hxxps://audioz[.]download/software/258976-download_waves-ultimate-14-v240624-incl-vr-patch-win[.]html

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files\\AVG\\Browser\\Application\\126.0.25444.62\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

partitionwizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	partitionwizard.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

OperaSetup.exesetup.exesetup.exesetup.exesetup.exesetup.exeAssistant_111.0.5168.25_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeavg_secure_browser_setup.exeaj3793.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserInstaller.exesetup.exesetup.exedriver_booster_setup.exedriver_booster_setup.tmpsetup.exedriver_booster_setup.exedriver_booster_setup.tmpAVGBrowserCrashHandler.exeAVGBrowserCrashHandler64.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
2316	OperaSetup.exe
768	setup.exe
3396	setup.exe
2384	setup.exe
2476	setup.exe
4228	setup.exe
4372	Assistant_111.0.5168.25_Setup.exe_sfx.exe
2884	assistant_installer.exe
2976	assistant_installer.exe
2008	avg_secure_browser_setup.exe
1464	aj3793.exe
112	AVGBrowserUpdateSetup.exe
4684	AVGBrowserUpdate.exe
2892	AVGBrowserUpdate.exe
5008	AVGBrowserUpdate.exe
1556	AVGBrowserUpdateComRegisterShell64.exe
3660	AVGBrowserUpdateComRegisterShell64.exe
3468	AVGBrowserUpdateComRegisterShell64.exe
1636	AVGBrowserUpdate.exe
5084	AVGBrowserUpdate.exe
1572	AVGBrowserUpdate.exe
4660	AVGBrowserInstaller.exe
4452	setup.exe
2768	setup.exe
5048	driver_booster_setup.exe
2060	driver_booster_setup.tmp
3016	setup.exe
1636	driver_booster_setup.exe
4436	driver_booster_setup.tmp
2384	AVGBrowserCrashHandler.exe
3076	AVGBrowserCrashHandler64.exe
1360	AVGBrowser.exe
4128	AVGBrowser.exe
1952	AVGBrowser.exe
4684	AVGBrowser.exe
2408	AVGBrowser.exe
4964	elevation_service.exe
5360	AVGBrowser.exe
5532	AVGBrowser.exe
5588	AVGBrowser.exe
5600	AVGBrowser.exe
5796	AVGBrowser.exe
5820	elevation_service.exe
6008	AVGBrowser.exe
6020	AVGBrowser.exe
5276	elevation_service.exe
5328	AVGBrowser.exe
5312	AVGBrowser.exe
5232	AVGBrowser.exe
5296	elevation_service.exe
5568	AVGBrowser.exe
5772	AVGBrowser.exe
5864	AVGBrowser.exe
5840	AVGBrowser.exe
5156	AVGBrowser.exe
3288	AVGBrowser.exe
5592	AVGBrowser.exe
5700	AVGBrowser.exe
4660	AVGBrowser.exe
5504	AVGBrowser.exe
5780	AVGBrowser.exe
5364	AVGBrowser.exe
6336	AVGBrowser.exe
6700	AVGBrowser.exe

Loads dropped DLL 64 IoCs

Processes:

setup.exesetup.exesetup.exesetup.exesetup.exeassistant_installer.exeassistant_installer.exeavg_secure_browser_setup.exeaj3793.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exesetup.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
768	setup.exe
3396	setup.exe
2384	setup.exe
2476	setup.exe
4228	setup.exe
2884	assistant_installer.exe
2884	assistant_installer.exe
2976	assistant_installer.exe
2976	assistant_installer.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
4684	AVGBrowserUpdate.exe
2892	AVGBrowserUpdate.exe
5008	AVGBrowserUpdate.exe
1556	AVGBrowserUpdateComRegisterShell64.exe
5008	AVGBrowserUpdate.exe
3660	AVGBrowserUpdateComRegisterShell64.exe
5008	AVGBrowserUpdate.exe
3468	AVGBrowserUpdateComRegisterShell64.exe
5008	AVGBrowserUpdate.exe
4684	AVGBrowserUpdate.exe
4684	AVGBrowserUpdate.exe
1636	AVGBrowserUpdate.exe
5084	AVGBrowserUpdate.exe
1572	AVGBrowserUpdate.exe
1572	AVGBrowserUpdate.exe
5084	AVGBrowserUpdate.exe
1572	AVGBrowserUpdate.exe
3016	setup.exe
3016	setup.exe
1464	aj3793.exe
1360	AVGBrowser.exe
4128	AVGBrowser.exe
1360	AVGBrowser.exe
1360	AVGBrowser.exe
1952	AVGBrowser.exe
4684	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
2408	AVGBrowser.exe
4684	AVGBrowser.exe
4684	AVGBrowser.exe
2408	AVGBrowser.exe
2408	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
1952	AVGBrowser.exe
5360	AVGBrowser.exe
5360	AVGBrowser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGBrowserAutoLaunch_2539D9FFF1F40C0A976762D6C815D3E3 = "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\""	AVGBrowser.exe

Checks for any installed AV software in registry 1 TTPs 14 IoCs

Security Software Discovery

T1518.001

Processes:

avg_secure_browser_setup.exeAVGBrowser.exeAVGBrowser.exeaj3793.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj3793.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\AVAST Software\Avast	aj3793.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	AVGBrowser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aj3793.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aj3793.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aj3793.exe

Enumerates connected drives 3 TTPs 28 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exesetup.exeIEDSearch.exesetup.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	IEDSearch.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

645 ip-api.com

flow	ioc
645	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowserUpdate.exeAVGBrowser.exeaj3793.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	aj3793.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	AVGBrowser.exe

Drops file in System32 directory 5 IoCs

Processes:

IEDSearch.exepartitionwizard.exe

description	ioc	process
File opened for modification	C:\Windows\System32\MetroAppCache.ini	IEDSearch.exe
File created	C:\Windows\System32\MetroAppCache.ini	IEDSearch.exe
File created	C:\Windows\system32\pwdspio.sys	partitionwizard.exe
File opened for modification	C:\Windows\system32\pwdspio.sys	partitionwizard.exe
File created	C:\Windows\system32\pwdrvio.sys	partitionwizard.exe

Drops file in Program Files directory 64 IoCs

Processes:

ISRSetup.tmppw_sm_setup_x64.tmpsetup.exepw-demo-pack-for-freesetup.tmpAVGBrowserUpdate.exedriver_booster_setup.tmpDBDownloader.exeiTopVPN.exeIEDSetup.tmp

description	ioc	process
File created	C:\Program Files\iTop Screen Recorder\res\stickers\is-6NH1G.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\2x\is-EUC15.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-EDCE1.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-7VR65.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-OA3QM.tmp	ISRSetup.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\api-ms-win-crt-locale-l1-1-0.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\images\is-EO4R8.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Universal\is-5ODMH.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-HS64K.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\AVG\Browser\Temp\source4452_160369624\Safer-bin\126.0.25444.62\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files\MiniTool ShadowMaker\ChannelNetFileInfo.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\is-R1447.tmp	ISRSetup.tmp
File created	C:\Program Files\MiniTool Partition Wizard 12\PEDrivers\x86\f6flpy-x86\is-DFMRP.tmp	pw-demo-pack-for-freesetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\is-O8U4K.tmp	ISRSetup.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\help.chm	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-CR033.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\is-UTDRU.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Universal\is-S3VJI.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Dialogs\is-C44FT.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\is-T6MPB.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_hu.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\History\is-233DB.tmp	driver_booster_setup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-D6V0A.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-NGETB.tmp	ISRSetup.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\Qt5Sql.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\Qt\labs\settings\is-I3OML.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-PLG3V.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\2x\is-BUK86.tmp	ISRSetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\qtwebengine_locales\is-MO27S.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool Partition Wizard 12\7z.dll	pw-demo-pack-for-freesetup.tmp
File opened for modification	C:\Program Files\MiniTool Partition Wizard 12\Qt5Network.dll	pw-demo-pack-for-freesetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\is-VN1B4.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\msvcp140_atomic_wait.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Material\is-KS7LT.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Universal\is-N7QLC.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\iTop Screen Recorder\res\transitions\is-N8G33.tmp	ISRSetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\DISM5_x64\is-8RPQN.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\is-IEGKM.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Imagine\is-PUHF1.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\goopdateres_vi.dll	AVGBrowserUpdate.exe
File created	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DrvInstall\is-AKD6V.tmp	driver_booster_setup.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Update\is-A4C4Q.tmp	driver_booster_setup.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Icons\Apps\is-PDPCA.tmp	driver_booster_setup.tmp
File created	C:\Program Files\MiniTool Partition Wizard 12\en-us\x64\is-CL4A8.tmp	pw-demo-pack-for-freesetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-SQ8LN.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\LocalData\WhiteList.ini	DBDownloader.exe
File created	C:\Program Files (x86)\iTop VPN\Flag\[email protected]	iTopVPN.exe
File created	C:\Program Files\iTop Screen Recorder\lib\is-NTLUV.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\stickers\thumbs\1x\is-3863Q.tmp	ISRSetup.tmp
File created	C:\Program Files\iTop Screen Recorder\res\transitions\is-UQDE7.tmp	ISRSetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\images\is-OFS8C.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\AVG\Browser\Temp\source4452_160369624\Safer-bin\126.0.25444.62\Locales\kn.pak	setup.exe
File created	C:\Program Files\iTop Easy Desktop\Language\is-QOC9N.tmp	IEDSetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Dialogs\is-EFPRN.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\translations\qtwebengine_locales\is-1DI6O.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\qtwebengine_locales\is-01AN5.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Boost\is-2LT21.tmp	driver_booster_setup.tmp
File created	C:\Program Files\iTop Screen Recorder\is-SV8HA.tmp	ISRSetup.tmp
File created	C:\Program Files\MiniTool ShadowMaker\DISM5_x64\is-Q3FRU.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\PETools\x86\efi\boot\is-JQ5AM.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Universal\is-C1EAO.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\conversionpixel.exe	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-8JMRJ.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\is-NR035.tmp	pw_sm_setup_x64.tmp

Drops file in Windows directory 64 IoCs

Processes:

AVGBrowser.exemsiexec.exeAVGBrowser.exesetup.exesetup.exeDriverBooster.exesetup.exechrmstp.exechrmstp.exeAVGBrowser.exechrmstp.exesetup.exechrmstp.exe

description	ioc	process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1461268788\manifest.fingerprint	AVGBrowser.exe
File created	C:\Windows\SystemTemp\~DFB95DE24DFE094EC6.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_143003470\manifest.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_143003470\LICENSE	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1772000357\manifest.fingerprint	AVGBrowser.exe
File created	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\~DFD37D457832C68805.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_143003470\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1772000357\manifest.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1369523385\_metadata\verified_contents.json	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\INF\c_volume.PNF	DriverBooster.exe
File created	C:\Windows\INF\c_display.PNF	DriverBooster.exe
File created	C:\Windows\Installer\SourceHash{EDB7AEE7-E932-4836-AE50-D3B0B7766CB5}	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_580445938\manifest.fingerprint	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1432159187\manifest.json	AVGBrowser.exe
File opened for modification	C:\Windows\Installer\MSIE820.tmp	msiexec.exe
File created	C:\Windows\Installer\e67e797.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE871E774BE59F73E.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File created	C:\Windows\INF\c_diskdrive.PNF	DriverBooster.exe
File created	C:\Windows\SystemTemp\~DF54B08171EAA076D7.TMP	msiexec.exe
File created	C:\Windows\INF\c_media.PNF	DriverBooster.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1576668755\manifest.fingerprint	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1679942945\optimization-hints.pb	AVGBrowser.exe
File created	C:\Windows\INF\c_processor.PNF	DriverBooster.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1461268788\privacy-sandbox-attestations.dat	AVGBrowser.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1432159187\manifest.fingerprint	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1772000357\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1432159187\Preload Data	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1576668755\manifest.json	AVGBrowser.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB104080B0055D441.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_580445938\_platform_specific\win_x64\widevinecdm.dll	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File created	C:\Windows\Installer\e67e793.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF56073C6A1E48AA56.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1679942945\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_580445938\_platform_specific\win_x64\widevinecdm.dll.sig	AVGBrowser.exe
File created	C:\Windows\SystemTemp\~DFF53337E84518AFE6.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7E25A6F0B64421C6.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_580445938\LICENSE	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File created	C:\Windows\SystemTemp\~DF7D8A5F2082AD0014.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_700975720\manifest.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_700975720\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1576668755\_metadata\verified_contents.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1369523385\safety_tips.pb	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1369523385\manifest.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_580445938\manifest.json	AVGBrowser.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8052_1432159187\_metadata\verified_contents.json	AVGBrowser.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File created	C:\Windows\INF\c_monitor.PNF	DriverBooster.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping8608_1461268788\manifest.json	AVGBrowser.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

8148 sc.exe
9168 sc.exe
744 sc.exe
7588 sc.exe
7604 sc.exe
6484 sc.exe
5556 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
8148	sc.exe
9168	sc.exe
744	sc.exe
7588	sc.exe
7604	sc.exe
6484	sc.exe
5556	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AVGBrowser.exeGpuCheck.exeDriverBooster.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exevds.exeaj3793.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceType	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceType	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	GpuCheck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceCharacteristics	GpuCheck.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Address	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0004	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj3793.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003\	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Address	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceCharacteristics	GpuCheck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	GpuCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

partitionwizard.exeDriverBooster.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\21	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\24	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\52	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\25	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\26	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\28	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\41	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\46	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\54	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\55	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\19	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\39	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\27	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\43	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\45	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\47	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\50	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\58	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\38	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\63	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\35	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\53	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\22	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\40	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\18	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\32	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\29	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\60	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\61	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\49	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\20	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\44	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\59	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\48	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\30	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\36	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\37	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\62	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\34	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\42	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\56	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\33	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\17	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\57	partitionwizard.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

System Information Discovery

Processes:

AVGBrowser.exeAVGBrowser.exeAVGBrowser.exechrome.exeAVGBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AVGBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AVGBrowser.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

6788 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

7212 taskkill.exe
9020 taskkill.exe
7728 taskkill.exe
7668 taskkill.exe

pid	process
6788	ipconfig.exe

pid	process
7212	taskkill.exe
9020	taskkill.exe
7728	taskkill.exe
7668	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

Processes:

AVGBrowserUpdate.exepw-free-online.tmppw-demo-pack-for-freesetup.tmppw_sm_setup_x64.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\updatechecker.exe = "11000"	pw-free-online.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\partitionwizard.exe = "11000"	pw-demo-pack-for-freesetup.tmp
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	pw-free-online.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\partitionwizard.exe = "11000"	pw-free-online.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\experience.exe = "11000"	pw-demo-pack-for-freesetup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\experience.exe = "11000"	pw-free-online.tmp
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	pw-demo-pack-for-freesetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	pw_sm_setup_x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\experience.exe = "11000"	pw_sm_setup_x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\system_backup_gui.exe = "11000"	pw_sm_setup_x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowserUpdate.exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

AVGBrowserUpdate.exesvchost.exemsiexec.exechrome.exeAgentService.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\devmode = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642339938913792"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\hostprefix	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\MTSoft\SM\TASK_COUNT = "0"	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1876259831ba7e7fe002cf99b0cbbfcd67999fd33ddb4e64754b0e775e46c329	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	AVGBrowser.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineId = "00009bb098663592a3a6086bcc2909e7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\MachineIdDate = "20240630"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\MTSoft\SM	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\MTSoft	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser	AVGBrowserUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = e41d00008b39c68e02cbda01	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AVGBrowserUpdate.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeiScrInit.exesetup.exeregsvr32.exeAVGBrowserUpdate.exemsiexec.exeAVGBrowserUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1693.6\\AVGBrowserUpdateBroker.exe\""	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ = "IGoogleUpdateCore"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}\InprocHandler32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A27F7BCA-118B-4330-9B07-9092E8F047E2}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\ProgID\ = "AVGUpdate.CredentialDialogMachine.1.0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpg\shell\Open Video Editor\command	iScrInit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6972DB5C-E9D6-4A81-B352-B415A3A61CA6}\NumMethods\ = "24"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB785069-B832-4423-B813-47F7422BA6E5}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\iTop Desktop Manager\ = "{609ED1DF-1540-4F2E-BAAC-C2C9CDB64C00}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mov\shell\Open Video Editor\command	iScrInit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\NumMethods\ = "45"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{609ED1DF-1540-4F2E-BAAC-C2C9CDB64C00}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ = "IPackage"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback.1.0	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.update.avgbrowser.com.oneclickctrl.9	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ = "IAppWeb"	AVGBrowserUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7EEA7BDE239E6384EA053D0B7B67C65B\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebSvc\CurVer	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FBDC15B-BBCD-402B-A45F-1853B01A9E3C}\VersionIndependentProgID\ = "AVGUpdate.OnDemandCOMClassMachine"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.MiscUtils\CLSID\ = "{7E22D0ED-B403-44D2-BABF-4DDD0DFCA692}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\ProgID\ = "AVGUpdate.Update3WebMachineFallback.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ProgID\ = "AVGUpdate.OnDemandCOMClassSvc.1.0"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods\ = "5"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ = "IGoogleUpdateCore"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avi\shell\Open Video Editor\icon = "C:\\Program Files\\iTop Screen Recorder\\iScrEditer.exe"	iScrInit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CredentialDialogMachine.1.0\CLSID\ = "{40C1C1D3-AAEA-46EE-AA2B-79A2CC62F257}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVG.Update3WebControl.3\ = "AVG Browser Plugin"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{358EC846-617A-4763-8656-50BF6E0E8AA2}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mov\shell\Open Video Editor\icon = "C:\\Program Files\\iTop Screen Recorder\\iScrEditer.exe"	iScrInit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ = "IRegistrationUpdateHook"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachine\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ = "IProcessLauncher2"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\NumMethods\ = "7"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32\ = "{2E7A212B-A33C-45D6-9EFD-2AB58EFAACF0}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.OnDemandCOMClassSvc.1.0\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}\NumMethods\ = "6"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\NumMethods\ = "13"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37D106C-CDD2-4821-BC7A-F08990DDCA74}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avi\shell\isr_rightmenu = "Open Video Editor"	iScrInit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3700FAF-2DC2-4322-99B1-D6A51203AF77}\NumMethods\ = "4"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.Update3WebMachineFallback	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A708F91-06A3-409E-83BC-4A5CF10C8025}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

setup.exeDriverBooster.exeAutoUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DriverBooster.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 1900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d9820000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DriverBooster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 040000000100000010000000ebf59d290d61f9421f7cc2ba6de315090f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d980b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030162000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d1d00000001000000100000003475b6ae07580528b505a98d7f0fe1f47e000000010000000800000000409120d035d90103000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e81900000001000000100000004fca18b530ab2d3765b8830436884be620000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DriverBooster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8	AutoUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 0f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d980b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030162000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d1d00000001000000100000003475b6ae07580528b505a98d7f0fe1f47e000000010000000800000000409120d035d90103000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e820000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 5c0000000100000004000000000800001900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d98040000000100000010000000ebf59d290d61f9421f7cc2ba6de3150920000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe

NTFS ADS 4 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\avg_secure_browser_setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\driver_booster_setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\pw-free-online.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

experience.exeexperience.exepartitionwizard.exe

pid process

3680 experience.exe
6228 experience.exe
5832 partitionwizard.exe

pid	process
3680	experience.exe
6228	experience.exe
5832	partitionwizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeavg_secure_browser_setup.exeaj3793.exe

pid	process
2028	chrome.exe
2028	chrome.exe
1536	chrome.exe
1536	chrome.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
1464	aj3793.exe
1464	aj3793.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
1464	aj3793.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe
2008	avg_secure_browser_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3320 Explorer.EXE
Suspicious behavior: LoadsDriver 9 IoCs

Processes:

pid process

672
672
672
672
672
672
672
672
672

pid	process
3320	Explorer.EXE

pid	process
672
672
672
672
672
672
672
672
672

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
1360	AVGBrowser.exe
1360	AVGBrowser.exe
1360	AVGBrowser.exe
6008	AVGBrowser.exe
6008	AVGBrowser.exe
6008	AVGBrowser.exe
6008	AVGBrowser.exe
6008	AVGBrowser.exe
6008	AVGBrowser.exe
2028	chrome.exe
2028	chrome.exe
8608	AVGBrowser.exe
8608	AVGBrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeExplorer.EXEDriverBooster.exeIObitDownloader.exe

pid	process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
4104	DriverBooster.exe
5324	IObitDownloader.exe
5324	IObitDownloader.exe
5324	IObitDownloader.exe
5324	IObitDownloader.exe
5324	IObitDownloader.exe
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

MiniSearchHost.exesetup.exeavg_secure_browser_setup.exeaj3793.exeExplorer.EXEiEasyDesk.exeIEDSearch.exeiScrRec.exeiScrMagnifier.exeget-graphics-offsets64.exeget-graphics-offsets32.exeIEDDW.exetestOpenGL.exeexperience.exeAgentService.exeSchedulerService.exeexperience.exepartitionwizard.exe

pid	process
4484	MiniSearchHost.exe
768	setup.exe
2008	avg_secure_browser_setup.exe
1464	aj3793.exe
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
6432	iEasyDesk.exe
2892	IEDSearch.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
7260	iScrRec.exe
652	iScrMagnifier.exe
6528	get-graphics-offsets64.exe
8704	get-graphics-offsets32.exe
3320	Explorer.EXE
2892	IEDSearch.exe
8056	IEDDW.exe
8056	IEDDW.exe
8636	testOpenGL.exe
3680	experience.exe
3680	experience.exe
3680	experience.exe
1312	AgentService.exe
1312	AgentService.exe
1312	AgentService.exe
1312	AgentService.exe
1312	AgentService.exe
1312	AgentService.exe
1312	AgentService.exe
6940	SchedulerService.exe
6940	SchedulerService.exe
6940	SchedulerService.exe
6940	SchedulerService.exe
6228	experience.exe
6228	experience.exe
6228	experience.exe
5832	partitionwizard.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2028 wrote to memory of 3304	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3304	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3864	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 1416	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 1416	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe
PID 2028 wrote to memory of 3496	2028	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://audioz.download/software/258976-download_waves-ultimate-14-v240624-incl-vr-patch-win.html
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb43fab58,0x7ffdb43fab68,0x7ffdb43fab78
3⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:2
3⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4584 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1808 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4180 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4792 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2976 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3080 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4160 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1652 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5060 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3888 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3140 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3112 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5256 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2940 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5416 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5716 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5364 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5448 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=1496 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4940 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4372 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3000 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4876 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5236 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5892 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6060 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=2912 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=1456 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6096 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2996 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6080 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=4756 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=1036 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=5956 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6064 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=1468 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6164 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6064 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6340 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5712 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=5844 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=5036 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=1036 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4216 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=6520 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=4460 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=6284 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=6020 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=5752 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=4908 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5872 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
- NTFS ADS
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6556 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3572

C:\Users\Admin\Downloads\OperaSetup.exe
"C:\Users\Admin\Downloads\OperaSetup.exe"
3⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe --server-tracking-blob=ZmI1YzczNWQ2NTU4ZjZjYTQ3M2ViOThmODZmNmEyNDI5NzYxNGM2YjNkN2YyZTVlMDBiYTEzZDlhMTRmZDVmZTp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9c29mdG9uaWMmdXRtX21lZGl1bT1wYiZ1dG1fY2FtcGFpZ249RGlzcF9ETF9kaXNfY3B1Jmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cub3BlcmEuY29tJTJGcGFydG5lciUzRnV0bV9tZWRpdW0lM0RwYiUyNnV0bV9zb3VyY2UlM0Rzb2Z0b25pYyUyNnV0bV9jYW1wYWlnbiUzRERpc3BfRExfZGlzX2NwdSZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRnBhcnRuZXImZGxfdG9rZW49OTI3ODIyNDEiLCJ0aW1lc3RhbXAiOiIxNzE5NzYxMDM1LjUyMjkiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEwLjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJEaXNwX0RMX2Rpc19jcHUiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9wYXJ0bmVyIiwibWVkaXVtIjoicGIiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoic29mdG9uaWMifSwidXVpZCI6ImJiOWM3YTM4LTUyZDktNDVhNS1iZDc3LTQyYzBiOTBjN2U2NyJ9
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:768

C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.43 --initial-client-data=0x33c,0x340,0x344,0x2f8,0x348,0x7434a128,0x7434a134,0x7434a140
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3396

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384

C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=768 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240630152403" --session-guid=d0950709-4bb1-4f13-907d-3c28bfd9e59d --server-tracking-blob=NDAxNTEzZTFhZDgwNjk1M2M2MmU2Yjg0ZGYyZDdmMjJkMzM3ZTAxYmM4OGMwMmJjYjNiMTIzN2QxMTNmODRmMTp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9c29mdG9uaWMmdXRtX21lZGl1bT1wYiZ1dG1fY2FtcGFpZ249RGlzcF9ETF9kaXNfY3B1Jmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cub3BlcmEuY29tJTJGcGFydG5lciUzRnV0bV9tZWRpdW0lM0RwYiUyNnV0bV9zb3VyY2UlM0Rzb2Z0b25pYyUyNnV0bV9jYW1wYWlnbiUzRERpc3BfRExfZGlzX2NwdSZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRnBhcnRuZXImZGxfdG9rZW49OTI3ODIyNDEiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTk3NjEwMzUuNTIyOSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTAuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6IkRpc3BfRExfZGlzX2NwdSIsImxhc3RwYWdlIjoib3BlcmEuY29tL3BhcnRuZXIiLCJtZWRpdW0iOiJwYiIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJzb2Z0b25pYyJ9LCJ1dWlkIjoiYmI5YzdhMzgtNTJkOS00NWE1LWJkNzctNDJjMGI5MGM3ZTY3In0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=100A000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2476

C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSC0978821\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.43 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x71fda128,0x71fda134,0x71fda140
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4228

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"
5⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\assistant_installer.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406301524031\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xc99f88,0xc99f94,0xc99fa0
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=5888 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=2912 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=7392 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=7884 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=5664 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=4984 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6728 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7608 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7620 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
- NTFS ADS
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4856 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1500 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:1188

C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
"C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Users\Admin\AppData\Local\Temp\aj3793.exe
"C:\Users\Admin\AppData\Local\Temp\aj3793.exe" /relaunch=8 /was_elevated=1 /tagdata
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Users\Admin\AppData\Local\Temp\nse388C.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9407&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
5⤵
- Executes dropped EXE
PID:112

C:\Program Files (x86)\GUM4F4E.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM4F4E.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9407&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome"
6⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4684

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5008

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3660

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3468

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezQ3QUVDMjI4LURDQTgtNDJBOS05RDBDLTI3RDc0RTdBRDNDMn0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntFMTUwODQ5My0wRjM0LTQ0RDUtQkExNy05RkRDRjI3Q0M0RTV9IiB1c2VyaWRfZGF0ZT0iMjAyNDA2MzAiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDYzMCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins4QjExNEVDMy0wN0U3LTQzNzgtOTVGMS00MjQxNEJFMTVDRER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7MUM4OUVGMkYtQTg4RS00REUwLTk3RkUtQ0I0MEM4RTRGRUVBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS44LjE2OTMuNiIgbGFuZz0iZW4tVVMiIGJyYW5kPSI5NDA3IiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI2MzQiLz48L2FwcD48L3JlcXVlc3Q-
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9407&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{47AEC228-DCA8-42A9-9D0C-27D74E7AD3C2}" /silent
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5084

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4128

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=1908 /prefetch:2
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2188,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:11
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4684

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2300,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:13
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3424,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:14
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3508,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:1
6⤵
- Executes dropped EXE
PID:5532

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3488,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:9
6⤵
- Executes dropped EXE
PID:5588

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3552,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:9
6⤵
- Executes dropped EXE
PID:5600

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4436,i,2827007945510283530,1658531608218226393,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:14
6⤵
- Executes dropped EXE
PID:5796

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6008

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
6⤵
- Executes dropped EXE
PID:6020

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
6⤵
- Executes dropped EXE
PID:5328

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1932,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:11
6⤵
- Executes dropped EXE
PID:5312

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1964,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:13
6⤵
- Executes dropped EXE
PID:5232

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3352,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:14
6⤵
- Executes dropped EXE
PID:5568

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3532,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:14
6⤵
- Executes dropped EXE
PID:5772

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2904,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:14
6⤵
- Executes dropped EXE
PID:5864

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3648,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14
6⤵
- Executes dropped EXE
PID:5840

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3524,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:14
6⤵
- Executes dropped EXE
PID:5156

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3644,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:14
6⤵
- Executes dropped EXE
PID:3288

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3692,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:14
6⤵
- Executes dropped EXE
PID:5592

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3544,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:14
6⤵
- Executes dropped EXE
PID:5700

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3988,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:14
6⤵
- Executes dropped EXE
PID:4660

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3972,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:14
6⤵
- Executes dropped EXE
PID:5504

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4296,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:14
6⤵
- Executes dropped EXE
PID:5780

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4456,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:14
6⤵
- Executes dropped EXE
PID:5364

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4752,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:14
6⤵
- Executes dropped EXE
PID:6336

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4476,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:14
6⤵
- Executes dropped EXE
PID:6700

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3840,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:14
6⤵
PID:7244

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5216,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:1
6⤵
PID:7752

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5224,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:9
6⤵
PID:7764

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5296,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:14
6⤵
PID:7776

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5316,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:14
6⤵
PID:7788

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6064,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:14
6⤵
PID:7860

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4768,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:14
6⤵
PID:7904

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6336,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:14
6⤵
PID:8000

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6380,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:14
6⤵
PID:5316

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5304,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:14
6⤵
PID:5336

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5212,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:14
6⤵
PID:2948

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5328,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:14
6⤵
PID:6148

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6352,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:14
6⤵
PID:6192

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6360,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:14
6⤵
PID:6832

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5332,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7560 /prefetch:14
6⤵
PID:6856

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7588,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7720 /prefetch:14
6⤵
PID:7140

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7740,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:14
6⤵
PID:7484

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7752,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8020 /prefetch:14
6⤵
PID:4692

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6372,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8044 /prefetch:14
6⤵
PID:5788

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7548,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8156 /prefetch:14
6⤵
PID:6060

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6872,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8324 /prefetch:14
6⤵
PID:6128

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7584,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8464 /prefetch:14
6⤵
PID:5148

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7592,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:14
6⤵
PID:8176

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8908,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8928 /prefetch:9
6⤵
PID:7024

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=7760,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=9048 /prefetch:14
6⤵
PID:7720

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=9208,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=9256 /prefetch:9
6⤵
PID:8296

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8856,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=9412 /prefetch:9
6⤵
PID:8660

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9744,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=9280 /prefetch:9
6⤵
PID:6316

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
6⤵
PID:8308

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
7⤵
PID:7088

C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowserProtect.exe" --registration reg-task --taskintr PT10M --runonce
7⤵
PID:7104

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=9756,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8748 /prefetch:14
6⤵
PID:8492

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=9952,i,5221830885476055680,14226516050835739017,262144 --variations-seed-version --mojo-platform-channel-handle=8936 /prefetch:14
6⤵
PID:8612

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe
setup.exe /silent --create-shortcuts=0 --install-level=1 --system-level
5⤵
- Drops file in Windows directory
PID:7680

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x254,0x258,0x25c,0x200,0x260,0x7ff607505390,0x7ff60750539c,0x7ff6075053a8
6⤵
- Drops file in Windows directory
PID:6760

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
6⤵
PID:7408

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --check-run=src=installer
5⤵
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:8608

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
6⤵
PID:8724

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2344,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:2
6⤵
PID:7872

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1768,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:11
6⤵
PID:1496

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2044,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:13
6⤵
PID:6708

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3148,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=3176 /prefetch:1
6⤵
PID:6880

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3164,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=3220 /prefetch:9
6⤵
PID:5276

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4044,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:9
6⤵
PID:5876

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3600,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:9
6⤵
PID:5804

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4428,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:9
6⤵
PID:6152

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4444,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:9
6⤵
PID:7224

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4480,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:9
6⤵
PID:7240

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5508,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:14
6⤵
PID:5424

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
6⤵
- Drops file in Windows directory
PID:5944

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6b9f75390,0x7ff6b9f7539c,0x7ff6b9f753a8
7⤵
- Drops file in Windows directory
PID:7272

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\AVG\Browser\Application\initial_preferences" --create-shortcuts=1 --install-level=0 --no-pin-startmenu
7⤵
- Drops file in Windows directory
PID:8164

C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6b9f75390,0x7ff6b9f7539c,0x7ff6b9f753a8
8⤵
- Drops file in Windows directory
PID:7020

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
6⤵
PID:5916

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
6⤵
PID:7200

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
6⤵
PID:5908

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
7⤵
PID:6624

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5460,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:14
6⤵
PID:5956

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4172,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:1
6⤵
PID:2468

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6380,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:1
6⤵
PID:6508

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=1040,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=3172 /prefetch:14
6⤵
PID:8176

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5128,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:14
6⤵
PID:8820

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6300,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:14
6⤵
PID:3296

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6376,i,3934643174864739157,18434018421608979135,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:9
6⤵
PID:8108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=7104 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=5800 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5324 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6808 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
- NTFS ADS
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4192 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7484 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:2144

C:\Users\Admin\Downloads\driver_booster_setup.exe
"C:\Users\Admin\Downloads\driver_booster_setup.exe"
3⤵
- Executes dropped EXE
PID:5048

C:\Users\Admin\AppData\Local\Temp\is-SF2BO.tmp\driver_booster_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SF2BO.tmp\driver_booster_setup.tmp" /SL5="$50354,28950539,139264,C:\Users\Admin\Downloads\driver_booster_setup.exe"
4⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\is-E6HFK.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-E6HFK.tmp-dbinst\setup.exe" "C:\Users\Admin\Downloads\driver_booster_setup.exe" /title="Driver Booster 11" /dbver=11.5.0.85 /eula="C:\Users\Admin\AppData\Local\Temp\is-E6HFK.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016

C:\Users\Admin\Downloads\driver_booster_setup.exe
"C:\Users\Admin\Downloads\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon
6⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\is-OB8MU.tmp\driver_booster_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OB8MU.tmp\driver_booster_setup.tmp" /SL5="$10386,28950539,139264,C:\Users\Admin\Downloads\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4436

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\HWiNFO\HWiNFO.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\HWiNFO\HWiNFO.exe" /brandname
8⤵
PID:6524

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe" /install /setup="C:\Users\Admin\Downloads\driver_booster_setup.exe"
8⤵
PID:8232

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe" /winstdate
9⤵
PID:8936

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\TaskbarPin\ICONPIN64.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\TaskbarPin\ICONPIN64.exe" pin "C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DriverBooster.exe"
8⤵
PID:6100

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\InstStat.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\InstStat.exe" /install db11
8⤵
PID:5256

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DriverBooster.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DriverBooster.exe" /autoscan
6⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of SendNotifyMessage
PID:4104

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\HWiNFO\HWiNFO.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\HWiNFO\HWiNFO.exe" /brandname
7⤵
PID:9076

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStat /Code="a602" /Days=0
7⤵
PID:6292

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\AutoUpdate.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\AutoUpdate.exe" /main /App=db11 /MainHwnd=0
7⤵
PID:8324

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\ChangeIcon.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\ChangeIcon.exe" /0 "C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Icons\Main\"
7⤵
PID:6048

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\NoteIcon.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\NoteIcon.exe" "C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DriverBooster.exe"
7⤵
PID:5564

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe" /cnt
7⤵
PID:7580

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStat /Code="A100" /Days=0
7⤵
PID:6160

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStat /Code="B100" /Days=7
7⤵
PID:6812

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\RttHlp.exe" /stat
7⤵
PID:6444

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\AUpdate.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\AUpdate.exe" /u http://stats.iobit.com/active_month.php /a db11 /p iobit /v 11.5.0.85 /t 1 /d 7 /db /user
8⤵
PID:9100

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe" /afterupgrade
7⤵
PID:8752

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStat /Code="A101" /Days=0
7⤵
PID:5452

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStat /Code="B101" /Days=7
7⤵
PID:9144

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DBDownloader.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DBDownloader.exe" {"proxytype":0,"task":[{"exp":"C:\\Program Files (x86)\\IObit\\Driver Booster\\11.5.0\\Database\\Scan\\WhiteList.db","u":"http://www.cd4o.com/drivers/wlst/c36d59941193eb723e8d1f13566cd460.wlst","t":3,"p":"C:\\Program Files (x86)\\IObit\\Driver Booster\\11.5.0\\Database\\Scan\\WhiteListtmp","m":"c36d59941193eb723e8d1f13566cd460","d":false}],"downtype":1}
7⤵
- Drops file in Program Files directory
PID:6852

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DBDownloader.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\DBDownloader.exe" {"proxytype":0,"hosthandle":132036,"timeout":10,"id":42630,"task":[{"u":"http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2013/07/20578753_999fee3ed6b5ef3a08f51ced090c4827a420736e.cab","t":0,"p":""}],"downtype":4}
7⤵
PID:8428

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStatEx /Code="a270" /Days=0 /PostNow=-1 /WaitFor=0 /ExParam=""
7⤵
PID:8980

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStatEx /Code="b270" /Days=7 /PostNow=-1 /WaitFor=0 /ExParam=""
7⤵
PID:9184

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\ChangeIcon.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\ChangeIcon.exe" /1 "C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Icons\Main\"
7⤵
PID:1912

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /PostCommStat /Days=7 /Wait=0 /Path=""
7⤵
PID:7140

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStatEx /Code="a201" /Days=0 /PostNow=-1 /WaitFor=0 /ExParam=""
7⤵
PID:1228

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /CommStat /DoCommStatEx /Code="b201" /Days=7 /PostNow=-1 /WaitFor=0 /ExParam=""
7⤵
PID:3124

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\Manta.exe" /appgoto /to="activateweb-5" /base /promote
7⤵
PID:6348

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --single-argument https://www.iobit.com/appgoto.php?to=activateweb-5&name=db&ref=db11&lan=&type=free&ver=11.5.0.85&instd=1&usr=0&expd=-1&insur=other&ftype=free&finstd=1&idata=eyJpc3UiOjEwLCJpbWYiOjEwLCJhc2MiOjEwLCJzZCI6MTAsIml1IjoxMCwiZGIiOjEsImF1Ijox%0D%0AMH0%3D&f2p=0
8⤵
PID:8260

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
9⤵
PID:8228

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --single-argument https://www.iobit.com/appgoto.php?to=install&name=db&ver=11.5.0.85&lan=&ref=db11&type=free
6⤵
PID:8080

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
7⤵
PID:6580

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\IObitDownloader.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\IObitDownloader.exe" "/Config=http://update.iobit.com/infofiles/db/rmd/freeware-db.upt" /show /lang=English.lng /product=db11 "iTop VPN Installer B" "IFun Screen Recorder Installer" "iTop Easy Desktop Installer_p2"
6⤵
- Suspicious use of SendNotifyMessage
PID:5324

C:\ProgramData\IObit\Driver Booster\Downloader\db11\iTopSetup.exe
"C:\ProgramData\IObit\Driver Booster\Downloader\db11\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre
7⤵
PID:9140

C:\Users\Admin\AppData\Local\Temp\is-T5UHA.tmp\iTopSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T5UHA.tmp\iTopSetup.tmp" /SL5="$3048C,38628101,141312,C:\ProgramData\IObit\Driver Booster\Downloader\db11\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre
8⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\is-4CVQO.tmp\ugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-4CVQO.tmp\ugin.exe" /kill
9⤵
PID:6380

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "ugin.exe"
9⤵
- Kills process with taskkill
PID:7212

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /kill /updagrade
9⤵
PID:8276

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /InitTop /ver 5.5.0.5240 /install
9⤵
PID:8176

C:\Program Files (x86)\iTop VPN\ullc.exe
"C:\Program Files (x86)\iTop VPN\ullc.exe"
9⤵
PID:6312

C:\Program Files (x86)\iTop VPN\iTopVPN.exe
"C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /installinit
9⤵
PID:9032

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /init /ver 5.5.0.5240 /force /f /inspkg "C:\ProgramData\IObit\Driver Booster\Downloader\db11\iTopSetup.exe" /insur "db_in_fre" /PINTOTASKBAR
9⤵
PID:9048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop windivert
10⤵
PID:7012

C:\Windows\SysWOW64\sc.exe
sc stop windivert
11⤵
- Launches sc.exe
PID:5556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc stop windivert
10⤵
PID:7696

C:\Windows\SysWOW64\sc.exe
sc stop windivert
11⤵
- Launches sc.exe
PID:8148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc delete windivert
10⤵
PID:5416

C:\Windows\SysWOW64\sc.exe
sc delete windivert
11⤵
- Launches sc.exe
PID:9168

C:\Program Files (x86)\iTop VPN\icop64.exe
"C:\Program Files (x86)\iTop VPN\icop64.exe" Pin "C:\Program Files (x86)\iTop VPN\iTopVPN.exe"
10⤵
PID:4964

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /checkwelcome
10⤵
PID:8964

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /setlan "English"
9⤵
PID:6712

C:\Program Files (x86)\iTop VPN\unpr.exe
"C:\Program Files (x86)\iTop VPN\unpr.exe" /install itop5
9⤵
PID:4692

C:\Program Files (x86)\iTop VPN\iTopVPN.exe
"C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /install
9⤵
- Drops file in Program Files directory
PID:6128

C:\Program Files (x86)\iTop VPN\atud.exe
"C:\Program Files (x86)\iTop VPN\atud.exe" /auto
10⤵
PID:5328

C:\Program Files (x86)\iTop VPN\aud.exe
"C:\Program Files (x86)\iTop VPN\aud.exe" /itop /dayactive
10⤵
PID:7104

C:\Program Files (x86)\iTop VPN\aud.exe
"C:\Program Files (x86)\iTop VPN\aud.exe" /u https://stats.itopvpn.com/active_month.php /a itop5 /p itopf /v 5.5.0.5240 /t 10 /d 7 / /user
10⤵
PID:5592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /flushdns
10⤵
PID:6104

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
11⤵
- Gathers network information
PID:6788

C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe
"C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe" /antrun /install /state 0
10⤵
PID:5872

C:\Program Files (x86)\iTop VPN\ugin.exe
"C:\Program Files (x86)\iTop VPN\ugin.exe" /combinslog "C:\Users\Admin\AppData\Local\Temp\Setup Log 2024-06-30 #003.txt"
9⤵
PID:8364

C:\ProgramData\IObit\Driver Booster\Downloader\db11\ISRSetup.exe
"C:\ProgramData\IObit\Driver Booster\Downloader\db11\ISRSetup.exe" /sp- /verysilent /suppressmsgboxes /NoRestart /insur=db_in
7⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\is-SGRLR.tmp\ISRSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SGRLR.tmp\ISRSetup.tmp" /SL5="$9048A,168953330,230912,C:\ProgramData\IObit\Driver Booster\Downloader\db11\ISRSetup.exe" /sp- /verysilent /suppressmsgboxes /NoRestart /insur=db_in
8⤵
- Drops file in Program Files directory
PID:5560

C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe
"C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe" /CheckOldVer=1 /CopyOldConfig /installdir=""
9⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe
"C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe" /CleanReg
9⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe
"C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe" /KillProcess /installdir="C:\Program Files\iTop Screen Recorder"
9⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe
"C:\Users\Admin\AppData\Local\Temp\is-363RJ.tmp\iScrInit.exe" /DeleteAllFile /reinstall=1 /installdir="C:\Program Files\iTop Screen Recorder"
9⤵
PID:1216

C:\Program Files\iTop Screen Recorder\LocalLang.exe
"C:\Program Files\iTop Screen Recorder\LocalLang.exe"
9⤵
PID:9144

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /reinstall=0 /insur=db_in /SetupFile="C:\ProgramData\IObit\Driver Booster\Downloader\db11\ISRSetup.exe"
9⤵
PID:5180

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /install
9⤵
- Modifies registry class
PID:8040

C:\Program Files\iTop Screen Recorder\GpuCheck.exe
"C:\Program Files\iTop Screen Recorder\GpuCheck.exe" /GpuCheck
10⤵
- Checks SCSI registry key(s)
PID:1020

C:\Program Files\iTop Screen Recorder\iScrGPURecording.exe
"C:\Program Files\iTop Screen Recorder\iScrGPURecording.exe" /CheckFPS=40
9⤵
PID:1464

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /pin=1
9⤵
PID:6512

C:\Program Files\iTop Screen Recorder\ICONPIN64.exe
"C:\Program Files\iTop Screen Recorder\ICONPIN64.exe" pin "C:\Program Files\iTop Screen Recorder\iScrRec.exe"
10⤵
PID:8076

C:\Program Files\iTop Screen Recorder\UninstallInfo.exe
"C:\Program Files\iTop Screen Recorder\UninstallInfo.exe" /install isr5
9⤵
PID:6960

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /PostSystemInfo
9⤵
PID:8384

C:\Program Files\iTop Screen Recorder\iScrRec.exe
"C:\Program Files\iTop Screen Recorder\iScrRec.exe"
9⤵
- Suspicious use of SetWindowsHookEx
PID:7260

C:\Program Files\iTop Screen Recorder\GpuCheck.exe
"C:\Program Files\iTop Screen Recorder\GpuCheck.exe" /checkGpuEncode
10⤵
PID:8856

C:\Program Files\iTop Screen Recorder\iScrGameScanner.exe
"C:\Program Files\iTop Screen Recorder\iScrGameScanner.exe" scangame
10⤵
PID:8948

C:\Program Files\iTop Screen Recorder\graphics-check.exe
"C:\Program Files\iTop Screen Recorder\graphics-check.exe"
10⤵
PID:5724

C:\Program Files\iTop Screen Recorder\iScrMagnifier.exe
"C:\Program Files\iTop Screen Recorder\iScrMagnifier.exe" 1 250 /check
10⤵
- Suspicious use of SetWindowsHookEx
PID:652

C:\Program Files\iTop Screen Recorder\AutoUpdate.exe
"C:\Program Files\iTop Screen Recorder\AutoUpdate.exe" /auto /start
10⤵
PID:7968

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /AutoupdateUac
11⤵
PID:6348

C:\Program Files\iTop Screen Recorder\get-graphics-offsets32.exe
"C:\Program Files\iTop Screen Recorder\get-graphics-offsets32.exe" /main
10⤵
- Suspicious use of SetWindowsHookEx
PID:8704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:6512

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /UAC
10⤵
PID:8924

C:\Program Files\iTop Screen Recorder\AUpdate.exe
"C:\Program Files\iTop Screen Recorder\AUpdate.exe" /u http://stats.reportcpanel.com/iactive_month.php /a isr5 /p itop /v 5.0.0.2414 /t 1 /d 7
11⤵
PID:8576

C:\Program Files\iTop Screen Recorder\AUpdate.exe
"C:\Program Files\iTop Screen Recorder\AUpdate.exe" /isr /dayactive
11⤵
PID:6428

C:\Program Files\iTop Screen Recorder\get-graphics-offsets64.exe
"C:\Program Files\iTop Screen Recorder\get-graphics-offsets64.exe" /main
10⤵
- Suspicious use of SetWindowsHookEx
PID:6528

C:\Program Files\iTop Screen Recorder\iScrFileMover.exe
"C:\Program Files\iTop Screen Recorder\iScrFileMover.exe" 3
10⤵
PID:5476

C:\Program Files\iTop Screen Recorder\iScrFileMover.exe
"C:\Program Files\iTop Screen Recorder\iScrFileMover.exe" 1
10⤵
PID:7908

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /CheckUAC
10⤵
PID:5628

C:\Program Files\iTop Screen Recorder\iScrpdst3.exe
"C:\Program Files\iTop Screen Recorder\iScrpdst3.exe" /postspcache "C:\Users\Admin\AppData\Roaming\iTop Screen Recorder\Data\iTopSpCache.dat"
10⤵
PID:8096

C:\Program Files\iTop Screen Recorder\AutoUpdate.exe
"C:\Program Files\iTop Screen Recorder\AutoUpdate.exe" /auto
9⤵
PID:6220

C:\Program Files\iTop Screen Recorder\iScrInit.exe
"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /AutoupdateUac
10⤵
PID:7900

C:\ProgramData\IObit\Driver Booster\Downloader\db11\IEDSetup.exe
"C:\ProgramData\IObit\Driver Booster\Downloader\db11\IEDSetup.exe" /sp- /verysilent /suppressmsgboxes /install_start /insur=db_in_p2
7⤵
PID:8612

C:\Users\Admin\AppData\Local\Temp\is-P5M64.tmp\IEDSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P5M64.tmp\IEDSetup.tmp" /SL5="$80224,32827532,221696,C:\ProgramData\IObit\Driver Booster\Downloader\db11\IEDSetup.exe" /sp- /verysilent /suppressmsgboxes /install_start /insur=db_in_p2
8⤵
- Drops file in Program Files directory
PID:6376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop iTopEasyDesktopService
9⤵
PID:7512

C:\Windows\SysWOW64\sc.exe
sc stop iTopEasyDesktopService
10⤵
- Launches sc.exe
PID:744

C:\Users\Admin\AppData\Local\Temp\is-S752R.tmp\IEDInit.exe
"C:\Users\Admin\AppData\Local\Temp\is-S752R.tmp\IEDInit.exe" /DeleteAllFile /reinstall=1 /InstallDir="C:\Program Files\iTop Easy Desktop"
9⤵
PID:5336

C:\Program Files\iTop Easy Desktop\LocalLang.exe
"C:\Program Files\iTop Easy Desktop\LocalLang.exe"
9⤵
PID:7224

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\iTop Easy Desktop\IEDMenu.dll"
9⤵
PID:8120

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\iTop Easy Desktop\IEDMenu.dll"
10⤵
- Modifies registry class
PID:5724

C:\Program Files\iTop Easy Desktop\IedInit.exe
"C:\Program Files\iTop Easy Desktop\IedInit.exe" /reinstall=0 /SetupFile="C:\ProgramData\IObit\Driver Booster\Downloader\db11\IEDSetup.exe" /insur=db_in_p2 /OldVersion=
9⤵
PID:3204

C:\Program Files\iTop Easy Desktop\UninstallInfo.exe
"C:\Program Files\iTop Easy Desktop\UninstallInfo.exe" /install ied2
9⤵
PID:2776

C:\Program Files\iTop Easy Desktop\AutoUpdate.exe
"C:\Program Files\iTop Easy Desktop\AutoUpdate.exe" /Auto
9⤵
- Modifies system certificate store
PID:5592

C:\Program Files\iTop Easy Desktop\iiopdcs.exe
"C:\Program Files\iTop Easy Desktop\iiopdcs.exe" /itp /rnd=3
10⤵
PID:6644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc create iTopEasyDesktopService binPath= "\"C:\Program Files\iTop Easy Desktop\IEDService.exe\"" start= auto DisplayName= "iTop Easy Desktop Service"
9⤵
PID:9000

C:\Windows\SysWOW64\sc.exe
sc create iTopEasyDesktopService binPath= "\"C:\Program Files\iTop Easy Desktop\IEDService.exe\"" start= auto DisplayName= "iTop Easy Desktop Service"
10⤵
- Launches sc.exe
PID:7588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc description iTopEasyDesktopService "iTop Easy Desktop Service"
9⤵
PID:6400

C:\Windows\SysWOW64\sc.exe
sc description iTopEasyDesktopService "iTop Easy Desktop Service"
10⤵
- Launches sc.exe
PID:7604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc start iTopEasyDesktopService
9⤵
PID:5464

C:\Windows\SysWOW64\sc.exe
sc start iTopEasyDesktopService
10⤵
- Launches sc.exe
PID:6484

C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe
"C:\Program Files (x86)\IObit\Driver Booster\11.5.0\SetupHlp.exe" /afterinstall /setup="C:\Users\Admin\AppData\Local\Temp\is-E6HFK.tmp-dbinst\setup.exe"
6⤵
PID:6376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=6816 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=7536 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:7064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=5772 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:8312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=7672 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:7564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7620 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:7460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7812 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:7052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
- NTFS ADS
PID:7844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7140 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:8
3⤵
PID:4080

C:\Users\Admin\Downloads\pw-free-online.exe
"C:\Users\Admin\Downloads\pw-free-online.exe"
3⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\is-A2DE4.tmp\pw-free-online.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A2DE4.tmp\pw-free-online.tmp" /SL5="$6039A,2294223,1148928,C:\Users\Admin\Downloads\pw-free-online.exe"
4⤵
- Modifies Internet Explorer settings
PID:8096

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /f /im "updatechecker.exe"
5⤵
- Kills process with taskkill
PID:9020

C:\Users\Admin\AppData\Local\Temp\is-M5H78.tmp\SmDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\is-M5H78.tmp\SmDownloader.exe" /HWND:1049466 /PATH:"C:\Program Files\MiniTool Partition Wizard 12" /URL:https://www.partitionwizard.com/download/online-setup-config/pwpro-v12.ini /VERYSILENT /USERMSG:1450 /LANG:english
5⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\pw-demo-pack-for-freesetup.exe
C:\Users\Admin\AppData\Local\Temp\pw-demo-pack-for-freesetup.exe /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12" /LANG=english
6⤵
PID:7240

C:\Users\Admin\AppData\Local\Temp\is-5JBE3.tmp\pw-demo-pack-for-freesetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5JBE3.tmp\pw-demo-pack-for-freesetup.tmp" /SL5="$8064E,28212041,488960,C:\Users\Admin\AppData\Local\Temp\pw-demo-pack-for-freesetup.exe" /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12" /LANG=english
7⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
PID:8092

C:\Users\Admin\AppData\Local\Temp\is-M5H78.tmp\SmDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\is-M5H78.tmp\SmDownloader.exe" /HWND:1049466 /PATH:"C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /URL:https://www.partitionwizard.com/download/online-setup-config/pwfree-v12-bundle-sm.ini /VERYSILENT /USERMSG:1439 /LANG:english
5⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe
C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /LANG=english
6⤵
PID:8704

C:\Users\Admin\AppData\Local\Temp\is-3GGJ8.tmp\pw_sm_setup_x64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3GGJ8.tmp\pw_sm_setup_x64.tmp" /SL5="$1404D4,208678187,268800,C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe" /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /LANG=english
7⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
PID:6740

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "SchedulerService.exe"
8⤵
- Kills process with taskkill
PID:7728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:6528

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "AgentService.exe"
8⤵
- Kills process with taskkill
PID:7668

C:\Program Files\MiniTool ShadowMaker\testOpenGL.exe
"C:\Program Files\MiniTool ShadowMaker\testOpenGL.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:8636

C:\Program Files\MiniTool ShadowMaker\initsrv.exe
"C:\Program Files\MiniTool ShadowMaker\initsrv.exe"
8⤵
PID:8404

C:\Program Files\MiniTool ShadowMaker\BootTrigger.exe
"C:\Program Files\MiniTool ShadowMaker\BootTrigger.exe" "C:\Program Files\MiniTool ShadowMaker\SMMonitor.exe"
8⤵
PID:7564

C:\Program Files\MiniTool ShadowMaker\experience.exe
"C:\Program Files\MiniTool ShadowMaker\experience.exe" http://tracking.minitool.com/backup/installation.html?mt_lang=en&mt_edition=pw-trial&mt_ver=4.5.0
8⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Program Files\MiniTool ShadowMaker\AgentService.exe
"C:\Program Files\MiniTool ShadowMaker\AgentService.exe" -i
8⤵
PID:6312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:7968

C:\Program Files\MiniTool ShadowMaker\AgentService.exe
"C:\Program Files\MiniTool ShadowMaker\AgentService.exe" -s
8⤵
PID:6468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:6220

C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
"C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" -i
8⤵
PID:6980

C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
"C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" -s
8⤵
PID:6240

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --single-argument https://www.partitionwizard.com/feedback/install-partition-wizard.html?from-demo-v1208
5⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:8052

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
6⤵
PID:7056

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:2
6⤵
PID:7280

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2192,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
6⤵
PID:7588

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2352,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=2368 /prefetch:13
6⤵
PID:2364

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3276,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:1
6⤵
PID:5780

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3292,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:1
6⤵
PID:5208

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3792,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:9
6⤵
PID:5316

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3812,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:9
6⤵
PID:8404

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3820,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:9
6⤵
PID:5128

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4156,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:9
6⤵
PID:8656

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4920,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:9
6⤵
PID:4156

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5596,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
6⤵
PID:7980

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --enable-protect
6⤵
PID:5804

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda0e01c80,0x7ffda0e01c8c,0x7ffda0e01c98
7⤵
PID:7872

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5716,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
6⤵
PID:3624

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4944,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3920 /prefetch:14
6⤵
PID:328

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=868,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:14
6⤵
PID:2668

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4120,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:14
6⤵
PID:8400

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5936,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:14
6⤵
PID:7316

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4244,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:10
6⤵
PID:5764

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5816,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=1592 /prefetch:14
6⤵
PID:7360

C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4052,i,9486846826995964079,7541539300360716069,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:14
6⤵
PID:7080

C:\Program Files\MiniTool Partition Wizard 12\experience.exe
"C:\Program Files\MiniTool Partition Wizard 12\experience.exe" http://tracking.minitool.com/pw/installation.php?from=pw-demo12-freesetup
5⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6228

C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe
"C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"
5⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=7052 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:5404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=4736 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=8000 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:8224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=6104 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:6784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --mojo-platform-channel-handle=6748 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:6816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --mojo-platform-channel-handle=920 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:7640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --mojo-platform-channel-handle=7892 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --mojo-platform-channel-handle=6164 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:8796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --mojo-platform-channel-handle=4912 --field-trial-handle=1832,i,6127473551770347094,15594865743368124600,131072 /prefetch:1
3⤵
PID:3364

C:\Program Files\iTop Screen Recorder\iScrRec.exe
"C:\Program Files\iTop Screen Recorder\iScrRec.exe"
2⤵
PID:6688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4904

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E4
1⤵
PID:432

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:1572

C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
2⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\CR_66DF8.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\CR_66DF8.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\CR_66DF8.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --import-cookies --auto-launch-chrome --system-level
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4452

C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\CR_66DF8.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{D9BF8AE5-A7F7-45C0-9E8E-0D686EF33986}\CR_66DF8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=126.0.25444.62 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff7f3ea5390,0x7ff7f3ea539c,0x7ff7f3ea53a8
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2768

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:2384

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
- Executes dropped EXE
PID:3076

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5820

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5276

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5296

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:8068

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:6676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:8672

C:\Program Files\iTop Easy Desktop\IEDService.exe
"C:\Program Files\iTop Easy Desktop\IEDService.exe"
1⤵
PID:5160

C:\Program Files\iTop Easy Desktop\iEasyDesk.exe
"C:\Program Files\iTop Easy Desktop\iEasyDesk.exe" /Service
2⤵
- Suspicious use of SetWindowsHookEx
PID:6432

C:\Program Files\iTop Easy Desktop\IEDSnap.exe
"C:\Program Files\iTop Easy Desktop\IEDSnap.exe" /take /0 /3
3⤵
PID:7500

C:\Program Files\iTop Easy Desktop\IEDDW.exe
"C:\Program Files\iTop Easy Desktop\IEDDW.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:8056

C:\Program Files\iTop Easy Desktop\AUpdate.exe
"C:\Program Files\iTop Easy Desktop\AUpdate.exe" /ied /dayactive
3⤵
PID:5216

C:\Program Files\iTop Easy Desktop\AUpdate.exe
"C:\Program Files\iTop Easy Desktop\AUpdate.exe" /u https://stats.reportcpanel.com/iactive_month.php /a ied2 /p itop /v 2.5.0.14 /t 1 /d 7
3⤵
PID:3340

C:\Program Files\iTop Easy Desktop\IEDSearch.exe
"C:\Program Files\iTop Easy Desktop\IEDSearch.exe" /Service
2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Program Files\iTop Easy Desktop\AutoUpdate.exe
"C:\Program Files\iTop Easy Desktop\AutoUpdate.exe" /auto
2⤵
PID:9112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E4
1⤵
PID:4128

C:\Program Files\MiniTool ShadowMaker\AgentService.exe
"C:\Program Files\MiniTool ShadowMaker\AgentService.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
"C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6940

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c
1⤵
PID:7812

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr
2⤵
PID:6068

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler.exe"
2⤵
PID:5968

C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserCrashHandler64.exe"
2⤵
PID:2856

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler
1⤵
PID:6748

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper
2⤵
PID:6380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:7652

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:6464

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:8004

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:6996

C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe
"C:\Program Files\AVG\Browser\Application\126.0.25444.62\elevation_service.exe"
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Impair Defenses

Pre-OS Boot

Bootkit

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery