agenttesla | 656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d

Resubmissions

24-01-2023 12:59

230124-p8ae9scg41 10

24-01-2023 12:56

230124-p6mmtacf7v 10

Analysis

max time kernel
556s
max time network
614s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Size

910KB
MD5

e2f700dd4f26b02938dabb237b0dbe46
SHA1

b7f8e51419c9c0d1669bb5f447274697b4548c4c
SHA256

656b4aca18598d0fc4b53fa2585745d48498ced7d027e115643c7e50a5d92b9d
SHA512

2b88e4041fd1c9de4d5b618529cb100d7e63623a432fed3f205b8aa3bab3e95a47c864c86635cb040463b621435188a1c8c9103c0c1ba6cb851f861886df2a70
SSDEEP

12288:nE/V28nss0h0Pj9ggKdG+PVogHOpi5L7P++FrdvhXuJl9PsMgGTmy9Ph0:nEN28e6JIdGxq7P+wBhOeyM

Score

10^/10

agenttesla raccoon 1269ed6cdc166a49ecc72e46095cface bootkit collection discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.qualitysolutions.co.in
Port:
587
Username:
sales@qualitysolutions.co.in
Password:
9873335231
Email To:
marketing@shaktiinstrumentations.in

Extracted

Family

raccoon

Botnet

1269ed6cdc166a49ecc72e46095cface

http://79.137.197.160/

http://79.137.197.190/

rc4.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 5516 created 5672	5516	svchost.exe	aj330F.exe
PID 5516 created 5672	5516	svchost.exe	aj330F.exe
PID 5516 created 5672	5516	svchost.exe	aj330F.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

Executes dropped EXE 64 IoCs

Processes:

avg_secure_browser_setup.exeaj330F.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exesetup.exesetup.exesetup.exeAVGBrowser.exeAVGBrowser.exesetup.exesetup.exeAVGBrowserCrashHandler.exeAVGBrowserCrashHandler64.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
3040	avg_secure_browser_setup.exe
5672	aj330F.exe
4288	AVGBrowserUpdateSetup.exe
2340	AVGBrowserUpdate.exe
3648	AVGBrowserUpdate.exe
2008	AVGBrowserUpdate.exe
4300	AVGBrowserUpdateComRegisterShell64.exe
2744	AVGBrowserUpdateComRegisterShell64.exe
1084	AVGBrowserUpdateComRegisterShell64.exe
6656	AVGBrowserUpdate.exe
6960	AVGBrowserUpdate.exe
6448	AVGBrowserUpdate.exe
6248	AVGBrowserInstaller.exe
6328	setup.exe
6332	setup.exe
5132	setup.exe
932	setup.exe
5032	AVGBrowser.exe
3864	AVGBrowser.exe
6028	setup.exe
5416	setup.exe
5972	AVGBrowserCrashHandler.exe
5872	AVGBrowserCrashHandler64.exe
5412	AVGBrowser.exe
3932	AVGBrowser.exe
2476	AVGBrowser.exe
5020	AVGBrowser.exe
1636	elevation_service.exe
3468	AVGBrowser.exe
6892	AVGBrowser.exe
6552	AVGBrowser.exe
5448	AVGBrowser.exe
5328	AVGBrowser.exe
6504	AVGBrowser.exe
6532	elevation_service.exe
3012	AVGBrowser.exe
5176	AVGBrowser.exe
1484	AVGBrowser.exe
3740	AVGBrowser.exe
4140	AVGBrowser.exe
6236	elevation_service.exe
6444	AVGBrowser.exe
6704	AVGBrowser.exe
6120	elevation_service.exe
1308	AVGBrowser.exe
3944	AVGBrowser.exe
6532	AVGBrowser.exe
6956	AVGBrowser.exe
5348	AVGBrowser.exe
5028	AVGBrowser.exe
4916	AVGBrowser.exe
6428	AVGBrowser.exe
6436	AVGBrowser.exe
1228	AVGBrowser.exe
5196	AVGBrowser.exe
6764	AVGBrowser.exe
944	AVGBrowser.exe
5844	AVGBrowser.exe
6864	AVGBrowser.exe
6804	AVGBrowser.exe
1056	AVGBrowser.exe
5772	AVGBrowser.exe
1648	AVGBrowser.exe
6556	AVGBrowser.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.19817.76\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

AVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exesetup.exeAVGBrowserUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.19817.76\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.19817.76\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVGBrowser.exeaj330F.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aj330F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aj330F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVGBrowser.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeavg_secure_browser_setup.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeaj330F.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeb7f8e51419c9c0d1669bb5f447274697b4548c4c.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowserUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	aj330F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Loads dropped DLL 64 IoCs

Processes:

avg_secure_browser_setup.exeaj330F.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
5672	aj330F.exe
2340	AVGBrowserUpdate.exe
3648	AVGBrowserUpdate.exe
2008	AVGBrowserUpdate.exe
4300	AVGBrowserUpdateComRegisterShell64.exe
2008	AVGBrowserUpdate.exe
2744	AVGBrowserUpdateComRegisterShell64.exe
2008	AVGBrowserUpdate.exe
1084	AVGBrowserUpdateComRegisterShell64.exe
2008	AVGBrowserUpdate.exe
2340	AVGBrowserUpdate.exe
2340	AVGBrowserUpdate.exe
6656	AVGBrowserUpdate.exe
6960	AVGBrowserUpdate.exe
6448	AVGBrowserUpdate.exe
6448	AVGBrowserUpdate.exe
6960	AVGBrowserUpdate.exe
6448	AVGBrowserUpdate.exe
5032	AVGBrowser.exe
3864	AVGBrowser.exe
5672	aj330F.exe
5412	AVGBrowser.exe
3932	AVGBrowser.exe
5412	AVGBrowser.exe
2476	AVGBrowser.exe
5020	AVGBrowser.exe
2476	AVGBrowser.exe
5020	AVGBrowser.exe
2476	AVGBrowser.exe
2476	AVGBrowser.exe
2476	AVGBrowser.exe
2476	AVGBrowser.exe
2476	AVGBrowser.exe
3468	AVGBrowser.exe
3468	AVGBrowser.exe
5412	AVGBrowser.exe
5412	AVGBrowser.exe
5412	AVGBrowser.exe
6892	AVGBrowser.exe
6892	AVGBrowser.exe
6552	AVGBrowser.exe
5448	AVGBrowser.exe
5448	AVGBrowser.exe
6552	AVGBrowser.exe
5328	AVGBrowser.exe
5328	AVGBrowser.exe
6504	AVGBrowser.exe
6504	AVGBrowser.exe
3012	AVGBrowser.exe
3012	AVGBrowser.exe
5176	AVGBrowser.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeb7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	AVGBrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yqWDN = "C:\\Users\\Admin\\AppData\\Roaming\\yqWDN\\yqWDN.exe"	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	AVGBrowser.exe

Checks for any installed AV software in registry 1 TTPs 14 IoCs

Security Software Discovery

T1063

Processes:

avg_secure_browser_setup.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeaj330F.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj330F.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\AVAST Software\Avast	aj330F.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aj330F.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aj330F.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aj330F.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

aj330F.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aj330F.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe

pid process

6784 Setup.exe
6784 Setup.exe

pid	process
6784	Setup.exe
6784	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	pid	process	target process
PID 4676 set thread context of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

Drops file in Program Files directory 64 IoCs

Processes:

AVGBrowserUpdate.exesetup.exeelevation_service.exeAVGBrowserUpdateSetup.exeaj330F.exeAVGBrowserUpdate.exesetup.exeAVGBrowserInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\acuapi_64.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4860_1566821335\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\GUM349E.tmp\psmachine.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_bn.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_th.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\npAvgBrowserUpdate3.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_pt-BR.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_tr.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\browser_proxy.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\AVGBrowserUninstall.exe	aj330F.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_th.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_pt-BR.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\GUT349F.tmp	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_ro.dll	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM349E.tmp\AVGBrowserUpdate.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_am.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_de.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_vi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ml.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\npAvgBrowserUpdate3.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_uk.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\psmachine.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\lt.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_el.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_id.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\mimic.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_ru.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_el.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ru.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\109.0.19817.76\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\SetupMetrics\ecee3b1d-b934-4c8e-8b53-d76fef1a67cb.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe	AVGBrowserInstaller.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_id.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_sk.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_ta.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_vi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\psuser_64.dll	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\109.0.19817.76\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\GUM349E.tmp\goopdateres_en-GB.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_bn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_ro.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_sw.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\109.0.19817.76\chrome.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_en-GB.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_fa.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\goopdateres_nl.dll	AVGBrowserUpdate.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EDB7AEE7-E932-4836-AE50-D3B0B7766CB5}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0C9.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ede99.msi	msiexec.exe
File created	C:\Windows\Installer\e5ede96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ede96.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aj330F.exeAVGBrowser.exeAVGBrowser.exetaskmgr.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj330F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj330F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4088 schtasks.exe

pid	process
4088	schtasks.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exechrome.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 26 IoCs

Processes:

AVGBrowser.exeAVGBrowserUpdate.exeAVGBrowser.exemsiexec.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133190426709046771"	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20230124"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1f3154096dfe395ac3087f69d44cd03a73137f0dd0b44870d3325923f557a4d8	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "000058d4b27a012b9e3e4541471e6c69"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 341600006d7a5a60fd2fd901	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exemsiexec.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\Elevation\IconReference = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\goopdate.dll,-1004"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ = "IAppBundleWeb"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ = "IJobObserver2"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine.dll"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\AVGBrowserUpdateOnDemand.exe\""	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID\ = "AVGUpdate.CoreClass"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\ = "IAppVersionWeb"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\LocalService = "avg"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ = "ICurrentState"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7EEA7BDE239E6384EA053D0B7B67C65B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine.dll"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\ProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\ = "goopdate CredentialDialog"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ = "IAppWeb"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ = "CATID_AppContainerCompatible"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AVGBrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	AVGBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\NumMethods\ = "12"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\VersionIndependentProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ = "ICoCreateAsync"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}\Elevation\IconReference = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\goopdate.dll,-1004"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ = "IGoogleUpdate3WebSecurity"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\AvgHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods\ = "7"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\ApplicationName = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ = "IApp"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\AVGBrowserUpdateOnDemand.exe\""	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\ApplicationDescription = "Access the Internet"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback\ = "GoogleUpdate Update3Web"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods\ = "45"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ = "IMiscUtils"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods\ = "45"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CurVer\ = "AVGUpdate.CoCreateAsync.1.0"	AVGBrowserUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeavg_secure_browser_setup.exe

pid	process
2280	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
2280	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
1040	chrome.exe
1040	chrome.exe
1708	chrome.exe
1708	chrome.exe
3004	chrome.exe
3004	chrome.exe
2924	chrome.exe
2924	chrome.exe
2344	chrome.exe
2344	chrome.exe
3780	chrome.exe
3780	chrome.exe
5100	chrome.exe
5100	chrome.exe
6680	chrome.exe
6680	chrome.exe
3988	chrome.exe
3988	chrome.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5760 taskmgr.exe

pid	process
5760	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exetaskmgr.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exeaj330F.exesvchost.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	pid	process
Token: SeDebugPrivilege	2280	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
Token: SeDebugPrivilege	5760	taskmgr.exe
Token: SeSystemProfilePrivilege	5760	taskmgr.exe
Token: SeCreateGlobalPrivilege	5760	taskmgr.exe
Token: SeDebugPrivilege	2340	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	2340	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	2340	AVGBrowserUpdate.exe
Token: 33	6248	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	6248	AVGBrowserInstaller.exe
Token: SeDebugPrivilege	2340	AVGBrowserUpdate.exe
Token: SeIncreaseQuotaPrivilege	5672	aj330F.exe
Token: SeTcbPrivilege	5516	svchost.exe
Token: SeTcbPrivilege	5516	svchost.exe
Token: SeShutdownPrivilege	5412	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	5412	AVGBrowser.exe
Token: SeShutdownPrivilege	5412	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	5412	AVGBrowser.exe
Token: SeIncreaseQuotaPrivilege	5672	aj330F.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeShutdownPrivilege	1484	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	1484	AVGBrowser.exe
Token: SeIncreaseQuotaPrivilege	5672	aj330F.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	7140	AVGBrowser.exe
Token: SeShutdownPrivilege	7140	AVGBrowser.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe
5760	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

avg_secure_browser_setup.exeaj330F.exe

pid	process
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe
5672	aj330F.exe
3040	avg_secure_browser_setup.exe
3040	avg_secure_browser_setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exechrome.exe

description	pid	process	target process
PID 4676 wrote to memory of 4088	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	schtasks.exe
PID 4676 wrote to memory of 4088	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	schtasks.exe
PID 4676 wrote to memory of 4088	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	schtasks.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 4676 wrote to memory of 2280	4676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
PID 1708 wrote to memory of 844	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 844	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1260	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1040	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1040	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 660	1708	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

outlook_win_path 1 IoCs

Processes:

b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe

C:\Users\Admin\AppData\Local\Temp\b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
"C:\Users\Admin\AppData\Local\Temp\b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OiDoZiiA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9D8.tmp"
2⤵
- Creates scheduled task(s)
PID:4088

C:\Users\Admin\AppData\Local\Temp\b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb548b4f50,0x7ffb548b4f60,0x7ffb548b4f70
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:8
2⤵
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
2⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=836 /prefetch:8
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6120 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7304 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8432 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8204 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8580 /prefetch:1
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
2⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9020 /prefetch:1
2⤵
PID:5228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8880 /prefetch:1
2⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10368 /prefetch:1
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:1
2⤵
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10352 /prefetch:1
2⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10344 /prefetch:1
2⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10336 /prefetch:1
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10316 /prefetch:1
2⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10304 /prefetch:1
2⤵
PID:5400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10180 /prefetch:1
2⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10048 /prefetch:1
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9916 /prefetch:1
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9784 /prefetch:1
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9520 /prefetch:1
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9380 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8812 /prefetch:1
2⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11900 /prefetch:1
2⤵
PID:6180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
2⤵
PID:6188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11388 /prefetch:1
2⤵
PID:6236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
2⤵
PID:6204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
2⤵
PID:6196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
2⤵
PID:6576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:6712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
PID:6704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10916 /prefetch:1
2⤵
PID:6788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10768 /prefetch:1
2⤵
PID:6820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11064 /prefetch:1
2⤵
PID:6772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9012 /prefetch:1
2⤵
PID:6984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:7044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10920 /prefetch:1
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10772 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7428 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7652 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10280 /prefetch:1
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11648 /prefetch:1
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11036 /prefetch:1
2⤵
PID:3052

C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
"C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Users\Admin\AppData\Local\Temp\aj330F.exe
"C:\Users\Admin\AppData\Local\Temp\aj330F.exe" /relaunch=8 /was_elevated=1 /tagdata
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Users\Admin\AppData\Local\Temp\nsu3512.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9120&installargs=--make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --private-browsing"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4288

C:\Program Files (x86)\GUM349E.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM349E.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9120&installargs=--make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --private-browsing"
5⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3648

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4300

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2744

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1084

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTU4Mi4zIiBzaGVsbF92ZXJzaW9uPSIxLjguMTU4Mi4zIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezZDNzIzRjQzLTJGOTUtNEMyMi1CNEU2LTcwMDEyOEE0Qzk0NX0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntBQjc5RDIwOS1FNEY5LTRDQjctODI0Mi1GNURCQjE3ODBBREZ9IiB1c2VyaWRfZGF0ZT0iMjAyMzAxMjQiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMDEyNCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntCOUY1OEM1Ny1ENzUyLTQ5Q0UtODRCMS0zMzg3MTkyNEJDRUV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNTgyLjMiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTEyMCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTY4OCIvPjwvYXBwPjwvcmVxdWVzdD4
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6656

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9120&installargs=--make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --private-browsing" /installsource otherinstallcmd /sessionid "{6C723F43-2F95-4C22-B4E6-700128A4C945}" /silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6960

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffb51887b78,0x7ffb51887b88,0x7ffb51887b98
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3932

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2120 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5020

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3468

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3436 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:6892

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3444 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:6552

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5448

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3844 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5328

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6504

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1984,i,13027105090387517889,5476535822029847631,131072 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5176

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51887b78,0x7ffb51887b88,0x7ffb51887b98
5⤵
- Executes dropped EXE
PID:3740

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:2
5⤵
- Executes dropped EXE
PID:4140

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1972 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6444

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6704

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3460 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1308

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3464 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3944

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6532

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6956

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
5⤵
- Executes dropped EXE
PID:5348

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51887b78,0x7ffb51887b88,0x7ffb51887b98
6⤵
- Executes dropped EXE
PID:5028

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:4916

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6428

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6436

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:5196

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6764

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:944

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:5844

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6864

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6804

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5492 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:5772

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5640 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:1648

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5704 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
- Executes dropped EXE
PID:6556

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6176 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:5820

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6332 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:2384

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6432 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6328

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6604 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6032

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6716 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:3804

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6916 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:4284

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5716 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:2200

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7472 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6196

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7756 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6156

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7772 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:4148

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7952 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:4900

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7960 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6724

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8280 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:6640

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8440 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:5132

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7944 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:3304

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9136 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:3888

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=5012 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:7132

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9312 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:8
5⤵
PID:6848

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=4656 --field-trial-handle=2016,i,15624957902982260389,7371139414476512067,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:1696

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --check-run=src=installer
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb55767b78,0x7ffb55767b88,0x7ffb55767b98
5⤵
PID:4664

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:2
5⤵
PID:4524

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2092 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:6096

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:5872

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3252 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:1948

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3296 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:1052

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=4568 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:6152

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4064 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:5948

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
PID:6652

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4600 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:6952

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=4592 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:4144

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
- Checks computer location settings
- Modifies registry class
PID:5088

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=6224 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:7060

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=6492 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:5064

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6804 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:6576

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
5⤵
PID:7052

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb55767b78,0x7ffb55767b88,0x7ffb55767b98
6⤵
PID:6804

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:6520

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
- Checks computer location settings
PID:944

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:5252

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7280 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:1112

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=6840 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:5868

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=6920 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:6172

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=7792 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
PID:6384

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6616 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:3740

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=8272 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:2644

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=7560 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:5740

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8020 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:2432

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8008 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:4968

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=7840 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:1
5⤵
- Checks computer location settings
PID:5716

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 --field-trial-handle=1904,i,14058059287596110599,18000942165199485678,131072 /prefetch:8
5⤵
PID:7100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9948 /prefetch:1
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10992 /prefetch:8
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2272 /prefetch:2
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:8
2⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
2⤵
PID:6540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
2⤵
PID:6552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8488 /prefetch:8
2⤵
PID:7140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11320 /prefetch:8
2⤵
PID:6712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12004 /prefetch:1
2⤵
PID:6380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8464 /prefetch:1
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:6864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
2⤵
PID:6496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11584 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11784 /prefetch:1
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
2⤵
PID:6732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
2⤵
PID:6456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10244 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12024 /prefetch:1
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:8
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10236 /prefetch:1
2⤵
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11656 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12028 /prefetch:1
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
2⤵
PID:6940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9720 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11636 /prefetch:8
2⤵
PID:6596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8484 /prefetch:8
2⤵
PID:6760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=992 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8452 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
2⤵
PID:6680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10772 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11624 /prefetch:8
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12076 /prefetch:1
2⤵
PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10080 /prefetch:1
2⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12048 /prefetch:1
2⤵
PID:6188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9832 /prefetch:1
2⤵
PID:6496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11016 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11328 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=162 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10132 /prefetch:1
2⤵
PID:6284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12032 /prefetch:8
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11996 /prefetch:8
2⤵
PID:6720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3540 /prefetch:8
2⤵
PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=166 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12076 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7416 /prefetch:8
2⤵
PID:6412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=168 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=169 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9720 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=170 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10048 /prefetch:1
2⤵
PID:7240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=171 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12188 /prefetch:1
2⤵
PID:7304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,8900975756840697377,11292766173593116575,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=172 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10020 /prefetch:1
2⤵
PID:7312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4c0
1⤵
PID:2232

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5760

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6448

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=1003 --default-search=bing.com --make-chrome-default --force-default-win10 --auto-import-data=chrome --import-cookies --private-browsing --system-level
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6248

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --adblock-mode-default=2 --default-search-id=1003 --default-search=bing.com --make-chrome-default --force-default-win10 --auto-import-data=chrome --import-cookies --private-browsing --system-level
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:6328

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7961c6c40,0x7ff7961c6c50,0x7ff7961c6c60
4⤵
- Executes dropped EXE
PID:6332

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVG\Browser\Temp\source6328_847502528\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
4⤵
- Executes dropped EXE
PID:5132

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7961c6c40,0x7ff7961c6c50,0x7ff7961c6c60
5⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 taskbarpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5032

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3864

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --system-level --make-chrome-default-helper --user-data-dir="C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --module-dir="C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp" "AVG Secure Browser"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6028

C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{52D4DC87-1BEF-4EF4-B609-543714EA42AA}\CR_519AF.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x270,0x274,0x278,0x258,0x27c,0x7ff7961c6c40,0x7ff7961c6c50,0x7ff7961c6c60
5⤵
- Executes dropped EXE
PID:5416

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:5972

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe"
2⤵
- Executes dropped EXE
PID:5872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6532

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6236

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6120

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:1984

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:6348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6440

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6429:118:7zEvent21443
1⤵
PID:508

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6784

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --check-run=src=taskbar
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6656

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb551b7b78,0x7ffb551b7b88,0x7ffb551b7b98
2⤵
PID:6208

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:2
2⤵
PID:1860

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2108 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:8
2⤵
PID:7136

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:8
2⤵
PID:5320

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3336 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:4416

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3324 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:6152

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4004 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:3536

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=4628 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:6096

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4804 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:3524

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4852 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:6008

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=4916 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:5616

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
2⤵
- Checks computer location settings
PID:5548

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=6432 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:1
2⤵
PID:5596

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
2⤵
- Checks computer location settings
PID:5544

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6860 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:8
2⤵
PID:6024

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:8
2⤵
PID:1328

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
2⤵
PID:6184

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb551b7b78,0x7ffb551b7b88,0x7ffb551b7b98
3⤵
PID:5160

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7024 --field-trial-handle=1952,i,13190825741755363080,11375984292673492771,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:3436

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:6920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:6676

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4860

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4860_1566821335\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4860_1566821335\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={55a304ed-b10d-46e5-a5f0-02e530d1fc3f} --system
2⤵
PID:6684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb548b4f50,0x7ffb548b4f60,0x7ffb548b4f70
2⤵
PID:6040

C:\Users\Admin\Desktop\CouLoader.exe
"C:\Users\Admin\Desktop\CouLoader.exe"
1⤵
PID:1948

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --single-argument http://bymynix.de/projects/RedirectLicense9137831.html
2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3632

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb55587b78,0x7ffb55587b88,0x7ffb55587b98
3⤵
PID:5324

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:2
3⤵
PID:2268

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:696

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1928 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:6360

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3208 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:1556

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3240 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:3768

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4304 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5796

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=5004 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5912

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=5160 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:1076

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=5272 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:6856

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=5292 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:6124

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=5432 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:6216

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=6224 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5676

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5088 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:6240

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=6496 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5008

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:3616

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=7004 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:4320

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
3⤵
PID:6212

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.19817.76 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb55587b78,0x7ffb55587b88,0x7ffb55587b98
4⤵
PID:6280

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7200 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:4168

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=7308 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:3580

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:5084

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=7672 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:3068

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3568 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:3520

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6388 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5808

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=8040 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:5428

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6928 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:8
3⤵
PID:6044

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=3184 --field-trial-handle=2056,i,7917455087501007963,2146837054616600049,131072 /prefetch:1
3⤵
- Checks computer location settings
PID:7364

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:4044

C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.19817.76\elevation_service.exe"
1⤵
PID:2040

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c
1⤵
PID:6212

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr
2⤵
PID:6320

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe"
2⤵
PID:1980

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe"
2⤵
PID:6024

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler
1⤵
PID:6280

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper
2⤵
PID:3988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4c0
1⤵
PID:4896

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b7f8e51419c9c0d1669bb5f447274697b4548c4c.exe.log
Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9D8.tmp
Filesize
1KB

MD5
4864784c8f5567e40fbdf0cf6bca6e58

SHA1
53ffa70bd6dd228f12df44db8fe282f33ae89e63

SHA256
cf151623080040f7c096abfa4bceff851d20acce2f2f6abc2c92a91fa88441ef

SHA512
63fca57b5b39e29d5e536bf483e82db6b1c588b9182a70927d020e7d74efd67a9381f67860152e56badf6eec4aaf11c715101e18870e2f3ea19fb73fb6a2a0c1

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
835B

MD5
6eb47c1cf858e25486e42440074917f2

SHA1
6a63f93a95e1ae831c393a97158c526a4fa0faae

SHA256
9b13a3ea948a1071a81787aac1930b89e30df22ce13f8ff751f31b5d83e79ffb

SHA512
08437ab32e7e905eb11335e670cdd5d999803390710ed39cbc31a2d3f05868d5d0e5d051ccd7b06a85bb466932f99a220463d27fac29116d241e8adac495fa2f

Download Submit
\??\pipe\crashpad_1708_XURUJDGTZTBGHXBL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/932-163-0x0000000000000000-mapping.dmp

Download
memory/944-226-0x0000000000000000-mapping.dmp

Download
memory/1056-234-0x0000000000000000-mapping.dmp

Download
memory/1084-156-0x0000000000000000-mapping.dmp

Download
memory/1228-220-0x0000000000000000-mapping.dmp

Download
memory/1308-204-0x0000000000000000-mapping.dmp

Download
memory/1484-196-0x0000000000000000-mapping.dmp

Download
memory/1648-238-0x0000000000000000-mapping.dmp

Download
memory/1948-333-0x0000000000190000-0x00000000018DA000-memory.dmp

Filesize
23.3MB

Download
memory/1948-334-0x0000000008090000-0x00000000080B2000-memory.dmp

Filesize
136KB

Download
memory/2008-153-0x0000000000000000-mapping.dmp

Download
memory/2280-140-0x0000000000000000-mapping.dmp

Download
memory/2280-143-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2280-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2280-144-0x00000000066F0000-0x0000000006740000-memory.dmp

Filesize
320KB

Download
memory/2340-151-0x0000000000000000-mapping.dmp

Download
memory/2384-244-0x0000000000000000-mapping.dmp

Download
memory/2476-177-0x0000000000000000-mapping.dmp

Download
memory/2744-155-0x0000000000000000-mapping.dmp

Download
memory/3012-193-0x0000000000000000-mapping.dmp

Download
memory/3040-148-0x0000000000000000-mapping.dmp

Download
memory/3468-180-0x0000000000000000-mapping.dmp

Download
memory/3648-152-0x0000000000000000-mapping.dmp

Download
memory/3740-197-0x0000000000000000-mapping.dmp

Download
memory/3864-169-0x00007FFB707B0000-0x00007FFB707C0000-memory.dmp

Filesize
64KB

Download
memory/3864-167-0x0000000000000000-mapping.dmp

Download
memory/3932-175-0x0000000000000000-mapping.dmp

Download
memory/3944-206-0x0000000000000000-mapping.dmp

Download
memory/4088-138-0x0000000000000000-mapping.dmp

Download
memory/4140-199-0x0000000000000000-mapping.dmp

Download
memory/4288-150-0x0000000000000000-mapping.dmp

Download
memory/4300-154-0x0000000000000000-mapping.dmp

Download
memory/4524-303-0x000001C410B94000-0x000001C410C15000-memory.dmp

Filesize
516KB

Download
memory/4524-304-0x000001C410B94000-0x000001C410C15000-memory.dmp

Filesize
516KB

Download
memory/4524-305-0x000001C410B94000-0x000001C410C15000-memory.dmp

Filesize
516KB

Download
memory/4524-306-0x000001C410B94000-0x000001C410C15000-memory.dmp

Filesize
516KB

Download
memory/4676-136-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/4676-135-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/4676-133-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/4676-132-0x0000000000690000-0x000000000077A000-memory.dmp

Filesize
936KB

Download
memory/4676-134-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4676-137-0x00000000054A0000-0x00000000054F6000-memory.dmp

Filesize
344KB

Download
memory/4916-214-0x0000000000000000-mapping.dmp

Download
memory/5020-178-0x0000000000000000-mapping.dmp

Download
memory/5028-213-0x0000000000000000-mapping.dmp

Download
memory/5032-166-0x00007FFB707B0000-0x00007FFB707C0000-memory.dmp

Filesize
64KB

Download
memory/5032-165-0x00007FFB707B0000-0x00007FFB707C0000-memory.dmp

Filesize
64KB

Download
memory/5032-164-0x0000000000000000-mapping.dmp

Download
memory/5132-162-0x0000000000000000-mapping.dmp

Download
memory/5176-194-0x0000000000000000-mapping.dmp

Download
memory/5196-222-0x0000000000000000-mapping.dmp

Download
memory/5328-188-0x0000000000000000-mapping.dmp

Download
memory/5348-212-0x0000000000000000-mapping.dmp

Download
memory/5412-174-0x0000000000000000-mapping.dmp

Download
memory/5416-171-0x0000000000000000-mapping.dmp

Download
memory/5448-185-0x0000000000000000-mapping.dmp

Download
memory/5672-149-0x0000000000000000-mapping.dmp

Download
memory/5772-236-0x0000000000000000-mapping.dmp

Download
memory/5820-242-0x0000000000000000-mapping.dmp

Download
memory/5844-228-0x0000000000000000-mapping.dmp

Download
memory/5872-173-0x0000000000000000-mapping.dmp

Download
memory/5972-172-0x0000000000000000-mapping.dmp

Download
memory/6028-170-0x0000000000000000-mapping.dmp

Download
memory/6248-159-0x0000000000000000-mapping.dmp

Download
memory/6328-160-0x0000000000000000-mapping.dmp

Download
memory/6328-246-0x0000000000000000-mapping.dmp

Download
memory/6332-161-0x0000000000000000-mapping.dmp

Download
memory/6428-216-0x0000000000000000-mapping.dmp

Download
memory/6436-218-0x0000000000000000-mapping.dmp

Download
memory/6444-200-0x0000000000000000-mapping.dmp

Download
memory/6504-189-0x0000000000000000-mapping.dmp

Download
memory/6532-209-0x0000000000000000-mapping.dmp

Download
memory/6552-184-0x0000000000000000-mapping.dmp

Download
memory/6556-240-0x0000000000000000-mapping.dmp

Download
memory/6656-157-0x0000000000000000-mapping.dmp

Download
memory/6704-202-0x0000000000000000-mapping.dmp

Download
memory/6764-224-0x0000000000000000-mapping.dmp

Download
memory/6784-309-0x0000000000400000-0x0000000000EA0000-memory.dmp

Filesize
10.6MB

Download
memory/6784-311-0x0000000000400000-0x0000000000EA0000-memory.dmp

Filesize
10.6MB

Download
memory/6784-312-0x0000000000400000-0x0000000000EA0000-memory.dmp

Filesize
10.6MB

Download
memory/6784-313-0x0000000000400000-0x0000000000EA0000-memory.dmp

Filesize
10.6MB

Download
memory/6804-232-0x0000000000000000-mapping.dmp

Download
memory/6864-230-0x0000000000000000-mapping.dmp

Download
memory/6892-182-0x0000000000000000-mapping.dmp

Download
memory/6956-211-0x0000000000000000-mapping.dmp

Download
memory/6960-158-0x0000000000000000-mapping.dmp

Download