glupteba | b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe = "0"	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
5468	netsh.exe
5504	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AGKoXYvf9EWl2gGkcXbHCAF9.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JIA6jkaALDHffnPXb8PyxzLo.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LR6gt3cpL3XmKJglmSeCHqS2.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2m6TxcJ8R3obsLcVygrw72a2.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vAwTC7Y5IQQEFgov1nzFZMco.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UGfVcqsgmRhrvxoCkZoNt1gw.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeGrfnsfnG9J3vyb22ScDaHZ.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgCdvwWIAfT7GUC5ng9kmFcR.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PfQZJXhySyU1PPIwPMy26Moa.bat	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6iRQPHcTDvRv6vIADmezdQXY.bat	MSBuild.exe

Executes dropped EXE 16 IoCs

pid	Process
4196	MSnBOaIw9HV1MMkKGCW3Drpg.exe
728	uJtT9BEOOIheai76Ang6sISY.exe
1064	L90kA9brdR0viPoXoTSAINs6.exe
1072	hBbN98VOeqqtPMgWbLoGWTYV.exe
2200	tozZdotZmqQvHo52t5cQKW9o.exe
4592	schtasks.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
1280	hBbN98VOeqqtPMgWbLoGWTYV.exe
5100	DHlIadET6W5cavnxRmgbQoe5.tmp
3876	hBbN98VOeqqtPMgWbLoGWTYV.exe
100	hBbN98VOeqqtPMgWbLoGWTYV.exe
3076	hBbN98VOeqqtPMgWbLoGWTYV.exe
1544	_setup64.tmp
1676	9qQnHiMU62NsG8MosLE4a8en.exe
1508	DigitalPulseService.exe
4444	Assistant_103.0.4928.25_Setup.exe_sfx.exe

Loads dropped DLL 5 IoCs

pid	Process
1072	hBbN98VOeqqtPMgWbLoGWTYV.exe
1280	hBbN98VOeqqtPMgWbLoGWTYV.exe
3876	hBbN98VOeqqtPMgWbLoGWTYV.exe
100	hBbN98VOeqqtPMgWbLoGWTYV.exe
3076	hBbN98VOeqqtPMgWbLoGWTYV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0006000000023252-325.dat	themida
behavioral2/files/0x0006000000023252-324.dat	themida
behavioral2/files/0x0006000000023252-316.dat	themida
behavioral2/memory/1676-337-0x00007FF683840000-0x00007FF6848BB000-memory.dmp	themida

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321e-150.dat	upx
behavioral2/memory/1072-143-0x0000000000050000-0x000000000059D000-memory.dmp	upx
behavioral2/files/0x000600000002321e-128.dat	upx
behavioral2/files/0x000600000002321e-115.dat	upx
behavioral2/files/0x000600000002321e-164.dat	upx
behavioral2/files/0x0006000000023238-168.dat	upx
behavioral2/memory/3876-177-0x0000000000770000-0x0000000000CBD000-memory.dmp	upx
behavioral2/files/0x000600000002321e-193.dat	upx
behavioral2/memory/100-199-0x0000000000050000-0x000000000059D000-memory.dmp	upx
behavioral2/files/0x000600000002321e-201.dat	upx
behavioral2/memory/3076-214-0x0000000000050000-0x000000000059D000-memory.dmp	upx
behavioral2/memory/1280-169-0x0000000000050000-0x000000000059D000-memory.dmp	upx
behavioral2/memory/100-251-0x0000000000050000-0x000000000059D000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe = "0"	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId="	DHlIadET6W5cavnxRmgbQoe5.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	hBbN98VOeqqtPMgWbLoGWTYV.exe
File opened (read-only)	\??\D:	hBbN98VOeqqtPMgWbLoGWTYV.exe
File opened (read-only)	\??\F:	hBbN98VOeqqtPMgWbLoGWTYV.exe
File opened (read-only)	\??\D:	hBbN98VOeqqtPMgWbLoGWTYV.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
179	ipinfo.io
199	ipinfo.io
176	api.myip.com
177	api.myip.com
178	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4112 set thread context of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 2200 set thread context of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2228	sc.exe
2056	sc.exe
1588	sc.exe
4676	sc.exe
224	sc.exe
5292	sc.exe
5364	sc.exe
5312	sc.exe
5328	sc.exe
5344	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3828	schtasks.exe
4592	schtasks.exe
5564	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	hBbN98VOeqqtPMgWbLoGWTYV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	hBbN98VOeqqtPMgWbLoGWTYV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	hBbN98VOeqqtPMgWbLoGWTYV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	hBbN98VOeqqtPMgWbLoGWTYV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	hBbN98VOeqqtPMgWbLoGWTYV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	hBbN98VOeqqtPMgWbLoGWTYV.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4828	powershell.exe
4828	powershell.exe
5100	DHlIadET6W5cavnxRmgbQoe5.tmp
5100	DHlIadET6W5cavnxRmgbQoe5.tmp
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
4628	powershell.exe
4628	powershell.exe
1676	9qQnHiMU62NsG8MosLE4a8en.exe
1676	9qQnHiMU62NsG8MosLE4a8en.exe
4628	powershell.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe
4176	HwxoL4fWoK2cMfZnUCQa7Mnh.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	MSBuild.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2200	tozZdotZmqQvHo52t5cQKW9o.exe
Token: SeDebugPrivilege	1064	L90kA9brdR0viPoXoTSAINs6.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1508	DigitalPulseService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5100	DHlIadET6W5cavnxRmgbQoe5.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4828	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	88
PID 4112 wrote to memory of 4828	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	88
PID 4112 wrote to memory of 4828	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	88
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 4112 wrote to memory of 1356	4112	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe	90
PID 1356 wrote to memory of 4196	1356	MSBuild.exe	92
PID 1356 wrote to memory of 4196	1356	MSBuild.exe	92
PID 1356 wrote to memory of 4196	1356	MSBuild.exe	92
PID 1356 wrote to memory of 728	1356	MSBuild.exe	91
PID 1356 wrote to memory of 728	1356	MSBuild.exe	91
PID 1356 wrote to memory of 728	1356	MSBuild.exe	91
PID 1356 wrote to memory of 1064	1356	MSBuild.exe	93
PID 1356 wrote to memory of 1064	1356	MSBuild.exe	93
PID 1356 wrote to memory of 1064	1356	MSBuild.exe	93
PID 1356 wrote to memory of 1072	1356	MSBuild.exe	99
PID 1356 wrote to memory of 1072	1356	MSBuild.exe	99
PID 1356 wrote to memory of 1072	1356	MSBuild.exe	99
PID 1356 wrote to memory of 2200	1356	MSBuild.exe	94
PID 1356 wrote to memory of 2200	1356	MSBuild.exe	94
PID 1356 wrote to memory of 2200	1356	MSBuild.exe	94
PID 1356 wrote to memory of 4592	1356	MSBuild.exe	136
PID 1356 wrote to memory of 4592	1356	MSBuild.exe	136
PID 1356 wrote to memory of 4592	1356	MSBuild.exe	136
PID 1356 wrote to memory of 4176	1356	MSBuild.exe	97
PID 1356 wrote to memory of 4176	1356	MSBuild.exe	97
PID 1072 wrote to memory of 1280	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	95
PID 1072 wrote to memory of 1280	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	95
PID 1072 wrote to memory of 1280	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	95
PID 4592 wrote to memory of 5100	4592	schtasks.exe	96
PID 4592 wrote to memory of 5100	4592	schtasks.exe	96
PID 4592 wrote to memory of 5100	4592	schtasks.exe	96
PID 1072 wrote to memory of 3876	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	104
PID 1072 wrote to memory of 3876	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	104
PID 1072 wrote to memory of 3876	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	104
PID 1072 wrote to memory of 100	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	103
PID 1072 wrote to memory of 100	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	103
PID 1072 wrote to memory of 100	1072	hBbN98VOeqqtPMgWbLoGWTYV.exe	103
PID 100 wrote to memory of 3076	100	hBbN98VOeqqtPMgWbLoGWTYV.exe	100
PID 100 wrote to memory of 3076	100	hBbN98VOeqqtPMgWbLoGWTYV.exe	100
PID 100 wrote to memory of 3076	100	hBbN98VOeqqtPMgWbLoGWTYV.exe	100
PID 5100 wrote to memory of 1544	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	102
PID 5100 wrote to memory of 1544	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	102
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 2200 wrote to memory of 908	2200	tozZdotZmqQvHo52t5cQKW9o.exe	111
PID 1356 wrote to memory of 1676	1356	MSBuild.exe	112
PID 1356 wrote to memory of 1676	1356	MSBuild.exe	112
PID 5100 wrote to memory of 1344	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	113
PID 5100 wrote to memory of 1344	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	113
PID 5100 wrote to memory of 3828	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	115
PID 5100 wrote to memory of 3828	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	115
PID 5100 wrote to memory of 1508	5100	DHlIadET6W5cavnxRmgbQoe5.tmp	120

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe
  "C:\Users\Admin\AppData\Local\Temp\b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\Pictures\uJtT9BEOOIheai76Ang6sISY.exe
      "C:\Users\Admin\Pictures\uJtT9BEOOIheai76Ang6sISY.exe"
      4⤵
      Executes dropped EXE
      PID:728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3276
    - - C:\Users\Admin\Pictures\uJtT9BEOOIheai76Ang6sISY.exe
        
        "C:\Users\Admin\Pictures\uJtT9BEOOIheai76Ang6sISY.exe"
        5⤵
        
        PID:1252
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3880
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5380
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5468
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5744
  - - C:\Users\Admin\Pictures\MSnBOaIw9HV1MMkKGCW3Drpg.exe
      "C:\Users\Admin\Pictures\MSnBOaIw9HV1MMkKGCW3Drpg.exe"
      4⤵
      Executes dropped EXE
      PID:4196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1416
    - - C:\Users\Admin\Pictures\MSnBOaIw9HV1MMkKGCW3Drpg.exe
        
        "C:\Users\Admin\Pictures\MSnBOaIw9HV1MMkKGCW3Drpg.exe"
        5⤵
        
        PID:5008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5416
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5812
  - - C:\Users\Admin\Pictures\L90kA9brdR0viPoXoTSAINs6.exe
      "C:\Users\Admin\Pictures\L90kA9brdR0viPoXoTSAINs6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Users\Admin\Pictures\tozZdotZmqQvHo52t5cQKW9o.exe
      "C:\Users\Admin\Pictures\tozZdotZmqQvHo52t5cQKW9o.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:908
  - - C:\Users\Admin\Pictures\HwxoL4fWoK2cMfZnUCQa7Mnh.exe
      "C:\Users\Admin\Pictures\HwxoL4fWoK2cMfZnUCQa7Mnh.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4176
  - - C:\Users\Admin\Pictures\DHlIadET6W5cavnxRmgbQoe5.exe
      "C:\Users\Admin\Pictures\DHlIadET6W5cavnxRmgbQoe5.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
      4⤵
      PID:4592
  - - C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe
      "C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe
        
        "C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1072 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231012055321" --session-guid=388af7bc-c92c-4b47-96da-3207da12a105 --server-tracking-blob=MzNkODI2MDRiOTY2ODY3MmEwYzJjMDk2ZGE3MTNjZDZjNjFmOTM5YWRjOTdhMzIzZWQyZmMwZjJlZTAxMGM0ZDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NzA4OTk5MC45MDk4IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5YjUyZDYyNy0wYWM1LTRhNDUtOTIzOS0wNWQ3MGEyMzkwYTEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0405000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:100
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\hBbN98VOeqqtPMgWbLoGWTYV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\hBbN98VOeqqtPMgWbLoGWTYV.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3876
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310120553211\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xb41588,0xb41598,0xb415a4
        6⤵
        
        PID:4928
  - - C:\Users\Admin\Pictures\9qQnHiMU62NsG8MosLE4a8en.exe
      "C:\Users\Admin\Pictures\9qQnHiMU62NsG8MosLE4a8en.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2744
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2228
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2056
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4676
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:224
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:392
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1620
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2208
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1936
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4140
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Executes dropped EXE
  - Creates scheduled task(s)
  - Suspicious use of WriteProcessMemory
  PID:4592
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4740
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5244
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5292
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5312
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5328
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5344
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5364
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5492
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5624
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5644
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5660
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:5564
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5712
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:5736

C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe
C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.26 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6ff08538,0x6ff08548,0x6ff08554
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280

C:\Users\Admin\AppData\Local\Temp\is-AO9O6.tmp\DHlIadET6W5cavnxRmgbQoe5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AO9O6.tmp\DHlIadET6W5cavnxRmgbQoe5.tmp" /SL5="$70200,5025136,832512,C:\Users\Admin\Pictures\DHlIadET6W5cavnxRmgbQoe5.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\is-A0VLH.tmp\_isetup\_setup64.tmp
  helper 105 0x444
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\system32\schtasks.exe
  "schtasks" /Query /TN "DigitalPulseUpdateTask"
  2⤵
  PID:1344
- C:\Windows\system32\schtasks.exe
  "schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3828
- C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
  "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508

C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe
C:\Users\Admin\Pictures\hBbN98VOeqqtPMgWbLoGWTYV.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.26 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6e3e8538,0x6e3e8548,0x6e3e8554
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3076

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery