cobaltstrike | hxxps://hatching[.]io/blog/tt-2024-06-27/

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files\\AVG\\Browser\\Application\\126.0.25444.62\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe

Contacts a large (568) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

Processes:

UnifiedStub-installer.exe

description	ioc	process
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

AVGBrowserUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

rsEngineSvc.exersEDRSvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe

Checks computer location settings 2 TTPs 36 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

rsAppUI.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exesteamwebhelper.exersAppUI.exeAVGBrowser.exesteamwebhelper.exeAVGBrowser.exeAVGBrowser.exeavg_secure_browser_setup.exeAVGBrowser.exesteamwebhelper.exesteamwebhelper.exersAppUI.exeAVGBrowser.exesteamwebhelper.exersAppUI.exersAppUI.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exersVPNSvc.exersAppUI.exersAppUI.exeAVGBrowser.exersAppUI.exesteamwebhelper.exeuTorrent.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exersAppUI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	uTorrent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	AVGBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

utorrent_installer.exeutorrent_installer.tmpuTorrent.exeutorrent.execomponent0.exesaBSI.exemxtj5uix.exeavg_secure_browser_setup.exeUnifiedStub-installer.exersSyncSvc.exersSyncSvc.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeuTorrent.exeutorrentie.exeutorrentie.exeMicrosoftEdgeWebView2Setup.exeutorrentie.exeMicrosoftEdgeUpdate.exeinstaller.exeMicrosoftEdgeUpdate.exeinstaller.exeutorrentie.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exersWSC.exersWSC.exersClientSvc.exersClientSvc.exersEngineSvc.exeAVGBrowserInstaller.exesetup.exesetup.exersEngineSvc.exersEDRSvc.exersEDRSvc.exersVPNClientSvc.exersVPNClientSvc.exersVPNSvc.exersHelper.exersVPNSvc.exeVPN.exersAppUI.exeEPP.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exe

pid	process
2528	utorrent_installer.exe
416	utorrent_installer.tmp
2876	uTorrent.exe
4832	utorrent.exe
1992	component0.exe
2084	saBSI.exe
4228	mxtj5uix.exe
2244	avg_secure_browser_setup.exe
4740	UnifiedStub-installer.exe
368	rsSyncSvc.exe
428	rsSyncSvc.exe
3548	AVGBrowserUpdateSetup.exe
604	AVGBrowserUpdate.exe
516	AVGBrowserUpdate.exe
4072	AVGBrowserUpdate.exe
528	AVGBrowserUpdateComRegisterShell64.exe
3988	AVGBrowserUpdateComRegisterShell64.exe
2656	AVGBrowserUpdateComRegisterShell64.exe
1504	AVGBrowserUpdate.exe
920	AVGBrowserUpdate.exe
3900	AVGBrowserUpdate.exe
4516	uTorrent.exe
528	utorrentie.exe
4344	utorrentie.exe
520	MicrosoftEdgeWebView2Setup.exe
4076	utorrentie.exe
5284	MicrosoftEdgeUpdate.exe
5192	installer.exe
5956	MicrosoftEdgeUpdate.exe
4520	installer.exe
5064	utorrentie.exe
5548	MicrosoftEdgeUpdate.exe
5532	MicrosoftEdgeUpdateComRegisterShell64.exe
5544	MicrosoftEdgeUpdateComRegisterShell64.exe
5708	MicrosoftEdgeUpdateComRegisterShell64.exe
5772	MicrosoftEdgeUpdate.exe
5920	MicrosoftEdgeUpdate.exe
5564	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
6908	rsWSC.exe
6896	rsWSC.exe
6460	rsClientSvc.exe
7364	rsClientSvc.exe
7700	rsEngineSvc.exe
6952	AVGBrowserInstaller.exe
7692	setup.exe
7824	setup.exe
7280	rsEngineSvc.exe
6852	rsEDRSvc.exe
7468	rsEDRSvc.exe
6428	rsVPNClientSvc.exe
6268	rsVPNClientSvc.exe
5228	rsVPNSvc.exe
6648	rsHelper.exe
7240	rsVPNSvc.exe
6124	VPN.exe
6836	rsAppUI.exe
7144	EPP.exe
8296	rsAppUI.exe
8628	rsAppUI.exe
7476	rsAppUI.exe
6212	rsAppUI.exe
8508	rsAppUI.exe
4376	rsAppUI.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

uTorrent.exeutorrent.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	uTorrent.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	utorrent.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	utorrent.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	uTorrent.exe

Loads dropped DLL 64 IoCs

Processes:

uTorrent.exeutorrent.exeavg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeUnifiedStub-installer.exeuTorrent.exeMicrosoftEdgeUpdate.exeinstaller.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exersEDRSvc.exersEngineSvc.exersEDRSvc.exersVPNSvc.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exe

pid	process
2876	uTorrent.exe
2876	uTorrent.exe
2876	uTorrent.exe
2876	uTorrent.exe
4832	utorrent.exe
2876	uTorrent.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
604	AVGBrowserUpdate.exe
516	AVGBrowserUpdate.exe
4072	AVGBrowserUpdate.exe
528	AVGBrowserUpdateComRegisterShell64.exe
4072	AVGBrowserUpdate.exe
3988	AVGBrowserUpdateComRegisterShell64.exe
4072	AVGBrowserUpdate.exe
2656	AVGBrowserUpdateComRegisterShell64.exe
4072	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
1504	AVGBrowserUpdate.exe
920	AVGBrowserUpdate.exe
3900	AVGBrowserUpdate.exe
3900	AVGBrowserUpdate.exe
920	AVGBrowserUpdate.exe
3900	AVGBrowserUpdate.exe
4740	UnifiedStub-installer.exe
4516	uTorrent.exe
5284	MicrosoftEdgeUpdate.exe
4520	installer.exe
5532	MicrosoftEdgeUpdateComRegisterShell64.exe
5548	MicrosoftEdgeUpdate.exe
5544	MicrosoftEdgeUpdateComRegisterShell64.exe
5548	MicrosoftEdgeUpdate.exe
5708	MicrosoftEdgeUpdateComRegisterShell64.exe
5548	MicrosoftEdgeUpdate.exe
5564	MicrosoftEdgeUpdate.exe
5920	MicrosoftEdgeUpdate.exe
4740	UnifiedStub-installer.exe
6852	rsEDRSvc.exe
6852	rsEDRSvc.exe
7280	rsEngineSvc.exe
7468	rsEDRSvc.exe
7468	rsEDRSvc.exe
7468	rsEDRSvc.exe
4740	UnifiedStub-installer.exe
7280	rsEngineSvc.exe
7280	rsEngineSvc.exe
7240	rsVPNSvc.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8628	rsAppUI.exe
8628	rsAppUI.exe
8628	rsAppUI.exe
8628	rsAppUI.exe
8628	rsAppUI.exe
7476	rsAppUI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4832-3310-0x0000000000400000-0x00000000009C3000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\utorrent\uTorrent.exe	upx
behavioral1/memory/4832-3334-0x0000000000400000-0x00000000009C3000-memory.dmp	upx
behavioral1/memory/4516-3995-0x0000000000400000-0x00000000009C3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

rundll32.exerundll32.exeAVGBrowser.exeSteamSetup.exeAVGBrowser.exeAVGBrowser.exeutorrent.exeuTorrent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe /MINIMIZED"	utorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ut = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" /MINIMIZED"	uTorrent.exe

Checks for any installed AV software in registry 1 TTPs 12 IoCs

Security Software Discovery

T1518.001

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exeutorrent_installer.tmpavg_secure_browser_setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	utorrent_installer.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

rsEDRSvc.exeavg_secure_browser_setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	avg_secure_browser_setup.exe

Drops Chrome extension 1 IoCs

Processes:

chrome.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\llbcnfanfmjhpedaedhbcnpgeepdnnok\6.0.0_0\manifest.json chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\llbcnfanfmjhpedaedhbcnpgeepdnnok\6.0.0_0\manifest.json	chrome.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exersEDRSvc.exersEngineSvc.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\G:	msiexec.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

avg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowserUpdate.exeAVGBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp autoit_exe

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Checks system information in the registry 2 TTPs 16 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exersEDRSvc.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 64 IoCs

Processes:

rsEngineSvc.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exersEDRSvc.exersVPNSvc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_CDEBC4A4CE27F0FE6DF361744978A3A8	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_C98E9A819E78D8F2AA9EADB9D0414010	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4B7EBDACFF7CEC3D08B5D86C9ECA8639	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_E88282161F8E94D7BBCBA82FF0D64C88	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4B7EBDACFF7CEC3D08B5D86C9ECA8639	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_330B78668586CC1C5060B7886AA9A046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_022B2B3B07D70EA5A73F2579070A87A5	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_CDEBC4A4CE27F0FE6DF361744978A3A8	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_FAC429BFCC14A89D4D351DF26B2C8FD0	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_330B78668586CC1C5060B7886AA9A046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_A89204531497D3661ACEDB6FB93ECB4C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_C4502B2ED7ABD16FF1FA41F55DB2B363	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_022B2B3B07D70EA5A73F2579070A87A5	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_8D9F08808C11FCC6158CE8C653BEC3BC	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_B5AE763265020F84DE38D1F53EA2805E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

steam.exesetup.exesetup.exeMicrosoftEdgeWebView2Setup.exeAVGBrowser.exeUnifiedStub-installer.exesteamwebhelper.exeAVGBrowser.exeinstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_gyro_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_lt_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0333.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_expand.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\minithrobber12.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\chord_android.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_w_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\subchangepasswordintro.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\clienttexture8.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_s_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_r2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_p1_md.png_	steam.exe
File created	C:\Program Files\AVG\Browser\Temp\source7692_895144436\Safer-bin\126.0.25444.62\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0305.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\msedgeupdateres_ro.dll	MicrosoftEdgeWebView2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebView2Setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17500_662260338\MV	AVGBrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17500_444885711\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\resources\white-blue-icon.ico	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe	UnifiedStub-installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0020.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\gamespage_details_friends_list.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_emoticon.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\platform_korean.txt_	steam.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17500_285204298\_platform_specific\win_x64\widevinecdm.dll.sig	AVGBrowser.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeWebView2Setup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_left_lg.png_	steam.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17500_662260338\MA	AVGBrowser.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\msedgeupdateres_pl.dll	MicrosoftEdgeWebView2Setup.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll	UnifiedStub-installer.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\new_tab.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_dutch.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\steamui_postlogon_spanish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\joyconpair_left_sl_md.png_	steam.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_rb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_l_click.svg_	steam.exe
File opened for modification	C:\Program Files (x86)\Steam\logs\cef_log.txt	steamwebhelper.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_polish-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_swipe_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_mid_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_r.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\shader_minibanner.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps4_wasd.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\mic_meter_dead.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_right_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_rb_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_button_r_arrow_lg.png_	steam.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17500_662260338\PG	AVGBrowser.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Globalization.dll	UnifiedStub-installer.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping9484_1273479023\privacy-sandbox-attestations.dat	AVGBrowser.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\bump_paper_e.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0324.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_greek.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_button_l_arrow_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ssa_russian.htm_	steam.exe
File created	C:\Program Files\McAfee\Temp1365514190\jslang\wa-res-install-fr-CA.js	installer.exe

Drops file in Windows directory 13 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exemsiexec.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\e66504a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e66504e.msi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\SourceHash{EDB7AEE7-E932-4836-AE50-D3B0B7766CB5}	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\Installer\e66504a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI5124.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5828 416 WerFault.exe utorrent_installer.tmp
7864 416 WerFault.exe utorrent_installer.tmp

pid	pid_target	process	target process
5828	416	WerFault.exe	utorrent_installer.tmp
7864	416	WerFault.exe	utorrent_installer.tmp

Checks SCSI registry key(s) 3 TTPs 33 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AVGBrowser.exeavg_secure_browser_setup.exersEDRSvc.exeAVGBrowser.exeuTorrent.exeAVGBrowser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	uTorrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	uTorrent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	uTorrent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	uTorrent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

steamwebhelper.exersEDRSvc.exesteam.exerunonce.exerunonce.exeutorrent_installer.tmpsteam.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	utorrent_installer.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	utorrent_installer.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeAVGBrowser.exechrome.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exeuTorrent.exePaintStudio.View.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\utorrentie.exe = "1"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	uTorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\utorrentie.exe = "11000"	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\utorrentie.exe = "0"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION	uTorrent.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exersSyncSvc.exersEngineSvc.exersEDRSvc.exersWSC.exemsiexec.exeMicrosoftEdgeUpdate.exeAVGBrowserUpdate.exeMicrosoftEdgeUpdate.exeAVGBrowserUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	rsSyncSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20240628"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exesetup.exeMicrosoftEdgeUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeCP.exeMicrosoftEdge.exesteamservice.exeutorrent.exeAVGBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A025DF-6171-460F-B9A1-29ECE33E754E}\ = "IGoogleUpdate3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28E08968-59C8-4A77-BEBA-12C9394AE077}\ProgID	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CurVer	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEBC1D02-EC16-479A-83F6-AA4247CA7F70}\LocalizedString = "@C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\goopdate.dll,-3000"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ = "IProgressWndEvents"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\ = "Interface {358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ = "IProcessLauncher"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\AvgHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{358EC846-617A-4763-8656-50BF6E0E8AA2}\ = "Interface {358EC846-617A-4763-8656-50BF6E0E8AA2}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\bittorrent\shell\open\command	utorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ = "IApp"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{BAAD654E-4B50-4C9F-A261-CF29CF884478}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CEBE594-0680-4815-86E1-615A6BE65E0E}\NumMethods\ = "4"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F7CBA5-258D-4852-AD0A-B18F3FB214F4}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	AVGBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription+xml	utorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\ = "IMiscUtils"	AVGBrowserUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 25 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

rsEngineSvc.exesaBSI.exersEngineSvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	496	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	502	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	503	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	506	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PaintStudio.View.exe

pid process

2440 PaintStudio.View.exe

pid	process
2440	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exesaBSI.exeUnifiedStub-installer.exeavg_secure_browser_setup.exeAVGBrowserUpdate.exeuTorrent.exeutorrentie.exe

pid	process
3484	chrome.exe
3484	chrome.exe
4716	chrome.exe
4716	chrome.exe
3680	chrome.exe
3680	chrome.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
2084	saBSI.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
2244	avg_secure_browser_setup.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
604	AVGBrowserUpdate.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4740	UnifiedStub-installer.exe
4516	uTorrent.exe
4516	uTorrent.exe
4344	utorrentie.exe
4344	utorrentie.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

14656 steam.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

fltmc.exe

pid process

636
9152 fltmc.exe
636
636
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

880 MicrosoftEdgeCP.exe
880 MicrosoftEdgeCP.exe
880 MicrosoftEdgeCP.exe
880 MicrosoftEdgeCP.exe

pid	process
14656	steam.exe

pid	process
636
9152	fltmc.exe
636
636

pid	process
880	MicrosoftEdgeCP.exe
880	MicrosoftEdgeCP.exe
880	MicrosoftEdgeCP.exe
880	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exechrome.exeAVGBrowser.exeAVGBrowser.exe

pid	process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
9524	AVGBrowser.exe
9524	AVGBrowser.exe
9524	AVGBrowser.exe
9484	AVGBrowser.exe
9484	AVGBrowser.exe
9484	AVGBrowser.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe
Token: SeShutdownPrivilege	3484	chrome.exe
Token: SeCreatePagefilePrivilege	3484	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exeutorrent_installer.tmpuTorrent.exersAppUI.exersAppUI.exe

pid	process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
416	utorrent_installer.tmp
4516	uTorrent.exe
4516	uTorrent.exe
4516	uTorrent.exe
8296	rsAppUI.exe
6836	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeuTorrent.exersAppUI.exersAppUI.exersAppUI.exe

pid	process
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
3484	chrome.exe
4516	uTorrent.exe
4516	uTorrent.exe
4516	uTorrent.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
8296	rsAppUI.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
6836	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

utorrentie.exeutorrentie.exeutorrentie.exeutorrentie.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemspaint.exePaintStudio.View.exemspaint.exesteam.exe

pid	process
528	utorrentie.exe
528	utorrentie.exe
4344	utorrentie.exe
4344	utorrentie.exe
4076	utorrentie.exe
4076	utorrentie.exe
5064	utorrentie.exe
5064	utorrentie.exe
5452	MicrosoftEdge.exe
880	MicrosoftEdgeCP.exe
5416	MicrosoftEdgeCP.exe
880	MicrosoftEdgeCP.exe
10428	mspaint.exe
2440	PaintStudio.View.exe
8680	mspaint.exe
2440	PaintStudio.View.exe
14656	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3484 wrote to memory of 600	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 600	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3640	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 1156	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 1156	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe
PID 3484 wrote to memory of 3288	3484	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://hatching.io/blog/tt-2024-06-27/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffc3ac49758,0x7ffc3ac49768,0x7ffc3ac49778
2⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:2
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4884 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5100 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5196 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4352 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=864 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4832 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4296 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2872 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4928 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5872 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5860 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1448 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4536 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6108 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5768 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3188 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5700 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=1880 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=3588 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5476 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5848 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6368 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6356 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1584 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=4596 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5924 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=5048 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=2216 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6244 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=4564 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=5572 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=4864 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5608 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=5580 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=4604 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1496 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6140 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=2184 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=5092 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=1472 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=5028 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=6268 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6084 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6172 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6032 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=4876 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=2988 --field-trial-handle=1848,i,11954081696698790614,9083579229248952873,131072 /prefetch:1
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops Chrome extension
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc3ac49758,0x7ffc3ac49768,0x7ffc3ac49778
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:2
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1576 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3976 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4104 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3712 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3004 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3756 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2936 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4064 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5512 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3040 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5280 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1488 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4736

C:\Users\Admin\Downloads\utorrent_installer.exe
"C:\Users\Admin\Downloads\utorrent_installer.exe"
2⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Local\Temp\is-ALIKK.tmp\utorrent_installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ALIKK.tmp\utorrent_installer.tmp" /SL5="$F004C,840718,816128,C:\Users\Admin\Downloads\utorrent_installer.exe"
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:416

C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\uTorrent.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\uTorrent.exe" /S /FORCEINSTALL 1110010101111110
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876

C:\Users\Admin\AppData\Local\Temp\nsn9E44.tmp\utorrent.exe
"C:\Users\Admin\AppData\Local\Temp\nsn9E44.tmp\utorrent.exe" /S /FORCEINSTALL 1110010101111110
5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:4832

C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component0.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component0.exe" -ip:"dui=ae202211-6e17-4cac-b8d2-d431e54ee209&dit=20240628150934&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&b=&se=true" -vp:"dui=ae202211-6e17-4cac-b8d2-d431e54ee209&dit=20240628150934&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&oip=26&ptl=7&dta=true" -dp:"dui=ae202211-6e17-4cac-b8d2-d431e54ee209&dit=20240628150934&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100" -i -v -d -se=true
4⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\mxtj5uix.exe
"C:\Users\Admin\AppData\Local\Temp\mxtj5uix.exe" /silent
5⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Local\Temp\7zS480857A1\UnifiedStub-installer.exe
.\UnifiedStub-installer.exe /silent
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
7⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
7⤵
- Adds Run key to start application
PID:9000

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
8⤵
- Checks processor information in registry
PID:9016

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
9⤵
PID:9052

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
7⤵
PID:9084

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
7⤵
- Suspicious behavior: LoadsDriver
PID:9152

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
7⤵
PID:9212

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
7⤵
- Executes dropped EXE
PID:6908

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
7⤵
- Executes dropped EXE
PID:6460

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:7700

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i -i
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6852

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
7⤵
- Executes dropped EXE
PID:6428

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
7⤵
- Executes dropped EXE
PID:5228

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
7⤵
- Adds Run key to start application
PID:9944

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
8⤵
- Checks processor information in registry
PID:9968

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
9⤵
PID:10004

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
7⤵
PID:10128

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
7⤵
PID:10200

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
7⤵
PID:6460

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
7⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component1_extract\installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5192

C:\Program Files\McAfee\Temp1365514190\installer.exe
"C:\Program Files\McAfee\Temp1365514190\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4520

C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component2_extract\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GAQS8.tmp\component2_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dEGo4BYi3aqJKISyRQeDHwfNaQ0EJ7rpDaLlvGnKFQMGknteZtLHhb3Qw7aaFLY25MaCwZsRsJ /make-default
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Users\Admin\AppData\Local\Temp\nsbB373.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"
5⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\GUMBB02.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUMBB02.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome"
6⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:604

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:516

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4072

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:528

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3988

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2656

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezAzQjc0RUExLUM2RDQtNENBRS04MEM2LTlCM0M0MDZGRkY4Q30iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntDQ0E2RkI1OC05QjYyLTQ4QzktQjMxNy05MUU3QzYxODg1MEJ9IiB1c2VyaWRfZGF0ZT0iMjAyNDA2MjgiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDYyOCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins5NzkzQzQ0OS00RTk1LTQ3QTMtQjlERC01NjY2MjhCMTNFNUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTUwNjMuMCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIzMCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTk0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dchrome --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{03B74EA1-C6D4-4CAE-80C6-9B3C406FFF8C}" /silent
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
5⤵
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:9524

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffc09251c80,0x7ffc09251c8c,0x7ffc09251c98
6⤵
PID:9572

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2188,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:2
6⤵
PID:8768

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1832,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
6⤵
PID:3132

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1964,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:8
6⤵
PID:8676

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3284,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:1
6⤵
- Checks computer location settings
PID:9232

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:2
6⤵
- Checks computer location settings
PID:9248

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3568,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:8
6⤵
PID:9264

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3596,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:2
6⤵
- Checks computer location settings
PID:9280

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4612,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:8
6⤵
PID:10072

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4584,i,5757091508879046154,5562438133436177457,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:8
6⤵
PID:10144

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
5⤵
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:9484

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc210a1c80,0x7ffc210a1c8c,0x7ffc210a1c98
6⤵
PID:9560

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
6⤵
PID:1780

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1708,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:3
6⤵
PID:2108

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1952,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:8
6⤵
PID:1308

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3260,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=2512 /prefetch:8
6⤵
PID:1936

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3524,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
6⤵
PID:10052

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3532,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:8
6⤵
PID:2964

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3832,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
6⤵
PID:7144

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3976,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
6⤵
PID:9048

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4132,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
6⤵
PID:8972

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3672,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
6⤵
PID:8680

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4296,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
6⤵
PID:4812

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4572,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8
6⤵
PID:5176

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4300,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:8
6⤵
PID:4736

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4908,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:8
6⤵
PID:9128

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5056,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
6⤵
PID:5436

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4892,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:8
6⤵
PID:9396

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4736,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
6⤵
PID:9976

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4144,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
6⤵
PID:9268

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5628,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8
6⤵
PID:9228

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4888,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
6⤵
PID:8908

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5944,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
6⤵
PID:8428

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6108,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
6⤵
PID:9352

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5644,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
6⤵
PID:10112

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4900,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
6⤵
PID:9604

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5800,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
6⤵
PID:7568

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6096,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:8
6⤵
PID:6064

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6100,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6844 /prefetch:8
6⤵
PID:4740

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6112,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6988 /prefetch:8
6⤵
PID:2840

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5648,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8
6⤵
PID:6360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7288,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:8
6⤵
PID:2088

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5804,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:8
6⤵
PID:224

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6104,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:8
6⤵
PID:10160

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6688,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7764 /prefetch:8
6⤵
PID:5608

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7124,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7292 /prefetch:8
6⤵
PID:8252

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7756,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=8024 /prefetch:8
6⤵
PID:9328

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7452,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=8176 /prefetch:8
6⤵
PID:9916

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=8336,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7616 /prefetch:8
6⤵
PID:9580

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=8468,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8
6⤵
PID:8260

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6980,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=8676 /prefetch:8
6⤵
PID:11784

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8772,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=8992 /prefetch:1
6⤵
- Checks computer location settings
PID:7252

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8956,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=9028 /prefetch:2
6⤵
- Checks computer location settings
PID:9252

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=9472,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=9492 /prefetch:2
6⤵
- Checks computer location settings
PID:12008

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6280,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8
6⤵
PID:11032

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
6⤵
PID:11100

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xe4,0xe8,0xec,0xc0,0xf0,0x7ffc210a1c80,0x7ffc210a1c8c,0x7ffc210a1c98
7⤵
PID:11180

C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe" --registration reg-task --taskintr PT10M --runonce
7⤵
PID:11104

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6400,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8
6⤵
PID:6464

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=6712,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=7320 /prefetch:8
6⤵
PID:5596

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6428,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:8
6⤵
PID:5960

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6504,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
6⤵
PID:7752

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6500,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
6⤵
PID:7808

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5924,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8
6⤵
PID:9524

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6480,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:8
6⤵
PID:11396

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6784,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6440 /prefetch:8
6⤵
PID:10184

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6464,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
6⤵
PID:3304

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3412,i,12947150379083171391,2151994948352659680,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:8
6⤵
PID:11996

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe
setup.exe /silent --create-shortcuts=0 --install-level=1 --system-level
5⤵
PID:17044

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x22c,0x230,0x234,0x228,0x238,0x7ff7834f5390,0x7ff7834f539c,0x7ff7834f53a8
6⤵
PID:17080

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
6⤵
- Checks computer location settings
- Modifies registry class
PID:17260

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --check-run=src=installer
5⤵
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:17500

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc210a1c80,0x7ffc210a1c8c,0x7ffc210a1c98
6⤵
PID:17524

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:2
6⤵
PID:17744

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1848,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3
6⤵
PID:17760

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2172,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:8
6⤵
PID:17816

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2976,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=3012 /prefetch:1
6⤵
- Checks computer location settings
PID:18228

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2984,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=3084 /prefetch:2
6⤵
- Checks computer location settings
PID:18192

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3548,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:2
6⤵
- Checks computer location settings
PID:18276

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3864,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:2
6⤵
- Checks computer location settings
PID:18312

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3672,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:8
6⤵
PID:5444

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4904,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:8
6⤵
PID:11356

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
6⤵
- Checks computer location settings
PID:1636

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4484,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
6⤵
PID:3612

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5344,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
6⤵
PID:4808

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5288,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:8
6⤵
PID:9564

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5704,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:8
6⤵
PID:18504

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5712,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
6⤵
PID:18516

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4316,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
6⤵
PID:19008

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6132,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
6⤵
PID:19056

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5352,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
6⤵
PID:19952

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5504,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
6⤵
PID:20028

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6572,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:8
6⤵
PID:20120

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6720,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:8
6⤵
PID:20984

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6908,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6900 /prefetch:8
6⤵
PID:21408

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6728,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7032 /prefetch:8
6⤵
PID:21312

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6716,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:8
6⤵
PID:22104

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7336,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7180 /prefetch:8
6⤵
PID:4228

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6288,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:8
6⤵
PID:10560

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7184,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:8
6⤵
PID:10448

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7772,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7784 /prefetch:8
6⤵
PID:11672

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6712,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:2
6⤵
- Checks computer location settings
PID:5364

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=8108,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=8156 /prefetch:2
6⤵
- Checks computer location settings
PID:10896

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7612,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=8296 /prefetch:8
6⤵
PID:5540

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7760,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=8436 /prefetch:8
6⤵
PID:5840

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
6⤵
PID:2580

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6c5865390,0x7ff6c586539c,0x7ff6c58653a8
7⤵
PID:13816

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\AVG\Browser\Application\initial_preferences" --create-shortcuts=1 --install-level=0 --no-pin-startmenu
7⤵
PID:13860

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6c5865390,0x7ff6c586539c,0x7ff6c58653a8
8⤵
PID:9020

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
6⤵
- Checks computer location settings
PID:13968

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7776,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=8484 /prefetch:8
6⤵
PID:14116

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
6⤵
PID:14172

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc210a1c80,0x7ffc210a1c8c,0x7ffc210a1c98
7⤵
PID:14188

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=800,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=7704 /prefetch:8
6⤵
PID:16608

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7352,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
6⤵
PID:11488

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=8148,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:8
6⤵
PID:19004

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5292,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:8
6⤵
PID:19172

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=8264,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8
6⤵
PID:20216

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5312,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
6⤵
PID:20408

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4456,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:8
6⤵
PID:21144

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2648,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
6⤵
PID:21512

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5236,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:8
6⤵
PID:21316

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4856,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8
6⤵
PID:22340

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5424,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=6468 /prefetch:8
6⤵
PID:8248

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5952,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8
6⤵
PID:9264

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5868,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
6⤵
PID:10232

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5864,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
6⤵
PID:10736

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5460,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:8
6⤵
PID:11796

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5404,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8
6⤵
PID:8796

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5944,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
6⤵
PID:7896

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5880,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:8
6⤵
PID:11032

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5456,i,9499124768045892681,8759846379032774389,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
6⤵
PID:10832

C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4516

C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe" uTorrent_4516_00D7DDF0_1917235599 µTorrent4823DF041B09 uTorrent ie unp
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe" uTorrent_4516_039AE4A0_838094532 µTorrent4823DF041B09 uTorrent ie unp
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Users\Admin\AppData\Roaming\uTorrent\MicrosoftEdgeWebView2Setup.exe
MicrosoftEdgeWebView2Setup.exe /silent /install
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:520

C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUE203.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
6⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:5284

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
7⤵
- Executes dropped EXE
- Modifies registry class
PID:5956

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5548

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5532

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5544

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5708

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTVENzE1MjgtNTVGOS00NDE4LTk3NEItMzQ3MUJFMTE2MzFBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMjdENDlCMy00RjNGLTQwQ0EtQTc5Ny1EQ0Y1QkMwMjkwNDd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjQxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTUzNTgwNjMxNCIgaW5zdGFsbF90aW1lX21zPSIxNjg4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
7⤵
- Executes dropped EXE
- Checks system information in the registry
PID:5772

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{E5D71528-55F9-4418-974B-3471BE11631A}" /silent
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5920

C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe" uTorrent_4516_039AE708_1880000293 µTorrent4823DF041B09 uTorrent ie unp
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47124\utorrentie.exe" uTorrent_4516_039AFA48_123205246 µTorrent4823DF041B09 uTorrent ie unp
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1572
4⤵
- Program crash
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1572
4⤵
- Program crash
PID:7864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4736 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3796 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5604 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5644 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2356 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:2
2⤵
PID:7356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3100 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3844 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:11968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3208 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:11700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5696 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:11724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5944 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5660 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=4844 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4864 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=1640 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5724 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:8908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6444 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:10856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2988 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=7148 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6972 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6800 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:8236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6772 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6904 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:11856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=812 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:7176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6664 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=6716 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7084 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:6960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:9564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=7044 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5608

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
2⤵
- Adds Run key to start application
PID:808

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
3⤵
- Modifies registry class
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6280 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:7052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=2476 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=896 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:20516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=5328 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=1820 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6052 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:10792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=6924 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=3092 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:10584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=6652 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:11316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=6876 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:12576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=5200 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:12668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=6244 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=6212 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=6812 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=1836 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:6340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=6324 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=5768 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=4036 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=6352 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:14168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=6404 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:14144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=7480 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=7660 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=7668 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=7960 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:14992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=8012 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=8020 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=8344 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=8276 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:13752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=8900 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=9172 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=9500 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=9556 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=7960 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:10684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=9664 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=10488 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=9004 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:6672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=10392 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=10664 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=8860 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:8180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --mojo-platform-channel-handle=9900 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --mojo-platform-channel-handle=10820 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:7096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --mojo-platform-channel-handle=10832 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:6332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --mojo-platform-channel-handle=10976 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --mojo-platform-channel-handle=11256 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --mojo-platform-channel-handle=11392 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:7444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=110 --mojo-platform-channel-handle=11424 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --mojo-platform-channel-handle=11412 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --mojo-platform-channel-handle=11848 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:7252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --mojo-platform-channel-handle=11712 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:9820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --mojo-platform-channel-handle=11988 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=12168 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --mojo-platform-channel-handle=9748 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --mojo-platform-channel-handle=12184 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --mojo-platform-channel-handle=12200 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --mojo-platform-channel-handle=12236 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:17068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --mojo-platform-channel-handle=10720 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --mojo-platform-channel-handle=11728 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --mojo-platform-channel-handle=11764 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:15924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11020 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:20976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11040 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:15060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=12348 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=12336 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:14796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --mojo-platform-channel-handle=10964 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:21232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --mojo-platform-channel-handle=12084 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --mojo-platform-channel-handle=8580 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:16412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --mojo-platform-channel-handle=13608 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --mojo-platform-channel-handle=13564 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:11140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --mojo-platform-channel-handle=12400 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --mojo-platform-channel-handle=9780 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:1
2⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12748 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:8348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9508 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9656 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:8452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12192 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:20520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11736 --field-trial-handle=1856,i,13525124133635023424,5197953417185375782,131072 /prefetch:8
2⤵
PID:20552

C:\Users\Admin\Downloads\ultimate-custom-night.exe
"C:\Users\Admin\Downloads\ultimate-custom-night.exe"
2⤵
PID:11696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4364

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:2544

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:428

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:3900

C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=chrome --import-cookies --auto-launch-chrome --system-level
2⤵
- Executes dropped EXE
PID:6952

C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\CR_8FA95.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\CR_8FA95.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\CR_8FA95.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=chrome --import-cookies --auto-launch-chrome --system-level
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:7692

C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\CR_8FA95.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{7C1E7118-2CD7-47E8-A401-B8A673453871}\CR_8FA95.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7a3b25390,0x7ff7a3b2539c,0x7ff7a3b253a8
4⤵
- Executes dropped EXE
PID:7824

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
PID:9160

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
PID:7568

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5564

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTVENzE1MjgtNTVGOS00NDE4LTk3NEItMzQ3MUJFMTE2MzFBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTcxRURCRDUtQzIzOS00OEM0LTgxRjItMjczQUI2RDNERTBGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IlFFTVUiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDt0eGdVQkhvbzZBUVNBL2Z5RTQ4c3lFWHF4MkorL3FzcWxHV3hpNHVmSFlrPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iODUiIGluc3RhbGxkYXRldGltZT0iMTcxMjIzMzcyMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzU2NzA2NTkyODM2MjIyNyI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxMTQzMjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNTQ0MzY0NTIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6044

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\MicrosoftEdge_X64_126.0.2592.81.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
PID:11580

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\EDGEMITMP_9993C.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\EDGEMITMP_9993C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Drops file in Program Files directory
PID:12036

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\EDGEMITMP_9993C.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\EDGEMITMP_9993C.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D930ABBA-4C23-4655-8D6A-6D3C6B8E4057}\EDGEMITMP_9993C.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ff77bc9aa40,0x7ff77bc9aa4c,0x7ff77bc9aa58
4⤵
PID:2824

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTVENzE1MjgtNTVGOS00NDE4LTk3NEItMzQ3MUJFMTE2MzFBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFNUQ5RjI5RC04RTM0LTRDREYtOEUxNC1FQUZCMEJBRTY3RUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyNi4wLjI1OTIuODEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNjgyNjAzODgwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE2ODI3NjAxNDMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjUyNTI5MzM3MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMTExMGJmNjMtYzZjZS00NzE0LTk2OWItYjMwMjhiNDQxYzQ3P1AxPTE3MjAxOTIyMzgmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VXRHY1lqd2FTdGpPbDFMU1BRNVdlSzQ2VFVzWWlseCUyYnFsanZKc3BpSFlSYjFBJTJieFZ6N2VUUkNhQ05wMHYlMmJrMDVnQVF2VEphRGtFUW8zNlBnb01WJTJidyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MzA4MjE2OCIgdG90YWw9IjE3MzA4MjE2OCIgZG93bmxvYWRfdGltZV9tcz0iNzY1MDQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjUyNTI5MzM3MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyNTQwNDc0NTM1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjk1NDAyOTY4MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjE4NzUiIGRvd25sb2FkX3RpbWVfbXM9Ijg0MjM3IiBkb3dubG9hZGVkPSIxNzMwODIxNjgiIHRvdGFsPSIxNzMwODIxNjgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQxMzQwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5452

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7268

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6896

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:7000

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:7280

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
- Executes dropped EXE
PID:6648

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
- Executes dropped EXE
PID:7144

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8296

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2364 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
PID:8508

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3164 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
PID:4376

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3208 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:8964

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3632 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:6856

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4072 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7960

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3804 --field-trial-handle=2368,i,14402254725959737744,11909624748724928477,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:5852

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
PID:11212

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:7468

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:6268

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:7240

\??\c:\program files\reasonlabs\VPN\ui\VPN.exe
"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
2⤵
- Executes dropped EXE
PID:6124

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6836

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2452 --field-trial-handle=2456,i,2999260309742598213,10168772244423309116,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8628

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=3212 --field-trial-handle=2456,i,2999260309742598213,10168772244423309116,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7476

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3296 --field-trial-handle=2456,i,2999260309742598213,10168772244423309116,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6212

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3460 --field-trial-handle=2456,i,2999260309742598213,10168772244423309116,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:4600

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3040 --field-trial-handle=2456,i,2999260309742598213,10168772244423309116,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:11412

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7224

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
PID:10176

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
PID:8612

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
PID:6248

\??\c:\program files\reasonlabs\DNS\ui\DNS.exe
"c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
2⤵
PID:7460

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
3⤵
- Checks computer location settings
- Suspicious use of SendNotifyMessage
PID:7948

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2116 --field-trial-handle=2120,i,8358441101110222895,14557722425460698847,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:6600

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=3152 --field-trial-handle=2120,i,8358441101110222895,14557722425460698847,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:10132

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3348 --field-trial-handle=2120,i,8358441101110222895,14557722425460698847,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
PID:7092

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2916 --field-trial-handle=2120,i,8358441101110222895,14557722425460698847,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:10340

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:1936

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:10224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1936

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:8940

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:9344

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:6580

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:7884

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
PID:11364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1536

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d1c69bc2329e4d5287530f7cae7431d8 /t 3364 /p 4516
1⤵
PID:9732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c
1⤵
PID:6060

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\download.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:10428

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\download.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:8680

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c
1⤵
PID:6612

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr
2⤵
PID:4072

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
PID:5236

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
PID:5312

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler
1⤵
PID:2016

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper
2⤵
PID:4576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:8480

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
PID:12200

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:11344

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
PID:8136

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:14656

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=14656" "-buildid=1718904662" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
- Checks computer location settings
- Checks processor information in registry
PID:14740

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1718904662 --initial-client-data=0x32c,0x330,0x334,0x300,0x338,0x7ffc1ef8ee38,0x7ffc1ef8ee48,0x7ffc1ef8ee58
4⤵
PID:14828

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1512 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Drops file in Program Files directory
PID:15156

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1972 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
PID:15252

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2328 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
PID:15500

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2712 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
PID:15548

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3324 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
PID:692

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3464 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
PID:14332

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=3676 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
PID:16040

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3472 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
PID:18720

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3428 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
PID:13068

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=3784 --field-trial-handle=1576,i,11766710081794248548,17761764736747680911,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:20304

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
PID:15436

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
PID:15492

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
PID:15876

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
PID:16016

C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe" --runonce
1⤵
PID:13788

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
PID:16164

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUY1RjU5RDQtMUNGQi00NTAzLUJDRjAtOEM2N0Y0NTI4NjVDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyMUE4MjRGNC05RDJELTQyNUUtQUI4Ni1DNTFBN0JERjkzRDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3R4Z1VCSG9vNkFRU0EvZnlFNDhzeUVYcXgySisvcXNxbEdXeGk0dWZIWWs9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODcuNDEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC45MyI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyNi4wLjI1OTIuODEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYzODQiIGNvaG9ydD0icnJmQDAuNzEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntFNkI5MDNEMS1GNzBDLTRENDAtQTA4Ny1FOTVBMzIzQjg4QjB9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:17148

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:17912

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:18360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s NgcSvc
1⤵
PID:14516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:5704

C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe" --runonce
1⤵
PID:9684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404
1⤵
PID:14772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

T1497

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

System Information Discovery