fe7e9e548c9b9bdeb1a42c8ef43087ea58d4b64d72d0d561ba7c7477521444d1

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\109.0.24252.121\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe

Checks for any installed AV software in registry 1 TTPs 12 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	ajCA64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	aj8A29.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\AVAST Software\Avast	aj8A29.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\AVAST Software\Avast	ajCA64.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ajCA64.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	aj8A29.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	ajCA64.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	ajCA64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	aj8A29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\AX	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_491376998\manifest.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\AVGBrowserCrashHandler.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\PS	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\KP	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\BM	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_604589979\manifest.fingerprint	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_ja.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\LU	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\LB	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\IQ	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1133694711\ranked_dicts	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\PR	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_604589979\kp_pinslist.pb	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_fa.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5024_1060268888\Safer-bin\109.0.24252.121\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\ID	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_778543253\hyph-et.hyb	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_491376998\desktop_sharing_hub.pb	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\acuapi_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\AVGBrowserCrashHandler64.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_pt-BR.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\HT	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_am.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_cs.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_fi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5024_1060268888\Safer-bin\109.0.24252.121\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\AF	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\SO	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\MH	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_iw.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5024_1060268888\Safer-bin\109.0.24252.121\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Application\SetupMetrics\2f772498-3be6-4516-93a2-e614d4784e59.tmp	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_987150860\download_file_types.pb	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\SV	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\IN	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\BI	AVGBrowser.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\SETUP.EX_	AVGBrowserInstaller.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\LK	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\JP	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\BY	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_id.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_sv.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\SZ	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\MN	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\KG	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1133694711\surnames.txt	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_da.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_fil.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_es-419.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_hi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\PG	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_778543253\hyph-und-ethi.hyb	AVGBrowser.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5024_1060268888\secure.7z	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\GM	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_604384248\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files (x86)\GUM3EA6.tmp\goopdateres_pl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_vi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5024_1060268888\Safer-bin\109.0.24252.121\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_1763329640\VG	AVGBrowser.exe
File created	C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping6004_604589979\ct_config.pb	AVGBrowser.exe

Executes dropped EXE 64 IoCs

pid	Process
5316	avg_secure_browser_setup.exe
4952	ajCA64.exe
5444	AVGBrowserUpdateSetup.exe
6088	AVGBrowserUpdate.exe
4548	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
4428	AVGBrowserUpdateComRegisterShell64.exe
4156	AVGBrowserUpdateComRegisterShell64.exe
3668	AVGBrowserUpdateComRegisterShell64.exe
4712	AVGBrowserUpdate.exe
1776	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
4188	avg_secure_browser_setup.exe
4532	aj8A29.exe
4980	AVGBrowserInstaller.exe
5024	setup.exe
6080	setup.exe
4956	AVGBrowserCrashHandler.exe
5584	AVGBrowserCrashHandler64.exe
5048	AVGBrowser.exe
6052	AVGBrowser.exe
6128	AVGBrowser.exe
2052	AVGBrowser.exe
4176	AVGBrowser.exe
476	Process not Found
3904	elevation_service.exe
1708	AVGBrowser.exe
2880	AVGBrowser.exe
5804	AVGBrowser.exe
5360	AVGBrowser.exe
5324	AVGBrowser.exe
5532	elevation_service.exe
5924	AVGBrowser.exe
920	AVGBrowser.exe
4740	AVGBrowser.exe
2672	AVGBrowser.exe
6084	AVGBrowser.exe
4272	AVGBrowser.exe
5784	elevation_service.exe
1192	AVGBrowser.exe
6004	elevation_service.exe
6008	AVGBrowser.exe
5404	AVGBrowser.exe
4580	AVGBrowser.exe
4252	AVGBrowser.exe
1144	AVGBrowser.exe
2680	AVGBrowser.exe
5632	AVGBrowser.exe
3876	AVGBrowser.exe
4092	AVGBrowser.exe
2152	AVGBrowser.exe
288	AVGBrowser.exe
2684	AVGBrowser.exe
3772	AVGBrowser.exe
5584	AVGBrowser.exe
4052	AVGBrowser.exe
3184	AVGBrowser.exe
5300	AVGBrowser.exe
4692	AVGBrowser.exe
4244	AVGBrowser.exe
5448	AVGBrowser.exe
5092	AVGBrowser.exe
5440	AVGBrowser.exe
4808	AVGBrowser.exe

Loads dropped DLL 64 IoCs

pid	Process
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
4952	ajCA64.exe
5444	AVGBrowserUpdateSetup.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
4548	AVGBrowserUpdate.exe
4548	AVGBrowserUpdate.exe
4548	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
4428	AVGBrowserUpdateComRegisterShell64.exe
4284	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
4156	AVGBrowserUpdateComRegisterShell64.exe
4284	AVGBrowserUpdate.exe
4284	AVGBrowserUpdate.exe
3668	AVGBrowserUpdateComRegisterShell64.exe
4284	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
4712	AVGBrowserUpdate.exe
6088	AVGBrowserUpdate.exe
1776	AVGBrowserUpdate.exe
1776	AVGBrowserUpdate.exe
1776	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
1776	AVGBrowserUpdate.exe
5092	AVGBrowserUpdate.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4188	avg_secure_browser_setup.exe
4532	aj8A29.exe
4532	aj8A29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3F8D9EE3-FE51-11EE-A346-76B743CBA6BC}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000008206b45286246477a8e71a5a64bcebee9949a1e7f897ecd59af80fdcc221a182000000000e8000000002000020000000ad8b7c0ef7928f9e6ab90d1851f58dc59ecf5112757a7150d47fe11e9fdb363c200000001f1fa5a2cacd385810f01f4b4fdf7ef1224a72e4b08232ca53929ae8e7af9edc40000000c1799e84ec58f240115a7e5d1fb9b17a4459240dedb48a7effca0a682369a55a0dbc37359f4ed5c484916ecf15f2638301bc1bcf13bf553a7e97af0f26ac4c2c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5E29C6E1-37F8-11EF-A346-76B743CBA6BC} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20ef983105ccda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000000e1e5758bf937e8908c7f4fb1c56581ca2debed004fa30253905b365e5deb5ff000000000e8000000002000020000000b8bd2c105336465ff34d308273386560d806c5e059acf9b540481798e15695b89000000086964614d0411e63fe42e1bac0356331e22501df7ddfa34276171409137bc63938001e3c3221df1a1f7131c63be584b8a95b9157479a21a8a54361631d80ba98c0fbed73da98877ddf8f99f1132d26f7cd73d4bf706aed0e2de527bcce94af81fa0aea145f116532629650ce0abb8d9a6d86d348f33623db82b81aaf616333b9c7730e1565376ce08446803be188d719400000005523494331d05164e59d4eea736b211830d0858975c370aff1b7f41ec364d54944da3181ef337c4aab1f38cbdb27320647fb2213e82097c089913ed85264b736	iexplore.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineId = "00009bb098663592a3a6086bcc2909e7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AVG\Browser\Update\MachineIdDate = "20240701"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine\ = "goopdate CredentialDialog"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.xhtml\ = "AvgHTML"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\NumMethods\ = "11"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\NumMethods\ = "17"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine.1.0\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\http\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\https\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine\CLSID\ = "{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}\LocalServer32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DD8E03F-6BE1-41E2-B931-A37C7D1C0317}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E37D9308-A3C0-4EC3-87C5-222235C974E3}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}\VersionIndependentProgID\ = "AVGUpdate.MiscUtils"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods\ = "4"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ = "IAppWeb"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}\Elevation	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\AppUserModelId = "AVG_Secure_Browser"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BAAD654E-4B50-4C9F-A261-CF29CF884478}\ProgID\ = "AVGUpdate.OnDemandCOMClassMachineFallback.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\TypeLib\ = "{358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass\CurVer\ = "AVGUpdate.CoreMachineClass.1"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachine.1.0\ = "Google Update Broker Class Factory"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CLSID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}	AVGBrowserUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ajCA64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ajCA64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ajCA64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ajCA64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe
5316	avg_secure_browser_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	FiveM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
5660	iexplore.exe
6004	AVGBrowser.exe
6004	AVGBrowser.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5316	avg_secure_browser_setup.exe
4952	ajCA64.exe
4188	avg_secure_browser_setup.exe
5660	iexplore.exe
5660	iexplore.exe
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
5820	IEXPLORE.EXE
5820	IEXPLORE.EXE
5820	IEXPLORE.EXE
5820	IEXPLORE.EXE
5660	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2884	2132	chrome.exe	29
PID 2132 wrote to memory of 2884	2132	chrome.exe	29
PID 2132 wrote to memory of 2884	2132	chrome.exe	29
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2872	2132	chrome.exe	31
PID 2132 wrote to memory of 2688	2132	chrome.exe	32
PID 2132 wrote to memory of 2688	2132	chrome.exe	32
PID 2132 wrote to memory of 2688	2132	chrome.exe	32
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33
PID 2132 wrote to memory of 2552	2132	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FiveM.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ac9758,0x7fef6ac9768,0x7fef6ac9778
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:2
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1500 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3024 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3812 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3732 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2268 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4120 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4576 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4680 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4732 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4748 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4764 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4860 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5280 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4356 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4260 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5592 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5992 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6380 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5864 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4492 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6012 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6756 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6860 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6680 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7216 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7228 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7104 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7184 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7536 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8248 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8048 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7808 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9096 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8404 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8880 --field-trial-handle=1412,i,16610574270422032594,7636025934399827673,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
  "C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\ajCA64.exe
    "C:\Users\Admin\AppData\Local\Temp\ajCA64.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\nsjCB4D.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      PID:5444
    - - C:\Program Files (x86)\GUM3EA6.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUM3EA6.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Modifies Internet Explorer settings
        
        PID:6088
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4548
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4284
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4428
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4156
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3668
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0Q4MkY4MTRCLTBEQTgtNDU1MS04QjdCLTczRjgyRTA4MEQ3MH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Ins3MUI3REI3OC1GMzY3LTRGMDItOTgyNS05NEE0REY4QTFCMUV9IiB1c2VyaWRfZGF0ZT0iMjAyNDA3MDEiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDcwMSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins2N0NGNDEyQy1GOTM3LTRFNjUtODU4My0yQTg2RDJEMjVFN0N9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIyOCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iOTMyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4712
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{D82F814B-0DA8-4551-8B7B-73F82E080D70}" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1776
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      AVGBrowser.exe --heartbeat --install --create-profile
      4⤵
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      Checks computer location settings
      Checks system information in the registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:5048
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef3ca6b78,0x7fef3ca6b88,0x7fef3ca6b98
        5⤵
        Executes dropped EXE
        
        PID:6052
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:6128
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1480 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2052
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1608 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4176
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2336 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1708
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2880
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5804
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5360
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2932 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:5324
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1352 --field-trial-handle=1180,i,16117111011644072691,7364749043959980614,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5924
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      AVGBrowser.exe --silent-launch
      4⤵
      Adds Run key to start application
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks computer location settings
      Checks system information in the registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:920
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3b46b78,0x7fef3b46b88,0x7fef3b46b98
        5⤵
        Executes dropped EXE
        
        PID:4740
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2672
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1472 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6084
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1536 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4272
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2532 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1192
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2540 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6008
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1272 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:5404
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3388 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4580
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
        5⤵
        Executes dropped EXE
        
        PID:4252
      - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3b46b78,0x7fef3b46b88,0x7fef3b46b98
        6⤵
        Executes dropped EXE
        
        PID:1144
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3848 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5632
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:3876
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3796 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4092
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3864 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2152
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:288
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3784 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2684
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3644 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:3772
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5584
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4164 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4052
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4296 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:3184
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5300
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4692
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4244
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5448
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3776 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5092
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5440
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4132 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4808
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5320
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:376
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:3696
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:2152
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:3532
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3984 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:3172
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5208
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:4980
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4168 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5784
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:2540
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:2436
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:2924
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4124 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5480
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5440
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5756
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3988 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:1364
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:3408
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=3900 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5388
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:5528
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1880 --field-trial-handle=1232,i,16276694951611576712,8626454230504742850,131072 /prefetch:8
        5⤵
        
        PID:2540
  - - C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\Installer\setup.exe
      setup.exe /silent --create-shortcuts=0 --install-level=1 --system-level
      4⤵
      PID:5044
    - - C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\Installer\setup.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13fcc7c40,0x13fcc7c50,0x13fcc7c60
        5⤵
        
        PID:3856
  - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
      AVGBrowser.exe --check-run=src=installer
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Checks computer location settings
      Checks system information in the registry
      Drops file in Program Files directory
      Enumerates system info in registry
      Suspicious use of FindShellTrayWindow
      PID:6004
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3b46b78,0x7fef3b46b88,0x7fef3b46b98
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:2
        5⤵
        
        PID:5036
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1492 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1600 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:376
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2252 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5028
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2944
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4604
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:2
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1256 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3132
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1248 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2632
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:6056
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3548
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1416 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5532
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4140 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5316
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5140
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5252
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5264
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4992
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1292 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4284
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4020 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3224
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4084
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5280
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4204
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1336 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4904
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4880
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4184
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3756
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4084 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5868
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2508
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5616
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4348 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:6048
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2852
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3240
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5972
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5408 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4312
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4296 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4808
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4236
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
        5⤵
        
        PID:1688
      - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3b46b78,0x7fef3b46b88,0x7fef3b46b98
        6⤵
        
        PID:5700
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5176
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2756
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=1236 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:808
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4192
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1936 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3876
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1344 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2084 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2980
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1580 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5868
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5784
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1584 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4320
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4112 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:3400
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2792
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4080 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:6056
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:2756
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3280 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5552
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:8
        5⤵
        
        PID:5804
    - - C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
        
        "C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=3472 --field-trial-handle=1180,i,6276109420202588555,11702014889994342854,131072 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2956

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5092
- C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:4980
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Modifies registry class
    PID:5024
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{BD6C9644-0159-4C69-8551-D9EFF9F9BCCD}\CR_B1EFA.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=109.0.24252.121 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x13f8f7c40,0x13f8f7c50,0x13f8f7c60
      4⤵
      Executes dropped EXE
      PID:6080
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
  "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  PID:5584

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2136

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x24c
1⤵
PID:4668

C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
"C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
1⤵
- Checks for any installed AV software in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4188
- C:\Users\Admin\AppData\Local\Temp\aj8A29.exe
  "C:\Users\Admin\AppData\Local\Temp\aj8A29.exe" /relaunch=8 /was_elevated=1 /tagdata
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4532

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3904

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5532

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5784

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5660 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5660 CREDAT:275463 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5820

C:\Windows\system32\taskeng.exe
taskeng.exe {4EF98960-A869-4E0F-9513-3FBE55677A28} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:4536
- C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
  "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c
  2⤵
  PID:5816
- C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
  "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler
  2⤵
  PID:6064

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
PID:5972

C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\109.0.24252.121\elevation_service.exe"
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery