5ab5f39d143b6ff77df2fd5026ac8e4788edfd3de27a4e1fa4b420a7d2f61d38

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	opera.exe

Loads dropped DLL 64 IoCs

pid	Process
1324	TLauncher-2.86-Installer-1.0.1.exe
1324	TLauncher-2.86-Installer-1.0.1.exe
1324	TLauncher-2.86-Installer-1.0.1.exe
1324	TLauncher-2.86-Installer-1.0.1.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
1576	AdditionalExecuteTL.exe
1576	AdditionalExecuteTL.exe
1576	AdditionalExecuteTL.exe
1576	AdditionalExecuteTL.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe
1632	opera-installer-bro.exe
1632	opera-installer-bro.exe
1864	opera-installer-bro.exe
1632	opera-installer-bro.exe
1984	opera-installer-bro.exe
1632	opera-installer-bro.exe
1960	opera-installer-bro.exe
1960	opera-installer-bro.exe
684	opera-installer-bro.exe
1632	opera-installer-bro.exe
1632	opera-installer-bro.exe
1632	opera-installer-bro.exe
1632	opera-installer-bro.exe
976	irsetup.exe
1744	assistant_installer.exe
1960	opera-installer-bro.exe
1960	opera-installer-bro.exe
1268	Process not Found
1960	opera-installer-bro.exe
944	installer.exe
944	installer.exe
1160	installer.exe
944	installer.exe
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1612	assistant_installer.exe
2060	assistant_installer.exe
2060	assistant_installer.exe
944	installer.exe
2256	launcher.exe
2124	browser_assistant.exe
2348	opera.exe
2348	opera.exe
2348	opera.exe
2348	opera.exe
2348	opera.exe
1268	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	opera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\launcher.exe"	opera.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	assistant_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	assistant_installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	assistant_installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\assistant\\browser_assistant.exe"	assistant_installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\D:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7099.tmp	msiexec.exe
File created	C:\Windows\Installer\6e413a.msi	msiexec.exe
File created	C:\Windows\Installer\6e4136.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e4136.msi	msiexec.exe
File created	C:\Windows\Installer\6e4138.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	assistant_installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	assistant_installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	assistant_installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\browser_assistant.exe = "9000"	assistant_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_61"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_40"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_30"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_39"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_49"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_74"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_09"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_10"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ftp\shell\open\ddeexec\Topic	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}	installer.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	opera.exe
2788	opera.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	2788	opera.exe
Token: SeShutdownPrivilege	548	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	548	jre-windows.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	548	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	548	jre-windows.exe
Token: SeLockMemoryPrivilege	548	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	548	jre-windows.exe
Token: SeMachineAccountPrivilege	548	jre-windows.exe
Token: SeTcbPrivilege	548	jre-windows.exe
Token: SeSecurityPrivilege	548	jre-windows.exe
Token: SeTakeOwnershipPrivilege	548	jre-windows.exe
Token: SeLoadDriverPrivilege	548	jre-windows.exe
Token: SeSystemProfilePrivilege	548	jre-windows.exe
Token: SeSystemtimePrivilege	548	jre-windows.exe
Token: SeProfSingleProcessPrivilege	548	jre-windows.exe
Token: SeIncBasePriorityPrivilege	548	jre-windows.exe
Token: SeCreatePagefilePrivilege	548	jre-windows.exe
Token: SeCreatePermanentPrivilege	548	jre-windows.exe
Token: SeBackupPrivilege	548	jre-windows.exe
Token: SeRestorePrivilege	548	jre-windows.exe
Token: SeShutdownPrivilege	548	jre-windows.exe
Token: SeDebugPrivilege	548	jre-windows.exe
Token: SeAuditPrivilege	548	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	548	jre-windows.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2124	browser_assistant.exe
2124	browser_assistant.exe
2124	browser_assistant.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2124	browser_assistant.exe
2124	browser_assistant.exe
2124	browser_assistant.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
976	irsetup.exe
1116	irsetup.exe
1116	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 1324 wrote to memory of 976	1324	TLauncher-2.86-Installer-1.0.1.exe	28
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 976 wrote to memory of 1576	976	irsetup.exe	31
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1576 wrote to memory of 1116	1576	AdditionalExecuteTL.exe	32
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1116 wrote to memory of 1632	1116	irsetup.exe	33
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1864	1632	opera-installer-bro.exe	34
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1984	1632	opera-installer-bro.exe	35
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1632 wrote to memory of 1960	1632	opera-installer-bro.exe	36
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1960 wrote to memory of 684	1960	opera-installer-bro.exe	37
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 640	1632	opera-installer-bro.exe	40
PID 1632 wrote to memory of 1744	1632	opera-installer-bro.exe	41

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe" "__IRCT:3" "__IRTSS:22693301" "__IRSID:S-1-5-21-4063495947-34355257-727531523-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-4063495947-34355257-727531523-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x717d8658,0x717d8668,0x717d8674
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1632 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230102175414" --session-guid=2e3a5314-972b-4586-a477-b622119c7adf --server-tracking-blob=ODkxMzVmYzE3ZTE5YWJhOTNhYmMxODI5MzVkNmU1M2U1NjRhYjA4MThlNTY2Y2E3ZTFlY2I0MDg3ZjM5Mjc0NDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzI2ODIwNTAuNTc4MCIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiYWJhZGNiYTYtYzc5NC00ZTFkLWJjNzMtMmU4ZTdkNmViZDlmIn0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C03000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x70db8658,0x70db8668,0x70db8674
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\installer.exe" --backend --initial-pid=1632 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=es --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141" --session-guid=2e3a5314-972b-4586-a477-b622119c7adf --server-tracking-blob=ODkxMzVmYzE3ZTE5YWJhOTNhYmMxODI5MzVkNmU1M2U1NjRhYjA4MThlNTY2Y2E3ZTFlY2I0MDg3ZjM5Mjc0NDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzI2ODIwNTAuNTc4MCIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiYWJhZGNiYTYtYzc5NC00ZTFkLWJjNzMtMmU4ZTdkNmViZDlmIn0= --silent --desktopshortcut=1 --install-subfolder=94.0.4606.38
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies registry class
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x174,0x178,0x17c,0x148,0x180,0x7fef69a2c98,0x7fef69a2ca8,0x7fef69a2cb8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --copyonly=0 --allusers=0
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies Internet Explorer settings
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x1322dc0,0x1322dd0,0x1322ddc
        9⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_crashreporter.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x7feef41a490,0x7feef41a4a0,0x7feef41a4b0
        10⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:cashback=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:startpage-sync-banner=on --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1004 --field-trial-handle=1200,i,6513378506827934659,13276285294572357340,131072 /prefetch:2
        10⤵
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\_sfx.exe"
        6⤵
        Executes dropped EXE
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202301021754141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0xda2dc0,0xda2dd0,0xda2ddc
        7⤵
        Executes dropped EXE
        
        PID:1128
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:548

C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --run-assistant --allusers=0
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060
- C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe
  C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0xdf2dc0,0xdf2dd0,0xdf2ddc
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2124
- - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --stream
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe
    C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x150,0x154,0x158,0x124,0x15c,0x17623f8,0x1762408,0x1762414
    3⤵
    - Executes dropped EXE
    PID:2180
  - - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --stream
      4⤵
      Executes dropped EXE
      PID:2196
  - - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --stream
      4⤵
      Executes dropped EXE
      PID:2220
  - - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
      "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --stream
      4⤵
      Executes dropped EXE
      PID:2244
- - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --stream
    3⤵
    - Executes dropped EXE
    PID:2324

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
- C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_crashreporter.exe
  C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x7feef41a490,0x7feef41a4a0,0x7feef41a4b0
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:cashback=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:startpage-sync-banner=on --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1228,i,11132858150205084526,6118468727254298761,131072 /prefetch:2
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" --pipeid=oauc_pipe2906202b27b41e4bd66c9238c4b575c1
  2⤵
  - Executes dropped EXE
  PID:2292
- - C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe
    C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x13f6c9b38,0x13f6c9b48,0x13f6c9b58
    3⤵
    - Executes dropped EXE
    PID:2364

C:\Windows\system32\taskeng.exe
taskeng.exe {1A8DC5E9-8406-4A3D-9EE5-195422C745FD} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
  C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe --scheduledautoupdate --autoupdaterequesttype=automatic --autoupdateoperaversion=94.0.4606.38 --newautoupdaterlogic
  2⤵
  - Executes dropped EXE
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe" --version
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe" --pipeid=oauc_task_pipedcbb8f53eff625f232ff45d764476217 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015" --scheduledtask
    3⤵
    PID:828
  - - C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe
      C:\Users\Admin\AppData\Local\Programs\Opera\94.0.4606.38\opera_autoupdate.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\Crash Reports" --crash-count-file=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\crash_count.txt --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x13f9c9b38,0x13f9c9b48,0x13f9c9b58
      4⤵
      PID:2196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1332
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1972
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    PID:668
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1892
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1864
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      PID:1908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x210
1⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a74f50,0x7fef6a74f60,0x7fef6a74f70
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1196,6431269171576162427,8457687548993604043,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1208 /prefetch:8
  2⤵
  PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a74f50,0x7fef6a74f60,0x7fef6a74f70
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1300 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1228 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1104 /prefetch:8
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,11688206947514569163,12260153672145931068,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery