe (PID: 6936)
- Starts itself from another location
  - AVGBrowserUpdate.exe (PID: 2892)
- Creates/Modifies COM task schedule object
  - AVGBrowserUpdate.exe (PID: 6788)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 5220)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 6900)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 1828)
  - AVGBrowserUpdate.exe (PID: 2892)
- Reads the date of Windows installation
  - AVGBrowserUpdate.exe (PID: 2892)
- Potential Corporate Privacy Violation
  - AVGBrowserUpdate.exe (PID: 6912)
INFO
- Checks supported languages
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdateSetup.exe (PID: 6208)
  - AVGBrowserUpdate.exe (PID: 6788)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 1828)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 5220)
  - AVGBrowserUpdateComRegisterShell64.exe (PID: 6900)
  - AVGBrowserUpdate.exe (PID: 2892)
  - AVGBrowserUpdate.exe (PID: 608)
  - AVGBrowserUpdate.exe (PID: 1616)
  - AVGBrowserUpdate.exe (PID: 6912)
- Reads the computer name
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 2892)
  - AVGBrowserUpdate.exe (PID: 6788)
  - AVGBrowserUpdate.exe (PID: 6912)
  - AVGBrowserUpdate.exe (PID: 1616)
  - AVGBrowserUpdate.exe (PID: 608)
- Reads Environment values
  - avg_secure_browser_setup.exe (PID: 2068)
  - ajAE8B.exe (PID: 6936)
- Create files in a temporary directory
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdateSetup.exe (PID: 6208)
  - AVGBrowserUpdate.exe (PID: 6912)
  - avg_secure_browser_setup.exe (PID: 2068)
- Process checks computer location settings
  - ajAE8B.exe (PID: 6936)
  - avg_secure_browser_setup.exe (PID: 2068)
  - AVGBrowserUpdate.exe (PID: 2892)
- Creates files or folders in the user directory
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 2892)
- Checks proxy server information
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 1616)
  - AVGBrowserUpdate.exe (PID: 6912)
- Reads the machine GUID from the registry
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 2892)
  - AVGBrowserUpdate.exe (PID: 6912)
- Reads the software policy settings
  - ajAE8B.exe (PID: 6936)
  - AVGBrowserUpdate.exe (PID: 1616)
  - AVGBrowserUpdate.exe (PID: 6912)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:16 00:50:53+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x350d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	8.11.9.7512
ProductVersionNumber:	8.11.9.7512
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Arabic
CharacterSet:	Windows, Arabic
BuildDate:	19700120T212345
BuildTimestamp:	1718625656
BuildVersion:	8.11.9.7512
CompanyName:	Gen Digital Inc.
FileDescription:	إعداد AVG Secure Browser
FileVersion:	8.11.9.7512
InstallerCommit:	6abe2ae156386bdebece5cf23c59152082c14d11
InstallerEdition:	web
InstallerKeyword:	avg-securebrowser
InternalName:	AVG Secure Browser
JsisCommit:	9787409e632740167533d24081ccbb49791a2fdf
LegalCopyright:	حقوق النشر 2017-2024 لشركة Gen Digital Inc.
OmahaVersion:	1.8.1693.6
ProductName:	إعداد AVG Secure Browser
ProductVersion:	8.11.9.7512

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

127

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

608

"C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=false&lang=en-US&brand=9155&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{186EBD48-9E68-447E-9D6F-1FD374FECCFF}" /silent

C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe

—

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1616

"C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjAiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezE4NkVCRDQ4LTlFNjgtNDQ3RS05RDZGLTFGRDM3NEZFQ0NGRn0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntBNjYyNkI1Mi03N0U5LTQwRTYtOUI2RC0yQUNEREQ0OTYxRDh9IiB1c2VyaWRfZGF0ZT0iMjAyNDA4MjYiIG1hY2hpbmVpZD0iezAwMDBCMEUxLTAwOUEtQkE1RS05NUY3LTIyN0U1NzQzNDg3NH0iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDgyNiIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntDN0Y2RTNGNy05N0E1LTRBMjctQjU3Ni00ODYwMkZDMjY5OTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDUuNDA0NiIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTE1NSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iODI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser

Exit code:

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1828

"C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe

—

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser Com Register Shell 64

Exit code:

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\1.8.1693.6\avgbrowserupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2068

"C:\Users\admin\AppData\Local\Temp\avg_secure_browser_setup.exe"

C:\Users\admin\AppData\Local\Temp\avg_secure_browser_setup.exe

explorer.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Secure Browser Setup

Version:

8.11.9.7512

Modules

Images
c:\users\admin\appdata\local\temp\avg_secure_browser_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2892

C:\Users\admin\AppData\Local\Temp\GUM3636.tmp\AVGBrowserUpdate.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=false&lang=en-US&brand=9155&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"

C:\Users\admin\AppData\Local\Temp\GUM3636.tmp\AVGBrowserUpdate.exe

AVGBrowserUpdateSetup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\temp\gum3636.tmp\avgbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

5220

"C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe

—

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser Com Register Shell 64

Exit code:

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\1.8.1693.6\avgbrowserupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6208

AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=false&lang=en-US&brand=9155&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"

C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\AVGBrowserUpdateSetup.exe

ajAE8B.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser Setup

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\temp\nstafe1.tmp\avgbrowserupdatesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

6788

"C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver

C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe

—

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser

Exit code:

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6900

"C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe

—

AVGBrowserUpdate.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser Com Register Shell 64

Exit code:

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\1.8.1693.6\avgbrowserupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6912

"C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe" -Embedding

C:\Users\admin\AppData\Local\AVG\Browser\Update\AVGBrowserUpdate.exe

svchost.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

AVG Browser

Version:

1.8.1693.6

Modules

Images
c:\users\admin\appdata\local\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

18 055

Read events

17 367

Write events

662

Delete events

Modification events


(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation:	write	Name:	installer_run_count
Value: 1
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation:	write	Name:	machine_id
Value: 0000B0E1009ABA5E95F7227E57434874
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation:	write	Name:	user_id
Value: a6626b5277e940e69b6d2acddd4961d8
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6936) ajAE8B.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

171

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\jsis.dll		executable
		MD5:2027121C3CDEB1A1F8A5F539D1FE2E28	SHA256:1DAE8B6DE29F2CFC0745D9F2A245B9ECB77F2B272A5B43DE1BA5971C43BF73A1
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\inetc.dll		executable
		MD5:650E0E39808140A1DA5ABD3D27880C7E	SHA256:AAB155DCAAAFEBE4B84A9AEEC6FFBCE9B484A99B316657EE9B7A98B346F9538B
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\nsJSON.dll		executable
		MD5:F840A9DDD319EE8C3DA5190257ABDE5B	SHA256:DDB6C9F8DE72DDD589F009E732040250B2124BCA6195AA147AA7AAC43FC2C73A
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\jsisdl.dll		executable
		MD5:5121C566AC9315A53E558BF62600F9B6	SHA256:D88E38DF30887C722FB837278EE3782914574414C741CDFD3BD6126799FA3167
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\thirdparty.dll		executable
		MD5:7B4BD3B8AD6E913952F8ED1CEEF40CD4	SHA256:A49D3E455D7AECA2032C30FC099BFAD1B1424A2F55EC7BB0F6ACBBF636214754
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\AccessControl.dll		executable
		MD5:D4FA24F021F155CE9214DCCF812C3B7F	SHA256:3B0889281FF6367BB736690229F461BB4FF34B7437F54A5C71B877A104C0F876
6936	ajAE8B.exe	C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\FF.places.tmp		—
		MD5:—	SHA256:—
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\StdUtils.dll		executable
		MD5:34939C7B38BFFEDBF9B9ED444D689BC9	SHA256:B127F3E04429D9F841A03BFD9344A0450594004C770D397FB32A76F6B0EABED0
6936	ajAE8B.exe	C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\jsis.dll		executable
		MD5:2027121C3CDEB1A1F8A5F539D1FE2E28	SHA256:1DAE8B6DE29F2CFC0745D9F2A245B9ECB77F2B272A5B43DE1BA5971C43BF73A1
2068	avg_secure_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsdA1E7.tmp\sciterui.dll		executable
		MD5:F40C5626532C77B9B4A6BB384DB48BBE	SHA256:E6D594047DEECB0F3D49898475084D286072B6E3E4A30EB9D0D03E9B3228D60F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6936	ajAE8B.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
4164	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1184	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1184	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6936	ajAE8B.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
6936	ajAE8B.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6936	ajAE8B.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAQ1YD96iIrhbAWwDxU8xvw%3D	unknown	—	—	whitelisted
6912	AVGBrowserUpdate.exe	GET	—	2.19.126.133:80	http://browser-update.avg.com/browser-avg/win/x64/127.0.26097.121/AVGBrowserInstaller.exe	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1356	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6056	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6936	ajAE8B.exe	104.20.86.8:443	stats.securebrowser.com	CLOUDFLARENET	—	unknown
6936	ajAE8B.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4164	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4164	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
stats.securebrowser.com	104.20.86.8 104.20.87.8	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.76 40.126.32.134 40.126.32.68 20.190.160.20 20.190.160.22 40.126.32.136 40.126.32.133 20.190.160.14	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
update.avgbrowser.com	172.67.41.145 104.22.62.125 104.22.63.125	unknown

Threats

PID	Process	Class	Message
6912	AVGBrowserUpdate.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
avg_secure_browser_setup.exe	2024-08-26T16:48:48 [libnsis] {00000814:000013b8} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
avg_secure_browser_setup.exe	2024-08-26T16:48:48 [libnsis] {00000814:000013b8} <1:Debug> (91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62) Throwing exception 0x00000400000715
avg_secure_browser_setup.exe	2024-08-26T16:48:48 [libnsis] {00000814:000013b8} <4:Error> (893f00f663353e48\src\jsis-plugins\plugins\UtilitiesPlugin\TagData.cpp:85) 0x00000400000715 91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62
ajAE8B.exe	2024-08-26T16:48:50 [libnsis] {00001b18:00001798} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
ajAE8B.exe	2024-08-26T16:48:50 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\CR.History.tmp
ajAE8B.exe	2024-08-26T16:48:50 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19931 AND vtime <= 19962 GROUP BY vtime
ajAE8B.exe	2024-08-26T16:48:50 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\CR.History.tmp
ajAE8B.exe	2024-08-26T16:48:50 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19931 AND vtime <= 19962 GROUP BY vtime
ajAE8B.exe	2024-08-26T16:48:51 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nstAFE1.tmp\FF.places.tmp
ajAE8B.exe	2024-08-26T16:48:51 [libnsis] {00001b18:00001798} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT last_visit_date / 1000000 /60 /60 / 24 AS vtime FROM 'moz_places' WHERE vtime >= 19931 AND vtime <= 19962 GROUP BY vtime

General Info

avg_secure_browser_setup.exe

8B1C0A9AFBB0CEB4F5D436683531878A

2D0D2E2146F18B00E92359F74D28FB596ABFF911

40206BA6DF9459656CF0DE49D1F2D4A640AC51E92F3DA1E4388127071E747155

98304:STrDmcoPlDcn3Rc/vTV08T19StKUCzVxejICvSPd8g9P2xL3fdkCwBkqEGzAmYZ/:k08VQEEkZZ3BZgpM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

The process verifies whether the antivirus software is installed

Reads the BIOS version

Reads security settings of Internet Explorer

Searches for installed software

Checks Windows Trust Settings

Starts itself from another location

Creates/Modifies COM task schedule object

Reads the date of Windows installation

Potential Corporate Privacy Violation

INFO

Checks supported languages

Reads the computer name

Reads Environment values

Create files in a temporary directory

Process checks computer location settings

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings