9ea864181b2d4409ce2d80fe22f242790e904db23f2151a05209c947d9ec59e1

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a00000000	RestoroMain.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000232e0-1605.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Restoro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	RestoroSetup.exe

Executes dropped EXE 20 IoCs

pid	Process
640	OperaGXSetup.exe
1564	_sfx.exe
3368	assistant_installer.exe
2716	assistant_installer.exe
5924	Restoro.exe
3024	sqlite3.exe
3788	sqlite3.exe
3296	sqlite3.exe
6712	sqlite3.exe
4752	RestoroSetup.exe
3336	lzma.exe
4444	lzma.exe
5284	RestoroUpdater.exe
5392	RestoroServiceSetup.exe
3676	RestoroProtection.exe
3984	RestoroProtection.exe
3888	RestoroService.exe
6920	RestoroApp.exe
6748	RestoroMain.exe
6596	RestoroAM.exe

Loads dropped DLL 64 IoCs

pid	Process
3432	OperaGXSetup.exe
4492	OperaGXSetup.exe
640	OperaGXSetup.exe
4020	OperaGXSetup.exe
3844	OperaGXSetup.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
5924	Restoro.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
4752	RestoroSetup.exe
6024	regsvr32.exe
5436	regsvr32.exe
5436	regsvr32.exe
3584	regsvr32.exe
4156	regsvr32.exe
4752	RestoroSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32\ = "C:\\Program Files\\Restoro\\ax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32\ = "C:\\Program Files\\Restoro\\ax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3432-135-0x00000000005F0000-0x0000000000BD8000-memory.dmp	upx
behavioral2/memory/4492-138-0x00000000005F0000-0x0000000000BD8000-memory.dmp	upx
behavioral2/files/0x00050000000162b1-146.dat	upx
behavioral2/memory/640-151-0x0000000000460000-0x0000000000A48000-memory.dmp	upx
behavioral2/memory/640-170-0x0000000000460000-0x0000000000A48000-memory.dmp	upx
behavioral2/memory/4020-268-0x00000000005F0000-0x0000000000BD8000-memory.dmp	upx
behavioral2/memory/3844-275-0x00000000005F0000-0x0000000000BD8000-memory.dmp	upx
behavioral2/memory/4020-374-0x00000000005F0000-0x0000000000BD8000-memory.dmp	upx
behavioral2/files/0x00060000000232e0-1605.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	RestoroSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Restoro = "\"C:\\Program Files\\Restoro\\bin\\RestoroApp.exe\""	RestoroSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 50 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	RestoroProtection.exe
File opened (read-only)	\??\E:	RestoroMain.exe
File opened (read-only)	\??\E:	RestoroProtection.exe
File opened (read-only)	\??\O:	RestoroProtection.exe
File opened (read-only)	\??\H:	RestoroMain.exe
File opened (read-only)	\??\T:	RestoroMain.exe
File opened (read-only)	\??\Z:	RestoroMain.exe
File opened (read-only)	\??\A:	RestoroProtection.exe
File opened (read-only)	\??\Q:	RestoroProtection.exe
File opened (read-only)	\??\Y:	RestoroProtection.exe
File opened (read-only)	\??\N:	RestoroMain.exe
File opened (read-only)	\??\P:	RestoroMain.exe
File opened (read-only)	\??\U:	RestoroMain.exe
File opened (read-only)	\??\H:	RestoroProtection.exe
File opened (read-only)	\??\L:	RestoroProtection.exe
File opened (read-only)	\??\N:	RestoroProtection.exe
File opened (read-only)	\??\P:	RestoroProtection.exe
File opened (read-only)	\??\X:	RestoroProtection.exe
File opened (read-only)	\??\Z:	RestoroProtection.exe
File opened (read-only)	\??\A:	RestoroMain.exe
File opened (read-only)	\??\L:	RestoroMain.exe
File opened (read-only)	\??\G:	RestoroProtection.exe
File opened (read-only)	\??\R:	RestoroProtection.exe
File opened (read-only)	\??\S:	RestoroProtection.exe
File opened (read-only)	\??\U:	RestoroProtection.exe
File opened (read-only)	\??\M:	RestoroMain.exe
File opened (read-only)	\??\Y:	RestoroMain.exe
File opened (read-only)	\??\K:	RestoroMain.exe
File opened (read-only)	\??\K:	RestoroProtection.exe
File opened (read-only)	\??\B:	RestoroMain.exe
File opened (read-only)	\??\F:	RestoroMain.exe
File opened (read-only)	\??\G:	RestoroMain.exe
File opened (read-only)	\??\W:	RestoroMain.exe
File opened (read-only)	\??\F:	RestoroProtection.exe
File opened (read-only)	\??\J:	RestoroProtection.exe
File opened (read-only)	\??\M:	RestoroProtection.exe
File opened (read-only)	\??\V:	RestoroMain.exe
File opened (read-only)	\??\V:	RestoroProtection.exe
File opened (read-only)	\??\W:	RestoroProtection.exe
File opened (read-only)	\??\I:	RestoroMain.exe
File opened (read-only)	\??\J:	RestoroMain.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\B:	RestoroProtection.exe
File opened (read-only)	\??\T:	RestoroProtection.exe
File opened (read-only)	\??\X:	RestoroMain.exe
File opened (read-only)	\??\O:	RestoroMain.exe
File opened (read-only)	\??\Q:	RestoroMain.exe
File opened (read-only)	\??\R:	RestoroMain.exe
File opened (read-only)	\??\S:	RestoroMain.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files\Restoro\Restoro_SafeMode.ico	RestoroSetup.exe
File created	C:\Program Files\Restoro\msvcr120.dll	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroApp.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\RestoroMain.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\ax.dll	lzma.exe
File created	C:\Program Files\Restoro\engine.lza	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoro_website.ico	RestoroSetup.exe
File created	C:\Program Files\Restoro\RestoroSafeMode.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroService.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroUpdater.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\Restoro.dat	RestoroSetup.exe
File created	C:\Program Files\Restoro\RestoroAM.exe	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Uninstall Instructions.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\engine.dat	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Privacy Policy.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroScanner.exe	RestoroServiceSetup.exe
File opened for modification	C:\Program Files\Restoro\engine.dat	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro.exe	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro.dat	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoroicon.ico	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroProtection.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\Restoro.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\savapi.dll	RestoroSetup.exe
File created	C:\Program Files\Restoro\uninst.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\TechSupportApp.exe	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Terms of Use.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\ax.lza	RestoroSetup.exe
File created	C:\Program Files\Restoro\engine.dll	lzma.exe
File created	C:\Program Files\Restoro\Restoro_uninstall.ico	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Help & Support.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroUI.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\LZMA.EXE	RestoroSetup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\restoro.ini	RestoroMain.exe
File opened for modification	C:\Windows\restoro.ini	Restoro.exe
File opened for modification	C:\Windows\restoro.ini	RestoroUpdater.exe
File opened for modification	C:\Windows\restoro.ini	RestoroServiceSetup.exe
File opened for modification	C:\Windows\restoro.ini	RestoroSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 16 IoCs

Process Discovery

T1057

pid	Process
6776	tasklist.exe
6392	tasklist.exe
6080	tasklist.exe
4088	tasklist.exe
696	tasklist.exe
6828	tasklist.exe
5748	tasklist.exe
4368	tasklist.exe
1400	tasklist.exe
6656	tasklist.exe
3888	tasklist.exe
4200	tasklist.exe
6104	tasklist.exe
5544	tasklist.exe
5684	tasklist.exe
5908	tasklist.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	RestoroMain.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
4796	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RestoroMain.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RestoroMain.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	RestoroMain.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	RestoroMain.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247762399668339"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Restoro.Engine.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\TypeLib\ = "{C661BE9A-11D8-47DD-A980-6494B09F3AF3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Restoro.Engine\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}\1.0\FLAGS	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AX.DLL	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\MiscStatus\1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
4392	chrome.exe
4392	chrome.exe
3112	msedge.exe
3112	msedge.exe
5384	chrome.exe
5384	chrome.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
3676	RestoroProtection.exe
3676	RestoroProtection.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
3984	RestoroProtection.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskmgr.exe
Token: SeSystemProfilePrivilege	2680	taskmgr.exe
Token: SeCreateGlobalPrivilege	2680	taskmgr.exe
Token: 33	2680	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2680	taskmgr.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
6920	RestoroApp.exe
6748	RestoroMain.exe
6920	RestoroApp.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3432	OperaGXSetup.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe
6748	RestoroMain.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4492	3432	OperaGXSetup.exe	85
PID 3432 wrote to memory of 4492	3432	OperaGXSetup.exe	85
PID 3432 wrote to memory of 4492	3432	OperaGXSetup.exe	85
PID 3432 wrote to memory of 640	3432	OperaGXSetup.exe	86
PID 3432 wrote to memory of 640	3432	OperaGXSetup.exe	86
PID 3432 wrote to memory of 640	3432	OperaGXSetup.exe	86
PID 3432 wrote to memory of 1564	3432	OperaGXSetup.exe	94
PID 3432 wrote to memory of 1564	3432	OperaGXSetup.exe	94
PID 3432 wrote to memory of 1564	3432	OperaGXSetup.exe	94
PID 3432 wrote to memory of 3368	3432	OperaGXSetup.exe	95
PID 3432 wrote to memory of 3368	3432	OperaGXSetup.exe	95
PID 3432 wrote to memory of 3368	3432	OperaGXSetup.exe	95
PID 3368 wrote to memory of 2716	3368	assistant_installer.exe	96
PID 3368 wrote to memory of 2716	3368	assistant_installer.exe	96
PID 3368 wrote to memory of 2716	3368	assistant_installer.exe	96
PID 3432 wrote to memory of 4020	3432	OperaGXSetup.exe	98
PID 3432 wrote to memory of 4020	3432	OperaGXSetup.exe	98
PID 3432 wrote to memory of 4020	3432	OperaGXSetup.exe	98
PID 4020 wrote to memory of 3844	4020	OperaGXSetup.exe	99
PID 4020 wrote to memory of 3844	4020	OperaGXSetup.exe	99
PID 4020 wrote to memory of 3844	4020	OperaGXSetup.exe	99
PID 4392 wrote to memory of 1080	4392	chrome.exe	108
PID 4392 wrote to memory of 1080	4392	chrome.exe	108
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 208	4392	chrome.exe	110
PID 4392 wrote to memory of 3456	4392	chrome.exe	111
PID 4392 wrote to memory of 3456	4392	chrome.exe	111
PID 4392 wrote to memory of 4600	4392	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=96.0.4693.127 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x7578a4b0,0x7578a4c0,0x7578a4cc
  2⤵
  - Loads dropped DLL
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:640
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202303312237201\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xdc4f48,0xdc4f58,0xdc4f64
    3⤵
    - Executes dropped EXE
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3432 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20230331223720" --session-guid=2b165e42-0a2f-473c-a4ba-1bb5ad1a9cef --server-tracking-blob=MjU0MDE3ZmUwZTZmMDYwNmUwMTMwYzg2YWQ4OGU0YjhiNjBhNTAwNDM2MjFjMzVjMjM3NGRkZTJkM2M2YzRiMjp7ImNvdW50cnkiOiJVUyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3RyeWFnYWluPXllcyZ1dG1fc291cmNlPWdvb2dsZS1hZHMmdXRtX21lZGl1bT1iYV9vc2UmdXRtX2NhbXBhaWduPSUyNTIzMDElMjUyMC0lMjUyMFVTJTI1MjAtJTI1MjBTZWFyY2glMjUyMC0lMjUyMEVOJTI1MjAtJTI1MjBCcmFuZGVkJTI1MjAtJTI1MjAyMDE3JnV0bV9jb250ZW50PWdvb2dsZSUyMGNwYyZ1dG1faWQ9Z2NsaWRDajBLQ1Fqd2lacWhCaENKQVJJc0FDSEhFSF9DdTdDejFhV3JlenFuTjJKSEVqQ2ZMYmdsanlrbTcyeWN5MDVub1Bpdk1nVndyd0VqVWRnYUFzMlhFQUx3X3djQiZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lmdvb2dsZS5jb20lMkYmdXRtX3NpdGU9b3BlcmFfY29tJiZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tLyZkbF90b2tlbj04MDQ2NTkxNCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY4MDI5NDkyMS41NDgyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFgxMTsgQ3JPUyB4ODZfNjQgMTQ4MTYuMTMxLjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMDMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6IiUyMzAxJTIwLSUyMFVTJTIwLSUyMFNlYXJjaCUyMC0lMjBFTiUyMC0lMjBCcmFuZGVkJTIwLSUyMDIwMTciLCJjb250ZW50IjoiZ29vZ2xlIGNwYyIsImlkIjoiZ2NsaWRDajBLQ1Fqd2lacWhCaENKQVJJc0FDSEhFSF9DdTdDejFhV3JlenFuTjJKSEVqQ2ZMYmdsanlrbTcyeWN5MDVub1Bpdk1nVndyd0VqVWRnYUFzMlhFQUx3X3djQiIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6ImJhX29zZSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJnb29nbGUtYWRzIiwidHJ5YWdhaW4iOiJ5ZXMifSwidXVpZCI6ImViZWZiNzAyLWZkMjctNDZiOC05MjkzLTY0MTgxZTRmNjIzMCJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=180B000000000000
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
    C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=96.0.4693.127 --initial-client-data=0x2ec,0x2f0,0x300,0x2c0,0x304,0x72b4a4b0,0x72b4a4c0,0x72b4a4cc
    3⤵
    - Loads dropped DLL
    PID:3844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcae5f9758,0x7ffcae5f9768,0x7ffcae5f9778
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:2
