94c0a829b34030f4b279c794962627eb422cd3ce3f969eb8ca330ca0c9f82635

Resubmissions

19/07/2024, 19:26

240719-x5x16awdjp 10

19/07/2024, 19:22

240719-x3gamawcjq 8

19/07/2024, 19:19

240719-x1lsbszapb 8

19/07/2024, 19:16

240719-xyvx8azajf 7

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19/07/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeta-updater-1.0.1.exe
Size

3.1MB
MD5

b10ed91a7fe5a422d9c2f9aff5696a19
SHA1

c83105f812109e5f6a26564c197f49d61b2ef403
SHA256

94c0a829b34030f4b279c794962627eb422cd3ce3f969eb8ca330ca0c9f82635
SHA512

fc0d5149ce62ba67755732e5a0004a158bb36ec4e166fcbd734a89c9bde855e71ccf06ee5c7ff9df0834397178c90b9da40769b0275ea487d41c8201f7007c25
SSDEEP

49152:5wSHmvR05JIoEe/avRAvUP5v8R3Lkvrd2o8FEOrJUjnjv/kFE2fSAeFa5J9dxSFw:bOAvsU0D/IE5AeFWxxSFw

Score

8^/10

bootkit discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files\\AVG\\Browser\\Application\\126.0.25558.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 18 IoCs

pid	Process
1576	loader.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
7140	aj9BD.exe
3120	ajCAB.exe
6256	AVGBrowserUpdateSetup.exe
7852	AVGBrowserUpdate.exe
2156	AVGBrowserUpdate.exe
2848	AVGBrowserUpdate.exe
4076	AVGBrowserUpdateComRegisterShell64.exe
8012	AVGBrowserUpdateComRegisterShell64.exe
2788	AVGBrowserUpdateComRegisterShell64.exe
5704	AVGBrowserUpdate.exe
8032	AVGBrowserUpdate.exe
5340	AVGBrowserUpdate.exe
7468	AVGBrowserInstaller.exe
7240	setup.exe
7476	setup.exe

Loads dropped DLL 44 IoCs

pid	Process
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
7140	aj9BD.exe
7140	aj9BD.exe
5908	avg_secure_browser_setup.exe
3120	ajCAB.exe
3120	ajCAB.exe
7140	aj9BD.exe
7140	aj9BD.exe
7140	aj9BD.exe
7140	aj9BD.exe
7140	aj9BD.exe
3120	ajCAB.exe
3120	ajCAB.exe
3120	ajCAB.exe
3120	ajCAB.exe
3120	ajCAB.exe
7140	aj9BD.exe
7852	AVGBrowserUpdate.exe
2156	AVGBrowserUpdate.exe
2848	AVGBrowserUpdate.exe
4076	AVGBrowserUpdateComRegisterShell64.exe
2848	AVGBrowserUpdate.exe
8012	AVGBrowserUpdateComRegisterShell64.exe
2848	AVGBrowserUpdate.exe
2788	AVGBrowserUpdateComRegisterShell64.exe
2848	AVGBrowserUpdate.exe
7852	AVGBrowserUpdate.exe
7852	AVGBrowserUpdate.exe
5704	AVGBrowserUpdate.exe
8032	AVGBrowserUpdate.exe
5340	AVGBrowserUpdate.exe
5340	AVGBrowserUpdate.exe
8032	AVGBrowserUpdate.exe
5340	AVGBrowserUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	ajCAB.exe
Key opened	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\SOFTWARE\AVAST Software\Avast	ajCAB.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj9BD.exe
Key opened	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\SOFTWARE\AVAST Software\Avast	aj9BD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj9BD.exe
File opened for modification	\??\PhysicalDrive0	ajCAB.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GUM958F.tmp\psuser_64.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\AVGBrowserCrashHandler64.exe	AVGBrowserUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdateSetup.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_de.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_et.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\setup_helper_syslib.dll	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_et.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ar.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_hu.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_sl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\npAvgBrowserUpdate3.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\ffmpeg.dll	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_vi.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdate.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_en-GB.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_zh-TW.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\chrome_wer.dll	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdate.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\126.0.25558.127\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\fil.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdateComRegisterShell64.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_bg.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ca.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_pt-PT.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_is.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_ru.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\lv.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdate.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\psmachine.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_ko.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_no.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateBroker.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_ro.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateSetup.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdateOnDemand.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_iw.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_kn.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_pl.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateCore.exe	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_th.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\nl.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\te.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe	setup.exe
File created	C:\Program Files (x86)\GUM958F.tmp\goopdateres_ca.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_cs.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_tr.dll	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\fa.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\resources.pak	setup.exe
File created	C:\Program Files\AVG\Browser\Application\initial_preferences	setup.exe
File created	C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\126.0.25558.127\AVGBrowserInstaller.exe	AVGBrowserUpdate.exe
File created	C:\Program Files\AVG\Browser\Temp\source7240_2085777812\Safer-bin\126.0.25558.127\Locales\mr.pak	setup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj9BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajCAB.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ajCAB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj9BD.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20240719"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "00009bb098663592a3a6086bcc2909e7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\psmachine.dll"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAAD654E-4B50-4C9F-A261-CF29CF884478}\Elevation	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{633D953B-278A-4DAC-8E4B-D15296A1C845}\VersionIndependentProgID\ = "AVGUpdate.Update3WebSvc"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ = "ICurrentState"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\Elevation\Enabled = "1"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\NumMethods\ = "41"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ = "IGoogleUpdate3WebSecurity"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ = "IMiscUtils"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{358EC846-617A-4763-8656-50BF6E0E8AA2}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ = "IAppCommand"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ = "IJobObserver2"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}	AVGBrowserUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\Elevation\Enabled = "1"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\ = "GoogleUpdate Update3Web"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\NumMethods\ = "9"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{633D953B-278A-4DAC-8E4B-D15296A1C845}\ProgID\ = "AVGUpdate.Update3WebSvc.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.MiscUtils\CLSID\ = "{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\TypeLib\ = "{358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{A42B2494-93AE-44E1-B76D-BA8509A5167D}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\AVGBrowserUpdateBroker.exe\""	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ = "CATID_AppContainerCompatible"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\Application\ApplicationDescription = "Access the Internet"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079CAB07-5001-4E71-9D5A-B412842E5178}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{633D953B-278A-4DAC-8E4B-D15296A1C845}\ = "GoogleUpdate Update3Web"	AVGBrowserUpdate.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 538899.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\avg_secure_browser_setup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	powershell.exe
4140	powershell.exe
2444	chrome.exe
2444	chrome.exe
644	msedge.exe
644	msedge.exe
5232	msedge.exe
5232	msedge.exe
5384	msedge.exe
5384	msedge.exe
4032	msedge.exe
4032	msedge.exe
5680	identity_helper.exe
5680	identity_helper.exe
1200	msedge.exe
1200	msedge.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe
6516	avg_secure_browser_setup.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeShutdownPrivilege	2444	chrome.exe
Token: SeCreatePagefilePrivilege	2444	chrome.exe
Token: SeDebugPrivilege	7852	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	7852	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	7852	AVGBrowserUpdate.exe
Token: 33	7468	AVGBrowserInstaller.exe
Token: SeIncBasePriorityPrivilege	7468	AVGBrowserInstaller.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
2444	chrome.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
6516	avg_secure_browser_setup.exe
5908	avg_secure_browser_setup.exe
7140	aj9BD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1576	2556	zeta-updater-1.0.1.exe	84
PID 2556 wrote to memory of 1576	2556	zeta-updater-1.0.1.exe	84
PID 1576 wrote to memory of 4140	1576	loader.exe	85
PID 1576 wrote to memory of 4140	1576	loader.exe	85
PID 2444 wrote to memory of 2396	2444	chrome.exe	107
PID 2444 wrote to memory of 2396	2444	chrome.exe	107
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 1448	2444	chrome.exe	108
PID 2444 wrote to memory of 3776	2444	chrome.exe	109
PID 2444 wrote to memory of 3776	2444	chrome.exe	109
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110
PID 2444 wrote to memory of 2912	2444	chrome.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\zeta-updater-1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\zeta-updater-1.0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\zeta\loader.exe
  "C:\Users\Admin\AppData\Roaming\zeta\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -c ./C:\Users\Admin\AppData\Roaming\zeta
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1196

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5036

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6047cc40,0x7ffc6047cc4c,0x7ffc6047cc58
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1700,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1840,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,9043394738504205743,834122223934661100,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc5d023cb8,0x7ffc5d023cc8,0x7ffc5d023cd8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,18266042332900682617,8413684085950048053,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,18266042332900682617,8413684085950048053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ffc5d023cb8,0x7ffc5d023cc8,0x7ffc5d023cd8
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
  2⤵
  PID:6196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8732 /prefetch:1
  2⤵
  PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8988 /prefetch:1
  2⤵
  PID:6336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7964 /prefetch:8
  2⤵
  PID:6788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:6804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9240 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9232 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9512 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9560 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9576 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:6288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10008 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8588 /prefetch:8
  2⤵
  PID:7044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:6260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9460 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9520 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
  "C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:6516
- - C:\Users\Admin\AppData\Local\Temp\aj9BD.exe
    "C:\Users\Admin\AppData\Local\Temp\aj9BD.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:7140
  - - C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:6256
    - - C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUM958F.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:7852
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2156
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2848
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4076
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:8012
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2788
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0RGMDM1MEM3LTk0MjctNDk2MC04QTQ2LUI5MTYyREIxNkQ0OH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9Ins1MkY0RTAxRi1DNjBELTRDMTQtQTAwMC00RjMxQzg0NDJCQTd9IiB1c2VyaWRfZGF0ZT0iMjAyNDA3MTkiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDcxOSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntBOUU2Q0NDMS02QjU0LTQ1OTQtQUIyOC1DMjE5MDM2NkVBOEZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7MUM4OUVGMkYtQTg4RS00REUwLTk3RkUtQ0I0MEM4RTRGRUVBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS44LjE2OTMuNiIgbGFuZz0iZW4tVVMiIGJyYW5kPSI5MjI4IiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI2MjciLz48L2FwcD48L3JlcXVlc3Q-
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5704
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9228&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{DF0350C7-9427-4960-8A46-B9162DB16D48}" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8032
- C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
  "C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\ajCAB.exe
    "C:\Users\Admin\AppData\Local\Temp\ajCAB.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1228 /prefetch:1
  2⤵
  PID:6152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10032 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9996 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10940 /prefetch:1
  2⤵
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:7468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=8572 /prefetch:8
  2⤵
  PID:7896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:8108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:7364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:6244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9660 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:6480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:6720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,8565482600704325867,2282556334001794796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10348 /prefetch:1
  2⤵
  PID:5564

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
1⤵
PID:7080

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5340
- C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7468
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\CR_124A1.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\CR_124A1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\CR_124A1.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:7240
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\CR_124A1.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{43FE714C-CAD5-43F6-B094-002F189A26EA}\CR_124A1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25558.127 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff651055390,0x7ff65105539c,0x7ff6510553a8
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:7476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\npAvgBrowserUpdate3.dll

Filesize
506KB

MD5
c6a2bff8e96b5622bf6841a671f4e564

SHA1
fb638e9c72604cc1b160385fa803b0ea028e5d5e

SHA256
7a7a12e9c0dee713700081b9354647972a0f3505596df34e4c68aaba99046992

SHA512
22a99f860055388e34a056af5d5e35f2e33a9294784795aca52fd42685d75aebb523add836c5e4b9b2f68fe00348d11ee56cc10208fcc662b86a6169664f934f

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe

Filesize
204KB

MD5
cbcdf56c8a2788ed761ad3178e2d6e9c

SHA1
bdee21667760bc0df3046d6073a05d779fdc82cb

SHA256
e9265a40e5ee5302e8e225ea39a67d452eaac20370f8b2828340ba079abbbfd3

SHA512
5f68e7dffdd3424e0eb2e5cd3d05f8b6ba497aab9408702505341b2c89f265ebb4f9177611d51b9a56629a564431421f3ecb8b25eb08fb2c54dfeddecb9e9f2e

Download Submit
C:\Program Files (x86)\GUM958F.tmp\@PaxHeader

Filesize
28B

MD5
e68634e87a4e9ccd30184881894f5a8c

SHA1
750d0a6c9185bb3a2d8837d54d8bf4fbaa4356c9

SHA256
57c4e71fad2d5c15a09ea440177235fcd3fb9ef017b69748b1df701b0ed18ebc

SHA512
4d983145e6830d782d08cd131918277789c2ca884b69aff35dbfa4418ec1b620962541142bd0fc40cd8a23eb73ae11f483bbef3555acf771e471e6b68f36f51e

Download Submit
C:\Program Files (x86)\GUM958F.tmp\@PaxHeader

Filesize
27B

MD5
5232faa6caa4ea3cae2df3285676760f

SHA1
6c9ff2bb06086757180fc64be9467807ad2b6ed9

SHA256
4afed737e1cb304bdc2ff0741baf3ba44d3007d6628caa2eedfacde64887591e

SHA512
b71e5dd8239b79b26cacfdd779873c4d0e7981179efdcee0b26807b2b74ea11c0186b5bbc17647901d06a928d987fa402522607107f8b49f670237dd78bd99d6

Download Submit
C:\Program Files (x86)\GUM958F.tmp\@PaxHeader

Filesize
28B

MD5
df33d8ff73bd1c480379bf3ff89363d0

SHA1
68bca50772fe1c8970aff550720ff82f21c24e55

SHA256
0c965ed8e0a4774d2e073885ad7df7dc920576cc7acfb2522db2155f75d4e13b

SHA512
3b9e6440412333fe1ae469d7fb902810bf56dac92bc5b9c8fe122628993b04db842bfb30e94c8c60fe97d6db8ea460d002b99981a5abafa6c8484ed597032a34

Download Submit
C:\Program Files (x86)\GUM958F.tmp\@PaxHeader

Filesize
28B

MD5
66f9ca2f2daba66c4b9418aab1c5715a

SHA1
5302851b016aac1905e9152fbedfd5b628d03ada

SHA256
ff44fdb64021b831ab199a4ceef17de9ca11ed5dcfc27d7bc315538c0e49185b

SHA512
080019ec671ac434e7aaee5aaa2d1a4f46555e78c3f7462cb7c60b1fa124b1f8920235514001e0ef17da911bb83ecd2056c4d0d704731deedbb4e3f80e633428

Download Submit
C:\Program Files\AVG\Browser\Application\126.0.25558.127\Installer\setup.exe

Filesize
3.4MB

MD5
72c60af67899c9ee8177dedc9caf8e3e

SHA1
133d0e17e65ebca7d1e2d0ff87d61d2e4e97cee3

SHA256
33e641f2f0fa24fbe72244e0a6c0da70463cac4e0102c5d385693d065cb993bd

SHA512
8584ae3a120aecf6b3ddb181bc8e90696cd68392695d5c544507ea7ef375f425bd5b402a799c21052d6546eaf82e9a03d8c602781f4ed315a658cce82f71caaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f02b40b299af1e77fb0a7ac300b5a7a3

SHA1
7a5c52f2d8c9262172e7e22aee9ed694352cdeaa

SHA256
8452291ea69a14157b2a6e975861b3c9fc93f812d5993af145dd58a24562dfe9

SHA512
dcf39d1c473b0fd8e555b989d74370a16024b92efa999176e74615c5161c9a8bf63e3103824b90dddb8a55bcd9f7e56e8a9707c88400df8ae5b0c2b246b9c898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
36f1ebe9b92eec38618f65654d6b1718

SHA1
7b858983c8b68986003c808268c663d228b6835c

SHA256
285981ad1a9a3bd47f48d8b96ec46bdfa7c32fc75d3f88519ad365fee0da8bd7

SHA512
86eac4f74f25aa576a8b836ed399be109626186b283d0f83334050736327db9839b6ba0aa50118d0ef632bc0102af4efdf46e6a1240b97971fec73f3806cd0dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1b3a08594d6da22ecbdfe80da9f2406

SHA1
d87c8b7ab4e7b58734a703693246a16eb6bd838d

SHA256
c23f6c6d3e3d874a30a36ab86f4cb5c04eb73cfbfdcaf68760a659dabce30604

SHA512
57705b3a03d4040f9d9dc9842ea27c96c7c8a518e5b4b905b18623fcda94174732a24876affddb47b42e23107c11ffdd4d49ada4e0e55691c5b81df538f9e912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2daeaf1729327f67461f2767d103ef8

SHA1
6a0c26bcc65128ea7be9e3b99b1779c1b5d73c4d

SHA256
c40f668206317e7d4bc8b7bfc82a87233e0f7425e549ebc9cb0f485ea17b1674

SHA512
c4221aa292671d653dfbfcccb4e0f1482908a207a27826b261f494a1917cc4385e316cf1dba1fbbb7a8d26290669bdbe64d7a96e5e9917784395ac2e1871720b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
2983881f3b7811917a1dc12dd379213e

SHA1
9272555c906d21333ed2f000cbe8fd5be4ef3f39

SHA256
c0d452fe91f757ef1063dd1d39300227ff993f88078ef2f9deb3d6efdfd55474

SHA512
263753dcb327b368033402e1f542fca08ba20ece4dcaa9361f92787bad3478a86821d9d940b0fba8d7e1fede3c4326c1db2377372bd40128804780594a47a94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
ca037087132178318e6287536e0b50bc

SHA1
9a6abbcbed54c76f58cb9c3ab335e2110a52c23e

SHA256
300c84f11e97baa1ca3ebec40e876a65faa37a6c2ee29414dc0996c0c94cd7df

SHA512
f890d5b8b2257e8dc84cf3639ed61bf765227873afcd96909528eef4429b9891057ee55f96bc975c43d6b704eddc1fcdf06d77fdfad6fa1617db5efd145c939b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
562b59fd3a3527ef4e850775b15d0836

SHA1
ffd14d901f78138fc2eece97c5e258b251bc6752

SHA256
0a64863cb40f9d3b13a7b768b62e8b4707dfee1d3e86a07e999acb87bd7d3430

SHA512
ef9fd3d83ab85b18cf0e0d17e2c7d71936f783e3ae38005e5c78742560332f88be7c4c936d4dc4179e93fde0240d2882d71ef7038289c8cbddbfc4790c0603c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1ff2a88b65e524450bf7c721960d7db

SHA1
382c798fcd7782c424d93262d79e625fcb5f84aa

SHA256
2d12365f3666f6e398456f0c441317bc8ad3e7b089feacc14756e2ae87379409

SHA512
f19c08edf1416435a7628064d85f89c643c248d0979ece629b882f600956f0d8cd93efbe253fa3ec61ad205233a8804807600f845e53e5ed8949290b80fe42d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5f4a8580-d4fb-49b9-b37b-f230e5bba59e.tmp

Filesize
17KB

MD5
ff68273ec519812a4b720253e6ff38df

SHA1
ce5be663152891c488628fc39344c563b438ccbc

SHA256
ed012a1bd09c94940e9bdab989abfbe525ad85eb1ffeb0574db7b1f0894d46aa

SHA512
fcedebaede506bafeee0c4b40a99b843b890fd539eff306602efff3ab91cc99d498d3847062d4ffb2fdc6415ff1eb8f486f278876ee61e3bd0e11a3eac4866d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
78b45f66500680832e342e6fb8f0c7a0

SHA1
457528aace12ab0b6487a490d7b8a6adb13dc8f0

SHA256
5cb9b5d3fb0be382aa00936369c7589c938a438c3942c9883072dee465458c00

SHA512
6c1aad5408b7c02a828596f5030fdd310b78b79dffdf3b3dd997aa26802b55026bc18d7fff44a0e3fadef8087b43964262a9894fd4fc06de1b229bbc6d3b2b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
16KB

MD5
bd17d16b6e95e4eb8911300c70d546f7

SHA1
847036a00e4e390b67f5c22bf7b531179be344d7

SHA256
9f9613a0569536593e3e2f944d220ce9c0f3b5cab393b2785a12d2354227c352

SHA512
f9647d2d7452ce30cf100aeb753e32203a18a1aaef7b45a4bc558397b2a38f63bfcfe174e26300317b7df176155ae4ebaee6bdf0d4289061860eff68236fe1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
19KB

MD5
d1b6e1ab1d59250bcaf318173293882e

SHA1
bd1eeeecc559a81a1728b51c46c62eeaa8d48ef1

SHA256
0c37cfc729a7dede221e3e412473bed2cece5d56cfc8deee9245936cf9f9ddb7

SHA512
d8c95b0e57ecf94f9b761476f5f7897fbcf12f722557692b69ee67e7c0cf751c9ff8e7e186bda031f3897fd1c02ab130bd12812e67a1a2225d9a6cfe7e288e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
17KB

MD5
67e30bbc30fa4e58ef6c33781b4e835c

SHA1
18125beb2b3f1a747f39ed999ff0edd5a52980ee

SHA256
1572e2beb45d2de9d63a7e7fe03c307d175b2b232bad2e763623dceb747729ba

SHA512
271d4a65d25b0a5d2ff2fe8f3925fc165d9b4345893abfd919061d78ffc5ffe8890ded35e41274ad8b860f06264b027cfea6030ec9411a4e03bc6d7cb4d4d228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
104KB

MD5
7651b1187bb58ac4c7be625337b35e5b

SHA1
307d969ef4137a66fe2793737dc1c546587c7f43

SHA256
0632850d01a46bc2f8c223155a4bf6c398b33596bb711e098440623f118c3968

SHA512
a81d2f768af155bdc642941404e7ddf95a2cea33c9374acb5fe32f6f5266e337fbef32f904551f61fcc9f9ab5a1c6a5ad130ab85b38bc2258e2f82c0ca1e9c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
31KB

MD5
1b65dd3bfcbc5c2eacf211b1320108be

SHA1
b8d2622564d2e7b724dd1ee0732700d64981a357

SHA256
71b8bf18d65be2532055d0cd5ff6ca66af88792e49f4d1b1a398af49df30e038

SHA512
912f788d773d340eb4a676067623f0480c37bd13d05172835b6b7f318707057cdddff241649edf6c9b073dbc683d4275507596e96021cea2b32269f14d428d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
97KB

MD5
9e827fdd1c6785038b88702c4fcae106

SHA1
f25166ae62da1f553a5362b1b10167f6c50f3690

SHA256
ce1145164a8795e130e871891ab616676fb39538dc1ae32f0c2fdcc925f6d9d3

SHA512
6a9fc060f75084e0aa9274a98a70699799436fb0cc89ffba4fb2cdf099fa8ed9f5dc933e479ab632cda561cc23f5d95d466d8005b28465395bb29b0bf1d2db08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
42KB

MD5
23d5f558755a9d58eef69b2bfc9a5d99

SHA1
fa43092cb330dff8dc6c572cb8703b92286219f6

SHA256
6e5bec69b1c6424972a7f5481ac57049811f0f196535b707613126c11292c5cf

SHA512
9c56c94d059a27dab9f69c9dfd718382a8eb192b8c0ce91cd6db6ec0769b8756acf9c0956a35561474b87d6278b13fbe88a6e4df6260c278b1ae06e9be55dd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
134KB

MD5
17d9640ceaf0aa9d8b151596f98cc483

SHA1
66799cd5a2f30dd868f9cf17622abac5502dd4d7

SHA256
840d391aff1faea4f8b11d870977788aab126c924f19cefe4d899fda32d8e3ea

SHA512
c0fa603bfdea97ea353357f035d817e80652d2e7ca2e46b1281151061c41739cadca9767b523f90654d6d2ce90165a8e6b360908c38914791453a12e13526b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
25KB

MD5
1b7ac631e480d5308443e58ad1392c3d

SHA1
95f148383063ad9a5dff765373a78ce219d94cd7

SHA256
7fb66071ac6c7cfff583072c47bc255706222c2a4672c75400893f4993c31738

SHA512
15134314dfd36247db86f9b3d4dcb637e162f8fd87c0ce73492ffdb73a87492fc80330655617f165dd969812ed2ebcc42503f632d757bb89ba9116137882119d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
20KB

MD5
ef395876af4fd9145df97543881db131

SHA1
16bd9f3c69d5764297fa02dcd57bd507b3502e2a

SHA256
14fe432bc385bee9b5395c98fff1b64c7ff3067cef264a3f146921921313678a

SHA512
75e5e50fe9734552014c0e4b04282cea87a29be8bfd8af8a27e262e974c74f622953a5663ee11f63888f647bcc4aa50e5000bce2b3d261db423f7282b015f6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
146KB

MD5
d413284fa2892c8b6a50c8124cca9bdc

SHA1
29dd5dc972558ad9403ec320285148318335c390

SHA256
6601b6c147960be14bbdee5db502e29439a3f29279a2ec5115e2c623d788c1a2

SHA512
ca8c6e7fd2b7ad4b645869d408e7db913f6e5f111c2ee361f0132aeb89dc4a2942eea6f4297c33dad075bed1be713c36bb5f916ce5d4be7fa736fc3f5387680f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
81KB

MD5
ed739e81f7761482d44ae91d4d5975b2

SHA1
2f267d1f3e49f1fb40f7b38d5b2c25abdeee9685

SHA256
9d3c875cc483153af3a96e775eca36386717d3ef7cd7a89bec0ca9a1ab556a0c

SHA512
d8280729a572ac12323564f090dff495ace5b8f9291c3ca303dddf98960e69cb505828f84e49af12513c87f97707016c52b88a25cb721179ea980dd84000c39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
19KB

MD5
05c5c53bb92e2cf4391f6af88d499f05

SHA1
95a78e30760a97c10f67e7ab60620d69b39ec6aa

SHA256
6d994566861abee52911e413f1c6e5353549224edabba42bd94c1437dcc33422

SHA512
ce784a0f7ce8b6b7d4c4145c9873b01661a26fea281bd23090bbe623f74da8ca5ae35d961e984d626be316e61e2178dda3ad27c07191f488d23b00b585b22e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
49KB

MD5
d6c0c97507352fbdea15e4a5ba3c0ba1

SHA1
0c528a95801032e7641f678550ea0cf37ea030d2

SHA256
4d7a44a649d1f1a199e380495c3bb61e84c72a06d5489f9b797698bcc8e4e33b

SHA512
44ce695fc37875d7cfd6affdaefb8abf103822c2471bd24de741a678f50855821e90bb40b0a3a9bd2c9df1ab1f406009df488773c9282ca89b3fd02b4ca70216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
76KB

MD5
7b18225ab4d1029c8a7bc99ecc0c9735

SHA1
278cb85ea9d89b8d06e8d907a7371a1dd9b09f36

SHA256
baf29001ad632e05b2da502023b6ecf305d65640f3618ac733e1470c2f919eb2

SHA512
2044ab4332511dbfe2c17bc4fbbb4be15fb855a755ee166b68fa16e972f2503399cb3b09d0de7f6d7a53e83cd08cd52131102ca4d2e179830fe9b6bef28a9644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
147KB

MD5
82a10e907132f0ffaa58791c2723e574

SHA1
5c51964b126a04f2fff4c567639eb3e1975546b5

SHA256
9e4752a4ab644d64ab637116eb385ebcaa2bcf03ec3a3db3b57a07ed248f87d2

SHA512
12fafd28cade90616221cdf0721fd54e45cf1e206fbb08411e64764f3c9b596af911b417b1068ba613bdc37d2a167140572803e971dd1b1494b79e04dcaf82e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
81KB

MD5
ce301fab4f6cc16679cf2245e32ba0e1

SHA1
658acaeb302d1ab70fbc360ff9d59bf317a5f1f7

SHA256
2966f1b1dc7a3fc15fc4791b2a855ed1d8d6ce0d368ee42c7dbc57f8eade9ce5

SHA512
e8487125d3ce64f2c8aff4440e37e3c2cd899d029373de6b43363d6aad7b2485c3f88c118025272759c512ccbd42646009b2c2d40154de05438b55a2efb3b4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
27KB

MD5
7820201f0db0c706a0ea5bb7ce018ef2

SHA1
6d116650afbb3b25bfd6226c7d5ee00dd1fe4515

SHA256
04f262a5cce0399379de17e5635f1e1acaf4371afe981edaaf792625a682c44a

SHA512
bfecb88d8852c413525e1e1bdb3eb69c97a10e4ff67ae3ca5eb97fff5a2ee369a1b80a0d314440a375d0f9e950e0e970a6de6afed09062d8523ca28ac878946f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
37KB

MD5
aed5a8f6aba3a80904c4da7e7edc5ffd

SHA1
a8822cf6f63a89d540bc7b06310ca1d8cdc11a65

SHA256
3a8826e411cbe9529cd9b6475b8d4cecd43c646953581027fe89578a628667bc

SHA512
973d1122aa9cb82a908530feddf7b2189e7a16451c49d8a85238e96f25ca9e292fd0827208b4c2f5277a543f8222a6338dafdf6d2da326fee596378d9f8ca625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
84KB

MD5
8e834d36fe7198340b731d65ba03d743

SHA1
2b4df8bdb8d68ed6ba2345e0bc7bea55d1d9c159

SHA256
251c2814188fe22afa7140dc1a32fdd66263a53571edc16f4313c2ff7d3c594f

SHA512
45d8de1911538f37c0fe9813909874d6736c9c19cf16da8bb19254a8ec614084a95ff7ca236a69e7310808ae7b62c0f19a8475af10253cb819dfb22c7eebcc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
96KB

MD5
1305e83e1d51d085d0feecfcadc19e02

SHA1
1ec114352889988fe07d775822a68c2ec67858a8

SHA256
5111151ed31f512ac5c64782cd31bd0e0549564a5ffe4dcda7d1d47dc85402ac

SHA512
1afb02b9a923c38a745ec559febf86ff9388e2ee70df9ca0e078cf69de9bcaef575249373ee6d755d23b3d9bd7cf6c521e83a344205418279d1c356fbbedc589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
62KB

MD5
0c80334d0d604ec18274ca386da3cc20

SHA1
7ad48f6e38fc58bb7ce03ff0e7fcc7f68f19c2e2

SHA256
eab981b59a865ba5e00917ec3fa2b94baf7c216a98ebd06c23d0ce0f135df54f

SHA512
53036cd1ceff91f7e17b2d80d4880d27e9f49bc5afdd739d6f26c2d03a80a08c044f60528be8a8b4fb1ca6a09a0f537e464c1970a2973e8e8a9138e739cc94b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
26KB

MD5
66b5415b18ee0645a482e6a679de14b9

SHA1
e872d23796c06114f0d06fcff877522db8c99418

SHA256
1cd8a7c5e7fa8e8ec03aad4aca1b60cc72f6babe862e4cbd15885f8ec043e861

SHA512
35323b4466b571a930f793caa63d3ee88f4f643535d7fb8a505d14904b936f20e8ff27917f069e60f636e554ba1068f658595a84c911a758f66679231987218d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
29KB

MD5
87c5c9b5aedf9daecbb44869ce8ebedb

SHA1
c9eb6bf13a8f14ae927186fd7698ba7176ecdd61

SHA256
5d2f0d568d0a8b5c8c285be4f258ebd9b39d4327e263848ec1989f9c18990663

SHA512
9ac2b1a8ee033635aa23ebb37e6034c16bd618e8225c40c23fbc295c9841f94082d620f76b91d329c1cbe826425d03db2680865d4383265df5e1c304453b3432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\52ece08db72f73c5_0

Filesize
373KB

MD5
1d38e5ef537c08756767fa6a2089d908

SHA1
c52793da440cb7a255f5fda73fece976e58c5c6f

SHA256
199b55625d8e2ee5191e705cadff3d6943c9f58e10df8d58aed9659d97057377

SHA512
6af691f04f3ee04c0aedf92660554b639f2be80a7734cfa6c3d76ddf5c7a3afe051c2162d6904a60a34ea3719a198d4e56b5e97987105856007a9a9566279fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8f23d3452c5e5bb1_0

Filesize
32KB

MD5
a0475079a17bc364a853bb96c871ff97

SHA1
d0813fabf083347f5138bfe2f71e281c051470ea

SHA256
fa54ee49ae18e6aef7539ace1ef5b7861a4b623339020412d35fb97502cb7982

SHA512
42a1577ebc4cebdebf64f5bddf249619d42464aa309a1b27fd976a6557eb671b367831da7dc048b88679870c78f52215d9c4245d6485718e13baf268081a1679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a61dad53c5be19f1_0

Filesize
3KB

MD5
859eb443028ea72cf05c42ac9545f597

SHA1
4eb3f76f7487fd5db2fe8401528d3b384fec3ea9

SHA256
b5705cebc651e9acffa5fc87382c14b1c66de2eab59ed01a35ac703c3bfca986

SHA512
0656074bdecc643cb570cf94586dbaafc460b3fe6d7733b61e44bc39f1512aff350ee9deadd7d4e7d2ae16fec0325b81a71b63242db9beafd321a59380c2ef28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d782f305bb50c377_0

Filesize
300B

MD5
c5fb4aa94413a36a49e4146ba109dabc

SHA1
0a1d7adfca3e2b6e8d325703d90ca52c2db04c42

SHA256
32d568cd5249ec80a17d4a4d53857bf47a65246d9cfdf8746414486483624788

SHA512
bd2ce33367ec04491ea8d5a068236274b154246dfc61d363f51be28c920e5bacd121a0d82fea51a163452c664a072876c1555a71c6abe7ca758dc4a4f462c122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6b403a2d0aacd0b4f729c2f137af177e

SHA1
46d567deaba9dbcdbe23c3d0e2340c60a2d14e1d

SHA256
4e99602043a275ede7c2444243b20eafc798541a7f0719248d95cf00d2b82177

SHA512
feb1ed643fcf1d774e0f202a71c9ac13967a06de6e07c749e8076257553be650215745bcb6e6afa670a3a3eec4f8e7324387341a68aafebd27d5a52b44a6871c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
ba802f79472fe49a63f32b22e926d693

SHA1
6806952f6b6e268bc53dab13e1e3eb8a778af084

SHA256
15be369bc6b0e01cca5705a7be4d202c53c78c2186d9607be7464925274eabc4

SHA512
16e4dcf16384c528fc84fff9de06a71f3233ee1d71df1ebc980c773bc7cce74e0af903414dc222f2b1cd0be85acc7fe2e32711a7f82a066c54f557187422aa99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
6749b495c3d022a37cbe1ce221cbb2ff

SHA1
6a62dac0d6d2c46b39684e98eb07e34feaef248f

SHA256
5f8bc1328924ab50410244cb2516d0296cbc75cf2ebca8b2380d1c67121fc975

SHA512
e1ad0d31365a687cdc11f0b623449a485308d9fd806f6968d9a7c191229825c13a6ad665c814fe317d14f77fdc68e8bb71b59d796df237675fb80392160cd647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
25598abed2a86f670d63075f632ae835

SHA1
6f4390fd8a16bf65877809fb4c3109c8d42476c5

SHA256
32e8067ad41c1130c40831fe90fa8cb8dd03548bf3ffde6c9dca5ad602165237

SHA512
ce2d86c83794b476edae1edaa9cb29aeb9bb805d92fff1fef3c69e59bbcbbaf6567ab05aef978591d5c923826b2c0eadcecb3bdae6f43aba63533f4979433bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
ebde17aa36a65ba75bf6068d25b2d9ce

SHA1
68016869818232291eb080dda483b8d9184dc601

SHA256
aed2d99851aecefebf71d29c7980094d0db73884e0f0602da138fc9e88a12e92

SHA512
d53aedc4439d771aed0a5f99941cb34020a77cc37099d0a0e5bb49c759bfb124cd689b765a4b8c21b310026872ce28c5ff2a61833d6bfecef3fe12350a6d4e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
9f04e527f7ad4b0ab3bc824be107ba0a

SHA1
8785f2b26ab6f48aad134747bfd785ed479bfe84

SHA256
98e8e2def86dafde77c1c658505865903409962dbbcd1b762e7e36f493e14d0f

SHA512
9943371cb1546d7d6917356d34094786fd4a1ac0fb31f6d56b78b175ae01022a81cf41cff7c22d7d3aa45b49c8073fe31b029579e04b636c5e2be9475a872a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
26f8105bdb0f3ce5d86664cb10f7f529

SHA1
83c2fc698af7be5fc1c4158056c0f23a8691567e

SHA256
31bd463464803f35a7c98fc7667aea84b4c52e3c4107111c425aa940ca8a3b68

SHA512
592b6055a58b87c5a15f1f646771491cc8539513ebc35fcbb9665b0274ea9f4709af87ce381b26fa8891c1223b236285ee12c77213985936d9734a9d1caa9950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
de68e694d7a9b8a77d748b3a52ba4b78

SHA1
8a08d5baa075fcd65fc2c48b23243dde3f279278

SHA256
2d18c849f620ef8e5d745ea54df1b440be1d398e7ff2ac7fa270c0805ab7141c

SHA512
5fd2b7b592b909ba6534682601fed28bc34dc4127ec550958aa5d0a112a5e940bab231be024ccf716a504f9ddb2db2be58a431052b259229e84a5a07724bcc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e668398ddd9639e56b21963a58d5e163

SHA1
87caf0bd37ffcfd5797531813a7a0c14c2b5925b

SHA256
efd8245cf311e1e4304774a5f9fcf1d088e2fe9d7e1bd75365d09bf4d6bafe4e

SHA512
963ed15c0a92145624578cbb2b64b891ea99fa16bab1c9be17465274d55665087b05bc741440c4e7b28ae6d39d5e83b70c4e541bf5df61fed24fbdecdd149959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1d999c89f475d8324663eb61cfe1e793

SHA1
e3d3f4c6ec3ed860e5492fd50dbf1c2eeb5c7cbf

SHA256
7435a335a15a5483f6c6a42f354f59cd892683c077a6edfc36f453742d7a1232

SHA512
e675f708eecb8f8bec32c654ab4bebaf6aeeea6b844a5e101625f16e26d015ba087e6e2a634d7a76dc8ec672b887f487c01267364abad2646ba95cbcf6515adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ca5b8e8e6703b3cc20d2850119db248

SHA1
d95fba96de342209e66270a687c6f98efe01e6ad

SHA256
f9d757adced5369f19aeed70effc7828cbf3581144b2e6585433688647b8c070

SHA512
9d4b2d38fe86ecdc6d2fb665911f6c1f693cd61104bf4e9b05ff1e29696311300c5a31ebafeb0f631d6cae93798e0a140a807e4b448f6b83d466adc2a60f2caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
65b2ae7d07767c76e0319fdd56320549

SHA1
6a10ed9695ca7c20cb14aa380c364db6d04cad56

SHA256
1597808c3e4da309267fdad96257cdb253d3c75a76483962cfb211fa7bced548

SHA512
6644720095e65dce5d3dd14c31cb45a8ae7a48f1978cd8fb1d9a7bd3314e84bdc26dd5860dac47ab7b9d4652fa23d485a4cba41246a1074e1097a2d05039385c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e51f77ba0e22e5bb4efb53390ea8e80b

SHA1
0243ad7956d7583b31eb88bddf206d261000ff5c

SHA256
9029b2aae81a5567c894ac9ef3c630fd624aa7791642beb94275ba745244d7d8

SHA512
b06aca7ae5c80f383e7a6ad78c3c0a96ee746817a077000709406256fe3a847e8db5d12352c0d3f43b5eaca693bab6936f3e6cb1b189a812f2366694178e3b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
95d45c554d0468ec2b8934994d40772f

SHA1
fa84727a095b00c4c0b3a4b46d9612f4f3d35be3

SHA256
33ab72235e1ff00c0abc596419620c2fddc644b56938341dea8e1dc8fb8e9cc7

SHA512
e89b458e1bfb1daec223c87c8d41ec8449c4f6a5bf5f2f4f84c3da4b8025f7ccf353ccade82ee21cb958d2abb3ff0d56c882b4b5827720dbac7abe09e7af8ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7a766849d2eeb70af4bfec0b692b14d2

SHA1
545d137d2d13f6f0b36186bd4108ed838e66c00a

SHA256
e63330deaaaf26515d839555a2de4f36843083a27dbb6589bc8d5ef117e66c55

SHA512
8fd48c9fae248220e28e901619086977cd5f432862242557444c26a96a05e726a3c022e27be49c7d9ff51e803e682979c17524d5687884966eaec9bf10273f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8425280350dd41eb4860dd7ab6610093

SHA1
f4534bd58f98680c2eb3aed43268e3bce0c660c3

SHA256
da92f39b65997c7c1cded4fe65d228f959d347a26cd980c3e9a1154077536962

SHA512
a1132982d5d6b582c1bd4df045d917a09f54f88fb6e001d1f1e16351a779964207e10c7c9987d2954e611fe6799305908959d73500446853df7e70895726b886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
09c35acec22b5e8acd24b4000065b285

SHA1
2b7f5abd9f03e372eef89374b47fbbe34ba28fd3

SHA256
e37b1daaa5155395b3e701323545bad0f9550fee659d0432fdcf2373e1f3bc4e

SHA512
8f0919c9cde2e0d17c6ec11c7ff0e409ab37766a424e6e7cf8c1edca7bc4b00f5a63b93b4ec5f95d61249209a2f6fc2b5f8739806000babf0bff7c4a80fac5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d695.TMP

Filesize
2KB

MD5
e9414430bdd398e921cbe6dc183ccac9

SHA1
2cce3ae39b20a669f4083a376d6de1bdb1f0ed95

SHA256
c69733ec87b14b9371e91531b96254a8912798e92df4f23bc333c990b6053674

SHA512
676f1f4597c3c193371b9107dd93035ed04c3925e8164389dd6ed3b4306a34ea28142938143013bc5c5133958afed5ea1cb0f27fa681f9206825ef5fc6072394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23ce791c60021562c347bf5418053ede

SHA1
a089320cc8472bc3ac445228072b3d17329c5d27

SHA256
c30c8985f6ee0112ad5ddb8aa7212f323e5130c6c927736a660eb6b4889030dd

SHA512
cc8e7a5113da270e4056162f8c05b1bbcdc4e05463694cf77a2cae62bae5759483cb18275fbd4dc5b099493ce62d6a706d568311b37b7ba76a712736ac5dfca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1d78cf43315b8039433bc4e14915ad8c

SHA1
3095b739c9971bb7f7b44aad3346ae21c870821d

SHA256
b2c91ce1ecf46b25d55ad6ef99f51553f819f83c59e3c9d32ee2210f95161c4a

SHA512
16b74acf04d0d9155b800e7acce8679368f4527f80d6f598aee1ecdf6d02a0da8b71886f3e13b8c382473096051576d734b776edb427a750778000d7bd55194a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e6bccd581b902c5cbbc6c4419a59a7a

SHA1
41871ba71e97929b5a54a8c4b03606abe3630541

SHA256
e81483c829e4c848f97520c78620f41fd1657edd38757f10898cf0518efcbeac

SHA512
1c87e70b5f9a67e7a72a3246420f6a8b66f5187dfc4ac8ca21df3cb6b326fcc97fe6dc421f658cef82e4a49fe9e8e5c92cac4e335139b0595b98675db7ec49e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b9123d31e617e691714f03f20f91fe4

SHA1
f17491f9cc5297877b735c8d22054280be1c3f6c

SHA256
07a7657b052ddb2042ff478f2611970023b4a3d8821a8aaf04996c3296ce3497

SHA512
9d40c7fa432b57ce4e591aa870a546c3d3a1ebbfed2d1622a2debe368c143bff4b59d3069c6ae32ef726e9c9e4552980551ede00dcce46c2ddd860ce779d81e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rklbpfwr.0fi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajCAB.exe

Filesize
5.8MB

MD5
c79bb78a0bad2559a7037913dd1f1f34

SHA1
a5b36348ad93fdf971201f31136d8c9b056984a7

SHA256
f63b47288af395ac9c02c980592691e2d446fe8b4d3813007433ae262af693c3

SHA512
1bd81cbe784427e54903159225e0fd94c0fab1d9498c11db177d86268f34129e6835759a9a3e3822c717349043930e13168390fcc2f9a74f9699f14497cfc888

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1025.tmp\AccessControl.dll

Filesize
26KB

MD5
d4fa24f021f155ce9214dccf812c3b7f

SHA1
864001ab7d2c87af00b7153cd096e0454b3f4e9f

SHA256
3b0889281ff6367bb736690229f461bb4ff34b7437f54a5c71b877a104c0f876

SHA512
de1720af369890df89c8550d49b4e3e2e353e4a21ef30be5ebee9216e312a57ede9f7919e71de592d0bad6e482d48fb759dd1d1323caafa506634e9f877f6213

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1025.tmp\inetc.dll

Filesize
37KB

MD5
650e0e39808140a1da5abd3d27880c7e

SHA1
b2ec540caf946ee5353f52227e8c9942cfb42f22

SHA256
aab155dcaaafebe4b84a9aeec6ffbce9b484a99b316657ee9b7a98b346f9538b

SHA512
9f00d912c123b1b235f0b63154693d294b7cf2c0571fc9bb462ba5c9ef350aa79680436ba4a094c9e28c867bc79bdeb96b0622d153a107bd8a9631d99e4fa6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1025.tmp\jsisdl.dll

Filesize
25KB

MD5
5121c566ac9315a53e558bf62600f9b6

SHA1
6da036314afefeb8c1dd88cc6eab0efb432a3b4d

SHA256
d88e38df30887c722fb837278ee3782914574414c741cdfd3bd6126799fa3167

SHA512
4f6de42af54cec8e63bdfc54ac250a5f5cc09081e9ae85d0cbbcad952f58727cc4cf68501a020474539c51a771537993bc12272496fea5eea924d7058f76fbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1025.tmp\reboot.dll

Filesize
26KB

MD5
c845234dd1e1cdf6f63ec1b025b75742

SHA1
150dc042b54e3dc34172d5a2507125eaf619d14d

SHA256
ca418ce0992368c09827a76b0cca14070b9c518badc95085c7d71034784fce5e

SHA512
b08b899e523da279b9e56306b237eadc6fb91fe460b0872bb6a4b163d3c83480621d2e5e70d1de64fc9d751d8704dd4ab8400d5a901846e4775f4d34977ce605

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1025.tmp\sciterui.dll

Filesize
6.4MB

MD5
f40c5626532c77b9b4a6bb384db48bbe

SHA1
d3124b356f6495288fc7ff1785b1932636ba92d3

SHA256
e6d594047deecb0f3d49898475084d286072b6e3e4a30eb9d0d03e9b3228d60f

SHA512
8eabf1f5f6561a587026a30258c959a6b3aa4fa2a2d5a993fcd7069bff21b1c25a648feea0ac5896adcf57414308644ac48a4ff4bdc3a5d6e6b91bc735dc1056

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\AVGBrowserUpdateSetup.exe

Filesize
1.6MB

MD5
9750ea6c750629d2ca971ab1c074dc9d

SHA1
7df3d1615bec8f5da86a548f45f139739bde286b

SHA256
cd1c5c7635d7e4e56287f87588dea791cf52b8d49ae599b60efb1b4c3567bc9c

SHA512
2ecbe819085bb9903a1a1fb6c796ad3b51617dd1fd03234c86e7d830b32a11fbcbff6cdc0191180d368497de2102319b0f56bfd5d8ac06d4f96585164801a04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\CR.History.tmp

Filesize
116KB

MD5
62240b0adc48fd7601a9e73647972a49

SHA1
0be54e958d099670fdd1025dd4d47ee7126c6b81

SHA256
bfe3dc80cfbe21ef46bbb30897dea4dbdbf31d4ab67d581c77ab9025e0fd409c

SHA512
c68b84ec5517e5beec3b31a49196771ac2111710f863e5a44751bb70b4e7e206f2a0ed7487801e9b4b4785d3328fe12c2cc7ff80a5f5567bac66d923a74b5da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\FF.places.tmp

Filesize
5.0MB

MD5
2aa52366fb2dd82cb67415f219fcb07a

SHA1
d53bf1f0b134cea7e92bfa88256a23b2bbb04c4a

SHA256
2cf80be9708a102f0dda102c28cd3a868e062385ba649ce709e7527c924901bc

SHA512
8d06cebb327874ceb8e29fcf6dab200646fa1eb89df4fa1d5e5a7b405b53cacd72a8403c3e8bdee99284860415c6031641a4fdf2619b0e7cef141b39de9071e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBB0.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp279.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp279.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy18C1.tmp

Filesize
676B

MD5
92ff3e51f55a2f70720c07f67acd3ca8

SHA1
4aaec240b744fa049bd6d2043106e9b5ca138bdd

SHA256
607783ec67ab3cc77fc9298011d53f2c1bb6b0882504c0164a167f787599532f

SHA512
47117d866fb6932bb0d6bf00e54a6e26517127be5f84fcdb9759372cbf6da2db4e7faf830793c215ecc94f6d080087b7a28663e4a358c9e1659e0986b3b1b93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFEC0.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFEC0.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyFEC0.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Roaming\zeta\loader.exe

Filesize
4.1MB

MD5
ab2242c4aba7518eecc26620cbd1d4aa

SHA1
ba46c9820732a289cd30a25bfcfc1b3492a6dee1

SHA256
b593c2f3d90d0205c1c465d8295514f8e1ec4df4acb3b45c844c72a9529e46f8

SHA512
6c3f80b5e6628481a9cbb7c14e020c46c6d4ebb2bcabc5701035c47417000631e6d6c8b3650e0a60e6ad6d1a8e36d75c81e6b36c2539f522aa7cc72eec678472

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 538899.crdownload

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
memory/4140-17-0x00007FFC5FE70000-0x00007FFC60932000-memory.dmp

Filesize
10.8MB

Download
memory/4140-13-0x000001985E0A0000-0x000001985E0C2000-memory.dmp

Filesize
136KB

Download
memory/4140-14-0x00007FFC5FE70000-0x00007FFC60932000-memory.dmp

Filesize
10.8MB

Download
memory/4140-15-0x00007FFC5FE70000-0x00007FFC60932000-memory.dmp

Filesize
10.8MB

Download
memory/4140-16-0x00007FFC5FE70000-0x00007FFC60932000-memory.dmp

Filesize
10.8MB

Download
memory/4140-20-0x00007FFC5FE70000-0x00007FFC60932000-memory.dmp

Filesize
10.8MB

Download
memory/4140-4-0x00007FFC5FE73000-0x00007FFC5FE75000-memory.dmp

Filesize
8KB

Download