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3840 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2844 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4952 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5532 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5596 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5072 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5756 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5492 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5888 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5884 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6108 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6496 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6476 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6324 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7004 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7000 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7336 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7324 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7400 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6836 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7720 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=8156 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8160 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8416 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8400 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8708 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8896 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8480 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7640 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8392 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8552 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9080 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7872 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8092 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8280 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=7268 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:6332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=6712 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=6696 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=8160 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=8152 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=8456 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=8500 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=8688 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7104 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7112 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3456 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7344 --field-trial-handle=1832,i,18240154379478336590,7514337948293801475,131072 /prefetch:8
  2⤵
  PID:6408
- C:\Users\Admin\Downloads\Restoro.exe
  "C:\Users\Admin\Downloads\Restoro.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74zr2vzs.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
      4⤵
      Executes dropped EXE
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:392
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74zr2vzs.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
      4⤵
      Executes dropped EXE
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74zr2vzs.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
      4⤵
      Executes dropped EXE
      PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq RestoroMain.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq avupdate.exe"
      4⤵
      Enumerates processes with tasklist
      PID:6656
- - C:\Windows\SYSTEM32\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\jscript.dll"
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq RestoroSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq RestoroSetup.exe"
      4⤵
      Enumerates processes with tasklist
      PID:696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:4708
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq GeoProxy.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\74zr2vzs.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_country_product_24';"
      4⤵
      Executes dropped EXE
      PID:6712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Wireshark.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq smsniff.exe"
      4⤵
      Enumerates processes with tasklist
      PID:6828
- - C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe" /GUI=http://www.restoro.com/ui/2105/layout.php?consumer=1&trackutil=&MinorSessionID=634efaa284134fe39015adcc64&lang_code=en&trial=0&ShowSettings=false "/Location=C:\Users\Admin\Downloads\Restoro.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=2100 /RunSilent=false /SessionID=31ce2708-61ed-4392-83e2-cd0d937f16a8 /IDMinorSession=634efaa284134fe39015adcc64 /pxkp=Delete /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:380
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroMain.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:5276
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avupdate.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6776
  - - C:\Program Files\Restoro\lzma.exe
      "C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\ax.lza" "C:\Program Files\Restoro\ax.dll"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3336
  - - C:\Program Files\Restoro\lzma.exe
      "C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\engine.lza" "C:\Program Files\Restoro\engine.dll"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroAM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:5204
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroAM.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:6392
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Restoro\ax.dll"
      4⤵
      Loads dropped DLL
      PID:6024
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\Restoro\ax.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5436
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Restoro\engine.dll"
      4⤵
      Loads dropped DLL
      PID:3584
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\Restoro\engine.dll"
        5⤵
        Loads dropped DLL
        
        PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\nss6D66.tmp\RestoroUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\nss6D66.tmp\RestoroUpdater.exe" /S /MinorSessionID=634efaa284134fe39015adcc64 /SessionID=31ce2708-61ed-4392-83e2-cd0d937f16a8 /TrackID= /AgentLogLocation=C:\C:\ProgramData\Restoro\bin\results /CflLocation=C:\ProgramData\Restoro\cfl.rei /Install=True /DownloaderVersion=2100 /Iav=False
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5284
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:6560
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe" /S /MinorSessionID=634efaa284134fe39015adcc64 /SessionID=31ce2708-61ed-4392-83e2-cd0d937f16a8 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:5392
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        6⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroScanner.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:6080
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroUI.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        6⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroUI.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:5748
      - C:\Program Files\Restoro\bin\RestoroProtection.exe
        
        "C:\Program Files\Restoro\bin\RestoroProtection.exe" -install
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroProtection.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:5596
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroProtection.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:6512
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroApp.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4088
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN RestoroActiveProtection /F
      4⤵
      PID:1784
  - - C:\Program Files\Restoro\bin\RestoroApp.exe
      "C:\Program Files\Restoro\bin\RestoroApp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:6920
  - - C:\Program Files\Restoro\RestoroMain.exe
      "C:\Program Files\Restoro\RestoroMain.exe" http://www.restoro.com/ui/2105/layout.php?consumer=1&trackutil=&MinorSessionID=634efaa284134fe39015adcc64&lang_code=en&trial=0&ShowSettings=false /Locale=1033
      4⤵
      Uses Session Manager for persistence
      Executes dropped EXE
      Enumerates connected drives
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:6748
    - - C:\Windows\SYSTEM32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:4796
    - - C:\Program Files\Restoro\RestoroAM.exe
        
        "C:\Program Files\Restoro\RestoroAM.exe" "C:\ProgramData\Restoro\AV"
        5⤵
        Executes dropped EXE
        
        PID:6596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault34d6e2d5h79f1h49bchaf4ah35cc80b305b1
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcadda46f8,0x7ffcadda4708,0x7ffcadda4718
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5891616905042616523,9430676581467899820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5891616905042616523,9430676581467899820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5891616905042616523,9430676581467899820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Program Files\Restoro\bin\RestoroProtection.exe
"C:\Program Files\Restoro\bin\RestoroProtection.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3984
- C:\Program Files\Restoro\bin\RestoroService.exe
  "C:\Program Files\Restoro\bin\RestoroService.exe"
  2⤵
  - Executes dropped EXE
  PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery